Hey guys what do you think,
is rendering an Access Token that I got via Hybrid Flow in code-behind to my Java Script as "non-secure" as using Implicit Flow in Open ID Connect?
If you need the token on the client in your JS code - you somehow need to transmit it.
The APIs you are planning to call have to be considered public at this point.
Related
I need to implement Azure AD authentication and authorization for my ASP.NET MVC web application using MSAL.NET with authorization code flow and I need to call my own API.
I can see a lot of manual code implementations on the internet to redeem authorization codes etc...
I know the latest version of MSAL.NET will handle auto code redeem without writing any manual code but how to use it, any good example will help me a lot.
Second, what are the best practices followed while using MSAL.NET with authorization code flow to call my own API?
Note: I am using the .net framework.
Thanks in advance.
This might be helpful
Microsoft.Identity.Web adds extension methods that provide convenience services for calling Microsoft Graph or a downstream web API. These methods are explained in detail in A web app that calls web APIs: Call an API. With these helper methods, you don't need to manually acquire a token.
https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-web-app-call-api-acquire-token?tabs=aspnetcore
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
Also you can use custom solution like below
https://identitymodel.readthedocs.io/en/latest/client/token.html
Start reading from here, it supports the following frameworks:
.Net Core
.Net framework
For MVC ensure first that u are using either Asp.net Core or normal .net framework. Once you have figured that out. You can find the relevant code which you can refer to generate the token logic.
Read here for more details about the MSAL authentication library.
MSAL authentication library for dot net
Code samples collection.
https://learn.microsoft.com/en-us/azure/active-directory/develop/sample-v2-code
I've got 2 different .NET Core 2.2 MVC projects. I'm using IdentityServer4 for the token server, Azure B2C for the identity store.
The 1st MVC app is a normal MVC application, and I've got it working perfectly with the OIDC Hybrid flow.
The 2nd MVC app is an Angular 7 cli app, which serves up the index.html and houses the API that the app will be calling. The angular app will not call any other APIs directly (gateway pattern).
My questions are about the 2nd app - I'm trying to figure out the best way to set up the Angular app for security.
My understanding is: OIDC Implicit flow exposes exposes the access token on the browser. OIDC Hybrid flow does not expose the access token (at least when hitting the same web server - no CORS), because the web server (client) uses the back channel to obtain the access token, via the authorization code, and its never exposed to the browser.
QUESTION #1: Is my understanding of Implicit vs. Hybrid correct?
If my understanding is correct, I'd think the best way to go would be Hybrid flow even for the Angular app, but most samples I've seen for using OIDC with Angular involve the Implicit flow, and don't take advantage of the authorization code / backchannel. Avoiding having an access token on the browser seems like a big deal, like a worthy goal, but wondering why it doesn't seem to be done?
QUESTION #2: I'm serving up my Angular index.html from my MVC server - why can't I just use Hybrid flow to protect the index.html page, and keep the token on the backchannel?
Something tells me my understanding of all this isn't quite complete...
Your understanding is correct. You can protect your index.html. The only problem you will face that way is that it's not the default configuration for today. With your requirements, most likely you don't need any of oidc client libs at all, you can protect your (only) API with a (same-site, http-only) cookie (not a bearer token) and in your Angular guards just ensure that you are still logged in to your back (if not, redirect through a local MVC resource to involve server-side code into login procedure).
See this question, especially the comments and link below for further reference.
There aren't any good article explaining how to generate a refresh token in asp.net core 2.0 and how to generate a access token using the refresh token?
Any exports knows how this is handled in .net core 2.0?
The closer i got was this article but the getToken method is not explained.
http://bestaspnethostingreview.com/refresh-token-using-asp-net-core-2-0-and-json-web-token/
In the real world you won't be writing code to generate tokens - an authorization server will do this token issuing for you.
I would very much recommend using a real authorization server early - it is very educational and obviously better from a security viewpoint as well.
I have found Okta to be very developer friendly - you can go to Okta Developer Sign Up, register for free and start coding against it.
I have recently been starting a new blog at http://authguidance.com that covers getting UI logins working and then calling APIs (though my blog probably has more detail than you want):
I assume you want to write a web app in C#? If so then I would recommend plugging in the standard Microsoft security libraries to do the login processing for you.
Technically, the Microsoft libraries use the Authorization Code Flow, and your application will then issue an encrypted cookie containing an Okta refresh token.
Would it be useful if I write a small C# code sample for you that runs against Okta, with instructions on getting it working?
I am developing an IOS app which is going to make asynchronous calls to a Spring-MVC back end which is protected by Spring Security. I have been unable to figure out how this would work. I have a web client which makes calls to this service (using jQuery Ajax), and I'd like to implement the same calls in IOS (iPad).
Is there any framework that would take care of handling authentication, then passing the token back and forth, as required by Spring Security? How will the IOS application know to request userid/password from the user again after a timeout?
-- After doing some research, it looks like the IOS API already has functionality for authenticating (providing for Basic, Digest, Certificate and trust Authentication). It looks like it is possible to throw up a dialog box to get a userid/password, then save it in an NSURLCredential object, and it will be used when necessary.
Am I correct with this? Is there an easier way? Does anyone have a simple example which illustrates how this authentication might work with a Spring-security protected server?
Thanks!
I use AFNetwork to make my network API calls. The only problem that I have is the CookieTheftException that occurs when two connections with expired JSessionIds hit the server.
I am currently creating a system basically consisting of mainly three parts. There is one authorization server and one resource server. Furthermore, I have one pubsub api based on Node.js (Javascript) next to it. The authorization server and resource server are built using the DotNetOpenAuth libraries. The resources can be accessed by means of the token received from the authorization server.
Now, what would be the preferred way of working when I also would like to have the pubsub api authorized by means of the same token? In the DotNetOpenAuth library, I have this VerifyAccess method available which does this for me but I don't have this in my Javascript. Would it be proper to have a separate web service doing the verification which i then call from my javascript?
Thank you in advance...
Having your Node.js call via web request to .NET to call VerifyAccess would certainly be the simplest. Alternatively if Node.js has the ability to perform asymmetric signature verification, and both asymmetric and symmetric decryption, then theoretically Node.js could validate the token directly. But that would be left as an exercise for the reader. :)
If you do accomplish it, please publish your result for others though.