We have bunch of web applications which are secured using WIF and custom database authentication, currently we are in the process of building a RESTful public API. My question is whether we can use the existing WIF implementation to authenticate these new RESTFul service requesuts?
Thanks!
You can take a look at those two blog posts relating how to use WIF to secure an OData endpoint (which is REST on steroids):
http://blogs.msdn.com/b/astoriateam/archive/2011/01/20/oauth-2-0-and-odata-protecting-an-odata-service-using-oauth-2-0.aspx
http://blogs.msdn.com/b/astoriateam/archive/2011/01/21/connecting-to-an-oauth-2-0-protected-odata-service.aspx
I'll be in the process of integrating WIF with classic-REST and OData endpoints shortly, if you have any feedbacks, I'm interested.
Vincent-Philippe
REST services typically use different token formats from those supported by WIF out of the box (e.g. SWT vs SAML). You can extend WIF so it understands the appropriate token format. There are many examples that show how to do that.
See here for an example: http://zamd.net/2011/02/08/using-simple-web-token-swt-with-wif/
Related
I'm trying to obtain a Azure Maps Token using a Azure Function based on the following documentation.
How to secure a single-page web application with non-interactive sign-in
Does anyone know how to create a Azure Maps Client using .NET similar to this?
AzureMapsManagement client library for JavaScript
They just released a .NET client library yesterday. You can find it here: https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/maps
For example, if you wanted to use the search API, you would authenticate
in a similar manner to the JavaScript client library:
AzureKeyCredential credential = new AzureKeyCredential("<My Subscription Key>");
MapsSearchClient client = new MapsSearchClient(credential);
Here is some documentation on this client library: https://learn.microsoft.com/en-us/azure/azure-maps/how-to-dev-guide-csharp-sdk
For token base authentication you can use the Azure.Core.TokenCredential class. A good article on the different ways to do this can be found here: https://www.rahulpnath.com/blog/defaultazurecredential-from-azure-sdk/ (not putting code in stackoverflow as there are a lot of different ways depending on your scenario).
I have a naive question.
I am looking for some web application that implements Authentication and Authorization mechanism using api keys.
Example Case: Users authenticate themselves using an api key (apikey generation
mechanism is either GOOGLE or any other free service). The logic identify the user along
with the provided apikey and release resource access delegation accordingly]
For me the optimal case is to use Grails framework with oracle database.
Is there any web application for that?, otherwise how would I follow step by step to accomplish it?
I would do a search on the Grails plugin site for oauth plugins:
http://plugins.grails.org/
Look at what they offer, and maybe look at the code to see how you can extend them to get what you want.
I would also take a look at the Spring Security Rest plugin.
It really depends on authentication methods that you're using. I suppose in order to secure REST APIs, you can probably write a filter/interceptor to check against any third party auth that you desire. I reckon that you're probably having the idea of using JWT authentication for this, right?
I have a AngularJS/Web API/SQL Server application that currently uses token based authentication and authorization using the article outlined below:
JSON Web Token in ASP.NET Web API 2 using Owin
There has been a request to change this security mechanism to use Microsoft Identity. My initial research appears to suggest that JWT has more advantages as it can facilitate accessing multiple resource servers (single sign on scenario) and has a nice way of decoupling the different layers.
On the other hand, Identity is coupled with Entity framework (I use Dapper and do understand that I can write a custom provider) and it appears to be difficult to implement if your Web API is shared across multiple consumers (Web and Mobile app). But Microsoft recommends this framework for Authentication/Authorization. I ran into this article that helps implement it with AngularJS/Web API. Can someone help me understand if one is more favorable than the other and how? Thanks
Microsoft identity is not binded to entity framework you can write custom identity classes to use nhibernate & other O/R mappers
Can I use spring-security-rest as a replacement of Oauth?. My app has server side part and java script client side part where I found that spring-security-rest plugin fits most. But I want to be able to authenticate other apps who want to consume my service (I want to be something like Oauth provider). Does spring-security-rest plugin support this? or should I use another plugin?
The plugin is not a fully OAuth provider. Or said in OAuth terminology, is not a full Authorisation Server.
In that case I recommend you Spring Security OAuth 2 Provider Plugin
If you are looking only for a simplistic token based authentication for your service, you could leverage the spring security rest plugin and tweak it a little bit based on your need without having to implement the full blown Spring Security OAuth2 Provider plugin. I managed to accomplish something similar with by extending some of the base classes of spring security rest plugin to modify the login payload and authentication and exposed a token/validate as a REST endpoint. I put up this as an independent authentication service that uses the /api/login API for token generation in tandem with the /token/validate to accomplish some kind of validation on token. Not a full blown Oauth scenario but serves the purpose of authentication between consumer and provider services.
Our current app is a standard spring 2.5 application with Form Based Authentication using Acegi. However, we need to expose some REST Service for 3rd party application and we are trying to use BASIC auth over SSL. We have used RESTEAsy for exposing the REST Services. Now, given that the rest of the application uses form & Session based authentication, how can I enable basic authentication for the few REST Services.
To me, the usecase seems normal, however, I couldn't find much reference on the web. Any comment/suggestions will be very much appreciated.
Regarding the more general question of whether to secure the REST service using Form authentication or Basic/Digest authentication - this is deeply tied into one of the more important constraints of RESTful architecture - statelessness.
With this in mind, logging into a service means keeping state on the server, which goes against the stateless server constraint. From an authentication POV, Form based authentication implies logging in, whereas Basic/Digest authentication means embedding the authentication credentials in each request, with no need to keep any state on the server. This is why this kind of authentication is much more inline with the way REST is meant to be build.
Hope this helps.
Check out Basic/Digest Authentication in the Spring Security Reference.