How to add ADFS layer to existing Owin/OAuth authentication layer - asp.net-mvc-4

Currently, our system implements Owin and OAuth to authenticate and log in with the access token.
However, on top of that, I now need to add a first check with an existing ADFS authentication server. The current steps are
Use OAuth to verify and log in, returning the ticket.
Now, I need to incorporate ADFS so that the steps are...
Connect to ADFS server and authenticate.
If pass, grab details from own server and proceed authenticated with token.
If fail because some users won't exist in ADFS, check for user from own server and if found and authenticated, proceed as before.
I am trying two separate possibilities:
In Startup.Auth.cs, I added WsFederationAuthenticationOptions for ADFS using the metadataaddress. I am stuck on how to actually use Wreply and Wtrealm and then how to then proceed to check our own OAuth authentication.
Thinking maybe I don't need to do it there, I am modifying the class Application OAuthProvider and in "GrantResourceOwnerCredentials" I am trying to just manually connect to ADFS in there, send the verification details there, grab a response, and proceed based off of the response.
Am I proceeding about this the wrong way? Are the two attempts I'm trying on the right track, and if so, how do I connect that way and return to complete the necessary steps?

Take a look at IdentityServer - in particular version 3 and documentation.
You'll see how it handles multi-auth.
You authenticate with ADFS and get a set of claims back. If the user is not in AD, you will stay on the ADFS login screen with error.

Related

Does Keycloak support some form of middleman authentication?

I'm using keycloak to let my users authenticate with my application. And i am trying to migrate some functionality to a few plugins, e.g. a wordpress plugin. For these plugins i want to use a generic solution so I found the following authentication process from Microsoft (https://learn.microsoft.com/en-us/office/dev/add-ins/develop/auth-external-add-ins#middleman-services) and Adobe ( https://adobexdplatform.com/plugin-docs/tutorials/how-to-integrate-with-OAuth/).
I managed to hack my way around the process to get this working with keycloak. But at this moment I'm a bit concerned about the security risk that go with this process.
The process in steps
the (plugin) client asks to backend server to generate a code to identify the user.
the (plugin) client start polling the backend for an authentication code (no response yet, since the user is not logged in yet).
the plugin opens a browser window or tab with the keycloak loginpage. Everything is the same as the normal process, but this time we add an redirect uri with the code generated in step one, which identifies the user.
once the user is logged in the user gets redirected in the browser to an endpoint where the code from step one is linked to the access token retrieved in this step.
the polling from step 2 now returns the access token to the (plugin) client.
The reason I need to poll for the access token is because I want to make a generic login process for all client.
In short, I want to know what the security risks are, given the steps above. Also I can not seem to find any information of keycloak that they want to implement such feature. Does anyone know if they want to implement this, since many other plugins do offer tis feature to authenticate outside the plugin with a popup window and retrieving the accesstoken by "polling" the server.
Thanks for the help.

MVC authorize not authenticate using AD

I have scoured this and many other sites to find an answer but have come up short every single time. If this is a duplicate, I am very happy to accept direction to the original question with an answer:
I have built an MVC 4 site and I am using the Authorize tag where needed and this is working as expected.
My issue is that I require a mechanism by which to prompt the user (already logged in or some other valid user in the domain) to enter their windows credentials on one page in order to confirm/authorize that user. This is not what the authorize filter is doing. The authorize filter is actually authenticating the user. Thus changing the User.Identity information accordingly.
Is it possible to just authorize a user (not authenticate) without actually changing the User object?
Just returning the 401 response forces the windows prompt but that, in turn, does an authentication, not an authorize.
While a solution could be achieved with a custom action that accepts username/password input, my requirement specifically calls for the native browser windows prompt to be displayed.
The site is using IIS Express and is set up for windows authentication and every aspect of this does what I need. Except for the issue of "true" authorization mentioned above. The browser has to be IE9. Currently running on Windows 10.
No. You're currently using Windows Authentication, and this is how it works. There is no need to login because the user is already logged into Windows, that's the point.
To do what you want, you would need to use an individual auth library like Identity. Which will give you the login capability. However, that doesn't work with AD out of the box, but you can add that in yourself. In otherwords, instead of using the Identity functionality to look a user up by username and password to authenticate, you'd connect to AD over LDAP, and verify the credentials there. You'd also need to use the LDAP connection to add the user's groups in AD to the their roles in Identity. Then, you can utilize the Authorize attribute as normal.
Long and short, if you want to actually allow the user to login as any AD user, then you're pretty much on your own. There's no builtin functionality for that. It's relatively straight-forward, if not entirely easy, to set something up yourself for that that, but again, that's on you.

How to pass an authenticated identity across web sites?

I have a web site with an initial login page, on this page I'm using a claims based identity which is authenticated when a user successfully logs in.
This all works fine, from this main site I have a number of 'sub sites' (that also require logins), and I'm looking to use the same authenticated identity to log into these (e.g. so a user does not have to enter login details every time).
Is there a way to pass the initial authenticated claims-based identity to these sites securely? If so could someone point me in the direction of any useful material on this?
EDIT
Just to clarify in response to the answers below, I am currently using Single Sign On and have this working as follows.
User logins in to https://mywebsite.com/loginsite with Single Sign On. Claims-based identity is authenticated.
What I'm wanting to do is use this same authenticated Claims to log in to the following url in the same domain:
https://mywebsite.com/website1
But whenever I try to access the Identity the authentication is false. Is there a way to achieve this?
What you mentioned is generally referred to as SSO (Single Sign On). See the Auth0 page How to Implement Single Sign On for one way to achieve this.
Single Sign On works by having a central server, which all the applications trust. When you login for the first time a cookie gets created on this central server. Then, whenever you try to access a second application, you get redirected to the central server, if you already have a cookie there, you will get redirected directly to the app with a token, without login prompts, which means you’re already logged in.
(emphasis is mine)
Disclosure: I work at Auth0.

In a REST API, handling authentication for multiple users

One of requirements for implementing a REST Api is that the client has to send the required state information every time to the server to handle a specific request. Assume authentication is in place and I'm successfully authenticating users to use the rest api, which means with every request i'm verifying that user has rights to access the api.
What if I have multiple users and each user has a different access right. So each user can only call a different set of webservices. I'm wondering how this is normally handled by the server. I figure the only way to do this is to check the authentication of each user(via a password hash code,etc) with each request to verify that he has access rights to the requested service. If that is correct then what are the recommended ways of handling authentication of multiple users in such a scenario?
I'm using flask to develop my api, so any specific suggestions will be much appreciated :)
Thanks in advance.
Authenticate a user first by username and password. Return back a token or hashcode.
Prior to any action you take on the servers api, check the users permission by using the token.
You always want to check permissions on the rest api. They can all make the call to the api. Their permissions is what will determine if they can or can't do the request.

WCF Authentication -- Authenticate user/pass one time, then authenticate some other way afterwards?

Basically, I have the following scenario and information:
We're using HTTPS.
We want to authenticate a user by user/pass when they first log in.
After they are authenticated, I want any future calls to OTHER services (not the login service) to use the username and some sort of session (in case the password changes in the middle of a session).
I want to make sure my sessions can timeout and control them in a way that if a user tries to call a service and they don't have a session they get an error (cause they haven't logged in). Not sure if there's a WCF built-in way to do sessions this way or if I'll have to do something customized with a database.
I think we want to use WSHttpBinding (not BasicHttpBinding), 90% sure on this.
I just can't seem to figure out how to do this. Often time's I'll find information on the client code doing client.ClientCredentials.UserName.UserName = username and client.ClientCredentials.UserName.Password = password. But, that just doesn't work because what is my server checking against? I'm trying to grab that info and validate it against a database of user/passes. I'm not looking to use Windows Authentication or that sort (because I don't care who is logged into the computer, just who is logging into the app).
You want to use a Secure Token Service (STS) to authenticate and get a Security Token (maybe SAML) back that identifies the user which can then be passed to your other services and they can just use the identity information to identify and authorize because they trust the STS has verified the user's identity up front.
This is a large subject to discuss, so I suggest searching for WCF STS and doing some more research, but that's definitely the direction I'd recommend going. If you're going to build your own STS implementation, I also recommend looking into using the Windows Identity Foundation (WIF) components to ease your development efforts.
Here's the download link for WIF v1.0 which is the latest version at the time of this answer.