I am using asp.net web api 2 and developing an app which is to be hosted on intranet. So the authentication needs are very basic / minimal. I have some custom table where I store registered user's username/password. Using that I need to validate user.
As far as I understand OAuth is for using authentication from google/facebook/etc. Forms authentication is used with asp.net mvc. So what kind of authentication should I implement.
I have googled around but all I found are OAuth example. But how can I do very basic/minimal authentication implementation.
I know its a duplicate question, but it would be great, if someone can guide me to a link which can start from basics like how to read Authorize header, how to create/when to set IPrincipal, etc...
EDIT
there is no legal/regulatory requirement. also single sign on or windows login is not a choice. so just need to stick with a simple table with username/password fields.
just want to know the most basic way to include authentication/authrization in web-api app.
I recently answered a simliar question, see here: https://stackoverflow.com/a/26757636/849507
Since you already have your own table with username and password, the first two parts are for you. You can ignore the angular parts.
for the future users, if you are looking at the most basic & simple implementation, please have a look at SimpleOAuthProvider as shown in here. Its the most basic and simplest one to implements and uses token auth, which is good enough of most of the use cases.
Please do replace the AccountsController and AuthRepository with your custom implementations.
Related
Good day everyone,
I have a conceptual question regarding the feature in the title. I've been searching around but cannot find any useful information because I am either missing the concept completely or there is an overflow of examples on the internet.
The problem is fairly simple:
We have three web applications. All of these are aspnet core based and use IdentityFramework along with JWT for authentication as well as authorization. Each have their own database. Recently, a request has come up to rip out the JWT token issuing code and place it in a single separate application to be able to implement SSO. All fine and dandy.
But: each application has an extended user object that is app specific, along with claims that are app specific and stored in each individual database. We'd like to keep the basic info on the new login server (email, password, phone number... the standard IdentityUser model), while the extended info would need to come from each individual app. This way (I suspect) we could enable google log on our apps as well.
Could someone kindly either explain to me the core concept of SSO using JWT for multiple apps or at least direct me to a book/extensive article about the subject? I need a starting point.
Thank you in advance.
I want to create a custom API that behind the scenes, call number of other APIs which use OAuth 2.0 for authentication. I want to manage this internally so that my custom endpoint somewhat abstract this.
Or to begin with I want to do what app like buffer (https://buffer.com) do - where you connect to different social services and than post your status.
How can I achieve this in .NetCore ?? I don't want to login with these (a lot of samples are catering this scenario), user login is different than this. I just want to establish these connections (like API Connections if you look at Azure API Management) and then perform some operations against those endpoints.
I hope i convey my point. please let me know if this isn't clear.
Thanks
Sanjay
OAuth2 systems are all based on the same workflow.
here's an authorization url, you pass some ids in an authorization header, if everything is correct you get a token, you then use the token to do whatever you are allowed to do. What changes are the credentials you use for authentication and the urls you hit for the various parts of this workflow.
You could write your own OAuth2 library which deals with all this, that's pretty much what I did and simply changed the details for every specific system I had to interact with.
This being said you can always use one of the existing implementations to connect to the various systems you care about, they all have an API you could use, all you have to do is make sure you follow the OAuth2 flow correctly.
I have a JSON REST API written in Symfony 2.7, and I want to authenticate & authorize users. This is my first time doing this, so I have some doubts/questions.
For that, I thought several methods:
User & password, and then save a session in the back end
Same as 1), but add an "apiToken" (randomly generate when user register) and then sending back & forth the apiToken in every single request to check user identity.
Use OAuth (which I'm currently reading about it).
I read that using OAuth for a simple API is like an "overkill", but on the safe side it sticks to standards and also allows me to use it when using my API with mobile devices and different platforms.
Also, I don't know too much about security flaws of using method 1) or 2).
I know this is maybe based on opinions, but I don't know any other site to post this question, as Symfony official mailing was shut down and migrate here it seems.
As you seems to know, your question is too opinion based.
If I can give you some advices (too long for a 600chars comment),
OAuth is powerful, but so much free.
I mean that you can easily implement it sort as everything works well while having a set of potential security issues without being aware of their existence.
Libraries and bundles providing OAuth are hard to maintain because of the new security issues regularly found.
On the other hand, if you need the benefits of OAuth (be a client and/or a server, compatible with the most part of social networks), go learn OAuth and do your experience with it.
Otherwise, use a simple credentials/request token two-step authentication.
See the JWT Authentication tutorial by KnpLabs,
Symfony Guard Authentication by Ryan Weaver,
and the great LexikJWTAuthenticationBundle, easy to implement and to use.
I'm building a single-page web application, fully based on RESTful API. I've seen several topics in that matter, but some things remain unclear for me.
I will need users to log in. Here are some of my ideas:
I can send e-mail and password to API and use basic auth. I'm not sure where should I keep password, should it be encrypted and if so: how?
Can I use built-in session system instead? Is it wrong to use cookies directly in the RESTful API? Why is it so popular to send credentials/keys to API itself instead of using cookies?
I thought about having one API key per user, return it in login action and keep it in localStorage. I guess it's not the greatest idea to have just one key per user?
Then, I came up with idea to have separate keys table and add random keys each time somebody logs in. On logout, the key would go away and no longer be valid. This is more secure than previous idea.
How is it solved in simple projects? I'd like to make it simple but not ridiculously inserure.
Please help.
The commonly approach is to use the header Authorization in REST. The state of the application must be on the client side with REST and shouldn'a be tied to a particularly client kind (browser with cookies)
I think that this link could be helpful:
Implementing authentication with tokens for RESTful applications : https://templth.wordpress.com/2015/01/05/implementing-authentication-with-tokens-for-restful-applications/
There is also à great question to à similar question here : https://softwareengineering.stackexchange.com/questions/141019/should-cookies-be-used-in-a-restful-api
Hope it helps,
Thierry
Not sure if the title of the question expresses good my problem, so I'm going to do my best to explain it here:
I'm writing a RESTful api using php and Restler. Now here comes the problem:
There are some services that I'd like to protect, that is, know if the user requesting that service has enough privileges.
All the services that I'm implementing have to be consumed using javascript, so the traditional method user/password won't work beacause everyone will see that!
I'd also like to limit the amount of requests an anonymous user can do, like twitter does with the search service.
What can I do to expose my api to everyone, but only let users with priveleges complete their requests?
I stumble with this post: REST authentication and exposing the API key but at the end, no solution was provided.
I'm very open to any alternative: like OAuth. I would like to use something that integrates well with restler though, but if that is not the possible, then its ok.
I've seen a lot of info, saying that an api key would do the work, but since I'm using javascript, how can I protect those keys from being used by other users?
Update: Restler 3 is released with hybrid access support using #access hybrid comment and is available here!
Just in time with the right question :)
Your question has two parts
1. How do I do hybrid access (both public and protected access) with Restler
Restler 2 does not support hybrid access, but Restler 3, which will be released in August 2012 (this week) will support hybrid access, exactly built for your use case
You can follow the development at twitter and/or facebook
2. How can I protect my API when the primary consumer is JavaScript
For simplicity you may use HTTPS with Basic Authentication or HTTP with Digest Authentication
Another alternative is described in this article. It is not written specifically for Restler but it is easy to adapt to Restler. Let us know if you need help on that