blazor.net with HttpClient sending credentials - dotnet-httpclient

I have an api hosted on IIS that I am trying to call through a Blazor.Net client app with the HttpClient as provided in the example.
Since the api endpoint is hosted on IIS with windows authentication, I need to include credentials when the call is made.
I tried to create an instance of the httpClient instead of using the static method provided in the examples but I receive the PlatformNotSupported exception.
Is there a way to pass credentials with the Static HttpClient as used in Blazor.net?
If I use JavaScript interop with XMLHttpRequest and set withCredentials to true, the api returns data. However I would rather not use js to get the data but rather C#.
Thanks,

Normally the browser should take care of this, that's why you need a browser that is Windows Authentication compatible. See here for an explanation of how Windows Authentication interacts with the browser.
So if that does not work by default, I guess Blazor/Mono does not supports this yet. But you are able to include your own authorization headers in the http call in blazor. I have an example here how to do that (for a jwt token). So if you are able to somehow get the Windows token from somewhere you could try that.

Related

Authentication of Web API and AngularJS SPA app

I have two servers - web and app. The web server (IIS) serves only static files - HTML/CSS/JS. On executing the JS, the client gets the data from the app server (HTTP service using Web API, self hosted with OWIN). I need to bring in authentication so that my data as well as the content is restricted.
I can use SSL, I can pass username / password to the web api, have it authenticated and get back a token. I can pass this token for future web api requests. In my client app javascript (done using AngularJS), I can also maintain info whether the user is authenticated, what roles she has etc. (for user experience). But for security, I need to be able to ensure the html content requested (in the web server) is also having authentication and authorization done. How can I achieve this?
Should I change my app to make the web server call the app server internally rather than from the client? I can use MVC controllers or ASP.NET, but since I was using AngularJS, I thought it is not required, and is kind of a duplicate. Should I ditch pure .html files and move to .cshtml?
How is this done in the Angular + .NET world, when you data comes from a different server than your htmls?
We've been using JSONP with REST type api to do cross domain AJAX calls, but our Angular client code is within .cshtml files in a .NET project. Sounds like the simplest solution is to use the app server internally- I would go with that

Authenticating basic-auth REST API calls from forms-authenticated web app

I'm developing a service that has two components - a web interface and a REST API. I use ASP.NET MVC and ASP.NET Web API, respectively. The two components are hosted on different subdomains of the same domain.
I want the REST API to be used by both external users and the web interface, and I want to simplify authentication as much as possible.
The REST API currently only supports basic authentication.
The web interface uses forms authentication and thus generates an ASPXAUTH cookie. The web interface interacts with the REST API using AJAX calls.
My question to the community is:
How do I authenticate the AJAX calls from the web interface to the
REST API, using the most elegant and secure method?
Some ideas:
Send the ASPXAUTH cookie in the ajax calls (by changing the cookie domain to ".myservice.com" to allow cross-subdomain read) and adding an authentication method in the API that reads the ASPXAUTH. Not sure if this is a great idea, or how to implement this.
Storing the user name and API key in separate cookies. Not really safe unless the values are encrypted/hashed.
Using OAuth in the web interface and rest api, instead of forms + basic authentication?
Ok, I've come up with the following solution:
I've added form authentication to the REST API and made sure not to use IsolateApps in the <machinekey>section of machine.config. This ensures that the REST API can use the same ASPXAUTH cookie. I'm making sure to fall back to basic authentication if no ASPXAUTH cookie is present.
Since there's no way to include the ASPXAUTH cookie in ajax requests to a different subdomain due to the Same-origin policy (even though the cookie's domain is ".myservice.com"), the solution I chose was to add an application (through IIS) to the web interface with the name "api".
The ajax calls now point to "/app.myservice.com/api/..." instead of "https://api.myservice.com/...", and the ASPXAUTH cookie is included and works.
Not sure if this is the best solution, but it's both clean and secure. Only tweak is the sharing of machine keys. If running in a web farm you would need to set the same machine key to all machines.

VerifyAccess through Javascript

I am currently creating a system basically consisting of mainly three parts. There is one authorization server and one resource server. Furthermore, I have one pubsub api based on Node.js (Javascript) next to it. The authorization server and resource server are built using the DotNetOpenAuth libraries. The resources can be accessed by means of the token received from the authorization server.
Now, what would be the preferred way of working when I also would like to have the pubsub api authorized by means of the same token? In the DotNetOpenAuth library, I have this VerifyAccess method available which does this for me but I don't have this in my Javascript. Would it be proper to have a separate web service doing the verification which i then call from my javascript?
Thank you in advance...
Having your Node.js call via web request to .NET to call VerifyAccess would certainly be the simplest. Alternatively if Node.js has the ability to perform asymmetric signature verification, and both asymmetric and symmetric decryption, then theoretically Node.js could validate the token directly. But that would be left as an exercise for the reader. :)
If you do accomplish it, please publish your result for others though.

Grails: Securing REST API with OAuth2.0

I am building a REST API using Grails. I want it to be protected using OAuth2.0 client_credentials flow(grant_type). My use-case is as follows:
a external agent will send a request to something like
http://server-url/oauth/token?client_id=clientId&client_secret=clientSecret&grant_type=client_credentials
and obtain a access_token. Then, my URL(protected resource) should be accesible with something like
http://server-url/resource?access_token={access-token obtained before}
I am looking for something that makes doing this on Grails easy and quick. What will be the best way/tool/plugin to use for this ? Scribe library is an option, if there are any tutorials for my specific use-case, it will be great.
P.S.: I have tried the spring-security and related plugins, no joy there. Any alternatives would be nice.
I have the same issue. I found a lot of grails plugins that helped you authenticate your app against other oauth providers, but nothing that would help me make my app the oauth provider. After a lot of digging, I came across this grails plugin that will do exactly what you want.
https://github.com/adaptivecomputing/grails-spring-security-oauth2-provider
I'm still configuring it for my application, and I think the docs might need a few edits (specifically the authorization_code flow) but I got the simple client_credentials flow to work with minimal configuration. Hope that helps!
Based on my experiences, Scribe was built for OAuth 1.0 and has only very limited support for OAuth 2.0. In fact, for testing our own OAuth 2 implementation, all we could use from it was an HTTP request wrapper, we had to do anything else manually. Fortunately, doing it manually is suprisingly easy.
Since I still haven't found a fine open OAuth 2.0 library for Java (frankly I'm not familiar with Groovy), I encourage you to write the client code for yourself. You don't even need a client callback endpoint to use the client credentials grant flow. So you simply create an HTTP request (as you've written above already, take care to escape the GET parameters though) and get the response content. Your flow does not use redirects, so simply parse the JSON object in the response content, e.g. with the org.json library. Finally, send an HTTP request using the extracted access token.
Note that your examples are not completely standard compliant. The standard requires using HTTPS, sending the token in an HTTP header instead of a GET parameter and suggests using a HTTP basic authorization header instead of GET parameters to specify client credentials.
I may have misunderstood your question, and you may want to implement the server side, too. The scribe library supports only client side, so you can find a commercial implementation or implement your own server. It is a complex task, but if you support only the client credentials flow, it almost becomes easy. ;-)
This isn't a plugin, it's just a sample Grails application that acts as an OAuth provider. It was really easy to get up and running with Grails 3.
https://github.com/bobbywarner/grails3-oauth2-api

Data scraping from the web using dart

I am making a web application, in which i need to scrape the web to get some data. I can't see a way to do this without using the dart:io.HttpConnection which is not imporatble for web apps. What should i do, Can i make a server application and then use it with a client version, or something else?
You would need to build this server side since the browser security model does not allow you to connect to other origins than the one that served your application (unless of cause you can use JSONP or CORS to do the scraping but I doubt that). So you need to create a service on your server that uses HttpClient to do the scraping for you and then call this service from your client using XMLHttpRequest

Resources