I am upgrading a resource server that accepts access tokens from our oAuth server. In .NET 4.7, I had a startup configuration that looked like this:
appBuilder.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
When I add the Nuget Package 'Microsoft.Owin.Security.OAuth', I get a warning that the package is not compatable with the target .NETCoreApp. Makes sense, but I'm not sure what the new package is.
I thought the package I needed was 'Microsoft.AspNetCore.Authentication.OAuth'. That allows me to add to startup:
services
.AddAuthentication(OAuthDefaults.DisplayName)
.AddOAuth("Bearer", options => options.AuthorizationEndpoint = "uhhh" );
Why would I be configuring an endpoint, I just want to look for an authorization token, not actually serve them up. This looks like the setup for an oAuth server, not a recipient. Also, the old 'OAuthBearerAuthenticationOptions' class allowed me to override things like 'AccessTokenFormat' but I'm not seeing that in the new options.
Lastly, I see that there is the option to configure oauth this way:
app.UseOAuthAuthentication
But it complains that it's Obsolete, looks like a Core 1 version of 'AddOAuth', and nothing about AccessTokenFormat.
Any ideas?
Core does not provide a direct replacement for those APIs or their associated token server. The current guidance is that you use a server like IdentityServer4 along with AddJwtBearerAuthentication.
Related
I built a claims-aware asp.net mvc application following the steps outlined in this page: https://learn.microsoft.com/en-us/dotnet/framework/security/how-to-build-claims-aware-aspnet-mvc-web-app-using-wif. The example in the page uses an STS on the local host, but in my application I am pointing to a fully-functioning AD FS on a different server.
I'm using Framework 4.7 and Windows Server 2016 to host the AD FS and to host the web application.
After I deployed the application I ran the Windows Identity Federation Utility against it (because I thought I needed it to add the application as a Relying Party Trust on the AD FS). This utility inserts a lot of tags into the web.config that refer to the Microsoft.IdentityModel namespace.
I then added the application as a Relying Party Trust to the AD FS, and navigated to the claims-aware app. The page failed because the sample code cast the claim returned by the STS as System.Security.Claims.Claim. When I changed it to cast as Microsoft.IdentityModel.Claims.Claim it worked fine.
The example I was following makes no mention of the Windows Identity Federation Utility. Do I need to use that? Or would this have worked without it?
When I try reversing the web.config changes that the utility inserted the site fails with a 401 error (access denied due to invalid credentials) so obviously the stuff inserted by the Utility is needed to get authentication from AD FS. Is this because I ran the Utility on the web site before adding it as a relying party trust to the ADFS?
The answer here is: don't run the Windows Identity Federation Utility if you are using ADFS Server 2016, as it forces use of the Microsoft.Identity libraries, which are deprecated. I mistakenly thought this utility was needed to create the FederationMetadata.xml file.
I created the FederationMetadata.xml file manually and reverted my web.config back to what it was before I ran the utility. This reverted me back to using the System.Identity libraries, which were added to the 4.5 framework, instead of the now-deprecated Microsoft.Identity libraries.
Just to note that the more "modern way" is to use the OWIN WS-Federation library.
This example is for Azure AD but you simply point to the metadata and the code figures all the rest out for itself.
As part of an evaluation process for a commercial project I'm searching for any full fledged example of authentication/authorization using the websharper stack. I'd like to use OWIN, since it seems to be a well designed protocol, but I'm open to alternatives.
Some requirements:
use Mono
use the Suave server.
For now, we have been trying to adapt this tutorial for the websharper toolchain: https://www.codeproject.com/tips/849113/four-easy-steps-to-set-up-owin-for-form-authentica
This is what we currently have: https://github.com/Denommus/cookies-problem/blob/master/Main.fs
I would also like to mention that the default method ctx.UserSession.LoginUser has this issue: https://github.com/intellifactory/websharper/issues/647
But the cookies file is not being generated for some reason, probably because we're missing something obvious. Anyone able to help?
EDIT
I think I figured out the reason why the cookies file is not being generated: the Suave server doesn't actually run OwinStartup, so I need to figure out another way to configure the IAppBuilder of my application. But I still don't know how to do it, so if anyone can help I'll appreciate.
EDIT 2
I think I fixed the configuration of OWIN in my application, but I still don't have cookies being generated.
I've followed the steps on http://www.cloudidentity.com/blog/2014/02/12/use-the-on-premises-organizational-authentication-option-adfs-with-asp-net-in-visual-studio-2013/ to create a new MVC application using ADFS to authenticate my users. Now the team behind the ADFS configuration needs the application metadata file to allow the application to connect the ADFS.
How can I generate this metadata file?
It normally "lives" at /FederationMetadata/2007-06/FederationMetadata.xml in your STS website. If you used a standard solution like thinktecture then that is the case. Otherwise, you can generate it yourself using the .Net classes in System.IdentityModel.Metadata. You can find some inspiration at https://github.com/IdentityServer/IdentityServer3.WsFederation/blob/25a2101f9bfe78e4ec856eb15c9bf19a9a9b256c/source/WsFederationPlugin/WsFederationController.cs and related classes.
I wanted to implement a small Proof of Concept for ADFS integration with MVC application. For this I created a virtual machine for Windows 2008 R2 and configured ADDS, ADCS and added my updated my server domain to one created one using ADDS.
After this I created certificate using ADCS.
Now, installed ADFS 2.0 using Microsoft download of ADFSSetup.exe RTW.
With help of some I configured ADFS & added relying party trust from my MVC application SSL URI.
After this I tried to run the application however started facing 403.14 error page.
Following observations as outcome from entire configuration:
I tried to access "<>/federationmetadata/2007-06/federationmetadata.xml" and I
got a proper XML which is as per expected.
I saw couple of entries from server computer - IIS website as like "http://<>/adfs/services/trust" OR "https://<>/adfs/ls/" however couldn't get any response from server. even I tried to access same from server using localhost instead of server names, then also no luck.
Then to cross-verify I checked IIS's default website where I found adfs/ls however it was a like a website. Not sure correct or not. I couldn't find anything 'services/trust' under ADFS IIS application.
After that I installed ADFS from Server manager and saw one more virtual directory 'fs',added under adfs application. when I tried to access 'fs' using https I am able to access it easily and can see SOAP service and page displayed with available web method.
I tried to find more on 'adfs/ls' and 'adfs/services/trust' however couldn't get much more information.
Please, if anyone came across this issue. Do let me know.
This is not an issue, this is how ADFS works. Next step you have to configure claims providers and relying parties from ADFS management console (from Admin tools). Relying party could be a sample claims aware MVC application. It should work
The only URL's that ADFS "answers" to are the federation metadata endpoint and the IDPInitiated one.
adfs/ls expects either WS-Federation or SAML parameters after it. On its own it will throw an error.
Then follow How To: Build Claims-Aware ASP.NET MVC Web Application Using WIF.
Why are you using Windows 2008 R2? (ADFS 2.0)? You should rather use Windows 2012 R2 (ADFS 3.0).
I'm using JaxWs Metro project implementation and i'm using this tutorial to add Ws Security feature to my web services.
http://java.globinch.com/enterprise-java/web-services/jax-ws/secure-usernametoken-java-web-services-using-metro-wsit/
What i have understand is that to add a Ws Security to your web service.You must first generate manually the wsdl file then add WSIT configuration part to your web service then put that modified wsdl in your project and modify sun-jaxws.xml so that take care of your modified wsdl file(so that it will not generate a new one).
I think it's extremley difficult to do all that for all my web services.In addition,i'm using eclipse so there is no generating tool(like netbeans).
I want to know is there any simple solution ?