We have an existing MVC angular application enabled with ADFS WS-Fed authentication. The application has many API's hosted as a part of the solution which is internally accessed by views. Now, We have a requirement for the API to be published to other developers.
I am thinking of enabling OAuth/OpenId for the endpoints and enable other developers to access. I need your inputs regarding my approach.
There is no support in ADFS 2.0 for OpenID Connect and OAuth.
The only API option you have is via WCF.
Related
What is the difference between OAuth 2.0 and Auth0? Which one should I use to develop the authentication system?
OAuth 2.0 is a standardized authorization protocol, Auth0 is a company that sells an identity management platform with authentication and authorization services that implements the OAuth2 protocol (among others).
OAuth 2.0 is a protocol that allows a user to grant limited access to their resources on one site, to another site, without having to expose their credentials.
Auth0 is an organisation, who manages Universal Identity Platform for web, mobile and IoT can handle any of them — B2C, B2B, B2E, or a combination.
Source
In case if you cannot understand any of above,
OAuth 2 - is a standard or protocol to implement authorization for any kind of software (windows, mobile or web)
Auth0 - is a software product (cloud and on-prem), that implements the OAuth2 protocol. You can use Auth0 to simplify your
authentication and authorization requirements.
We mainly use auth 2.0 for session based security management at server side. OAuth 2.0 is an authorisation framework that enables a third-party application to obtain limited access to resources the end-user owns. It is about resource access and sharing. While https://auth0.com is a company that sells an identity management platform for authentication related task. So with the help of auth0.com services an app developer don't need to write code for login/registration/social login and its not needed to think about its security. Complete user management task manages by auth0 organisation.
What Identity Provider are you aiming to use?
Auth0, identityserver, ADFS 4.0 etc. all support the OAuth stack.
Using implicit OAuth flow you can connect your Angular application to any of these.
We are planning to build a web application which will use ADFS for authentication. The web application will be hosted on an AWS instance but will be talking to on-premises or cloud ADFS.
can I use ADAL(Active Directory Authentication Library) for federating authentication and saving authentication context in this scenario? if yes is there any drawbacks?
When you say "cloud ADFS" you mean ADFS in a VM in the cloud?
ADAL is for mobile and native devices.
Normally a web application will use OWIN e.g. like this.
If you are not using ADFS 4.0, then use WS-Fed or SAML as per this.
These are for Azure AD but the principles are the same.
I have developed an API using ASP.NET Web API 2 to be consumed by applications in my domain. I want to secure the access to the API endpoints. I've decided to use the OAuth token based token authentication for mobile app clients and web app clients.
However there are some non-interactive windows service clients that need to consume the API. I do not want to store login credentials to get a token in the service config, however a Windows authentication suits this type of client.
Is it possible to use a hybrid - windows and token-based authentication in ASP.NET WebApi? How?
I think the Windows authentication service from Identityserver might be a good solution for your problem
You can find more information on : WindowsAuthentication repo
I have decided to break up the API into two. One for normal OAuth based access and the other with specific resources using Windows authentication to be consumed by non-interactive windows service clients.
I am developing web api which will be hosted in Azure. I need to implement security to handle tokens from corporate STS server. Which would be better approach:
ACS oAuth 2.0
OWIN
Seems like OWIN comes standard with WEB API 2.0 and quite easy to implement with few nugget packages. Any one have suggestion?
Microsoft ACS can be one of the authentication/token provider. The WebAPI can use OWIN to consume tokens from different providers, such as Facebook, Azure AD, Google, Microsoft Live, ACS etc.
I am developing web application which consists of a Silverlight application and a REST API. An optional use case is that the customer may also want to integrate with Salesforce. By "integrate" I mean utilize SSO with Salesforce when logging into my application as well as access data via Salesforce's REST API. The current hurdle I can't seem to get over is that SSO uses WS-Federation while Salesforce's REST API uses OAuth 2.0. What is the best way to being these two authentication mechanisms together?
My knee-jerk reaction was for my Federation Provider STS to acquire an OAuth access token from Salesforce and add it as a claim to the security token received from Salesforce's Identity Provider STS, but I think this might require me to write a custom STS. I'd rather not do that. Is there a better way?
This question is old but comes up often, so ...
There is now information on how to do this here
Configuring-SSO-to-SharePoint
This approach uses WS-Fed.