I am exposing a WCF Data Services hosted on IIS through Service Bus Relay using webHttpRelayBinding. While I could find out how to authenticate the service identity using username/password or shared secret. However, I could not find a sample how to use a certificate based credential for the service identity. I googled a lot, but in vain. All of them are based on shared secret primarily.
Could anyone please provide a sample on how to use the certificate based authentication of service identity for a REST OData service.
Currently, there are four options for authentication (according to the Service Bus docs):
•SharedSecret, a slightly more complex but easy-to-use form of
username/password authentication.
•Saml, which can be used to interact with SAML 2.0 authentication
systems.
•SimpleWebToken, which uses the OAuth Web Resource Authorization
Protocol (WRAP)and Simple Web Tokens (SWT).
•Unauthenticated, which enables interaction with the service endpoint
without any authentication behavior.
It does not look like you are able to authenticate using a certificate through Service Bus natively.
Related
Intro:
Microsoft Authentication Library (MSAL) provides an identity server and management services to issue, cache and validate access and id tokens for a range of types of applications using OAuth2.0 and OpenIdConnect protocol.
The problem:
Our requirement is to use OAuth2.0 and OpenIdConnect protocols and an open-source identity server platform to issue and handle access and id tokens "offline" because the system (.NET Core webapp with angular) is often deployed on-premises in internal networks and doesn't have access to the internet. I tried to use MSAL but it always gets to the point where in production it needs the client & tenant id of AzureAD registered app.
Anyone knows a way to get around that? Or knows another library that meets the requirements?
Side notes:
Duende Identity Server4 is unfortunately not an option for us due to a collision with their new policy that will apply dec22.
Okta and similar are paid and are out of the scope.
Can someone tell me if it's possible with the "Microsoft.Identity.Client" to do OpenIdConnect and get an access token which doesn't come from Microsoft/Azure but from another Identity Provider.
Thanks in advance.
Can someone tell me if it's possible with the "Microsoft.Identity.Client" to do OpenIdConnect and get an access token which doesn't come from Microsoft/Azure but from another Identity Provider
No, it's not possible to get an access token from third party identity provider if you are using Microsoft.Identity.Client with OpenIdConnect.
As per documentation:
With OIDC, this flow does authentication and authorization for most app types. These types include single page apps, web apps, and natively installed apps. The flow enables apps to securely acquire an access_token that can be used to access resources secured by the Microsoft identity platform.
All confidential clients have a choice of using client secrets or certificate credentials. Symmetric shared secrets are generated by the Microsoft identity platform.
You can refer to Microsoft identity platform and OpenID Connect protocol, Validating access tokens and Request an access token with a client_secret
I have an ASP.NET Web API with no user authentication serving two client apps.
The only reason this has been fine is because the API is not open to the public but only accessible to the IP addresses of those two apps.
Now there's a plan to open up the API to the internet. This means I need to secure it properly. Looks like OAuth2 and OpenID Connect are the way to go.
The problem is the client apps are authenticating against different identity providers, one is using Azure AD, the other using Azure AD B2C from a different directory.
Can this work with OAuth2?
Yes, have a look at this API sample which accepts AAD and AAD B2C tokens.
https://github.com/azure-ad-b2c/apps/tree/master/apps/spa-hellojs/source-code/.Net-Core-API-RBAC
I am looking at Windows Azure ACS as an alternative to implementing my own username / password scheme in my app. This will be a publicly available website.
In addition to using SSO providers such as Google or Facebook, can I use Windows Azure ACS to support username/password authentication?
I see that it supports Active Directory as a provider. I am not sure this is the right thing as I have always thought of Active Directory as an "enterprise" provider.
Windows Azure ACS does not support username/password authentication in the form you need. Shahin outlined it in details.
Your options really are:
Windows Azure Active Directory (WAAD)
Identity Server (IdSVR)
While classic on-premises Active Directory deployed with a Domain Controller option is indeed quite enterprisy, WAAD is not exact copy of the same in the Cloud. I would actually recommend that you give a shot and try out. Using the WAAD Graph API you can fully automate user management in WAAD.
Your second option is based on IdSVR. This is full-featured Identity Server and Security Token Service. It is developed against the best practices in security and is quite easily extensible! While it does not provide out of the box support for user management (user registration, password reset, etc.) it is ASP.NET MVC 4 application. So you can very easily add this features yourself. There actually is an open enhancement planned for User Management API and UI.
Both WAAD and IdSVR integrate well with ACS, so you can provide seamless support for social identities along with own login.
Another service that is still in Beta/Preview is the SocialSTS project. It is kind of extension to Azure ACS and is designed to help you add more identity providers (such as LinkedIn, Twitter, GitHUB, Amazon Login, etc) to your Access Control Service.
You can authenticate directly with the ACS by using Service Identities, but they are not intended to be used for end-user authentication, as the page explains:
Service identities are not intended to be used as end-user credentials. In ACS, service identities are most commonly used in REST web service scenarios, over the OAuth WRAP protocol, where a client requests a SWT token directly from ACS to present to the web service.
I believe this is the only way to directly get a token from the ACS.
I know this question seems similar to other son here, but I have tried the answers posted Here: Securing WCF 4.5 service using Azure ACS 2.0
And Here: Federated authentication (single-sign-on) for a WCF REST/HTML-service on Azure
Ans neither seem to be relevant.
Here is what I have so far.
An azure cloud service with various worker roles, and a WCF web role with REST and SOAP Endpoints
An azure active directory account with a couple users
ACS namespace.
The WCF service will be used by a couple different companies but other than that closed off. We chose azure active directory to provide SSO for the wcf service and other apps.
Here is what I want to do:
Create users/passwords for each company using the WCF service in
Azure Active Directory.
Allow only companies with a valid username and password pair to obtain an access token
Have each company use their token to access the WCF methods.
I didn't think this would be that hard to accomplish, but all the tutorials out there seem to be for IIS hosted or self hosted services with a console application.
What I have done so far:
Added the WCF service as an integrated app in azure active directory
Created a new identity provider named testAAD in ACS and added the WS-Federation metadata from the integrated app to that provider
Added a relying party application that uses the newly created testAAD identity provider
Added a rule group with a pass-through rule that uses the testAAD Identity Provider and the default settings.
See option 1 here for more details.
I need to know if what I did was anywhere close to correct, and if it was, how do I get the WCFservice to start using those settings.
Other Info:
WIF 4.5
VS2012 Pro
C#
Any relevant tutorial links or general advice would be great. Thanks in advance.
Update:
Just to add more info, the WCF service is being posted to by a number of different websites. Each of our customers will collect data from their own web forms, and then either add a service reference using c# code, or post the data to a url via something like curl if they are using php. The Service has both rest and soap endpoints. So for example, they would send an XML or SOAP request to mynamespace.cloudapp.net/myservice.svc/servicemethod. I am either looking to have them send their username and password with that request and validate those credentials in the actual WCF Method, or have them request an authentication token, and then send that authentication token with their request.
Update 2
I think I found the missing piece. In order to use active directory as an identity provider, it looks like I need to set up an ADFS server. I had thought that the ADFS server was set up already with the azure active directory account, but apparently thats not the case? Is there any way to do this without an ADFS server?
The main question you haven't covered is how will these companies use that WCF service?. Via your web portal, or via rich client (such as WinForms / WPF)?
If it is rich client, you can take a look at this blog post? It shows you how to secure WCF service with token and access that service from a WPF application.
If you plan to only allow access to the WCF service via your web portal, then picture is a bit different. You can first protect your portal by Azure AD and get user's token. Then use that token to authenticate against the WCF.
But in a truly web scenario, the client that will make calls to the service is actually your web server. If this is the case, I will just protect my web portal with Azure AD. Then protect my WCF with a single access token. I can get that token from a Service Identity in my Azure AD Access Control. And provide this "Service Token" as part of each WCF call from my web server. For added audit (and compliance) I will also send the original user token, to keep track of who accessed what and when.