OAuth2 authorization server with claims - thinktecture-ident-server

I have a Web API application and I want to secure that. I've been reading about ThinkTectures IdentityModel and IdentityServer for authorization (OAtuh2) and I think this is what I need.
I'm just not really sure where to start with this. There are so many solutions available that I'm not sure what to use.
I think I need to add ThinkTecture.IndentityModel to my Web API application right?
Should I then download ThinkTecture.IdentityServer2? Or do I need Thinktecture.AuthorizationServer as well? I'm kinda confused there.
In the end I want my Web API application to be able to login into a identity server which returns claims that belongs to that user.
Could anyone tell me where and how to start with this. I need a push in the right direction.
For starters I already added ThinkTecture.IndentityModel to my WEB Api application. What else do I need to do?

I'd suggest starting with the wikis of each project. They go into details about the purpose of each project and how to get started:
https://github.com/thinktecture/Thinktecture.IdentityServer.v2/wiki
https://github.com/thinktecture/Thinktecture.AuthorizationServer/wiki

Related

ASP.NET Core / Blazor / Web API : how to securely store user data?

I hope its possible someone can point me in the right direction. This is 100% a education issue.
Problem
I need to create a web application at the moment I would like to use with ASP.NET Core MVC or Blazor Server. But I would like to move this to either a Blazor Web Assembly or Angular application in the future.
I am creating what seems to be a very simple web application. Users can sign up and request a licence key. Users can have multiples of these keys. Once a form is filled in this is then awaiting authorization. This part isn't the problem.
I am finding it hard to work out how to and the best way to get this data stored in a database. The licences will be linked to the user stored in the Identity database. I have followed multiple tutorials and tech papers online on how to use authorisation and authentication but none seem to go into details about storing user data. Obviously only the logged in user can view/create their licences and will have no access to anyone else's.
I understand the process will be different for ASP.NET Core MVC/Blazor server and Angular/Blazor WA as these will require an API.
I hope that someone can point me in the right direction as I have been scanning online for 3 days now and kind of need to be put out of my misery.
Thanks in advance.
Below is one of the way to handle.
Create a table with UserId, license, Active, and any other required fields.
Expose a Web API Controller with the Authorize attribute. Only the users with valid JWT tokens will be able to access this Controller.
UserLicensesController will be talking to the table which stores the Licenses.
Use Blazor Web Assembly, OR Angular, OR React JS. Login with valid credentials.
Invoke the Get/Post/Put methods from UI to UserLicensesController Web API, and pass the JWT token.
Please let me know if you need any further assistance.
[19-May-2021] Here is a basic solution.
I have created a basic solution.
UserMgmtStore.sqlproj contains the Database Project.
UserMgmt.API.csproj contains the Web API with JWT authentication.
I am using Auth0 for the authentication and authorization platform.
UserMgmt.Web.csproj contains the Blazor Web Assembly Project.
I have used the Username and Password to retrieve the JWT token from Auth0.
As each individual project with have their own Identity/STS system. I have hard-coded the token just to complete the Proof Of Concept.
I have checked in the POC into my GitHub Repository.
URL: https://github.com/vishipayyallore/mini-projects-2021/tree/master/Projects/UserLicenses

Develop .netcore web api with open id connect security while accessing

we have a website which is accessible after azure AD authentication with Open ID connect.
So now the requirement is, we need to develop a .net core web api and need to access this web api from above website.
Need some guidance on developing this web api and how can we access this web api from website securely. Can we use the token method or the JWT or any other way instead of secret key and api key.
Please share any useful link if possible.
Much Thanks
Anuraj
For dotnet core web API project sample you can see here which build on using openID connect.
Once you have build API you need to register it on azure portal. Beside you have assign permission on your application which you are looking forward to access from out side.
Here you can have a look on how to register app on azure portal
After successful registration make sure you have allowed API permission you need like below screen shot:
Here is same thread for API permission guide line you can have a look on.
This is also helpful for you to test it on postman example.
IF you have any complexities regarding implementation let me know. Thanks
You can rely on Microsoft documentation to understand how to properly create a .NET Core Web API with MVC.
Also yes you can use token or JWT or OAuth2 or any authentication method. Here's an useful link: https://auth0.com/blog/securing-asp-dot-net-core-2-applications-with-jwts/
You can then try to code something and eventually ask a more specific problem about coding here in SO.

Best way to handle User authentication + Push Notifiations in Ionic

Parse? Auth0? Firebase? Ionic Platform?
I'm so lost... Can anyone help me?
If you are looking for a "backend in a box" then If you are creating an API meant to be consumed by an Ionic application, JWT is probably what you are looking for. Parse, Auth0 etc may help. I have not used them. However, if you are building your own backend it will be dependent on what server side framework you are using. It's safe to say that JWT is a good approach on the client side(angular/ionic), but you will need a serverside authentication and account system such as Passport for Node, Devise for Rails etc.. Either of those will handle basic authentication and account management. You will need a JWT layer as well to produce and manage tokens for the client. You can also create a homebrew system if you choose to but the frameworks I mentioned make things quite a bit easier.

OWIN/Katana: Authentication Middleware

I'm almost driving crazy looking for the right way to implement appropriate authentication functionality for my OWIN/Katana project using SignalR.
I already read about writing an own OAuth2.0 Service, I heard about using cookie authentication, and using SignalR's [Authorize] attribute. Yet, I am not quite sure about whether any of these approaches meet my requirements.
I have the following scenario:
I've got a host application that performs a WebApp.Start() for let's say TWO owin hosts.
Each owin host has various middlewares.
What I want to do: At the beginning of each OWIN pipeline I want to add an OWIN middleware that presents a login-page and allows the user to authenticate. If the user has been successfully authenticated, he is able to reach any other middlware in the pipeline. If the user browses to a further pipeline before authenticating, he should be redirected to the login page.
The problem: I found plenty of articles describing how to write an OAuth 2.0 server and so on. What I did NOT found is a step-by-step tutorial showing how to authenticate using JavaScript and after that, share and use the authentication data in each middleware that has to check if the user is authenticated.
Does anyone have a good tutorial of how to achieve something like this?
Or, is it even possible to share the authentication data between multiple OWIN IAppBuilder instances. (Each middleware is a separated DLL, in my case.)
Please don't blame me for not reading any documentation or something, I really did already spend a looot of time investigating in how to approach something like this. IMHO there is no really good article describing how to achieve something like that.
Or, at least, can anyone explain to me how to work something out?
Thanks in advance!
Ronald
Project structure: https://pl.vc/2y86u
I have a project OWIN.Framework that allows you to have multiple OWIN pipeline segments with routing. This would allow you to have some middleware that runs first, and multiple pipelines behind this configured with different middleware in each pipeline.

Use everyauth package for authorizing users to access data via REST api calls

I am developing a google chrome extension that needs to communicate with a nodejs server. I was wondering if its possible to use everyauth package to simplify authentication. For starters, I just wanted to use simple password based authentication. But from the examples and the documentation ,as well according to my trial, it seems to me that everyauth is designed to be used for a webapp and gives me errors if i don't set the getLoginPath. Also i am not sure how to configure everyauth to send the user details or errors after user authenticate in a json payroll rather than redirecting user to a particular page. This is my first project with node.js and I am looking for some advice on how to go forward with this. I am open to using some other package/library that provides such authentication,
Since you are open to using other modules, as the developer of Passport, I'd suggest you look at it: https://github.com/jaredhanson/passport
Passport is designed to be a simple and unobtrusive authentication library, which makes it easy to get up and running quickly. It's also modular and extensible, which allows it to adapt to your applications needs over time.
The examples provided, along with the local strategy ( https://github.com/jaredhanson/passport-local ) are enough to get you started with username/password authentication. Let me know if you have any feedback or questions.
I was able to accomplish a REST-only interface to everyauth by overriding its handler methods: https://gist.github.com/2938492