I'm currently building an auth server using Identity Server 4 with a spa (react) application that authenticates against it. I would now like to also take another application that is in current existence (this is ASP.NET MVC 5, targets .NET 4.5, currently uses ASP.NET Identity 2 management classes for managing users and signout/sign in using cookie authentication) and update it so that it can log in externally with this new auth server (so a user can log in using the existing authentication, but also use this auth server now - so that a user session could be shared between this existing app and this other spa app). The problem is as I understand it, that we need to use PKCE to authenticate with the auth server, but there doesn't appear to be a way to do this with the MVC 5 app - I can install the Microsoft.Owin.Security.OpenIdConnect package, but it doesn't allow for using PKCE since this is a newer thing (apparently if you target .net 4.6.1 there is a way to make that work with that version of the OpenIdConnect package). I can't change our target, it needs to stay .NET 4.5 (to upgrade to 4.6.1 or higher would cause all kinds of problems with the build and current packages, it would be a larger undertaking than my organization is willing to take on at this time). Is there a way that anyone knows of to make this work using an ASP.NET MVC 5 app that targets .NET 4.5 and an auth server that uses Identity Server 4? Would the only way be to use a GrantType.Implcit flow instead of requiring PKCE with a GrantType.Code, and would that even be advised now?
Thanks!
In this case you are dealing with 2 clients, spa app & ASP.NET MVC app, each client can have its own flow (grant type). We can use authorization code flow with PKCE, for the spa app. And Implicit flow for the ASP.NET MVC.
PKCE is suggested for interactive applications:
a front-channel step via the browser where all “interactive” things happen, e.g. login page, consent etc. This step results in an authorization code that represents the outcome of the front-channel operation.
a back-channel step where the authorization code from step 1 gets exchanged with the requested tokens. Confidential clients need to authenticate at this point.
The MVC app you described, is just doing authentication, then no worries it's fine to use implicit.
I have a post for implementing it here
Related
I have a test project based on the .Net 5 ServiceStack mvcidentity sample. For web-based access, the authentication works as expected.
Accessing the API directly from another app for the hello sample works as no authentication is required. However, if I try to connect to one of the API Methods that requires Authentication, I receive an error message that no auth providers are defined.
Based on this sample, what is the correct way to access one of the authentication required methods from an application on another computer, where there would not be a user to login? I presume we would need to add a basic authentication or something similar in the authentication pipeline?
If you're using the mvcidenity project template you're using ASP .NET Core Identity for authentication (as opposed to ServiceStack Auth) which you'll need to use for any authorization, e.g. you can use a IAuthorizationFilter to implement HTTP Basic Auth.
This question surely have been answered before. We need to develop a SSO solution for a client and until they have installed ADFS (which will take some time)...
Our application runs on 4 different applications/ports on the same IIS. We have tried setting authentication mode="Windows" and disabled anonymous access on all applications but receive a 401 unauthorized when the front end (port X) calls one of the backend Web apis (port Y,Z..). The problem is that the authentication is only valid for the first application (front end).
Can we pass the authentication on in some way? I've read about Intranet Zones, etc. but am struggeling a bit as to how this can be done
I've run into this problem myself and found the answer the article titled Forms Authentication Across Applications on MSDN
Relevant Sections Below:
To configure forms authentication across applications, you set attributes of the forms and machineKey sections of the Web.config file
to the same values for all applications that are participating in
shared forms authentication.
Applications that run ASP.NET version 2.0 or later can share forms
authentication ticket information with earlier versions of ASP.NET if
you include decryption="3DES" in the machineKey element for each
ASP.NET version 2.0 (or later) application.
Within our organization, our applications are registered as RP’s to our organizational ADFS server, which is v2. Traditionally, apps in the org have been built as single, monolithic apps using WS-Federation (passive authentication). Web API’s, also hosted within each app, are secured simply by the fact that the same FedAuth cookie is being sent over the wire when making the ajax calls from the app’s client-side code in the browser.
We are moving towards building a set of backend Web API’s, which we want to secure so that these are callable by any client, not just a web browser and not just by the hosting application itself. As such, we want to move towards using JWT tokens for these Web API’s. We've also started using ThinkTecture's IdentityServer (v2) to help in this regard.
We have just a few questions which I'm hoping the community can help provide us with some answers/pointers:
How should we configure IdentityServer and apps so that the apps use
the existing organizational ADFS login page?
How can we configure/integrate ThinkTecture IdentityServer v2 with
the organizational ADFS so that our API's can be secured using JWT
tokens but without forcing the user to provide their credentials
again (once they have a SAML token via WS-Federation)?
Are there any features in IdentityServer v3 which are compelling
enough to upgrade from IdentityServer v2 to v3?
1 & 2 - You might want to check out how to establish Relying Parties. Here's a whole article from BrockAllen (the genius behind IdentityServer) that walks you through the ADFS/IdentityServer2 integration.
http://brockallen.com/2013/04/14/getting-json-web-tokens-jwts-from-adfs-via-thinktecture-identityservers-adfs-integration/
3 - As far as I know, IdentityServer3 (IS3) was written to support newer authorization frameworks OpenID for the modern stack better than IS2 (which doesn't support OpenID). Either is fine for use. I personally started with IS3, mainly because of the support and documentation involved. It also integrates very well with OWIN/Katana, so it can self host reasonably well with no hiccups during implementation and deployment. One advantage IS2 has over IS3 is that IS2 has an admin UI you can use configure and register sites, IS3 doesn't. More info about this along with the thought process behind IS3 can be found here:
http://leastprivilege.com/2015/01/25/identityserver3-1-0-0/
We are building an application with following attributes:
Consists of a web app, a web API, and mobile apps in future
The web app will contain HTML pages (multiple features that behave
like single pages applications)
The web app will talk to the web API (communicates in JSON, using
JQuery AJAX Calls)
The web app + web API do not follow the standard MVC architecture
Need to support SSO (will be using client Identity Provider) and
forms authentication
mobile will be consuming the same web API
My question is around what approach we should follow for securing the application. Two of the approaches that we are contemplating on are:
Securing the web API only: the web app is purely HTML and all the
data (that needs security) will come from the web API
For this, we thought of using OAuth for securing the web API
Both, the web app and the mobile app will first perform
authentication, generate an access token (follow the OAuth flow)
Securing the web app using forms authentication/SSO, and using HMAC
authentication for authenticating the API consumer (web/mobile app)
This delegates the user authentication to the consumers (web and
mobile app)
The API consumers will use HMAC for authenticating themselves
How can we pass the authenticated user details to the web API? Don’t
want to pass it as a parameter in API calls
Or is there any other approach that is better than the ones we evaluated above? Has anyone handled a similar situation where an HTML web app uses a Web API, and authentication happens using SSO + Forms/custom authentication?
If you have any comments agreeing/disagreeing the two approaches, that would be welcome as well.
We understand that the web app cannot be purely HTML, and some of the SSO authentication part will have to be handled on the server side and that is ok. But the core application will be HTML + Web API.
Here is some additional information related to this:
- Using ASP.Net with Framework 4.0 (with VS2010 IDE)
- Using Web API 1, but open to switch to Web API 2
You may benefit from building an external authentication/authorization identity management component in your architecture. Your current use cases can probably be covered by the tools that come with ASP.NET, but the architecture will be hard to extend as you start adding different types of clients and SSO scenarios. Look at this and this articles for a more detailed explanation.
Azure ID and Access management offering can be a good option. If you don't want to use the cloud, there are some third party and open source identity servers available.
Here is a good free book to help you understand federated identity concepts in the context of Microsoft technologies.
What is the simplest security that could be applied in ASP.NET Web API in MVC 4 to prevent external users from accessing the Web service , is there anything simple enough like authorization of some token which could be maintained for each instance?
It depends, a Http Web API is stateless by nature. If you are invoking the Web API from a web browser using Ajax, you might rely on cookies for maintaining the user identity in the session. Otherwise, other traditional HTTP authentication mechanisms like basic authentication requires the user credentials in every call. You might want to take at the Thinktecture.IdentityModel library, which provides a lot of extensibility points for authentication.
http://leastprivilege.com/2012/10/23/mixing-mvc-forms-authentication-and-web-api-basic-authentication/
Regarding authorization. The framework already ships with a few attributes like AllowAnonymousAttribute or AuthorizeAttribute that you can use to decorate the Web Api methods.
Better you could have search about Authorization in MVC. Yes it does support it. Please check the below links which could be helpful.
Secure MVC 4
Redirect unauthorized Users
Custom Authorize