As shown in https://petstore.swagger.io/, apis of the PET controller get authenticated by OAuth2, but that of the STORE controller, gets authenticated by ApiKey.
I want to achieve the same using IOperationFilter in .Net MVC (and not .Net Core).
Though I am able to turn on the BasicAuth for one API, but couldn't turn off the ApiKey Auth for the same. May be I am not able to find the correct documentation of using the tool.
Could someone point me towards the correct documentation please.
Swagger-Net version 8.3.35.101
Related
Problem description
All the routes (URL(s)) for the API (including parameters to use) are accessible to unauthenticated users by calling this API AbpServiceProxies/GetAll which doesn't require any token and is not protected.
This opens the application for easy attacks.
Can you please tell me how to secure this API without affecting the normal functionality of the framework.
Abp package version: 7.4 (last version at the time of writing this issue).
Base framework: .Net Core.
Steps needed to reproduce the problem: Just call the API like https://ServerIP/AbpServiceProxies/GetAll
I expect to find a way to secure this API or if it was not possible, at least list only public APIs which has no [Authorize] attribute.
I'm using identity server 4 as an authentication server, and have successfully demonstrated authenticating clients for access to my MVC web application and my Web API application, both running on IIS under .NET 4.7.
The problem I'm having is finding the correct approach for ensuring clients are only able to access the endpoints they should after the authentication process. EG, I have two clients, one with a write scope, and one without. How do I ensure the one without is only able to access endpoints that will read my data and not amend it?
The best method I've found so far is to use an authorization attribute like this:
https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/master/source/WebApi/ScopeAuthorizeAttribute.cs
However, this is marked as obsolete and I'm unaware of the version based on OWIN middleware is mentions. Considering my MVC and Web Api applications are unable to be updated to .NET core applications, what would be the best approach?
Since the scope claims are available within the ASP.Net pipeline you can implement your own access control filter quite easily. It may be that that particular library is obsolete but the practice of enforcing scope in an MVC/WebAPI filter is certainly entirely valid.
Background:
I've implemented a Web-API (.NET), now I need to do the most important thing,
Secure it.
As I investigate this topic I understand that the common way is the Bearer Token.
Now we getting to my problem.
My Problem
On one side:
Every article I saw (that explains the concept and the way to implement it over .NET) starts from a project with a Web API template that holds MVC and Web API and in the authentication field choose one option from Individual / Organizational / Windows .
On the other side:
I don't need a MVC project, I need only Web API (without any GUI) that the reason I choose the empty project and check the Web API checkbox, in that way I cant choose an authentication type, I forced to start with no authentication.
Questions:
1.Do I bound to use MVC to get authentication ? if not how can I do it from pure Web API project ?
2.Maybe I will create an Authentication Server (that only generates tokens) from that Web API template (with the possibility of choosing authentication type) ? (and use the token on the real Web API)
3.There is any benefits of implement the Authentication Server on a different project and on different server ? (Kerberos style )
P.S I want to use an out of the box solution because the security aspect is the most important one (to my opinion) and should be flawless.
I wrote a blog on this topic called 'Securing and securely calling Web API and [Authorize]': http://blogs.msdn.com/b/martinkearn/archive/2015/03/25/securing-and-working-securely-with-web-api.aspx. I think if you read this, you'll have all your answers.
The Web API template does include MVC by default so that you get the automated docs feature (which is a great feature to have). However the authentication part is related to a core ASP.net feature, not specific to MVC or Web API. You'll need to enable one of the authentication options to secure your API using .net's built in security features.
If you do not want the MVC project that comes with Web API, just delete it after the project has been created. It is contained within the 'areas' folder. If you delete that folder, you'll be running on pure web api.
To answer your specific questions:
1) No you do not need an MVC project to secure an API project. You can use the [Authorize] attribute on your API controllers and actions.
2) an authentication server gets created by default with the web api template. You can access it and get tokens via http:///Token
3) No, you need to use the api itself to serve valid tokens for secured controller/action requests
Hope that helps. If not, then please be a bit more specific with your questions.
I have 2 projects an mvc5 & webapi. I am wanting to call the api from a pure clientside manor even though im using mvc (I am slowing trying to migrate old code into a spa like application still being able to maintain the current codebase).
The url of the api sits under the main domain e.g. subdomain.mydomain.com/api so I dont have to worry about jsonp or crossdomain stuff.
How do I secure the api. Am I right in thinking when a user logs into the mvc5 application there is there some kind of key or token I can access. I store it somewhere on the site and add it in the request header?
If I follow this approach how do I validate the token at the api end. An actionfilter that reads the header? or is there a cleaner method.
The only information I can really find on using the api is to use basic auth which is something I dont really want to have to do.
I think a nice simple(ish) way to do it is to use a token based method. So the client authenticates once, you give them a token, then subsequent requests pass the token and the server checks it.
It does require some custom code, but I have seen a few good examples. Here is one that I loosely followed:
http://www.codeproject.com/Articles/630986/Cross-Platform-Authentication-With-ASP-NET-Web-API
It enforces HTTPS, then does the token generating and validation after that.
I have been implementing a skeleton Claims Based architecture for our services and websites. I'm using WIF, .NET 4.5, MVC / Web Api.
I have the STS (WS-Federation / WS-Trust) and several Relying Parties implemented, and all is working fine.
Now, I want to be able to authenticate in one Relying Party and use that same token (the bootstrap token, I assume) to make Ajax calls to another Relying Party. I can get the Bootstrap Token down in the HTML (is this even a good idea?), and add it to the Ajax call headers as some form of Authentication (Basic, etc).
What I don't know is how to intercept the request in the final Relying party, and "tell" WIF to use that bootstrap token and do it's magic with it (Load, Validate, Authenticate, Authorize, Create Principal, Create Session Token, Write it down in a cooke).
I guess I could do all this by hand using the available classes, but there must be a point where I can just hook up for this. Probably around the SAM / FAM modules, but I can't understand exactly how.
Any ideas?
Thanks
SAML is not a good fit for being consumed in html. The format is complex and relies too much on WS-Security for cryptography. I see more adoption these days of OAuth2 (It was OAuth-Wrap in the past), although is complex as well. If you want to explore that path, I recommend the ThinkTecture Identity Server as a quick solution.
http://weblogs.thinktecture.com/cweyer/2012/11/oauth2-in-thinktecture-identityserver-v2-implicit-grant-flow-with-javascript.html
Thanks
Pablo.