I have a project that has both regular MVC controllers with Views as well as Web APIs.
I have implemented Forms authentication. This protects both my Web API as well as my MVC controllers. However since cookies are not supported by Mobile browsers I am looking for implementing an alternate token based authentication. Following questions
1) Is there any way to use token based authentication for both Web API as well as regular MVC controllers ?
2) Is there any way to pass bearer token automatically by the browser instead of manually putting it in request headers ?
3) How can I include authorization information in the bearer token ?
In response to your questions
1) you are looking at a hybrid flow which allows multi user clients being MVC and Mobile clients to obtain and use tokens, refreshing tokens is only available from the MVC client from what I know.
2) you can use identity server to send through authorization tokens or use the link below where you will insert authorization information (roles based) when sending tokens.
Please look at the following tutorial, it'll help in most of your requirements http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/
Related
In Server, I use OAUth2 to secure Web API with access_token and refresh_token.
But I don't know any way to use refresh_token in MVC Client ?
If access_token is expired,when user is using MVC Web,Request cannot go to server API and something will lost. I means : MVC Client can auto-refresh token when expires?
I rolled out my OAuth utilising refresh tokens strategy by following the guide at "Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin". It is in production with no problems.
It does focus on the client implementation as an Angular JS app, but there is logic towards the middle of the article that refers to "Step 6: Generating an Access Token using the Refresh Token" and shows graphics and process of how you can send a request for refresh_token etc, you should be able to draw some ideas from for an ASP.NET MVC implementation. It also includes the entire workflow and setup required on the ASP.NET API side which may help you double check things.
If this article is helpful to you, you may wish to start at the beginning of his OAuth ASP.NET discussion as you might find it of interest to follow - "Token Based Authentication using ASP.NET Web API 2, Owin, and Identity"
the below process which i have followed while implementing single sign on
Decoupled Authorization server & Resource server
Got access-token using client_credentials from Authorization server
Problem:
i have used mvc 4 application for resource server and can't able to access views(resource) from resource server using mvc controllers with Authorize Attribute
used access-token generated by authorization server
also read the below question:
"I have an un-secured MVC 5/Web API 2 application. It accesses resources using a combination of MVC controllers, and ajax calls to the Web API endpoints.
Eventually I would like to move all resource access into a separate Resource Server. However, for the time being, I would like to get the application into production as a proof of concept for a line of business applications secured using the OAuth 2 framework.
I have configured users in IdentityServer, and added the application to AuthorizationServer using a code flow client. Based on the sample provided with the AS code, I am able to retrieve an access token in the application, add it to the request headers for Web API endpoint calls secured with the Scope attribute.
My questions is how can I utilize this same flow to secure the MVC controllers? I imagine it would entail setting up an OWIN middleware component which will set the authorization headers for each request based on a cookie which contains the token. Am I on the right path, or should I go in a different direction with this?"
please let me know how to access the mvc resource using owin middleware instead of web api.
I am developing an ASP.NET MVC web application. The application is consuming a REST API, but authentication for REST-full application is quite unclear for me.
As REST is stateless, do I have to implement two different Authentications with two different databases, one for client, and one for the REST service?
Or, do I have to send the login/password each time, to authenticate on the server?
Please give me some advice or tutorial on this.
You can authenticate a Web API using individual user accounts that are stored in a database.
In this case client should obtain access token first. And then include it to each request, that requires authorization, header:
Authorization: Bearer boQtj0SCGz2GFGz[...]
Good tutorial can be found HERE
Also authentication methods could be extended in Startup.Auth.cs with Cookies or some external authentication methods (Google, Facebook etc)
The stateless isn't a main problem in your situation, problem is that browser can only send GET or POST request in tradition way in tag form, so to send PUT or DELETE request you should use Ajax, the easiest way is to use JQuery library and config it to send user credentials in http header(between requests it can be store in cookies) in every request and use basic-authentication if you plan use own auth logic. I recommned you to look some SPA frameworks like angularjs
or emberjs
or backbonejs
to simplify your life from hardcode JavaScript . Also in future you can easy extend your auth by OAUTH 2.0.
I'm re-developing an app as a web app (the "previous" iteration was in VB6) to run on azure. One requirement is that we only use facebook/google authentication (OAuth 2.0). Another business requirement lead me to break my project into the following schema:
1 Project for the WebAPI 2.0
1 Project for Controllers
1 for Data Access (typical layer pattern)
N Projects for MVC 5 front-end
The idea is that the MVC projects will only consume the WebAPI via javascript/json! The N MVC projects will contain just the GET implementation for the pages. No models or others actions (post for example). In other words the MVC projects are completally disconnectd from the other projects and should have no intelligence what-so-ever!
This is the selected way because of (bitchy clients and) limited time constraints.
Anyway, as you can notice the "core" (WebAPI + controllers + DA) is shared. The core is in fact a multi-tenant service. (but remember the disconnected facet!)
My problem here is: How do I handle Authorization? What/how should treat the passing of the claims between the MVC projects and the WebAPI? Im lost here. After some thought, I came to the conclusion that I need to make the WebAPI project act as a proxy here, something like:
Random users lands on www.myClientWebsite.com/Register
Chooses a login provider
The MVC project redirects the user signaling facebook to return to www.myWebAPI.com/Register
I intercept the claim and redirect the user to the original www.myClientWebsite.com/LoginComplete or something...
Am I getting it wrong?
You have to use OAuth 2 for authentication and authorization purpose in this scenario. Yes, you should be making the authentication at the MVC level and then use tokens to keep the security intact for rest calls.
Here your MVC application should get a Bearer token from the identity provider like google and then hide it some where on the form. Then for every jquery request you make to web api, you have to send this bearer token in the request.
[Update]
This is considered kind of hack and I do not encourage it. And this works only if both the systems are in same domain.
[\Update]
If both MVC and Web API are on different domains, then you can think of using Azure ACS Service Identity to build the trust between domains. Then pass the bearer token of User claims in the payload of the request.
[Update]
This is much more better way to handle this but must be accompanied with proper token revocation and https security.
[\Update]
I've been reading different articles on the subject of securing WebAPI, including:
leastprivilege article
kevin junghans article
piotr walat's article
and many others.
I would like to use the MVC 4.NET SPA template (with either Backbone.js or another JS lib) and I'd like to secure WebAPI used by SPA with basic http authentication, using tokens in the headers because some of the WebAPI clients will not support cookies required by forms authentication.
The SPA template uses SimpleMembership and oauth, which I would like to use and combine with basic http authentication.
What's unclear to me is whether the SPA template out-of-the-box authenticate and authorize WebAPI with basic HTTP authentication and tokens, or do I have to follow and piece this together from the links above?
This is quite a large topic and its best to completely understand it before simply plugging in templates.
Here is a great video to help put everything in place: https://vimeo.com/43603474
You must be using SSL for any token based authentication (like oAuth)
Once the user is authenticated - via oAuth or your own membership provider, you can simply attribute any Web Api methods with [Authorize] to ensure that a non-authenticated user can't call those methods (will return a 401 - not authorized if not authenticated)