Sample HTTPClient code to authenticate against Embedded STS - thinktecture-ident-server

We are using Embedded STS locally to test our ASP.Net web application. I'm creating a console app to call some of the WebAPI methods and to do some load testing on our app. I'd like to test using a set of users with certain permissions. For our local instance, that means authenticating against EmbeddedSTS.
How do I write an HttpClient to authenticate against EmbeddedSTS to receive this token and auth against my WebAPI endpoints?
Edit: bonus points if I can get the SAML Token while running the app in HTTP mode (not HTTPS).

I figured out how to do this.
Caveat: this is just used for a one off console app that lets us auth against EmbeddedSTS and do the WebAPI calls for stress testing purposes.
Essentially, we simulate what would happen on the browser. This uses the HttpClient and HtmlAgilityPack to parse through the HTML responses, select a user, POST it back to EmbeddedSTS, then POSTs the WS Fed token result and finally receives the FedAuth cookies. After that, the HTTP Client can be used to call any WebAPI or MVC pages in the app.
public static Task<HttpClient> BuildClient(string authurl, string username)
{
var task = Task.Run<HttpClient>(async () =>
{
// setup http client an cookie handler
var handler = new HttpClientHandler();
handler.AllowAutoRedirect = true;
handler.CookieContainer = new System.Net.CookieContainer();
handler.UseCookies = true;
var client = new HttpClient(handler);
client.MaxResponseContentBufferSize = 256000;
client.DefaultRequestHeaders.Add("User-Agent", "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)");
client.DefaultRequestHeaders.Add("Connection", "Keep-Alive");
client.DefaultRequestHeaders.ExpectContinue = false;
// this is the html of the page that has the user dropdown
var userSelectionPage = await client.GetStringAsync(authurl);
string actionPathAndQuery = GetAction(userSelectionPage);
// for the purposes of this sample, we just choose the user called admin
var postData = new List<KeyValuePair<string, string>>() {
new KeyValuePair<string, string>("username", username)
};
// now we post the user name and expect to get the ws fed response
var wsfedresponse = await client.PostAsync(authurl + actionPathAndQuery, new FormUrlEncodedContent(postData));
var wsfedcontent = await wsfedresponse.Content.ReadAsStringAsync();
var namevaluepairs = GetHiddenInputNameValues(wsfedcontent);
var finalpost = await client.PostAsync(authurl, new FormUrlEncodedContent(namevaluepairs));
// at this point, the fedauth cookie is set, we are good to go
return client;
});
return task;
}
private static string GetAction(string htmlContent)
{
var d = new HtmlDocument();
d.LoadHtml(htmlContent);
var node = d.DocumentNode.SelectSingleNode("//form[#action]");
var result = node.GetAttributeValue("action", string.Empty);
return result;
}
private static IEnumerable<KeyValuePair<string, string>> GetHiddenInputNameValues(string htmlContent)
{
var d = new HtmlDocument();
d.LoadHtml(htmlContent);
var nodes = d.DocumentNode.SelectNodes("//input[#type='hidden']");
return nodes.Select(p =>
new KeyValuePair<string, string>(
p.GetAttributeValue("name", string.Empty),
System.Web.HttpUtility.HtmlDecode(p.GetAttributeValue("value", string.Empty))
));
}

EmbeddedSts does ws-federation. This is not designed for web Apis. You rather want Oauth2.

Related

Refresh token on asp.net web api and Blazor server side

I have an application where the backend is an asp.net web api and the front-end is a Blazor server side. Both projects are using net6.0.
I have implemented jwt token authentication, so users can register and login from the front-end.
My problem is that if the user refreshes a page, he automatically gets logged out. My understanding is that this can be solved using refresh token (I'm not sure if this understanding is correct).
I have tried to follow this guide: Refresh Token with Blazor WebAssembly and ASP.NET Core Web API
However since I'm using Blazor server side I cannot intercept HTTP Requests using the approach in the article.
My question is: in my Blazor server side application how can I prevent users automatically getting logged out due to page refresh and how can I intercept the http request?
UPDATE: Notice I already have everything working in regards to token and authentication between the back and frontend. The part that I'm missing is inside the blazor server side application in the program.cs file. I basically want to intercept all http request and call a method.
In program.cs I have:
builder.Services.AddScoped<IRefreshTokenService, RefreshTokenService>();
I want RefreshTokenService to be called on every http request. I have tried creating a middleware (which calls the RefreshTokenService), inside the program.cs like:
app.UseMyMiddleware();
But this only get called once.
Here's a very simplified version of an API client I'm using in my app that's also split into an ASP.NET Core API backend and a Blazor Server frontend.
The way it works is that the accessToken gets retreived from local storage and added as an authentication header to the HttpRequestMessage in my API client before each API call.
MyApiClient.cs
public class MyApiClient
{
private readonly IHttpClientFactory _clientFactory;
private readonly IMyApiTokenProvider _myApiTokenProvider;
public MyApiClient(IHttpClientFactory clientFactory, IMyApiTokenProvider myApiTokenProvider)
{
_clientFactory = clientFactory;
_myApiTokenProvider = myApiTokenProvider;
}
public async Task<ApiResponse<CustomerListResponse>> GetCustomersAsync()
{
//create HttpClient
var client = _clientFactory.CreateClient("MyApiHttpClient");
//create HttpRequest
var request = CreateRequest(HttpMethod.Get, "/getCustomers");
//call the API
var response = await client.SendAsync(request);
//if Unauthorized, refresh access token and retry
if(response.StatusCode == HttpStatusCode.Unauthorized)
{
var refreshResult = await RefreshAccessToken(client);
if (refreshResult.IsSuccess)
{
//save new token
await _backendTokenProvider.SetAccessToken(refreshResult.NewAccessToken);
//create request again, with new access token
var retryRequest = await CreateRequest(HttpMethod.Get, "/getCustomers");
//retry
response = await client.SendAsync(retryRequest);
}
else
{
//refresh token request failed
return ApiResponse<CustomerListResponse>.Error("Token invalid");
}
}
//parse response
var customers = await response.Content.ReadFromJsonAsync<ApiResponse<CustomerListResponse>>();
return customers;
}
private HttpRequestMessage CreateRequest<TRequest>(string command, HttpMethod method, TRequest requestModel = null) where TRequest : class
{
//create HttpRequest
var request = new HttpRequestMessage(method, command);
//add body if not empty
if (requestModel is not null)
{
request.Content = JsonContent.Create(requestModel);
}
//set the Auth header to the Access Token value taken from Local Storage
var accessToken = await _myApiTokenProvider.GetAccessToken();
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
return request;
}
private async Task<ApiResponse<RefreshTokenResponse>> RefreshAccessToken(HttpClient client)
{
var refreshToken = await _backendTokenProvider.GetRefreshToken();
if (refreshToken is null)
{
return ApiResponse<RefreshTokenResponse>.Error("Refresh token is null, cannot refresh access token");
}
var refreshRequest = CreateRequest(HttpMethod.Post, "/refreshToken", new RefreshTokenRequest(refreshToken));
var refreshResponse = await client.SendAsync(refreshRequest);
var refreshResult = await response.Content.ReadFromJsonAsync<ApiResponse<RefreshTokenResponse>>();
return refreshResult;
}
}
MyApiTokenProvider.cs
public class MyApiTokenProvider : IMyApiTokenProvider
{
private readonly ProtectedLocalStorage _protectedLocalStorage;
public MyApiTokenProvider(ProtectedLocalStorage protectedLocalStorage)
{
_protectedLocalStorage = protectedLocalStorage;
}
public async Task<string> GetAccessToken()
{
var result = await _protectedLocalStorage.GetAsync<string>("accessToken");
return result.Success ? result.Value : null;
}
public async Task<string> GetRefreshToken()
{
var result = await _protectedLocalStorage.GetAsync<string>("refreshToken");
return result.Success ? result.Value : null;
}
public async Task SetAccessToken(string newAccessToken)
{
await _protectedLocalStorage.SetAsync("accessToken", newAccessToken);
}
public async Task SetRefreshToken(string newRefreshToken)
{
await _protectedLocalStorage.SetAsync("refreshToken", newRefreshToken);
}
}

How to get Sharepoint authorization cookie from selenium and use it in Rest API?

I'm using selenium browser to automate the log-in process for Sharepoint(my tenant does not allow easy access so this is the only way). I want to get the auth cookie from the selenium browser and use it in a seperate sharepoint API.
I'm not sure if just the FedAuth cookie will be enough for the authorization but I can't seem to test it since my console app has some issues with using ASync. My console application stops without finishing the entire function.
My code:
static async Task Main(string[] args)
{
async Task collectDataWithCookie()
{
{
string FedCookie = Sharepointdriver.Manage().Cookies.GetCookieNamed("FedAuth").ToString();
var baseAddress = new Uri("https://-my.sharepoint.com/personal/_api/files");
var cookieContainer = new CookieContainer();
using (var handler = new HttpClientHandler() { CookieContainer = cookieContainer })
using (var client = new HttpClient(handler) { BaseAddress = baseAddress })
{
var request = new HttpRequestMessage(HttpMethod.Get, "https://tenant-my.sharepoint.com/personal/tenant/_api/files");
request.Headers.Add("Cookie", FedCookie);
var result = await client.SendAsync(request);
string response = request.Content.ReadAsStringAsync().Result;
}
}
}
}
How do I get Sharepoint auth token/cookie from selenium webbrowser and use it for Sharepoint rest API?

Using PublicClientApplicationBuilder and AcquireTokenSilent for chaining Web API calls

I'm working on an AD proof of concept using a console application and PublicClientApplicationBuilder to call Web API A and to call Web API B which also calls Web API A. (API A is just the "Weather" example, and API B just wraps API A.)
My call in API B to HttpContext.VerifyUserHasAnyAcceptedScope(ApiAyeScopes.AccessAsUser) keeps throwing:
IDW10203: The 'scope' or 'scp' claim does not contain scopes 'api://A0000000-1111-2222-3333-444444444444/access_as_user' or was not found.`
How can I resolve this and get the call from API B to API A to work?
I have the direct call to Web API A working. Here's how I authenticate:
static Boolean Authenticate()
{
// See the answer to https://social.msdn.microsoft.com/Forums/en-US/d4b2aff3-eeb1-4204-82ed-ca80232c2523/error-aadsts50076-due-to-a-configuration-change-made-by-your-administrator-or-because-you-moved-to?forum=WindowsAzureAD.
__identityApplication =
__identityApplication
?? PublicClientApplicationBuilder
.Create("000000-1111-2222-3333-444444444444")
.WithAuthority("https://login.microsoftonline.com/me.org/v2.0")
.WithRedirectUri("http://localhost:11596")
.Build();
string[] scopes = new string[] { "api://A0000000-1111-2222-3333-444444444444/access_as_user" };
__authenticationResult =
__identityApplication
.AcquireTokenInteractive(scopes)
.WithExtraScopesToConsent(new String[] { "api://B0000000-1111-2222-3333-444444444444/access_as_user" })
.WithUseEmbeddedWebView(false)
.ExecuteAsync()
.Result;
Console.WriteLine("Logged in as {0}.", __authenticationResult.Account.Username);
return null != __authenticationResult;
}
Here's how I call Web API A from the console, which works:
static List<WeatherForecast> GetWeatherForecast()
{
HttpClient httpClient = new HttpClient();
httpClient.Timeout = Timeout.InfiniteTimeSpan;
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(JwtBearerDefaults.AuthenticationScheme, __authenticationResult.AccessToken);
var response = httpClient.GetAsync("https://localhost:1001/weatherforecast").Result;
var jsonString = response.Content.ReadAsStringAsync().Result;
return Newtonsoft.Json.JsonConvert.DeserializeObject<List<WeatherForecast>>(jsonString);
}
Here's how I call Web API B, which partially works:
static List<WeatherForecast> GetAugmentedWeatherForecast()
{
string[] scopes = new string[] { "api://B0000000-1111-2222-3333-444444444444/access_as_user" };
var apiBeeAuthenticationResult =
__identityApplication
.AcquireTokenSilent(scopes, __authenticationResult.Account)
.ExecuteAsync()
.Result;
HttpClient httpClient = new HttpClient();
httpClient.Timeout = Timeout.InfiniteTimeSpan;
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(JwtBearerDefaults.AuthenticationScheme, apiBeeAuthenticationResult.AccessToken);
var response = httpClient.GetAsync("https://localhost:1101/weatherforecast").Result;
var jsonString = response.Content.ReadAsStringAsync().Result;
return Newtonsoft.Json.JsonConvert.DeserializeObject<List<WeatherForecast>>(jsonString);
}
In Web API B, I have the following:
public class ApiAyeScopes
{
public const String WeatherRead = "api://A0000000-1111-2222-3333-444444444444/ReadWeather";
public const String AccessAsUser = "api://A0000000-1111-2222-3333-444444444444/access_as_user";
}
[AuthorizeForScopes(Scopes = new[] { ApiAyeScopes.AccessAsUser })]
[Authorize(Policy = ApiBeeAuthorizationPolicies.AssignmentToReadAugmentedWeatherRequired)]
[HttpGet]
public async Task<IEnumerable<AugmentedWeatherForecast>> Get()
{
var apiAyeScopes = new String[] { ApiAyeScopes.AccessAsUser };
// See https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-api-call-api-acquire-token?tabs=aspnetcore#code-in-the-controller
HttpContext.VerifyUserHasAnyAcceptedScope(apiAyeScopes);
var originalResult = await _apiAyeClient.GetWeatherForecasts();
return originalResult.Select(wf => new AugmentedWeatherForecast(wf));
}
The code to get the access token is:
String accessToken = await _tokenAcquisition.GetAccessTokenForUserAsync(new String[] { ApiAyeScopes.WeatherRead });
It looks like you are looking to resolve your code from API B to API A to work and API B and API A. On-Behalf-Of flow (OBO) serves the use case where an application invokes a service/web API, which in turn needs to call another service/web API.
Learn more here:
https://github.com/AzureAD/microsoft-authentication-library-for-dotnet/wiki/on-behalf-of
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow
The OBO flow is represented by the steps that follow, which are illustrated in the diagram below.
More guidance can be found here: https://github.com/Azure-Samples/ms-identity-aspnet-webapi-onbehalfof

How do I authenticate OneDrive for Business with Service to Service oauth2 authentication?

The tutorial for OneDrive for Business (here: https://dev.onedrive.com/auth/aad_oauth.htm)
However, I don't want the user to have to login as I'm building a web API - I want the app to login. So, I have followed the tutorial for service to service authentication (here: https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx) which gets me an access token.
However, when I try to authenticate with the service I get an error saying "unsupported app only token". The code I'm using is below (btw, I'm using RestSharp):
public string GetAccessToken()
{
var client = new RestClient("https://login.microsoftonline.com/<tenant>/oauth2");
var request = new RestRequest("token", Method.POST);
request.AddParameter("grant_type", "client_credentials");
request.AddParameter("client_id", <client_id>);
request.AddParameter("client_secret", <client_secert);
request.AddParameter("resource", "https://<tenant>-my.sharepoint.com/");
var response = client.Execute(request);
var content = response.Content;
var authModel = JsonConvert.DeserializeObject<AuthResponseModel>(content);
return authModel.AccessToken;
}
this gets me the access token
This is how I try to access my drive:
public string GetDrive()
{
var accessToken = GetAccessToken();
var client = new RestClient("https://<tenant>-my.sharepoint.com/_api/v2.0/");
var request = new RestRequest("drive", Method.GET);
request.AddHeader("Authorization: Bearer", accessToken);
var response = client.Execute(request);
var content = response.Content;
return content;
}
Does anyone have any tips? This is getting slightly maddening.

How to consume REST service from a MVC 4 web application?

Can someone give me pointers on how to How to consume an external REST service from a MVC 4 web application? The services rely on an initial call with credentials base 64 encoded, then returns a token which is used for further web service queries.
I cannot find an easy primer on how to do this kind of thing, could someone help please?
I have all this working in classic ASP & JQuery but need to move over to an MVC 4 web application.
You could use the HttpClient class. Here's an example of how you could send a GET request and use Basic Authentication:
var client = new HttpClient();
client.BaseAddress = new Uri("http://foo.com");
var buffer = Encoding.ASCII.GetBytes("john:secret");
var authHeader = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(buffer));
client.DefaultRequestHeaders.Authorization = authHeader;
var response = client.GetAsync("/api/authenticate").Result;
if (response.IsSuccessStatusCode)
{
string responseBody = response.Content.ReadAsStringAsync().Result;
}
Once you have retrieved the access token you could make authenticated calls:
var client = new HttpClient();
client.BaseAddress = new Uri("http://foo.com");
string accessToken = ...
var authHeader = new AuthenticationHeaderValue("Bearar", accessToken);
client.DefaultRequestHeaders.Authorization = authHeader;
var response = client.GetAsync("/api/bar").Result;
if (response.IsSuccessStatusCode)
{
string responseBody = response.Content.ReadAsStringAsync().Result;
}