Accessing WCF service from mobile client with user identity - asp.net-mvc

I'm working on a Web API that has a web interface (ASP.NET MVC), a WCF service and mobile interfaces (Android/iPhone), and I have token authentication for the API.
The MVC app and the API have the user identity to verify users, but the WCF service won't have this user identity.
Here, I need to access the WCF service from the mobile client securely.
Application structure:
So, how can I verify or share the user identity with the WCF service?
Can I use the same OAuth token in the WCF service to identify the user? Or is there any other standard way to do it?

Given the high-level detail, ADFS should be the right fit for your requirement; with that, identity validation can be achieved for WCF-based services as well.
Refer to the MSDN guide linked below for a detailed approach.
A Guide to Claims-Based Identity and Access Control
However, I presume this solution is for new requirements; if so, why is a WCF service still required when Web API can manage external HTTP requests? Also, as per the diagram, there is no DB interaction through the WCF services.

I have a similar application. I added the token (previously received after authentication) like this:
Common AJAX call with jQuery:
    $.ajax({
        beforeSend: function (request) {
            // attach the token to the request before it is sent
            request.setRequestHeader("Authority", authorizationToken);
        },
        // Below you set type, url, data, ...
    });
Here, using Cordova + Ionic + AngularJS:
    // attach the token to every $http request
    $http.defaults.headers.common.Authorization = authorizationToken;
    if ($http.defaults.headers.common.Authorization.Parameter != undefined) {
        $http.defaults.headers.common.Authorization.Parameter = authorizationToken;
    }
Hope it helps.
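The service side of the client snippets above, as an added example that is not part of any answer here: a WCF ServiceAuthorizationManager that reads the Authorization header and validates the bearer token, so the same token the Web API accepts identifies the user in WCF. It assumes the tokens are JWTs signed with a key shared with the Web API (System.IdentityModel.Tokens.Jwt package), placeholder issuer/audience/key values, and that the manager is registered in the service behavior with <serviceAuthorization serviceAuthorizationManagerType="Demo.BearerAuthorizationManager, Demo" />.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.ServiceModel;
using System.ServiceModel.Channels;
using System.Text;
using Microsoft.IdentityModel.Tokens;

namespace Demo
{
    public class BearerAuthorizationManager : ServiceAuthorizationManager
    {
        // Operations read the caller as OperationContext.Current.IncomingMessageProperties[PrincipalKey].
        public const string PrincipalKey = "Demo.Principal";

        // Placeholder values: they must match what the Web API puts into its tokens.
        private static readonly TokenValidationParameters Validation = new TokenValidationParameters
        {
            ValidIssuer = "https://api.example.invalid",
            ValidAudience = "wcf-service",
            IssuerSigningKey = new SymmetricSecurityKey(
                Encoding.UTF8.GetBytes("REPLACE-WITH-SHARED-SECRET-OF-AT-LEAST-32-BYTES")),
            ClockSkew = TimeSpan.FromMinutes(1)   // issuer, audience, lifetime and signature are checked by default
        };

        protected override bool CheckAccessCore(OperationContext ctx)
        {
            var http = ctx.RequestContext.RequestMessage.Properties[HttpRequestMessageProperty.Name]
                       as HttpRequestMessageProperty;
            string header = http == null ? null : http.Headers["Authorization"];
            if (string.IsNullOrEmpty(header) ||
                !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
                return false;                     // no token: WCF answers with an access-denied fault
            try
            {
                SecurityToken validated;
                ClaimsPrincipal principal = new JwtSecurityTokenHandler().ValidateToken(
                    header.Substring("Bearer ".Length).Trim(), Validation, out validated);
                ctx.IncomingMessageProperties[PrincipalKey] = principal;   // who the API user is
                return true;
            }
            catch (Exception e) when (e is SecurityTokenException || e is ArgumentException)
            {
                return false;                     // bad signature, wrong audience, expired, malformed
            }
        }
    }
}
```

Because the token is validated on every call, the WCF service never needs the MVC session; the only thing shared with the Web API is the signing key and the issuer/audience values.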

Related

How to integrate Azure AD Authentication with a Web API service whose service reference has been added automatically?

I have an ASP.NET MVC website in which I have added a "Web API 2 OData Controller with Actions, using Entity Framework".
This is the 1st set of code that is auto-generated.
I am calling this Web API from a native client. I have added a reference to the Web API service through Right Click, Add References.
This is the 2nd bit that is auto-generated.
I've configured Azure AD authentication on the client side. This is working.
What I want to do now is set up authentication for each Web API call based on the user who logged in from the client. So the client's access token needs to be passed from the client to the Web API, and this token should be used to authenticate further.
Note that a lot of the code is auto-generated, so the additions to the code should have minimal effect on regeneration of the code, if possible.
Later on the Web API will use the user information to filter data based on the user's identity, and use role-based identity as well.
Any pointers on how to start with this? I feel that all the various pieces are available, but how to gather them into a single solution is just out of grasp.
The container that is part of the auto-generated solution is where we need to pass the token.
Here's the code:
    autogenContainer.BuildingRequest += (sender, args) =>
    {
        // accessToken holds the access token retrieved from Azure AD on the client
        args.Headers.Add("Authorization", "Bearer " + accessToken);
    };

Azure ACS + MVC + WCF

I have an MVC web application that authorizes users through Azure ACS. Now I want my web application to make calls to my WCF services. Since these services can be called by other applications, I want them to be secured through ACS also. I'm at a loss on how to set this up. Can I reuse the security tokens in my WCF service calls somehow?
Formally you can't, because these are 2 different (autonomous) "apps". Tokens are issued for a specific app (or "Relying Party"). Your website should request a second token for the web service. You have 2 options:
1- Simply get a token under a service identity (that is, the identity the web site is assuming) and attach it to your calls to the web service. WCF bindings support this out of the box (albeit complex, as is any WCF configuration).
2- Get a token for WCF "on behalf" of the original user. This is a delegation scenario, in which the identity of the original caller to the web app is transferred to the service.
The first option is rather simple (putting aside the WCF specifics). The second option is the more complex one and is not supported in ACS (as far as I know), because it requires a special endpoint that understands and issues ActAs tokens.
You could use the same token for both the web site and the service if you own both and they are "the same app". This is a pragmatic shortcut and not a pure implementation, and might have other implications (e.g. they are the same app in ACS, the WCF service can't easily distinguish whether it is being called from your website or by external parties, etc.).
In that case, the MVC app must keep the token that was sent to it. There's a setting for that (bootstraptoken=true). The WIF API in .NET 4.5 changed a little bit, so there might be something else.

How to secure a WCF Service

I have a WCF service hosted in IIS. I have another website hosted in ASP.NET MVC. It is a public web site. I want to secure my WCF service so that it won't be accessible from any applications other than my MVC application, or those which I give access.
Can I do this using forms authentication?
Update:
I have gone through several examples, but I couldn't get an effective one. I don't want to use SSL. There is no login feature in my web application. If required, a programmatic login can be implemented. All I need is to deny access if the service is not called from my website. I've done this in a web service using forms authentication. But here, the HttpContext is null.
Yes, you can. WCF calls go through the same pipeline, so if you check for specific principals (usernames or roles), your checks will fail/succeed depending on the Forms cookie.
More details in my blog entry
http://netpl.blogspot.com/2010/04/aspnet-forms-authentication-sharing-for.html
where I show how to share the forms identity between a web app and a hosted Silverlight app which calls WCF services.
In the case of yet another type of client application, the way you get the cookie value on the client side can vary. Silverlight just inherits cookies from the web application it is run from.
Assuming your client is a console application, you could even expose an unguarded method from the WCF service which accepts login name + password and returns the cookie to the client. This way, the console application would first call this unguarded method to log in the user and then, using the returned cookie, would call the other WCF services guarded with forms authentication.
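What the answer describes, as an added example that is neither the answer's nor the linked blog's code: a WCF service sharing the site's forms authentication, with the unguarded login operation returning the ticket and a guarded operation checking the caller. It assumes ASP.NET compatibility mode is enabled for the service (without it HttpContext.Current is null inside WCF, which matches the symptom in the question) and a hypothetical Membership user store; the order data is constructed.

```csharp
using System;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.Web;
using System.Web.Security;

namespace Demo
{
    [ServiceContract]
    public interface IOrdersService
    {
        [OperationContract] string Login(string userName, string password);   // unguarded
        [OperationContract] string[] GetMyOrders();                           // guarded
    }

    // Needs <serviceHostingEnvironment aspNetCompatibilityEnabled="true" /> in web.config;
    // that is what makes the WCF call run through the ASP.NET pipeline (FormsAuthenticationModule).
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class OrdersService : IOrdersService
    {
        // Returns the encrypted forms ticket; the client sends it back as the
        // FormsAuthentication.FormsCookieName cookie (".ASPXAUTH" by default) on every later call.
        public string Login(string userName, string password)
        {
            if (!Membership.ValidateUser(userName, password))      // hypothetical user store
                return null;                     // same answer for unknown user and wrong password
            var ticket = new FormsAuthenticationTicket(
                2, userName, DateTime.Now, DateTime.Now.Add(FormsAuthentication.Timeout),
                false, string.Empty);
            return FormsAuthentication.Encrypt(ticket);
        }

        public string[] GetMyOrders()
        {
            // FormsAuthenticationModule has already decrypted the cookie into the principal.
            var user = HttpContext.Current.User;
            if (user == null || !user.Identity.IsAuthenticated)
                throw new FaultException("Access denied");
            return LoadOrdersFor(user.Identity.Name);
        }

        // Constructed stand-in for real data access.
        private static string[] LoadOrdersFor(string userName)
        {
            return new[] { "order-1001 (" + userName + ")", "order-1002 (" + userName + ")" };
        }
    }
}
```

Without transport protection the ticket travels in the clear on every call, so anyone who can read the traffic can replay it; the question's "no SSL" constraint is the main risk here.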

Calling a WCF service that uses ACS from a MVC site

I have an MVC website that uses ACS as an authentication provider.
The authentication process works well.
I want to call a WCF service that requires authentication, and I want to pass an RST token, but I don't know how to create it.
The key question is what identity the WCF service is expecting. If you can use an identity for the entire MVC site (a.k.a. "Trusted Subsystem"), then it is business as usual: you would need to get a token from an identity provider that the WCF service trusts, and that's it. ACS could be one, but it could be something entirely different too. It really depends on who owns the WCF service.
If, on the other hand, you want to flow the original user identity (that is, the caller of the MVC site) to the WCF service, then you are in a delegation scenario. This is possible, but it's often complex. Search for "Act As" (here's an article that talks a little bit about it: http://msdn.microsoft.com/en-us/library/ee517268.aspx).
In a nutshell, the MVC app would request a new token from the STS using as input the original token the user submitted, with a special condition (the "Act As"). This condition signals the delegation to the STS.
As I said, this is a fairly complex setup. Also (last I heard) ACS doesn't support "Act As" requests.

asp.net website wcf data service authentication

I am building a website using ASP.NET MVC 3 and have forms authentication set up correctly (the user is able to register and log in). I want to set up an OData WCF Data Services service so a Windows Phone 7 (Mango Beta 2 Refresh) client can authenticate and query the OData service, with CRUD actions. This idea comes from the FullStack episodes here. They use OAuth login, but I wanted to use the user setup I already have, instead of an OAuth solution.
I do have this all working without auth currently (MVC app with OData client on WP7), but am looking to make the OData service secure. I guess I am looking for some articles or walkthroughs on how to get this working.
If forms authentication is not the correct choice, please let me know.
UPDATE
So, lots of research done on this. There is an official how-to series on the blog for the WCF team here. Since forms auth is already configured on the web app, adding a check inside the QueryInterceptor provides the auth. However, it uses a 'standard authentication endpoint' for client apps to actually 'log in' that seems to use the base Membership providers, which I don't use. Is there a way to override this?
You could turn your custom forms authentication setup into a claims-based federated authentication provider (STS) using Windows Identity Foundation. Then use that to authenticate your WP7 app with the STS provider and send that claim (token) to your OData service, which will verify it's an authentic claim. There is an example of this in the WIF training kit.
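An added example (not from the question, the answer or the WCF team's series) of the QueryInterceptor check the update mentions, extended with a ChangeInterceptor so writes get the same guard; OrdersEntities, Order and its OwnerUserName property are hypothetical, and the service is assumed to run with ASP.NET compatibility so HttpContext.Current carries the forms-authenticated user.

```csharp
using System;
using System.Data.Services;
using System.Data.Services.Common;
using System.Linq.Expressions;
using System.ServiceModel.Activation;
using System.Web;

namespace Demo
{
    // OrdersEntities (EF context) and Order with an OwnerUserName column are hypothetical.
    [AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
    public class OrdersDataService : DataService<OrdersEntities>
    {
        public static void InitializeService(DataServiceConfiguration config)
        {
            config.SetEntitySetAccessRule("Orders", EntitySetRights.All);
            config.DataServiceBehavior.MaxProtocolVersion = DataServiceProtocolVersion.V2;
        }

        // Every query on /Orders passes through here: anonymous callers are rejected and
        // authenticated ones only ever see their own rows, whatever $filter they send.
        [QueryInterceptor("Orders")]
        public Expression<Func<Order, bool>> OnQueryOrders()
        {
            string user = CurrentUserOrThrow();
            return o => o.OwnerUserName == user;
        }

        // Writes get the same guard plus an ownership rule on the entity itself.
        [ChangeInterceptor("Orders")]
        public void OnChangeOrders(Order order, UpdateOperations operations)
        {
            string user = CurrentUserOrThrow();
            if (operations == UpdateOperations.Add)
                order.OwnerUserName = user;       // new rows belong to the caller, not to whatever was posted
            else if (order.OwnerUserName != user)
                throw new DataServiceException(403, "Forbidden");
        }

        private static string CurrentUserOrThrow()
        {
            // The forms cookie has been turned into the principal by the ASP.NET pipeline.
            var identity = HttpContext.Current.User.Identity;
            if (!identity.IsAuthenticated)
                throw new DataServiceException(401, "Unauthorized");
            return identity.Name;
        }
    }
}
```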
