Custom Parameters in web Dynamics CRM web resource - OAuth

I'm creating an integration with a site that supports authorization via OAuth 1. As the OAuth callback I put a CRM web resource. But when the site executes the callback, CRM gives me HTTP 500 because the path is something like this: http://crm/webresources/auth.html?oauth_token=<data>&oauth_verifier=<data>&realmId=1381471230&dataSource=QBO.
Is there any way to enable these GET parameters in CRM web resources?

You can't pass on custom parameters to CRM. You have to pass any custom parameters via the standard "data" URL parameter. https://msdn.microsoft.com/en-us/library/gg327945.aspx
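One way to follow the answer above, as an added example that is not part of the original post: an intermediate callback page (an assumption here) folds the provider's parameters into the single `data` parameter, and the web resource unpacks them against an allow-list. The function names and the relay.example host are hypothetical, and the token values are constructed.

```javascript
// Added example, not from the original post. Function names are hypothetical.
// Only these keys (taken from the callback URL in the question) are carried over.
const EXPECTED = ["oauth_token", "oauth_verifier", "realmId", "dataSource"];

// Runs on an intermediate callback page you control (assumption): folds the
// provider's query string into one "data" parameter for the web resource.
function packForWebResource(callbackUrl, webResourceUrl) {
  const incoming = new URL(callbackUrl).searchParams;
  const inner = new URLSearchParams();
  for (const key of EXPECTED) {
    if (incoming.has(key)) inner.set(key, incoming.get(key));
  }
  const target = new URL(webResourceUrl);
  target.search = ""; // drop any other query parameters
  // The inner query string is percent-encoded a second time as the value of "data".
  target.searchParams.set("data", inner.toString());
  return target.toString();
}

// Runs inside the web resource: pass window.location.search.
// Values come from the URL, so treat them as untrusted input.
function readDataParam(search) {
  const data = new URLSearchParams(search).get("data");
  if (data === null) return {};
  const inner = new URLSearchParams(data);
  const out = {};
  for (const key of EXPECTED) {
    if (inner.has(key)) out[key] = inner.get(key);
  }
  return out;
}

// Constructed sample callback; "extra" stands for any parameter not on the allow-list.
const callback = "https://relay.example/cb?oauth_token=tok%2B1&oauth_verifier=v9" +
  "&realmId=1381471230&dataSource=QBO&extra=x";
const crmUrl = packForWebResource(callback, "http://crm/webresources/auth.html");
console.log(crmUrl);
console.log(readDataParam(new URL(crmUrl).search));
```
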

Related

Authentication between ASP.NET MVC and WebAPI

I'm currently working on an MVC5 application + WebAPI for some AJAX requests. For the MVC part I use the standard cookie authentication, and token based authentication for the WebAPI part.
I'd like the user to log in using only the MVC site, without having to authenticate again with the authorization server to obtain an access token.
Is it safe to get the access token on the server side, put it in a hidden field on the site and use JavaScript to query for it and use it later for the Web API requests? Assuming the connection will be over HTTPS, for obvious security reasons :)
You can pass the security token to the API as a custom header attribute, which you can pre-check and cache for all subsequent calls in the API.

Separating Web Api and Web Site

I'm new to ASP.NET Web API, OWIN, and everything related to it.
I'm trying to find the best way to do this scenario:
1 - Web api to have all the connections and rest service
2 - Web site to show data to user on a browser using the restful service
3 - A mobile app that has some functionality like the web site and accesses the RESTful service to get all the information
My doubt is: what's the best practice related to the login? I'll use OWIN/OAuth2 with Identity to log in, but since it's going to be implemented on the Web API, should the login/register/forgot password be on the Web API directly (like the project template does) or should I move most of the functionality to the web site? Of course it's easier to leave it in the Web API, but if I do it, I must duplicate my Razor templates just to call the login part. Can someone give me a path to follow?
Thanks!
The answer is no: your Web API should not have any HTML, JS or CSS files, only the services that you need. The Web API exposes the functions to register the user. Next, when you have to make a request, you must send a token. You can obtain the token using the URL that you have configured in OWIN; the URL is like /token, and you send the username and password.
Regards,

Decoupling Authorization Server & Resource Server using OWIN Middleware and Web API/MVC

Below is the process I followed while implementing single sign-on:
Decoupled the authorization server & resource server
Got an access token using client_credentials from the authorization server
Problem:
I have used an MVC 4 application for the resource server and am not able to access views (resources) from the resource server using MVC controllers with the Authorize attribute
Used the access token generated by the authorization server
I also read the question below:
"I have an un-secured MVC 5/Web API 2 application. It accesses resources using a combination of MVC controllers, and ajax calls to the Web API endpoints.
Eventually I would like to move all resource access into a separate Resource Server. However, for the time being, I would like to get the application into production as a proof of concept for a line of business applications secured using the OAuth 2 framework.
I have configured users in IdentityServer, and added the application to AuthorizationServer using a code flow client. Based on the sample provided with the AS code, I am able to retrieve an access token in the application, add it to the request headers for Web API endpoint calls secured with the Scope attribute.
My question is how can I utilize this same flow to secure the MVC controllers? I imagine it would entail setting up an OWIN middleware component which will set the authorization headers for each request based on a cookie which contains the token. Am I on the right path, or should I go in a different direction with this?"
Please let me know how to access the MVC resource using OWIN middleware instead of Web API.

Authentication of Web API and AngularJS SPA app

I have two servers - web and app. The web server (IIS) serves only static files - HTML/CSS/JS. On executing the JS, the client gets the data from the app server (HTTP service using Web API, self hosted with OWIN). I need to bring in authentication so that my data as well as the content is restricted.
I can use SSL, I can pass username / password to the web api, have it authenticated and get back a token. I can pass this token for future web api requests. In my client app javascript (done using AngularJS), I can also maintain info whether the user is authenticated, what roles she has etc. (for user experience). But for security, I need to be able to ensure the html content requested (in the web server) is also having authentication and authorization done. How can I achieve this?
Should I change my app to make the web server call the app server internally rather than from the client? I can use MVC controllers or ASP.NET, but since I was using AngularJS, I thought it is not required, and is kind of a duplicate. Should I ditch pure .html files and move to .cshtml?
How is this done in the Angular + .NET world, when your data comes from a different server than your HTML files?
We've been using JSONP with a REST-type API to do cross-domain AJAX calls, but our Angular client code is within .cshtml files in a .NET project. Sounds like the simplest solution is to use the app server internally; I would go with that.

Authenticating basic-auth REST API calls from forms-authenticated web app

I'm developing a service that has two components - a web interface and a REST API. I use ASP.NET MVC and ASP.NET Web API, respectively. The two components are hosted on different subdomains of the same domain.
I want the REST API to be used by both external users and the web interface, and I want to simplify authentication as much as possible.
The REST API currently only supports basic authentication.
The web interface uses forms authentication and thus generates an ASPXAUTH cookie. The web interface interacts with the REST API using AJAX calls.
My question to the community is:
How do I authenticate the AJAX calls from the web interface to the REST API, using the most elegant and secure method?
Some ideas:
Send the ASPXAUTH cookie in the ajax calls (by changing the cookie domain to ".myservice.com" to allow cross-subdomain read) and adding an authentication method in the API that reads the ASPXAUTH. Not sure if this is a great idea, or how to implement this.
Storing the user name and API key in separate cookies. Not really safe unless the values are encrypted/hashed.
Using OAuth in the web interface and rest api, instead of forms + basic authentication?
Ok, I've come up with the following solution:
I've added forms authentication to the REST API and made sure not to use IsolateApps in the <machinekey> section of machine.config. This ensures that the REST API can use the same ASPXAUTH cookie. I'm making sure to fall back to basic authentication if no ASPXAUTH cookie is present.
Since there's no way to include the ASPXAUTH cookie in ajax requests to a different subdomain due to the Same-origin policy (even though the cookie's domain is ".myservice.com"), the solution I chose was to add an application (through IIS) to the web interface with the name "api".
The ajax calls now point to "/app.myservice.com/api/..." instead of "https://api.myservice.com/...", and the ASPXAUTH cookie is included and works.
Not sure if this is the best solution, but it's both clean and secure. Only tweak is the sharing of machine keys. If running in a web farm you would need to set the same machine key to all machines.

Resources