we need to build a secure web service. and need to setup a OAuth server to manage ,validate token.
as we need to do from scracth , I have no idea ,how to build ,is any guideline or library to use for setup Oauth server.
Related
I have two applications API and client. The two were working fine when they both used Forms authentication with machine key. After migrating the client app to azure authentication using OpenId and OWIN everything is fine with client, users can login with no issues to client.
The issue is when the client now tries to make call to API I get a 401 error.
I tried to generate forms authentication cookie in my client and add that to response. I can see that cookie is there but I still get a 401 from the API.
The problem is that you cannot combine OpenIdConnect on client side and Forms authentication on server side.
You have to set both, client and server, to use same authentication. If you went for OpenIdConnect on client, you need to set OpenIdConnect on server side too.
There is a sample on GitHub that may help you to understand how to do it.
How to secure a Web API built with ASP.NET Core using the Microsoft identity platform (formerly Azure Active Directory for developers)
My team writes a monitoring system which we have recently migrated the definitions of our monitoring into a git repo. These definitions are comprised of some json and powershell files. VSCode is an ideal scenario for editing and dealing with git. The problem is while developing the monitoring it is nice to be able to execute it against a test environment. Previously all editing was done through a web interface and we allowed ad hoc execution of the powershell against test machines through an API which is secured with AzureAD and OAuth2.0.
VS Code extensions don't have access to the full electron api and you are restricted from creating a BrowserWindow to handle the usual OAuth redirect flow. Is there a way to work around this limitation and allow a user to auth to our api so that we can make calls to it?
Any ideas or possible workarounds would be awesome.
One thing you can do is to use Server to Server via Client Credentials authentication method. There is node npm library here.
You will need to first register your VS code extension into Azure AD via Azure Portal.
The downside of this method is the credential passed to the Web API won't be user's credential but rather same extension specific credentials. But it would be OK in case you don't need VS code user's identity.
The supported way to get a user token for an application that doesn't have the ability to open a Web Browser to auth is the "OAuth Device Flow". Here is a link to a blog about how to implement it with AAD.
https://joonasw.net/view/device-code-flow
You need to host a localhost webserver inside your extension, when you're doing the auth and then pass localhost:port as the redirect URI for the oauth login flow.
I have developed an API using ASP.NET Web API 2 to be consumed by applications in my domain. I want to secure the access to the API endpoints. I've decided to use the OAuth token based token authentication for mobile app clients and web app clients.
However there are some non-interactive windows service clients that need to consume the API. I do not want to store login credentials to get a token in the service config, however a Windows authentication suits this type of client.
Is it possible to use a hybrid - windows and token-based authentication in ASP.NET WebApi? How?
I think the Windows authentication service from Identityserver might be a good solution for your problem
You can find more information on : WindowsAuthentication repo
I have decided to break up the API into two. One for normal OAuth based access and the other with specific resources using Windows authentication to be consumed by non-interactive windows service clients.
I am trying to implement:
An MVC Web API server to return content on-demand (REST Server)
A Central authentication OAuth 2.0 server (for example OWIN)
An Android end-user side Application
The Scenario is like this: Android application requests content on REST Server, if its token is expired, REST server makes a request on authentication server to identify the client. The REST server should be registered using its own [id,secret] on authentication server and then Android application should be informed to identify on central authentication server using end-user [username,password] and Android application [id,secret].
So REST server must be registered on authentication server using fixed [id,secret].
Android application must be registered on authentication server using fixed [id,secret] and end-user [username,password].
So the problem is most samples on the web use cookie based sessions that cannot be used via a REST server and a non-browser end user (at least it is not recommended). I did not find a clear example to explain the implementation of this scenario or even some part of this, all that I found were some beginner code snippets.
Thanks for your help.
I recommend you posts on Token Based Authentication and Enable OAuth Refresh Tokens from Taiseer Joudeh, wich teaches you step by step in the process to create a token based Authentication (mobile friendly, without cookies storage) and refreshtoken for managing token expiration.
Note: Don't be afraid if the post title talks about "AngularJS". You can skip this part.
How implement an Component that publish secure services Rest , conditions:
These services should be secured by OAuth 2.0.
This component will is the Resource Server.
The Authorization Server is third party component implemented with Spring OAuth2.0 and Deployed in JBoss Server.
The client app will be called to resouce server, using JavaScript or RestTemplate Client.
Since you are already developing other legs of the OAuth2 solution using Spring Security, there is no reason to not use it as OAuth implementation for Mule as well.
http://www.mulesoft.org/documentation/display/current/Configuring+the+Spring+Security+Manager
There is some also prepared things in Mule, if you run the commercial version, check htis out: http://www.mulesoft.org/documentation/display/current/Mule+STS+OAuth+2.0a+Example+Application