The environment is on single sign on with identityserver3. I have a client angular application which is using openid connect with identityserver 3. I also have a file viewer asp.net mvc application which is used to render pdfs and other files and has no security. The angular app renders the fileviewer inside an iframe to show the contents of files.
I tried adding the file viewer as a client to identity with openid connect so that when a user is signed in to the angular app the user would be single signed into the file viewer app also but it doesn't work in the iframe when file viewer redirects to identity's authorize endpoint due to the x-frame-options sameorigin header. If I open the file viewer url is a separate tab and then launch the file preview within the angular app then calls within the angular app start working as the file viewer cookies are now in the browser.
Ideally I'd like the file viewer to work just like a web api which only validates incoming tokens but not sure how to achieve that with identity server.
How do I go about securing the file viewer application with identityserver? Do I have to manually decode the jwt token by using messagehandlers in the pipeline?
Thanks.
If you were rendering the file locally you could use bearer auth, like webapi does. However because you're using MVC in an iframe, it's slightly trickier. You'll need to trigger the auth for the file viewer in a new window - SSO login should never happen in an iframe. This should then give you auth credentials, usually a cookie, for when you call the file viewer mvc app in your iframe.
Related
How can I use cURL or Postman to read a web page from behind Azure's AD Application Proxy?
I am trying to better understand how OAuth works in order to create some automation scripts that will need to access a server that we have behind an Application Proxy. Currently I am using a web browser and must sign in to my Microsoft account in order to view a web page hosted by the server. This works fine. Seeing as I am able to accomplish this without difficult using a web browser, it seems like I should also be able to accomplish the same using cURL or Postman.
The app that we have registered is registered as a confidential client (Microsoft's "Web App"). The public client option is disabled. It uses the Implicit Grant type to return an ID Token (The Access Token checkbox is not checked, only the ID Token checkbox). I don't have the ability to create a new client secret nor the ability to enable a public client type.
I have tried several of the different OAuth flows, but they all seem to require a client secret (because we are using the confidential client type), which I do not have access to. How am I able to read the web page through the browser despite not knowing any client secrets? How can I do the same via cURL or Postman?
After being redirected to Microsoft's login page and logging in, Azure saves an access cookie in the browser. You can copy this access cookie and include it as part of a request in Postman. This will allow the request from Postman (or curl or whatever) to get to the service behind the Azure AD Application Proxy.
This is enough for my particular use case, but it does come with the problem of having to teach users how to find and copy the access cookie. It would be nice to find a more user-friendly way of getting the access cookie (or something similar).
I am using external logins for my ASP.NET MVC project.
In the latest version of the Visual Studio MVC project template, the redirect url passed to the external provider is /signin-microsoft, /signin-google, etc. After the external provider successfully authenticates the user, it redirects the browser to this url. However, inside the MVC app, I can't find a method at this url.
Who or what is listening at /signin-xxxx?
I need to troubleshoot as it works for all providers but not for Microsoft. /signin-microsoft will redirect the user to /Account/ExternalLoginCallback?ReturnUrl=%2FHome&error=access_denied.
We want to code a web-application (with ASP.NET Core) that starts a legacy Windows desktop application via a custom URL protocol. The web-application must use an authorization server for obtaining an access (bearer) token via OAuth 2 with which it has access to the user's resources via an ASP.NET Core Web API. The desktop application must be able to access the user's resources via the Web API too. How can the desktop application obtain an access token?
I can think of the following options:
The desktop application shows a login screen, sends the entered username and password to the authorization server (using the “Resource Owner Password Credentials” grant type of OAuth 2) and gets an access token back.
The desktop application shows an embedded browser window. The embedded browser requests the OAuth Authorize endpoint of the authorization server (using the “Authorization Code” grant type of OAuth 2) and the user must log-in to authorize. The authorization server redirects back to the redirect URL. The desktop application intercepts this redirect, extracts the authorization token and uses it to get an access token.
The web-application starts the desktop application and passes its access (bearer) token as an argument to the desktop application.
Before starting the desktop application, the web-application requests a new authorization code from the authorization server. The web-application starts the desktop application and passes the authorization code as an argument to the desktop application. The desktop application exchanges the authorization code for an access token by sending the authorization code to the OAuth Token endpoint of the authorization server.
We do not wish to use the first and second option, because we want single sign on.
The third option does not seem to be a good idea, because malicious software on the user’s desktop PC can obtain and use the access token too.
The fourth option seems to be the only option left. As far as I know an authorization code is a temporary (short-lived) one-time token. Besides that, you need to know the client secret for obtaining an access token.
Can anyone confirm that option four is the way to go? Or did I overlook something?
Are there any examples with IdentityServer for this scenario?
Both application should share a logon session using the system browser. This way the user gets SSO in the native app (and even vice versa).
The spec describes the best practices for native apps:
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-native-apps-12
In your case there is a flow that is made specially for desktop application:
Client Device Flow for OpenID connect allows Application that do not have any "browser capability",this Flow will typically suit well Desktop applications.
In my current project i have following arcitecture
MVC application wrapping angularJS application (one action is provided to load templates for TemplateUrl in angularjs. Views are .cshtml instead of simple HTML pages which gives me flexibility to use Razor engine and do simple things like checking if users is in role and not render HTML template part.
second project is Web API project. once AngularJS application is loaded, it makes direct calls to API endpoint and uses MVC only for template loading.
MVC+AngularJS is hosted on -> subdomain.mydomain.com
WEB API is hosted on -> subdomain2.mydomain.com
currently app works without any issues, but i need to add authentication so the problem is;
how can i implement authentication flow in a way, that, If user is not authenticated it is redirected to the MVC login page,
Once it gets authenticated it gets authenticated in Web API as well.
If request is made to load template i can access authenticated user
roles.
if API call is made to API WEB API can check for authentication as
well?
how can i implement authentication flow in a way, that, If user is not authenticated it is redirected to the MVC login page,
You can do this by enabling Forms Authentication in you application. You can get number of documents online if you google that out.
Once it gets authenticated it gets authenticated in Web API as well.
WebApis are designed to be stateless. For authenticating there, use token based authentication where once user is authenticated, pass in a token with each webAPI request which can be validated at server before processing the request.
If request is made to load template i can access authenticated user roles.
Once user is authenticated you can cache user roles associated with the user's session and use that to identify his roles.
if API call is made to API WEB API can check for authentication as well?
Use Authentication token for this for identifying each request that will be sent from client.
We are devloping application looks like Google login. for example if you login Gmail and open Play Store in another tab it will automatically login playstore.
we want to develop similar application using ASP.Net MVC 4 and WEB API & JQuery.
User Flow (Login using username and password) - after login access member details
Client Flow (Client Secret and Client Id) - Authenticate HTML, Javascrip and CSS
If you have any suggestions on below approach.
1. OAuth 2.0 and Owin Middleware
2. Token base approach
3. to get HTML and Javascript using token by site.
4. cross domain token handling
if you have any sample for Resource server, here resource server is HTML, Javascript and CSS
For the User Flow, you can use OpenIdConnect Middleware: https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet. There are many additional samples in AzureADSamples.
Fore the Client Flow, this sample give a good example: https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-AppIdentity-DotNet.