I am trying to write an app with WCF as back end service and using Xamarin. I want to use token based authentication and i am evaluating https://auth0.com. I succeded in getting the token from auth0 in my Xamarin android app. Also looking at the tutorial I can setup the WCF web service. I am stuck at understanding how the whole thing works together? How do i use the Auth0 token received to communicate with my WCF service? Or rather how does the server know that it is the authenticated user from the token? How to use the token in my app when accessing the web service. Any one has similar arrangement before?
if you have done everything mentioned here to setup your behavior on your services then you should be able to add the token to the request header.
If you are using the webhttpbinding like they suggest then you should be able to intercept the message in a BeforeSendRequest
var header = new HttpRequestMessageProperty();
header.Headers.Add("Authorization", "Bearer " + this.token);
request.Properties.Add(HttpRequestMessageProperty.Name, header);
or if you are using WCF with soap and a wsHttpBinding or similar then you can
((HttpRequestMessageProperty)request.Properties[HttpRequestMessageProperty.Name]).Headers.Add("Authorization", "Bearer " + this.token);
Once the behavior is on your WCF service it will authenticate the token for every call made to a service that has that behavior attached to it. You can add a breakpoint in ValidateJsonWebToken.cs (which installed as part of the NuGet package from auth0) to see where it authenticates.
Related
I have followed all the steps mentioned in the following link to implement oAuth authentication for connecting to VSO:
https://www.visualstudio.com/en-us/integrate/get-started/auth/oauth
It involves creating a azure web site and the token in returned to it which is used for further processing.
My requirement is to create a service which will connect to VSO using oAuth authentication and fetch/create the work items.
I want to know how to configure the call back url in case of using a service.
Firstly, please take note that: Right now, it is only supported to register web application, it is impossible to register a WCF service project.
If you would like to register a web application and would like to get the call back URL, please check my reply in this link for the detailed steps: callbackurl while connecting to vso using oAuth
There's lots of info on how to do Forms authentication or Windows authentication with SignalR. I am interested in using my own authentication DB. I use a .NET client because the connecting agent is a service, not a web browser with a human behind it. I'd ideally like my client code use:
hubConnection.Credentials = new NetworkCredential(userName, password);
And my server code to use [Authorize] on the hubs and to have Context.User available to me. All comms are over https so I don't care about plain text.
I've read the asp.net basic authentication guide which shows how to override the authentication mechanism using an IHttpModule. However, the 'Authorization' header never seems to get set in the requests coming from the .NET SignalR client when I breakpoint the code in the HttpModule.
All I want to do is trivially pass a username and a password from the client and code up how authentication happens on the server. Is that so hard? No magic. No Active Directory. Just authentication by me.
My current, working, approach is to set custom headers which are interpreted at the SignalR level (using a custom AuthorizeAttribute), however apparently 'the right way to do it' is not to do authentication at the authorisation level and instead have the webserver do that before any SignalR stuff happens.
Can anyone please describe a good procedure for full, but dirt-simple, custom authentication?
Client
var connection = new Connection(url + "/echo");
connection.Credentials = new NetworkCredential("user", "password");
await connection.Start();
Server
app.Map("/basicauth", map =>
{
map.UseBasicAuthentication(new BasicAuthenticationProvider());
map.MapSignalR<AuthenticatedEchoConnection>("/echo");
map.MapSignalR();
});
NuGet Package required: Microsoft.Owin.Security.Basic
You can see a full sample here
When i try to invoke a WCF service from an asp.net application (RP) which is authenticated by another asp.net application(IP) , I'm getting an error message with content of Login page (It is trying to reach the login page because it could not authenticate the request).
Identity Provider : _http://localhost/AuthenticatonWS/Login.aspx
Relying party Website : _http://localhost/RPWebsite/Default.aspx
WCF Service : _http://localhost/RPWebsite/Service1.svc
(In my solution I'm calling service1.svc from default.aspx.cs)
I don't want the service to be anonymous. Currently the site (RPWebsite) uses STS and trusts local Identity provider, but in production it can trust any external identity provider thru ADFS.
Can any one guide me how i can pass the token information to the service from aspx page, I did try several examples from internet but i could not get it working.
The problem could very well be that the RPWebsite uses ClaimsAuthorizationModule in <system><httpModules> or <system.webserver><modules> in web.config. This causes any web service call to be redirected to the STS for authentication, as if it were an interactive browser request, as you observed.
Alternatively, this module can be added in the WIF-specific section of web.config, that is, in <microsoft.identityModel><service>, and in this case this module is only used for claims-based WCF web service calls. You add it in the following form: <claimsAuthorizationManager type="MyNamespace.CustomClaimsAuthenticationManager, MyAssembly"/>. (This type must extend ClaimsAuthorizationManager, as described in the WIF documentation page "ClaimsAuthenticationManager, ClaimsAuthorizationManager, and OriginalIssuer".)
Reference: Vittorio Bertocci, "Programming WIF", p. 43.
I think there are several options:
Using Persistent Authentication Cookies that support multiple client sessions. Or support sharing session between your RP and WCF service, so that WCF can re-utilized the authentication cookies issued for RP when RP makes a call to WCF service. To be honest, I have never tried to implement this in action. It is just my theory.
Create an separate authentication service which require no user-interaction (such as entering username/password). And then you have plenty of way to call WCF from your RP:
From your RP, ask the authentication service to issue a token for WCF; attach the token into request header of WCF call (e.g.: Authorization); then call WCF service. This requires a custom HttpModule to accept custom request header containing token at WCF service.
From your RP, you can also store UserName/Password, or an unique user identity claim which could identify the user; attach those information into request header of WCF call (e.g.: Authorization); then call WCF service. This also requires custom HttpModule to accept custom request header at WCF service.
I would recommend the second option, which you could find more useful information and guideline from Dominick Baier's blog.
Just my 2 cents.
I have this existing environment:
1) ASP.NET 3.5 web application
2) forms authentication with the SqlMembershipProvider
I need to add the following:
1) a Silverlight charting object embedded in a web page.
2) a WCF service to be consumed by:
a) the Silverlight component embedded in an authenticated
web page, as mentioned above
b) server-based WCF clients with certificate based authentication
My question is - what is the easiest/best way to configure the WCF endpoints for the Silverlight object to authenticate to the WCF service using the security context of the already logged-in user (via the page that’s hosting the Silverlight object) without having to use the user's username/password again?
I've researched a lot of the MSDN and Patterns & Practices material and I thought I had a decent grasp of many of the potential authentication scenarios. But I can't seem to figure out a way to tie them together for the scenario I've outlined. I've found other people posting similar questions to mine but none of the answers I've read seem to fully answer their questions either. (Maybe I'm making this harder than it needs to be?)
I would think that the solution would be to somehow use the authentication token/cookie generated in the asp.net form login and somehow pass that to the Silverlight object which then includes it in the WCF request. But I don't see how to configure the WCF endpoint to use that token.
(In some of my other projects I've implemented the server-to-server scenario in 2.b above using certificate-based authentication, so I'm not too worried about adding that to the current mix I've outlined.)
Thanks in advance for any insight or pointers to the path forward.
Terry
Thanks codemeit for trying to help but I finally figured out what I was doing wrong - it was pilot error.
In trying to configure the endpoints for my Silverlight app I was testing with an asp.net page. I finally realized that when I test that way, the client endpoint is no longer originating from the authenticated browser - the client endpoint is the IIS server which in turn executes the request against the WCF server endpoint. So the security context changes and HttpContext.Current.User.Identity is always empty at the WCF server endpoint.
Once I got my test SL app running in the browser, it automatically inherited the security context of the authenticated browser and then HttpContext.Current.User.Identity was correct and authenticated at the WCF server endpoint.
Have you tried to enable your WCF services with aspNet compatibility, then see if the following is true.
string currentUserName = HttpContext.Current.User.Identity.Name;
bool isLoggedIn = HttpContext.Current.User.Identity.IsAuthenticated;
if these properties are being populated with the expected values, then this is the one you are after.
To enable aspNet Compatibility
add to web.config
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" />
add to the service impl class
[AspNetCompatibilityRequirements
(RequirementsMode=AspNetCompatibilityRequirementsMode.Required)]
In this case, the endpoint would be using basicHttpBinding, and you could check the authentication at run time within WCF.
I recently wrote a webservice to be used with Silverlight which uses the ASP.net membership and roles.
To validate the client in the service I look at the HTTPContext.Current.User (Which works when the service is called from Silverlight)
However, I've been trying to call the same service from an asp.net postback. But when I step-thru to the service the HTTPContext.Current has an emplty string for the username.
I'm guessing there is something that I'm not doing in the web.config file which is causing the httpContext to not be sent through the proxy to my service?
Any ideas would be appreciated. I need to be able to validate the client somehow using asp.net membership and roles and have it work from both an asp.net client and a silverlight client.
I have solved it!
Looks like by default the Silverlight application was sending all the browsers cookies to the service. One of these cookies is the ".ASPXAUTH" cookie to authenticate against the membership and roles.
The asp.net application however was not sending the cookies to the service. To send the authorisation cookie I used the following code before calling my webservice method.
using (OperationContextScope scope = new OperationContextScope(ws.InnerChannel))
{
HttpRequestMessageProperty httpRequest = new HttpRequestMessageProperty();
OperationContext.Current.OutgoingMessageProperties.Add(HttpRequestMessageProperty.Name, httpRequest);
HttpCookieCollection cc = Page.Request.Cookies;
if (Request.Cookies[".ASPXAUTH"] != null)
{
HttpCookie aCookie = Request.Cookies[".ASPXAUTH"];
String authcookieValue = Server.HtmlEncode(aCookie.Value);
httpRequest.Headers.Add("Cookie: " + ".ASPXAUTH=" + authcookieValue);
}
// Webservice call goes here
}
Instead of HTTPContext try ServiceSecurityContext.Current.PrimaryIdentity
Not sure how it is working from Silverlight but not ASP.Net, but for starters here is a good blog post on how to setup WCF to work with ASP.Net membership providers. There are quite a few steps so this could be pretty easy to miss a setting.
Once you get that working correctly then I imagine both should work correctly.
I think it may be because my wcf service is in my silverlight.web project, and perhaps they are more friendly when it comes to sharing.
I may need to read up more on wcf and create a greater seperation of concerns by setting up a seperate webservice project?
Update:
Ok I've taken a look at the HTTP Post request using Fiddler
Looks like the Silverlight App is sending a 'State' with an authorization cookie and my asp.net app isn't.
Looks like I need to send the state + my authorization cookie when I call the service. I may need to formulate a new question soon...