Microsoft Account Authentication on Azure websites - authentication

I have a C# MVC5 website on Azure in which I'm trying to add a variety of identity providers (e.g. Google, Twitter, Facebook, Microsoft).
Having followed a simple guide on the asp.net site on adding Microsoft Live as an authentication option, I'm finding that when I try to authenticate with a Live account, I'm always bounced to my login page. My site users should instead be directed to the "Register" (MYSITE.azurewebsites.net/Account/Register) page upon first successful authentication from a new provider, or to the home page as an authenticated user if previously registered. However, I seem to always be sent to the login page.
I'm not encountering any authentication errors from the Live provider - username and password are being accepted and the provider does seem to be redirecting as if an authentication was successful.
I haven't encountered this problem when integrating with Facebook, Google or Twitter.
In the Live Connect Developer Center, where my authentication app is configured, I'm required to provide a "redirect domain":
You only need to enter the domain, for example http://www.contoso.com
For this I've entered the URL for my Azure site http://MYSITE.azurewebsites.net
The field doesn't appear to acknowledge any routes such as /Account/Something/ on the end of the URL, but I'm not clear that it should need to.
Does anyone know if I require some additional configuration in my site to work with Microsoft Live or is there some restriction on using the Live provider on free Azure sites?

I've fixed this. Unfortunately it transpired that I was missing a preceding hyphen character from my clientSecret which I had specified in my StartUp.Auth.cs
I'm surprised an error wasn't thrown to say that the client secret was invalid, as I was going on the assumption that any incorrect clientId or clientSecret values would have rejected my request when clicking the 'login with Microsoft' button.

Related

Is it possible to authenticate a user using google identity without provider's sign in page

Background
I have a web application "APP1" (front-end: Vue.js & Back end:Azure function) deployed in azure app service. I have implemented client directed sign in (easy auth using this), after that I can authenticate user using provider's sign in page [both AAD & google].
Target
I have another web application "APP2" deployed in on-primes server. I want to redirect to APP1 from "APP2" and automatically sign in without provider's sign in page. I will read credentials from environment variable.
Tried solutions
I have found a similar issue here, however I am unable to use the solution because the DB between AAP1 and AAP2 can't be shared
I have also checked the google identity providers documentation, however I am unable to find how to programmatically sign in without provider's sign in page
Question
Is it possible to programmatically sign in to google identity to get token without provider's sign in page
The whole point of google identity is to prove the identity of the person behind the machine.
OpenID Connect is an open standard that companies use to authenticate (signin) users. IdPs use this so that users can sign in to the IdP, and then access other websites and apps without having to log in or share their sign-in information. (id_token)
OAuth 2.0. This standard provides secure delegated access. This means an application created by a developer, can take actions or access resources from a server on behalf of the user, without them having to share their credentials (login and password). It does this by allowing the identity provider (IdP) to issue tokens to third-party applications with the user’s approval. (access_token, refresh_token)

Identity Provider-Initiated Single Sign-On - get user informaion

I have a web application. Currently we have a portal that authenticates the user and then redirects to our webpage. I know the issues with identity provider initiated single sign on, however this is the path the site owner wishes to go.
The site is successfully authenticating the user, and redirecting to my ASP.net core application. However I cannot seem to get any of the authentication data. I have checked contacts.user.claims as well as security principal all appear to be null. I do know sample information is being returned in the request by using the Google tool saml tracer.
I am looking for any samples retrieving the sample information from my application after it has been redirected from a identity provider.
In the end I am trying to get the userid once the identity provider sent to me.
Thank you for any assistance or suggestions.

Log into my app using WSO2IS login page

I'm working with WSO2 Identity Server 5.3.0 (it's installed on a VM in a server).
So, I would access to my application using WSO2IS login page.
I've already set the Service Provider by Management Console.
I've not set the IdP because I've thought that must be the Resident one.
It's enought like thta? Should I modify some files?
I cannot find the related page on the Documentation.
Hope to be clear.
After doing all, the /authenticationendpoint/login.do doesn't returns the possibility to introduce username and password.
Edit:
#Bee I add here the screenshot
and this is my url:
http://myurl:9763/authenticationendpoint/login.do?response_type=code&scope=openid&client_id=my_clientID&redirect_uri=/myuri/
Here you have multiple options. You can use either basic auth, OpenID Connect, SAML SSO, Federated authentication etc to authenticate to your app. Some useful links are below.
https://docs.wso2.com/display/IS530/Authentication
https://docs.wso2.com/display/IS530/Basic+Client+Profile+with+Playground
https://docs.wso2.com/display/IS530/Writing+a+Web+Service+Client+for+Authentication+and+User+Admin+Services
https://docs.wso2.com/display/IS530/Authenticators+and+Provisioning+Connectors

Is it possible to have SPA authentication without redirecting to an outside login page

I am currently developing an SPA application that connects to a bunch of webAPI's. These API require that the user is logged in, so I started digging into Openid Conect and OAuth2 examples, mostly using IdentityServer.
They all require, for SPA reasons, that the implicit grant should be used for retrieving access_tokens. Token refreshes are handled connecting to authentication server using hidden iframe.
What I understand from this approach o renewing your access_token is that, sessions is maintained at authentication service. Hidden iframe goes to the authentication server, sessions is still active, new access_token is provided.
All that looks good for me, except (for UX reasosn) the fact that my user needs to be redirected to authentication server page for providing credentials.
Isn't it possible to have my SPA application send credentials to authentication server, getting the access_token, and then do the refresh using the hidden iframe for silently renewing (we, obviously dont want the user to keep informing credentials every 15 minutes or every hour..).
If this is not acceptable for security reasons, could you please explain why?
Technically it is possible with "resource owner password flow", but in that model identity provider can not trust your application and will not create a session for your user (to use silent renew later on). Thus such non-interactive approach is not truly SSO. For 2019 the recommended flow for any web app such as Angular SPA is Code flow with PKCE extension, as described here or there.
EDIT:
Editing this answer to correctly reflect the requirement.
If the requirement is not to show authentication server page and use your own SPA, the only possible way to do it is using "Resource owner password flow" with the constraints mentioned in the previous answer
This is discouraged for two reasons:
Security - Will the SPA have the same security controls as the "Authentication server" has in handling passwords of the user. Right from collection to management of the user password (safely securing for future calls ?). This will massively impact the scope of SPA and it is one of the main reasons why people prefer federated logins (outsourcing login complexity to the third party - in your case authentications server)
Trust - How would you convince the user to handout the "authentication server" password to a relatively new SPA app. Imagine if Google / Facebook allows this pattern for a SPA to collect password instead of redirecting to the Google / Facebook login page. This is a recipe for disaster.
This is exactly what oidc-client-js library does. Have a look at automaticSilentRenew settings in their wiki page. Understandably this only works as long as the session at the authentication server is still active.

Authenticating AD user automatically and manually - WebAPI 2 server and SPA client

I'm developing an Enterprise/Internet Application with WebAPI 2 RESTful server and SPA web client (Angular2) —So I have two separated projects created using ASP.NET 4.6 Empty template and both use OWIN and are IIS hosted.
The requirement for Authentication is:
Active Directory user which is logged in to the workstation will authenticated automatically once she opens any page from app in the browser if user id/name found in the database, with no need to enter her user/pass. Let name this as auto-login. Else if it's not found in the DB it will redirected to the login page.
Also there should be a logout option which redirects user to the login page after logging she out.
In the login page any AD user can enter her/his AD user&pass and after successful check against database (existed) and AD (valid credential) she/he will logged in to the system (Obviously it may be different than user currently is logged in to the workstation)
In addition to the web client it will have other clients such mobile apps which will connect and be served by the WebAPI back-end. Users will login there using their AD user & pass too. Let name it manual-login.
According to the REST architecture and having both AD enterprise and internet/mobile users together, the authentication should be token based —this is what I found till now but I'm not sure.
I read about OWIN Authentication architecture and Windows Authentication and I checked MixedAuth, Now I think it is the nearest solution for this requirement as it lets app-defined users to authenticate side by side of windows/AD users. But even after dig into it and its SPA sample I didn't found my way yet and confused.
Anyone can help?
What should I actually do on the WebApi server and SPA Client to accomplish those authentication requirements?
Which middlewares should I add and how should config/manipulate them?
UseCookieAuthentication ?
UseExternalSignInCookie ?
UseOAuthBearerTokens ?
Can I rely just on Bearer tokens (using OAuthBearerTokens MW) and get same token for authenticated windows users to unify authentication model based on bearer tokens? If so, how?
How and where should I put my code for checking that AD user exists in the DB and if not so reject the authentication?
Thanks a lot.