We have an existing asp.net Mvc 5 application having external login with OAuth2 providers like google, and microsoft. We are using CookieAuthenticatoin for this.
Now we need to add ApiContoller to the same application.
Is there any way to use the same cookie to authenticate ApiControllers. Can I configure both cookie authentication and tokenauthentication in Startup file?
Related
I have an existing ASP.NET MVC 5 application that uses a custom authentication scheme and sessions for storing state using ASP.NET_SessionId cookie.
Now there is a requirement to put a React front-end in front of an ASP.NET Core Web API. There is an opportunity to reuse some of the service code from the API. The showstopper is the authentication.
Is it possible to reuse/share the existing cookie and authentication scheme from a React web application? JWT and IdentityServer appear to be solid options but would require a significant rewrite to the existing system.
As far as I know, if you want to share authentication cookies between ASP.NET 4.x and ASP.NET Core apps, you need to rebuild the asp.net core cookie authentication.
Since the asp.net core and asp.net use different way to encrypt the authentication cookie, so you should let them use the same way to encrypt the cookie to get the token work for both asp.net and asp.net core application and make sure there are in the same domain.
More details about how to set the application to share cookie between ASP.NET 4.x and ASP.NET Core apps I suggest you could refer to this MSFT example.
Some part of the document:
ASP.NET 4.x apps that use Katana Cookie Authentication Middleware can be configured to generate authentication cookies that are compatible with the ASP.NET Core Cookie Authentication Middleware. This allows upgrading a large site's individual apps in several steps while providing a smooth SSO experience across the site.
When an app uses Katana Cookie Authentication Middleware, it calls UseCookieAuthentication in the project's Startup.Auth.cs file. ASP.NET 4.x web app projects created with Visual Studio 2013 and later use the Katana Cookie Authentication Middleware by default. Although UseCookieAuthentication is obsolete and unsupported for ASP.NET Core apps, calling UseCookieAuthentication in an ASP.NET 4.x app that uses Katana Cookie Authentication Middleware is valid.
Katana Cookie Authentication can be used to reuse cookie among app. For more detail please find the documentation for Share Authentication Cookie among app
I have ASP.NET MVC and Angular2 application and I'm using Identity Server 3. Typical workflow for user is to log on MVC application which stores obtained token in a cookie.
After successful login, user can use angular2 application for specific operations and it resides on subdomain. Angular application "talks" to web api.
Is it possible to share access token stored in a cookie between mvc and angular (javascript) client. Currently, I'm extracting access token and store it in local storage for using in ng2. It is working, but in my opinion this is not elegant solution
You can implement Direct Authentication in Angular and use SSO.
User will be logged in to ASP.NET MVC, the Angular will hit the identityserver and will returns the token.
You can use the OIDC.JS library to implement implicit flow in Angular.
I am building an AngularJS MVC application, I need some guidance in terms of authentication. I am thinking of building the Authentication using the MVC authentication pipeline. AngularJS code will reside in the MVC application and the root SPA view would be a Razor cshtml. Here is my scenario -
Login page will call a Authenticate API that would return a token
AngularJS has the logic to get the bearer and pass to each of the API requests
There will be multiple ASP.NET WebAPI projects that will be hosted as subdomains.
I also need to call complex dynamic razor templates, this would need the authentication for the MVC controller that will return the razor views. Since MVC follows cookie based authentication, the token gives a 401 status code. How would this work wherein the authentication is shared between MVC and WEB API apps.
I think you would need to get your token from the API project, not the MVC in order to be able to securely call the API.
If you want to share identities across both the API and MVC projects, have them use the same database.
When getting the token from the API, you can get the identity details of the current user from your MVC application. At least, that is how I have done it in the past.
I blogged something along these lines here: http://blogs.msdn.com/b/martinkearn/archive/2015/03/25/securing-and-working-securely-with-web-api.aspx however this does not cover the step of using the creds from your MVC login and passing that to the API to get the token.
Hope that helps.
I am creating an application that will use MVC 5 to serve the initial layout, views, scripts, etc. and then I am using WebApi2 to serve data to the UI.
I want to use the OWIN OAuth bits for Authentication on the WebApi.
The WebApi lives in a DLL and the MVC 5 app is a Web Application.
I have referenced this article for the OAuth WebApi bits.
How do I setup the WebApi to run in the MVC 5 application and use the OWIN Startup class?
Or is this not possible?
I recommend you to check the VS 2013 Web API template (Web API and MVC core dependency) but with individual accounts checked as this image, I believe you are missing adding those both lines in class WebApiConfig.cs:
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
You need to suppress the default authentication (Forms Auth) then add the bearer authentication only for Web API.
I am new to AngularJS. I need to develop a Web API (ASP.NET) which will be consumed by an Android, iPhone and a Web Application. I want to build the web application using ASP.NET MVC to use the built in routing and razor view engine.
The first problem I am facing is how to add security to my Web API and ASP.NET MVC in a way that they work together or use the same auth token (ASP.NET Identity). For example web application will display a login page to the user, AngularJS will send back-end login call to Web API and in return will get an auth token as ASP.NET Identity is being used on Web API side. Now whenever user requests a resource/view/html from web application (ASP.NET MVC), he/she should be authenticated and authorized first.
If my login call go through the ASP.NET MVC controller action and I create a FormAuthentication cookie on a successfull login, then how can I pass the Web API auth token to AngularJS in a secure way so that my angular controllers can call Web API methods for data manipulation using that auth token?
It would be great if someone could refer a blog/article with example.