I'm designing a solution that involves ASP.NET Web API as the service layer plus clients for web, iOS and Android.
Web users should be able to log into the web site and do their stuff. I'm using Forms Authentication for this scenario.
Mobile users should use the REST API and I believe we need a different authentication mechanism here.
Assuming that a given ASP.NET MVC application can support only 1 authentication mode, do I need to create 2 separate applications, one as the web client with Forms Authentication, and one as the API, and host them separately?
Any advice would be appreciated.
You could do basic authentication for the service clients and combine that with your existing forms auth
http://leastprivilege.com/2012/10/23/mixing-mvc-forms-authentication-and-web-api-basic-authentication/
Related
I am developing ASP.Net Core App with Backend For Frontend pattern using Ocelot. For now there will be a single API service but in the future I might migrate to microservices. Let's say it will be an e-commerce system where I will create different web apps for customers and for employees. I may also have Mobile app for customers.
From my research I know that should have my main API, then two API Gateways and two client (angular) apps. There also needs to be separate IdentityServer app.
So my question is - is there a way to configure the IdentityServer and gateways in such a way, that when I log in app for employees I won't be authenticated in customer app? I cannot understand if it should be possible with right configuration of scopes, claims or audiences. I saw many examples where that properties were set completely differently. I can prevent user from accesing some endpoints with the use of Roles but I think that it's not the right way to do this.
Or maybe since IdentityServer has built in SSO I should not use it and move to different authentication provider?
You should let the authorization sub-system in ASP.NET Core decide if the user is allowed or not, typically based on the claims in the access token.
You need to understand that you handle authentication and authorization separately in ASP.NET Core as the picture from one of my training classes show:
For more details:
Introduction to authorization in ASP.NET Core
Policy-based authorization in ASP.NET Core
Claims-based authorization in ASP.NET Core
There seem to be plenty of tutorials on how to use third-party authentication providers for Blazor WebAssembly, but there doesn't seem to be a documented process for using Windows Authentication (on-site Active Directory domain) from an ASP.NET Core hosted server.
Is this actually possible? I would like the Core server to authenticate the user with the roles and policies, and for this information to be accessible from the WebAssembly client also. I understand that the Client can only use authentication to show/hide UI elements, and that any actual securing should be done on the Server, but is there a way to access the Windows authentication/authorization from both sides of the application?
I need to create an application (Mobile) and a Web application. It needs to use the same database so the same user authentication is required.
Can anyone give me such a demo or an idea where to begin.
I have looked into identity but I see that it is not compatible with Xamarin.
Expected result would be a cross platform login provider
my recommendation is to create one web service that can connect to the db and your mobile app and web app make http get/post calls to the web service. This also means you get to keep db logic in one place instead of duplicated across the applications.
The web app and mobile app should get some kind of authorization token (such as bearer) from the webservice to ensure no ones else is hitting the api.
I've seen that Azure App Service mobile apps can implement authentication for multiple identity providers via a single client SDK. If an app hosted on Azure App Service is using ASP.NET Core in the cloud, though, can its UWP or Windows Store client app also benefit from multiple identity providers via a single client SDK?
If yes, then how does that work? Does it use the same mobile client SDK?
If no, then how would I authenticate such a mobile client? Will I have to use individual provider SDKs?
I know ASP.NET Core is still prerelease, but I'm wondering:
What multi-provider authentication functionality is available from a mobile client now?
What such functionality is planned to be available when ASP.NET Core 1.0 is finally released?
What such functionality will likely be on the roadmap for the future?
Azure App Service provides authentication as a service. In other words, the client authenticates to the service, and the service passes on the authentication to you.
Underneath, the app service passes a number of authentication related app settings within environment variables that you can read via the normal method. The original JWT is also passed in via the X-ZUMO-AUTH header.
For your clients, probably the best way is to use the Azure Mobile Apps client SDKs - there are clients for .NET (Xamarin, UWP), JavaScript, iOS and Android. You don't need the data access functionality - just the client creation and login / loginAsync method calls.
For your server, take a look at the Authentication Overview for more information. You may also want to read some of the info in Chris Gillums blog for more technically details.
I have an issue that I am seriously struggling with.
I have a website, and a separate WebAPI which I want to be able to authenticate against each other. I was thinking that forms authentication would be best here. However, on my website, how do I go about calling the forms authenticated webAPI via a jQuery AJAX call?
Does anyone have any links or suggestions?
There is a discussion in this blog post on mixing forms authentication and basic authentication in Web API. You may be able to leverage some the principles in this article although it was tested with the Web API's residing on the same server as the web application.
If you keep the Web API and web application on separate servers your web application will run into cross domain issues and will have to support JSONP in your Web API. A possible work around for your website is to create a Web API locally on your web server which is just a facade to the Web API on the remote server. You incorporate the standard security methods on the local Web API, using AuthorizeAttribute, which in turn just calls your the Web API on the remote server. You can incorporate whatever security method you want to have for external users on the remote Web API.