cookie and bearer authentication with angular MVC web API architecture - asp.net-mvc

In my current project I have the following architecture:
MVC application wrapping an AngularJS application (one action is provided to load templates for TemplateUrl in AngularJS). Views are .cshtml instead of simple HTML pages, which gives me the flexibility to use the Razor engine and do simple things like checking if the user is in a role and not rendering part of the HTML template.
The second project is a Web API project. Once the AngularJS application is loaded, it makes direct calls to the API endpoint and uses MVC only for template loading.
MVC+AngularJS is hosted on -> subdomain.mydomain.com
Web API is hosted on -> subdomain2.mydomain.com
Currently the app works without any issues, but I need to add authentication, so the problem is:
How can I implement the authentication flow in a way that, if the user is not authenticated, it is redirected to the MVC login page,
once it gets authenticated it gets authenticated in the Web API as well,
if a request is made to load a template I can access the authenticated user's roles,
and if an API call is made, the Web API can check for authentication as well?

How can I implement the authentication flow in a way that, if the user is not authenticated, it is redirected to the MVC login page,
You can do this by enabling Forms Authentication in your application. You can find a number of documents online if you google it.
once it gets authenticated it gets authenticated in the Web API as well,
Web APIs are designed to be stateless. For authenticating there, use token-based authentication where, once the user is authenticated, a token is passed in with each Web API request and validated at the server before processing the request.
if a request is made to load a template I can access the authenticated user's roles,
Once the user is authenticated you can cache the user roles associated with the user's session and use that to identify his roles.
and if an API call is made, the Web API can check for authentication as well?
Use an authentication token for this, to identify each request that will be sent from the client.
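The token-based flow this answer describes, written out as an added example (it is not code from the question or the answer). It is the Web API project's Katana Startup: a /token endpoint that issues an OAuth bearer token carrying the user's roles, and bearer middleware that validates the token on every API call. It assumes the Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages, and that the API project reads the same ASP.NET membership/role provider database as the MVC site; the controller and route names are illustrative.

```csharp
// Added example, not code from the question or answer. Web API project Startup that issues and
// validates OAuth bearer tokens with Katana. Assumes the Microsoft.Owin.Host.SystemWeb,
// Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages, and that the API
// reads the same ASP.NET membership/role provider database as the MVC site (an assumption).
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Security;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(WebApiHost.Startup))]

namespace WebApiHost
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/token"),   // POST grant_type=password&username=..&password=..
                Provider = new MembershipTokenProvider(),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
                AllowInsecureHttp = false                        // bearer tokens are credentials: TLS only
            });

            // Reads "Authorization: Bearer <token>", unprotects it and sets the request principal.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            var config = new HttpConfiguration();
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    // Resource-owner-password grant backed by the existing membership provider.
    public class MembershipTokenProvider : OAuthAuthorizationServerProvider
    {
        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            // Browser (AngularJS) client: there is no client secret it could keep, so accept the
            // client and rely on the user's credentials plus TLS.
            context.Validated();
            return Task.FromResult(0);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            if (!Membership.ValidateUser(context.UserName, context.Password))
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return Task.FromResult(0);
            }

            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            foreach (var role in Roles.GetRolesForUser(context.UserName))
                identity.AddClaim(new Claim(ClaimTypes.Role, role));   // roles ride inside the protected token

            context.Validated(identity);   // the middleware serializes and protects the ticket
            return Task.FromResult(0);
        }
    }

    // Protected resource: the bearer middleware sets User; [Authorize] answers 401 to anything else.
    [Authorize(Roles = "Admin")]
    [RoutePrefix("api/reports")]
    public class ReportsController : ApiController
    {
        [Route("")]
        public IHttpActionResult Get()
        {
            return Ok(new { user = User.Identity.Name });
        }
    }
}
```

The MVC project keeps its own cookie authentication (classic Forms Authentication, or `app.UseCookieAuthentication` with `LoginPath = new PathString("/Account/Login")`), which is what produces the redirect to the login page and lets Razor views check roles. The AngularJS code obtains a token from /token with the credentials the login form validated, keeps the access_token in memory rather than in a cookie, and sends it as an Authorization header on every API call. Because subdomain2.mydomain.com is a different origin from the page that calls it, the API also needs a CORS policy limited to subdomain.mydomain.com (Microsoft.Owin.Cors package); a shared machineKey between the two projects is only required if the MVC site itself must unprotect tokens the API issued.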

Related

Identity Server without Login

I'm trying to implement IdentityServer authorization and my scenario is below:
We have one home page for all our applications, "www.vision2025.com", and I have a link to my MVC application "MarketingDashboard", where users are authenticated by the home page and redirected to my MVC application using Windows authentication. Now the user can do any action in my dashboard, which interacts with the Web API.
Now I need to implement IdentityServer to authorize all the Web API calls from my dashboard, but with no need for login.
Please suggest any idea.
Thanks in advance
I think you don't want to build IdentityServer because your enterprise company has already built ADFS (Active Directory Federation Services). You just want to ask whoever maintains AD to enable ADFS for OAuth2. This is a page to help you catch all scenarios here.
Because I don't know how far you can change all applications, there are some solutions with ADFS you can go with:
Let your main server (which acts as the Home Page and is where the user is redirected to ADFS to sign in) perform the On-Behalf-Of flow. In this scenario, your main server will be a linked server that transfers the access token it retrieved from ADFS. I strongly recommend this way because you just want to add as many new web apps and APIs as you like. The con is that it requires you to ensure the access token in your main server is highly protected.
Because OAuth 2.0 doesn't support chaining Resource Servers yet (such as signing in to Resource Server A, then using the provided access_token to call Resource Server B in different clients), you need to allow your main server to store the user's username/password (also known as a trusted back-end server, meaning your enterprise allows this server to store client credentials). So each time you redirect the user to the target MVC application, you should transfer the encrypted username/password as well. Then your target MVC application can perform the Authorized Flow or Implicit flow itself in back-end code, then return a new access token to the client web to call the Web API.

Getting access token from Web Api using credentials of MVC Local user

I have an MVC application built that uses forms authentication and stores credentials encrypted in AspNetUsers.
I also have a Web API application that uses that same store of users and is secured with OAuth.
The API is tested and works from a JavaScript app (going to be deployed on smartphones).
Now I also have a need to access the same API from the MVC app. Basically the user is already logged in and authenticated, but as far as I can see, in order to get an access token from the API (calling the api/token endpoint) I need the user's password, which is one-way encrypted in the DB.
The API and MVC app are deployed as two separate apps.
I guess one way I could do this is to grab the access_token when they first log into the MVC app and store it in the user table.
Is there another recommended way to handle this in the .NET world?
Thanks

MVC 5 Authentication

I have a Web API 2 with bearer token authentication, where an external site authenticates in my API and makes requests by sending the token in the request header, but I also have an MVC 5 web site, where authentication should be automatic: the Web API will have a method that redirects to this web site and it should already open authenticated. This web site will have just one client, the Web API, and the users come authenticated from the Web API.
How could I authenticate the web site automatically?
I thought of two different ways to solve this problem:
Use authentication cookies, where I perform a redirect from the Web API to the site passing the login information (placed in the web.config, with user and password, or a kind of key), and then the web site performs the authentication and sets a cookie for the browser.
Use bearer authentication in both the Web API and the web site (with the same Machine Key in web.config), and when the Web API redirects to the web site it passes the bearer token generated for the client; but when the user navigates on the web site, I need to pass this token in the header all the time, and I think it is not a good idea to share this token between the Web API and the web site. When the navigation ends the process needs to come back to the Web API, and will have to authenticate again or pass the same token to the Web API.
Which of these approaches would be the most correct? Or is there some other approach to solve this problem?
I'd take option 2; you could use a token auth with the claims you need to identify that the incoming request comes from your API. It's stateless, simple and you don't need to pass sensitive data among URLs.

Single Sign-On using Asp.net MVC 4 and Web Api

We are developing an application that looks like Google login. For example, if you log in to Gmail and open the Play Store in another tab it will automatically log in to the Play Store.
We want to develop a similar application using ASP.NET MVC 4, Web API and jQuery.
User Flow (login using username and password) - after login, access member details
Client Flow (Client Secret and Client Id) - authenticate HTML, JavaScript and CSS
If you have any suggestions on the approach below:
1. OAuth 2.0 and Owin Middleware
2. Token-based approach
3. Getting HTML and JavaScript using a token by site
4. Cross-domain token handling
If you have any sample for a Resource server; here the resource server is HTML, JavaScript and CSS.
For the User Flow, you can use the OpenIdConnect Middleware: https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet. There are many additional samples in AzureADSamples.
For the Client Flow, this sample gives a good example: https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-AppIdentity-DotNet.

What is the relationship between owin and oAuth2.0?

I study external login strategies and the terminology confuses me. What's the relation between the following.
Owin
OauthWebSecurity
OAuth 2.0
Owin Katana
ASP.NET Identity
Owin
Owin is no more than a specification. It stands for Open Web Interface for .Net.
In very simplistic terms it is based on the idea that using a few language constructs (delegates and a dictionary) you can create a framework for handling web requests that is independent of where it is hosted (you can even run an "owin application" from a console app).
The implementation of Owin's specification is called Katana.
OAuth
OAuth 2.0 is an Authorization protocol. The idea behind OAuth is that you (the resource owner) can delegate access privileges to a third-party. An example is a Web app being able to post on your Facebook wall for you.
Again, in very simplistic terms, this materializes by sending a 302 redirect to the user when she accesses a protected resource. That 302 redirects the user, for example to Facebook's oauth login page (https://www.facebook.com/dialog/oauth?client_id=...&redirect_url=[yourwebapp]&scope=[permissionsrequiredfromuser]).
After you log in to Facebook and accept the permission request, Facebook will send a 302 redirect to the redirect_url you provided with an access_token that you can then use to send requests on behalf of the user that provided the credentials. For example, to get information about the user you'd perform a request to https://graph.facebook.com/me?access_token=[access_token].
There are variations for this workflow. They are all explained in the links at the end of the answer.
ASP.NET Identity
ASP.NET Identity has nothing to do with ASP.NET. Talk about poor naming... It provides functionality to save and retrieve users' data from a data source. It also provides you with the ability to associate claims and roles with the users, and other "login providers" (that would be the case when you "login with facebook" and your user_id from Facebook gets associated with your local user id; this information is stored in the AspNetUserLogins table).
The way you see it being used in the MVC project template is in the Account controller and the CookieAuthenticationMiddleware.
References
Owin/Katana:
http://odetocode.com/blogs/scott/archive/2013/07/09/getting-started-with-owin-katana-and-vs2013.aspx
http://odetocode.com/blogs/scott/archive/2013/11/11/writing-owin-middleware.aspx
http://odetocode.com/blogs/scott/archive/2013/11/12/simple-logging-middleware-katana-part-4.aspx
http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana
http://www.asp.net/aspnet/overview/owin-and-katana/owin-startup-class-detection
OAuth
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1
http://blogs.msdn.com/b/webdev/archive/2013/07/03/understanding-owin-forms-authentication-in-mvc-5.aspx
http://www.asp.net/web-api/overview/security/external-authentication-services
ASP.NET identity
http://brockallen.com/2013/10/20/the-good-the-bad-and-the-ugly-of-asp-net-identity/
http://curah.microsoft.com/55636/aspnet-identity
http://typecastexception.com/post/2014/04/20/ASPNET-MVC-and-Identity-20-Understanding-the-Basics.aspx
https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server (latest approach - technically you have to implement a few methods; there are a few examples, and as an alternative you can review how it is done in IdentityServer4 for .NET Core)
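The OWIN idea from the answer above (an application is nothing more than a delegate over an environment dictionary, and can be hosted from a console app), written out by hand as an added example; it is not part of the answer or of any project it links to. It assumes the Microsoft.Owin.Hosting and Microsoft.Owin.Host.HttpListener packages; the listening URL, the /api path prefix and the header check are illustrative.

```csharp
// Added example, not the answer's own code: OWIN's "delegates and a dictionary" model written out
// by hand and self-hosted in a console app. Assumes the Microsoft.Owin.Hosting and
// Microsoft.Owin.Host.HttpListener NuGet packages; paths, URL and the header check are illustrative.
using System;
using System.Collections.Generic;
using System.IO;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Hosting;
using Owin;

// The whole OWIN contract: an application is a function from an environment dictionary to a Task.
using AppFunc = System.Func<System.Collections.Generic.IDictionary<string, object>, System.Threading.Tasks.Task>;

namespace RawOwinDemo
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // A middleware is a function that receives the next AppFunc and returns its own AppFunc.
            app.Use(new Func<AppFunc, AppFunc>(RequireBearerHeader));
            app.Use(new Func<AppFunc, AppFunc>(next => Hello));   // terminal app; never calls next
        }

        // Gatekeeper: anything under /api must carry "Authorization: Bearer ...".
        // Only the presence of the header is checked here; validating the token itself is the job
        // of a real bearer middleware such as the one in Microsoft.Owin.Security.OAuth.
        private static AppFunc RequireBearerHeader(AppFunc next)
        {
            return async env =>
            {
                var path = (string)env["owin.RequestPath"];
                var requestHeaders = (IDictionary<string, string[]>)env["owin.RequestHeaders"];

                string[] auth;
                bool hasBearer = requestHeaders.TryGetValue("Authorization", out auth)
                                 && auth.Length > 0
                                 && auth[0].StartsWith("Bearer ", StringComparison.Ordinal);

                if (path.StartsWith("/api", StringComparison.Ordinal) && !hasBearer)
                {
                    env["owin.ResponseStatusCode"] = 401;
                    var responseHeaders = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];
                    responseHeaders["WWW-Authenticate"] = new[] { "Bearer" };
                    return;                       // short-circuit: the pipeline stops here
                }

                await next(env);                  // otherwise hand the request down the chain
            };
        }

        // Terminal application: writes a plain-text body using nothing but dictionary entries.
        private static async Task Hello(IDictionary<string, object> env)
        {
            var responseHeaders = (IDictionary<string, string[]>)env["owin.ResponseHeaders"];
            responseHeaders["Content-Type"] = new[] { "text/plain" };
            var bytes = Encoding.UTF8.GetBytes("Hello from a raw OWIN app, path: " + env["owin.RequestPath"]);
            await ((Stream)env["owin.ResponseBody"]).WriteAsync(bytes, 0, bytes.Length);
        }
    }

    class Program
    {
        static void Main()
        {
            // Self-hosted on HttpListener: no IIS involved, which is the point of the specification.
            using (WebApp.Start<Startup>("http://localhost:9000"))
            {
                Console.WriteLine("Listening on http://localhost:9000 (press Enter to stop)");
                Console.ReadLine();
            }
        }
    }
}
```

Run it and request http://localhost:9000/hello to get the greeting, and http://localhost:9000/api/anything without an Authorization header to get a 401 with a WWW-Authenticate: Bearer challenge. Katana's cookie and OAuth bearer middleware are built on exactly this shape: each one wraps the next AppFunc, reads and writes the same owin.* dictionary keys, and either short-circuits (the 302 to a login page, the 401 challenge) or passes the request on with the principal set.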
