I need to connect servicestack to ADFS, as well as the usual social id providers. I know there are apps that could do this for me, authbridge, thinktecture, etc, but would really like to have everything within one app.
Is anybody working on adding a WIF authentication provider to servicestack?
ServiceStack hasn't added any specific support for WIF, but it looks like it maybe provided by a 3rd Party (Auth10) in their ServiceStack Auth NuGet package:
https://nuget.org/packages/Auth10.ServiceStack
Related
I'm testing out ServiceStack to see how much faster the development is with this product rather than with Asp.Net Core's Web API or similar products.
I have successfully set up Service Stack with my own configuration of IdentityServer4 and everything runs fine.
My confusion is whether working with IdentityServer4 means I am required to now maintain a Web Api project along with ServiceStack? What's the reason the API is there?
I can see that I can make direct calls to the endpoints (requiring Authentication, roles, etc.) and that works in conjunction with IdentityServer4.
Would love some insight on why the Web Api project is needed and whether I can just completely get rid of it, as I was under the impression ServiceStack was a replacement for WCF/Web Api?
ServiceStack's mvcidentityserver project template that's used in the documentation of ServiceStack's integration with IdentityServer4 was an enhanced version of Identity Server's "OpenID Connect Hybrid Flow Authentication and API Access Tokens" example project that used to be maintained at https://github.com/IdentityServer/IdentityServer4.Samples/
The project template contains Auth integration examples with ServiceStack, MVC & Web API. The Web API examples were inherited from the existing IdentityServer's example project, which is optional and can be completely removed.
I couldn't find answers about using both frameworks working together.
We are planning to build an identity provider service (like Google Account) which is used to authenticate a user and provide OpenId Connection protocol to a Rely Party app. We have existing projects built in ServiceStack which work all fine. However, ServiceStack seems not to be compatible with IdentityServer4 in regards to authenticating a user. ServiceStack has its own authentication mechanism and IdentityServer4 relies on Asp.NET Identity Model. If I sign in via ASP.NET Identity Model, ServiceStack APIs may not recognize the user has signed in. And vice versa.
Is there any suggestion about this is a dead end or some solution that may make them work together?
The mvcidentityserver Project Template contains a pre-configured ServiceStack + IdentityServer4 starting project template:
$ dotnet tool install -g x
$ x new mvcidentityserver ProjectName
See the Using IdentityServer4 Auth in ServiceStack docs for more info on ServiceStack + IdentityServer4 integration.
In addition there are a couple of options available from the ServiceStack community:
Using IdentityServer 4 with ServiceStack and Angular
servicestack-authentication-identityserver
JwtAuthProviderReaderPatchedForIdentityServer4.cs - description
I read these two articles 1.here and 2.here to find out what is best way to perform authentication against an Azure Mobile App when the API on the server is using Claims based custom authorization and the Xamarin client calling it is using the MobileServiceClient framework. I am unable to finalize which of the two examples in those links is the better way to go.
In the first link there doesn't seem to be any dependency on platform specific code like it has in the second link, which means I don't need to write any code in the Driod or IOS or Windows projects and can get away with doing everything in a class library itself.(Am I right here?)
Also, the first link seems to not require any provider like the second link does because I am invoking a direct service call to a Url. The second link on the other hand only seems to support Facebook, Twitter, MicrosoftAccount, Google and WindowsAzureActiveDirectory. The mandatory MobileServiceAuthenticationProvider parameter doesn't seem to provide for Custom Authentication against a sql server based User table. I am not sure about this part and cant find documentation that says otherwise.
If LoginAsync doesn't provide for Custom Authentication then its clear that I will need to follow the InvokeApiAsync route. If it does provide it then the question is: should I write platform specific(Droid/IOS/windows) code in each target project like in the second link or should I handle all the service calls in a class library as can be done in the example shown in the first link? In other words should I go with LoginAsync or InvokeApiAsync? Which of the two is the recommended way?
The first article shows off custom authentication, as you intimated. The second article shows off App Service Authentication, which has a known list. If you need to do a custom username/password, then go with the former. If you need to go with social auth or enterprise auth, then go with the latter.
My general recommendation is don't require the user to create yet another username unless you have to - which means social authentication for consumer apps and enterprise authentication via AAD for enterprise apps.
My other recommendation is to always use the client SDK for doing the authentication part. This allows you to follow the very latest practices from the provider (facebook, twitter, etc.) in respect to security, refresh tokens and other authentication requirements. Once you have the provider token, it's easy to swap it for an Azure Mobile token by using LoginAsync() with a token. See the Azure Documentation for information on this.
In all cases, you are going to need platform specific code - that means using the DependencyService (as in the second example) to execute your login code. I generally create a singleton class that wraps the MobileServiceClient in the PCL. Then create an ILoginProvider interface which has LoginAsync/LogoutAsync code in it to handle the platform dependency code. My singleton class then calls the DependencyService to get the code. You can find an example in my GitHub Repository that covers iOS, Android and UWP.
We are developing a suite of ServiceStack based sites and would like to share user credentials between them.
From reading around, I THINK what we need, is for one of the sites to act as an OpenID Identity server, with both it and the other sites logging into its OpenID realm (Excuse me if the lingo is incorrect!).
I understand that ServiceStack, with DotNetOpenAuth, can authenticate against custom OpenID realms, and it seems that DotNetOpenAuth can also act as an OpenID provider, which could be what we need, but I haven't yet found any examples of how to put the two together.
Am I on the right track, and if so, does anyone have an example of this?
Many thanks.
Update:
Further reading suggests IdentityServer3 could be the solution, but I suspect hosted outside of ServiceStack?
Can I use spring-security-rest as a replacement of Oauth?. My app has server side part and java script client side part where I found that spring-security-rest plugin fits most. But I want to be able to authenticate other apps who want to consume my service (I want to be something like Oauth provider). Does spring-security-rest plugin support this? or should I use another plugin?
The plugin is not a fully OAuth provider. Or said in OAuth terminology, is not a full Authorisation Server.
In that case I recommend you Spring Security OAuth 2 Provider Plugin
If you are looking only for a simplistic token based authentication for your service, you could leverage the spring security rest plugin and tweak it a little bit based on your need without having to implement the full blown Spring Security OAuth2 Provider plugin. I managed to accomplish something similar with by extending some of the base classes of spring security rest plugin to modify the login payload and authentication and exposed a token/validate as a REST endpoint. I put up this as an independent authentication service that uses the /api/login API for token generation in tandem with the /token/validate to accomplish some kind of validation on token. Not a full blown Oauth scenario but serves the purpose of authentication between consumer and provider services.