Have done a lot of search and reading over the WEB but could not come to any conclusion yet.
We are planning to develop a list of API's (planning to use ASP.NET WEB API). One of the business goals is to package the API and selling/licensing the Packages/API to end users.
Some thoughts that came to consideration:
Using Authorisation Filters to do check against database, if the user requesting the API has access to it or not. Not very sure of the implementation details yet even on this approach.
Are there any better suggestions or ideas or any open source libraries that we can go with?
What are the possible recommendation or best practices to achieve this.
Thanks in advance.
Please take a look at the following links. Hopefully, they help.
Web API creating API keys
How to secure an ASP.NET Web API
Related
This link https://developers.googleblog.com/2022/03/gis-jsweb-authz-migration.html says
Your full suite of apps and platforms may be using different methods of authentication and authorization from Google. The following are NOT affected by this deprecation announcement:
Android or iOS native app SDKs,
Backend platforms directly calling Google’s OAuth 2.0 or OpenID services.
I'm currently trying to understand our huge legacy code which might be affected by the GIS migration. Currently, we just redirect to https://accounts.google.com/o/oauth2/v2/auth to start the oauth2 process, once the user clicks the "Sign in with google" button. I've seen this link in the example of the old way from the migration document here: https://developers.google.com/identity/oauth2/web/guides/migration-to-gis#oauth-2.0-endpoints however I'm not sure if it is required to migrate to GIS or not.
From what I understand, only the frontend related libraries should be worried, but I'm dumb so maybe I'm misunderstanding. Can anyone help enlighten me?
Thanks.
You do not need to migrate if you are directly making calls to the Google's OAuth 2.0 endpoints.
The guide you reference recommends using the library with the note use the Google Identity Services library to support a less intrusive popup UX mode and to avoid having to manage complex OAuth 2.0 requests and responses. The intent there is to simplify your implementation not to force a migration.
I wanted to know how can I implement the SSO authentication between multiple applications using the SAML in ASP.NET Core?
Is this a safe and secure way to do it?
If you know the information, better free method or how to implement it, write it down.
Thanks in advance.
I don't think free method exists. Unless you want to implement solution from scratch by yourself, which seems to be a lot of work to do.
So, if it's an option you could use some commercial solutions. I have experience working with ComponentSpace.Saml2. Configuration is pretty straightforward - you need to fill and store a bunch of configuration items such as identity providers' params, certificates data, login and logout endpoints. Then controller needs to be built, containing methods for initiating saml request and processing response from identity provider. That's just infratructure level - of course you'll need to implement authentication service to manage SAML response and to decide how it integrates into your app's architecture.
Well, as you can see, the answer is general, so is the question.
Hope this helps. At least to choose right path to go.
I'm working on segregating the authentication part of my ASP.net MVC4 application using DotNetOAuth 2.0, Which will means that one project will do only authentication and send out response,based on response it will have access to other application.
The Idea is to get any application or project added later on use one common authentication process.
First thing came to my mind was building a service, in the process a read a lot about Web API and think it can help to achieve what I'm looking for.
Please suggest if you guys have implemented something like this or whats's the best practice.
Should i go with API or service, any link or sample to direct is appreciated
ASP.NET Web API is also a service - a RESTful service. The choice of using a "Service" although is good your underlying authentication platform will define what you should be using.
WCF is much more than a web service where as a Web API is pure HTTP service.
If you expect all your "applications" to be web based then there is no reason why this cannot be a Web API.
This article might be something that should help you decide on your authentication model: http://www.asp.net/web-api/overview/security/external-authentication-services
Is there a single sign-on solution with completely RESTful API installable on my server? I have looked at OpenAM, which have some of the API available through HTTP/JSON, but not all (and seems too heavy, but if it had all the API, I'd not care).
Do you know of solution for authorization, authentication and identity management that can be used for single sign-on and has all (maybe without setting admin password and such critical issues) its API available though HTTP(S)/JSON?
I have no need for Java API etc., HTTP(S)+CLI for setup is only thing I look for. That is, I doin;t realkly care what the solution is implemented in (no need for Java EE etc.) as far as it does its job and it is secure.
Have you seen Mozilla's new Persona solution built on BrowserID? It does a lot, but it's hard to know if it's sufficient for you without more details about how integrated you need the authorization to be.
You might want to look at Stormpath. They're the largest identify management service (for developers) -- and they are all REST + JSON API backed.
I am using MVC and Nhibernate in my application. How can i improve security of my application using proper authentication and authorization?
Right now i am using asp.net mvc authentication.
The question is frankly too open. "Proper" authentication and authorization depends on what your application is doing and the data it accepts, stores and outputs. For example twitter's authentication strategy is very different to that of your bank's on-line banking service.
There's also more to it than authentication and authorization, there's XSS, CSRF, Cryptography, Information Leaks and more. Start with the OWASP Top 10 and go from there. However this will not show you the code, because you can't be generic about this, it always needs tailored to the application being secured.
I would suggest you to scan your site for vulnerabilities using some of these great solutions.
Personally, i find this extremely useful.