I have two web applications. One is developed in MVC 5 and the second is developed in ASP.NET Core 3. Both websites hosted on different domains.
mycmswebsite.com
myshopwebsite.com
My user authentication module is on the shop website and I also store some values in session from the shop website that I need to access in the cms website.
I am planning to use a Distributed cache with SQL Server or Redis and also planning to use single sign-on using Oauth2.
What is the best practice to check if the user is authenticated on the shop website from the cms website and also access the data which are stored in the shop website?
I don't have much knowledge in Distributed cache techniques that can be shared across multiple applications.
Related
We have the requirement for doing a "Single Sign On" between Rails and Java applications. Both the applications are sharing the same database. Currently Rails is making use of default - Cookie based store and we are planning to switch it to Active Record session store, so that it will maintain the sessions in the database and which can be further leveraged for providing the seamless access into these 2 applications using SSO - by identifying the active session of the user.
So is there a way we could find the active session for a user from sessions table ? Would there be a chance of having multiple active sessions for a single user in sessions table ? If yes, we should be referring to most recent entry right ? Any additional things we should consider for doing SSO between these application ? Please note, both are sharing the same database.
Sharing db between multiple applications is not implementation of SSO.The standard sso implementation need a CAS(Central Authentication Service),which provide authentication service for other applications.All users access to other applications need rediect to CAS for authentication.
If you want to share session info by sharing db, this gem maybe help.Furthermore, it's bad idea to sharing db between multiple applications, it make application hard to maintain.
We are a new tech team that has inherited a webforms app. We are planning on building out an internal API and would like some guidance for implementing it with our existing app.
Ideally we would like an independent app hosting the identity server, and both internal APIs and webform app would call it. However, we host hundreds of websites on a single platform in a multi-tenanted setup.
Can we use IS4 with webforms?
Can you give some guidance around multi-tenanted setups?
Can we use cookie based authentication in the webforms app and use the same token for delegated access when communicating with the api?
Have I missed anything obvious?
These are Application Types and Scenarios that Azure AD supports:
Web Browser to Web Application
Native Application to Web API
Web Application to Web API
Daemon or Server Application to Web API
I have two questions:
I would like to understand where my scenario below fits.
I think I need to use JWT tokens and it seems that Native Application to Web API is the closest,
but I still need Asp.Net MVC application to deliver Client side Angular MVC resources (html templates, controllers and Rest services)
Which Azure Active Directory Code Samples are the closest to my scenario below:
I would like to create a multi-tenant Angularjs (delivered using Asp.Net MVC 5) and Rest Web API 2 secured with Azure AD. I would like to have tenants choose their domain names like firstTenant.com,
smt.firstTenant.com or to have subdomains like firstTenant.MySaaS.com, secondTenant.MySaaS.com
or MySaaS.com/firstTenant, MySaaS.com/secondTenant or similar domain naming scheme.
I would use some kind of IoC container to add customization to my SaaS application or similar to deliver specific functionality to each tenant (GUI and business logic and DB).
I would use and Asp.Net MVC application that will custom tailor SPA resources (html templates, .js controllers, .js services, .css, images etc) to each tenant and use some partitioning techniquest to retrieve tenant and user specific content from DB called from Rest API controllers.
Thanks,
Rad
I am also facing the same 'i dont know' issue :)
But far as i have researched the authorization flow from SPA aplication to the web api.
You still need webserver(mvc) project that will privide redirecting to the Identity provider (azure AD) login page and on the IP callback you will need to inject baerer token to Angular auth service that will send token to the api or deal with the refresh token.
So for me I think that, Web Application to Web API, is the right direction programming.
pls comment if i'm wrong
Currently i'm investigating link
http://code.msdn.microsoft.com/windowsazure/MyCompany-demo-applications-eedab900
update 2:
http://www.cloudidentity.com/blog/2014/04/22/AUTHENTICATION-PROTOCOLS-WEB-UX-AND-WEB-API/
Maybe it will be helpful to us.
I think there is a wide consent that is a good practice to separate your REST API from your main website. The main reason is that you can scale your API and website independently of each other.
Additionally, Rails has a lot of middleware that is not required for stateless services (e.g. sessions, cookies, view rendering, etc...). Jeff Dean has a good write up on how to remove all of this middleware (http://pivotallabs.com/users/jdean/blog/articles/1419-building-a-fast-lightweight-rest-service-with-rails-3-).
At the moment, I am simply using the new Rails 3 responder (respond_with) in one single application, both for the website and the API. The website is used mainly for administration purposes.
How would you separate the API from the website?
I think an option would be to pack all models in a gem, then have two different applications, one lightweight REST service, and the administration website. They would be hosted on different Heroku instances, but access the same MongoHQ database.
You have 2 choice
extract your Model ans use it in all of your 2 application
made you API and your application on same application. But you deploy 2 server. One using only your application par and other with your API part. So if you need more API. add more on your API server.
You don't really need extract API. You just need separate it.
Scenario:
I have an ASP.NET MVC 2 site using ASP.NET Forms Authentication.
The site includes a Silverlight 4 application that needs to securely call internal web services.
The web services also need to be publically exposed for third party authenticated access.
Challenges:
Securely accessing webservices from Silverlight using the current users identity without requiring the user to re-login in in the Silverlight application.
Providing a secure way for third party applications to access the same webservices the same users credentials, ideally with out using ASP.NET Forms Authentication.
Additional details and limitations:
This application is hosted in Azure.
We would rather NOT use RIA Services if at all possible.
Solutions Under Consideration:
I think that if the webservices are part of the same MVC site that hosts the Silverlight application then forms authentication should probably "just work" from Silverlight based on the users forms auth cookies. But this seems to rule out the possibility of hosting the webservices seperately (which is desirable in our scenario).
For third-party access to the web services I'm guessing that seperate endpoints with a different authenication solution is probably the right answer, but I would rather only support one version of the services if possible...
Questions:
Can anybody point me towards any sample applications that implements something like this?
How would you recommend implementing this solution?
You can extend WCF to use Membership as authencation store and reuse the FormsAuth Cookie (send by the MVC site) to the browser by the Silverlight app.
I would recommend using an STS with Windows Identity Foundation so you can have your app use claims identity and then change authentication outside the app. For third party you can use Windows Azure Access Control Service (ACS). We are updating our guidance on this and you can look at the new code to show you how to do this at our codeplex site. The original book is available at Amazon. I would focus on the updated guide because it has ACS has websites and an active client talking to WCF. The client is WPF but it would similar for Silverlight.