Adfs 2.0 - . Net 4.0 application query params - adfs2.0

I have a .net 4.0 MVC 4 application that is federated to an ADFS 2.0 server. I set this up using the "add STS reference" option.
Now every time I hit a controller with the [authorize] attribute on it, it takes me to the adfs sign in page (the first time). My questions are
How do I tag on extra query params for adfs from my application
How do I read these query params in adfs so I can style the forms sign in page according to the relying party it's being called from.
I hope this makes sense. If not please let me know so I can explain better

Answer for 2: You can request the Server.RawUrl and extract the "returnUrl" (where the browser is redirected after login) or the RelyingParty from it. Based on the values in the URL you can do your magic....

Related

How to obtain basic authentication username/password in Controller for .NET Web API 2.0

I've read through the documents on how to create a Basic Authentication filter for the Web API 2.0, and it doesn't seem too bad. However..
The issue I have is that I also need the username and password information within the Controller itself (on a POST / PUT / DELETE) to be able to pass through to a 3rd party .NET API for authentication/authorization of an action taken by the Controller.
Is there a 'proper way' to do this?
I can see that the RequestContext (in the Controller) includes info on the Principal. But this only seems to go so far as the Name... so it doesn't have the password that I'd need to pass through to the 3rd party interface.
Basic authentications converts username:password into base64, so all you need is to extract Authorization header and decode it's value:
AuthenticationHeaderValue authenticationHeaderValue = Request.Headers.Authorization;
var userNamePasswordString = Encoding.UTF8.GetString(Convert.FromBase64String(authenticationHeaderValue.Parameter));
//username:password

ADFS 2.0 - How to know on the STS which RP sent you there

We are trying to configure and develop a solution to properly brand the login site accordingly to where the user is coming from. The users are coming from relying parties, but they all use the same login site (STS).
Is there any way I can set a property from the RP that will be accessible from the STS? The wtrealm property is changed once it passes through the ADFS webservice. The RU parameter of the wctx is relative to the site it is redirected to, so it wont help.
I just need the STS to be aware of where the user is coming from, that way I add the necessary style sheets necessary.
Ended up baking an additional parameter into the query string via the ADFS webservice. Just edited the global.asax file and added the necessary parameter from there, then told the STS to pick up on this variable.

How to authentificate on SoundClound using OAuth 2.0 without using redirect uri on a desktop application?

I would like to develop a desktop application.
Sadly I got stuck at login. I want to use a web view which be SoundClound login end point.
https://soundcloud.com/connect?client_id=my_client_id&response_type=token_and_code&scope=non-expiring
Using the above I received error : "invalid_client: The configured redirect_uri of the client application is invalid."
Would be nice if API would tell you which parameters are required and which are optional. As I read about OAuth 2.0, redirect uri is optional. This caused me confusion when received this error. I also tried curl version, same kind of error.
If I tried to add a random redirect_uri won't pass either. (I'm aware this is about security.)
I found this answer, but I doesn't work and I think is error-prone: it requires 2 text fields and you're asking the user to provide their credentials (then you're able to do what you want with them...)
Soundcloud API authentication without a web browser
I would like to do the flow this way:
Open a web view with SoundCloud login end point.
User is providing his credentials to SoundCloud Server.
SoundCloud Server is sending me a token.
Something similar to OAuth 1.0.
Is possible or is there something similar to achieve my goal?
After another few hours of research and keep trying to login I figured it out.
It works with redirect_uri after I did the setup for it on page "Your apps" on SoundCloud.

ASP.NET Identity using WebApi & External Login

Once again I am stuck! I am trying to implement a secure WebApi service with ASP.NET Identity using Individual Account. The WebApi service will be consumed by a mobile app developed with phonegap. My phonegap app uses facebook and twitter for login and I have implemented that on the client perfectly.
I have created a SPA project form the visual studio template and I have tested the login process monitoring the HTTP requests with fiddler and chrome dev tools. I have tried the following requests using postman
GET: http://localhost:49577/api/Account/ExternalLogins?returnUrl=/&generateState=true
RESPONSE:
[{
"Name": "Facebook",
"Url": "/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49577%2F&state=jpePf27F3ufkCCEldFdoOVMEGBGTEO1CrRdUQ3bHEP01",
"State": "jpePf27F3ufkCCEldFdoOVHSGBGTEO1CrRdUQ3bHEP01"
}]
and then I call
GET: http://localhost:49577/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49577%2F&state=jpePf27F3ufkCCEldFdoOVMEGBGTEO1CrRdUQ3bHEP01
which calls GetExternalLogin method of AccountsController. This then returns an instance of ChallengeResult when the user isn't authenticated.
This is where I an stuck.
Q1: ChallengeResult forces a 301 redirect to facebook login page with some querystring parameters. I don't want this, I want it to give me the parameters but let me handle the logging in my ajax request. I have tried commenting out this line of code
Request.GetOwinContext().Authentication.Challenge(LoginProvider);
but I end up getting a 401 with nothing else, how can I control what the response from ChallegeResult?
Q2. Also, I cannot quite figure out what next from here, after I get an access token from facebook, what webapi end point should I call for instance if I have already obtained the access token, what should I be passing to it?
I have googled all day but I cannot find anything that answers my question. Any help would be appreciated.
Thanks
UPDATE:
Regarding Q2; I have figured out the next step and that's
GET: http://localhost:49164/signin-facebook?code=...&state=...
This returns another 302 which redirects to
http://localhost:49164/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A49164%2F&state=7oGPd37EA-nmtXPtYEQ40qnretDeKjbPEM1gNkb2DuM1
which in turn returns another 302 which then redirects to
http://localhost:49164/#access_token=...
So how do I handle all there redirects from a mobile non browser client?
UPDATE
I am trying to find the controller action that handles
http://localhost:49164/signin-facebook?code=...&state=...
Can anyone help?
UPDATE
I have since posting this question learned alot about the facebool login flow, which maybe I should have done before!
I still have one question but I have created a different question for that here to keep down the clutter
The answer to this question is a very detailed one. So to make it easier, I am going to point you to a sample which shows you how you can have a SPA app and connect different clients (phone, tablets etc) and login with Social logins such as Facebook etc
https://aspnet.codeplex.com/SourceControl/latest#Samples/WebApi/Todo/ReadMe.txt

How to test Basic Authentication in an MVC.NET application using a browser

I am trying to setup basic auth on my mvc.net web application. I configured my controller using this example: asp mvc 3 ActionFilter for basic authentication
I set a breakpoint where it checks for the Authorization Header, however the header is not present in the HttpRequest. I am accessing the site like this:
http://user1:pass1#localhost/{AppName}/Client/Authorize
If I remove the [BasicAuthorization] attribute from my controller, I am able to access the page.
I am debugging this using IIS 7.0 on a Windows 7 machine.
I think it might have something to do with default authorization settings in IIS. When I throw a HttpUnauthorizedResult() exception, a username/password box pops up in Chrome... I'm not sure how to tell IIS to use my custom code to authenticate the user.
This application won't be accessible by a human user, so the username/password needs to be passed in in the URL like shown above.
I had also found this post: No browser is sending Authorization info in header. I tried sending the request twice after IIS sends the UnauthorizedRequest to the browser, but that's when the username/password dialog pops up. I'm also not sure how to test using that Curl command... Is that through CMD?
I found this post here: SimpleMembership in MVC4 app + WebApi using basic HTTP auth
I was able to refer to the test page used on this tutorial: http://kevin-junghans.blogspot.ca/2013/02/mixing-forms-authentication-basic.html to setup a simple testing page to test that basic authentication was working properly.
I'm not entirely sure on the reason, but I believe that the browser doesn't automatically add an authentication header to the HttpRequest when you try sending the credentials like so:
http://user1:pass1#localhost/{AppName}/Client/Authorize
It must have something to do with the browser requiring a 401 response from the server first before sending the authentication header. I just couldn't figure out how to do it. If anyone knows how to configure IIS/browser properly so you can easily test basic authentication using the above URL format, please let me know.