I've been searching high and low for an example of using an Azure API App with authentication with a javascript client. Specifically I am interested in how something like an Angularjs app can authenticate with an Azure API app.
The closest I've got is this example http://azure.microsoft.com/en-us/documentation/articles/app-service-api-javascript-client/
but unfortunately this does not use authentication.
Given many users with be using SPA applications with Azure API Apps I would think there will be a lot of demand for this.
Does anyone have any pointers?
http://azure.microsoft.com/en-us/documentation/articles/app-service-api-dotnet-consume/#authenticated-call-from-a-windows-desktop-application shows how to authenticate for scenarios where we don't yet have an SDK. You should be able to follow the same steps from a JavaScript client. Hope that helps!
Thanks,
Mohit
Related
I'm trying to configure a SAML Authentication with Azure in a Flask web service.
Is the first time I'm doing this and I'm bit lost.
I'm trying to use the 'SAML_METADA_URL' provided in AZURE but I don't know what to configure in python side.
In Azure seems to be all setup, the app was added, have the client ID and CLIENT SECRET, ETC.
Anyone knows a good and specific tutorial for this?
Thanks in advance
You can refer to the SAML-enabled Python application guide, which explains how to use PySAML2 to add Okta support (via SAML) to an application written in Python, And refer to the steps for implementing a SAML SP in Python/Flask.
In addition, OneLogin also provides a SAML Python toolkit, I believe it will also be helpful to you here.
I am trying to login clients using their email and password through Auth0 with a Node.js backend on the Azure app service and a Xamarin.Forms client. The problem is that I can't create a custom authentication on Node.js since the tutorial I was following used a .NET backend. I also followed this tutorial for Node.js backend both by the awesome Adrian Hall, but it seems to override the already exisiting Facebook login system, and I can't find enough material on that problem. Is there any other tutorial on doing that or am I getting something wrong?
You are doing something wrong. You can use Auth0 with no problems - Auth0 will be used for all the providers, and their client SDKs will allow you to choose Facebook, Google, Username/Password or anything else you need.
The mechanism for the process is as documented - I think you just need to re-read the blog post and understand the transaction - you use the Auth0 libraries to get the Auth0 token, then submit your Auth0 token to your custom login API (/.auth/login/custom) to mint an App Service token that is used by the Azure Mobile Apps client SDK.
I would like to develop a system that can help any developer to create an application based to my API.
My problem is authentication.
I have see (for example) as work google with your services; I would like create an system of oauth (private) such as google (concept) that an developer, after sign to my portal, get APP ID and APP SECRET.
When developer self create these credentials, can use for call API based to https.
My API are developed by nodejs and express system.
I say which way is more stable for create an system robust for this scenario.
Thanks for any support. Any idea is appreciate
You can try http://passportjs.org/, it can work as a middleware with express.
I'm currently developing a Xamarin.Forms Mobile Application.
I use Azure with Azure Mobile App Backend to store my data.
For example when a user sign in, i would like to be able to send different error messages on the same method. For example if the username is not found, or if the username is found but doesn't match the password.
I also would like to send those message on the culture used by the client application. How can i achieve that ?
Thank you,
Best regards,
Guillaume
Regardless of whether your consuming an Azure service or not you can consume resources for internationalization.
There is an article here that goes into some depth of how to do this that will be of use to you.
At the moment we are building a web shop as a SPA application. All the SKU information is provided by a Web Api 2 service.
Of course the web shop is publicly available to every visitor, and currently there is only one user who can log in to manage the web shop: the administrator.
For the administrator we built in the basic authentication with the bearer token, as a lot of samples on the internet shows us, but now we need every user to log in before they can see any product. Not really what we have in mind for a web shop ;-)
What we would like to implement is that our Web Api is not available to the world but only for our SPA application. Every blog post or tutorial on authorization seems to assume that there is always a user that needs to log in, in our case there is only one user: the administrator.
The AllowAnonymous attribute makes specific API calls available to the world again, so that's also a dead end.
Basically it comes down to preventing any other apps (web or mobile) to fetch the data from our Web Api.
What would be the best and most secure approach to secure our Web Api without having the anonymous visitors of our web shop to log in?
Solution for now: Altough I'm not 100% happy with this solution, it will work for now. We implemented the OAuth Implicit flow with CORS enabled for specific domain.
You should take a look at the OAuth 2.0 client credentials flow. The client in OAuth speak is the application and not the user using the application. This way you can make sure only your SPA app can access the backend API.
The parts that only should allow access to the administrator, you can decorate with the [Authorize(roles = administrator)] attribute, which prevents any other roles from having access.
I think Json Web Token could help you with this. This article has more information about using Json Web Token for granular authorization of your web api.
OAuth 2.0 is inherently insecure, and solely relies upon SSL. It has no encryption, and most of the latest web api gurus are suggesting that it's dead. This again is relative to what you need the security for. If it's for a social SPA where the data isn't financial or medical, for example, and good enough SSL security is ok, then perhaps OpenID or OAuth2 is suitable.
A much better solution is to implement Identity 2.0 for the Web API authentication flow, and then utilize something like Hawk Protocol for HTTP MAC implementation. Check this out : https://github.com/webapibook/hawknet for an example.
For OAuth2 framework and a extensible solution, check out Thinktecture.IdentityServer3 on GitHub
For a lightweight .net 4.5 Web API Tokenization solution, check out Thinktecture.IdentityServer2 on GitHub.
Hope it helps.