I have implemented web APIs using ado.net and uploaded in hosting, but those web APIs are not secured, anyone can access without login, and now I want to secure them with the role-based authentication how can I secure? I want to do that only a login user can access them.
You can protect your api with token authentication ,In order to acquire a token user would have have to first login in the authentication server ,acquire a token and then call the api.You can assign roles to the user so that the roles are included in token and can be validated when the token validation occurs at api level.
You can use identity server as an identity provider if you dont have a identity provider set up.
Related
The current authorization is implemented as:
The Single Page Application (SPA) developed in react.js, posts username/password from the Login page to Web API and waits for the authentication token.
The Web API doesn't implement a standard identity provider, the username/password is validated from LDAP if the user is valid it creates an encrypted authentication token, saves it in the database, and returns back to SPA.
The SPA once gets the token then moves to the home page and further makes all calls by using the authentication token.
The Web Api validates the token first for each call, if it is valid then proceeds otherwise rejects as an unauthorized user.
All this is working fine but now we have got a requirement where we have to use the Azure Active Directory along with LDAP. Is there any way that the Web API validates the username/password from AAD, and if valid then creates the same token as creating now and returns back to SPA?
Please help me in this scenario.
Thanks.
You got 3 solutions.
OAuth Resource Password Credentials - This solution comes with a lot of limitations, like no support for MFA, and no support for authenticator apps.
Azure Active Directory Domain Services. (Pretty much a managed Active Directory that is a mirror of your Azure AD, and supports LDAP)
The correct solution, using OpenID Connect/SAML/OAuth2
I am using Azure SSO Login to get authenticated to our own application.
Everything works fine except the fact that I would like to have JSON Web Token (JWT) which I could use in order to make some API calls to Microsoft Azure after login.
Azure SSO does not return JWT after login, is there any way to obtain it?
Mirko
Scenarios that you may refer to get idea in addition with #juunas suggestion:
This Microsoft docs tutorial of JavaScript single-page
application (SPA) signs in users and calls Microsoft Graph by using
the authorization code flow with PKCE. The SPA uses the Microsoft
Authentication Library (MSAL) for JavaScript v2.0.
This scenario uses js frontend and php backend with azure ad which might give an idea
Its Flow :
A user accesses front end
If the user is not authenticated, he will be redirected to Azure Active Directory (AAD) to login
AAD will redirect (on success) with an authorization token
We’ll inject this authorization token into the calls made to the backend (to prove your identity)
The backend API will validate the authorization token and verify it against the issuer (AAD)
Protect an API by using OAuth 2.0 with Azure Active Directory> This case registers two apps for azure AD - backend app and front end app ,uses validate-jwt policy to validate the OAuth token
I have 3 applications, one is desktop application and this is my client, second is my Web Api to secure and the last one is api which checks if the user with password exists.
In my case I want to connect this flow with Azure AD.
I think this should work like this:
1.DesktopApplication sending request with clientid,clientsecret, username and password to AZURE
2.Azure sending request with username and password to my api where I can check this user exist if exist I will return "true"(or somthing like this)
3. If api return "true" Azure can return to DesktopApplication token
4. DoesktopApplication will send request ot secure Web Api with token
5.DesktopApplication recive content from secure Web Api
Api in 3 point is not same api in 5 point.
Is it posible to do this flow with Azure AD or not? And if not can I do something with my flow something to secure Web Api by Azure and still store users in my old db(oracle)?
It would be better to use OpenID Connect authentication flows to authenticate the user and acquire a token that way.
The approach you are suggesting has a few downsides:
You are storing a client secret in a desktop application, which can be easily extracted by anyone.
The authentication flow that allows you to do this will not work with users who have MFA enabled / are federated users (on-prem AD/MS account/Guest account) / have expired password.
It trains users to be phished as they really should only enter their password to the actual login page.
So it would be better to use a flow like this:
Your desktop application uses Azure AD Authentication Library (ADAL) or Microsoft Authentication Library (MSAL) to authenticate the user, requesting an access token for your API
Desktop app calls API, API validates token signature, issuer, validity time etc.
It will show the user a pop-up window where they can login, and as a result you'll get an Id token (which tells your desktop app who the user is) and an access token for the API.
I secure my nodeJs API with Azure B2C. I have two web application which accesses my API.
the two Web application has its own application Id in Azure B2C. Also, those can generate access_token with B2C.
But when I validate those access_token in my API I have to put application id of the web application witch generate the access_token as an audience.
But the audience does not support array. I can only put one application id.
How do I solve this?
If I secure an API with B2C I only can make requests from one web application?
The audience (aud) claim for an access token identifies the intended recipient (i.e. the API application) of the access token.
At a high-level, you must:
Register the API application in order for any client application to acquire an access token for use with the API application.
Grant access by one or more client applications to the API application.
Configure the application identifier for the API application as the expected audience for the API middleware.
The Azure AD B2C: Requesting access tokens article describes how a client application can acquire an access token for use with an API application.
I need my mobile application to allow authenticating either to 3rd party vendor (facebook, google, etc) or to my own WS-Federation identity provider (I'm using Thinktecture). Now, when logging in to my own WS-Fed idp I want to authenticate directly and pass the security token to Azure ACS (and not by using a dedicated login page). I need that because I don't want my users to authenticate using my provider by using a dedicated web page (and moving out of the context of the application).
Your help will be appreciated.
From your ACS management portal get list of identity providers of your realm from below link
https://YourNamespace.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?
protocol=wsfederation&
realm=YourAppRealm&
reply_to=YourAppReturnURL&
version=1.0
Now try this:-
HTTP GET on the above identity providers link.
Parse login link of desired identity provider from the json response of above request.
Authenticate user with login link received in last step.
You'll receive your ACS Token
Note:
After step 3 user will be asked to authenticate himself and the identity provider will automatically send the authentication token to ACS, finally ACS will convert that token into new ACS token and return it as in step 4.
In this way you'll by-pass the login page and can grab ACS token in mobile application without moving out of the context of the application.