In Server, I use OAUth2 to secure Web API with access_token and refresh_token.
But I don't know any way to use refresh_token in MVC Client ?
If access_token is expired,when user is using MVC Web,Request cannot go to server API and something will lost. I means : MVC Client can auto-refresh token when expires?
I rolled out my OAuth utilising refresh tokens strategy by following the guide at "Enable OAuth Refresh Tokens in AngularJS App using ASP .NET Web API 2, and Owin". It is in production with no problems.
It does focus on the client implementation as an Angular JS app, but there is logic towards the middle of the article that refers to "Step 6: Generating an Access Token using the Refresh Token" and shows graphics and process of how you can send a request for refresh_token etc, you should be able to draw some ideas from for an ASP.NET MVC implementation. It also includes the entire workflow and setup required on the ASP.NET API side which may help you double check things.
If this article is helpful to you, you may wish to start at the beginning of his OAuth ASP.NET discussion as you might find it of interest to follow - "Token Based Authentication using ASP.NET Web API 2, Owin, and Identity"
Related
There aren't any good article explaining how to generate a refresh token in asp.net core 2.0 and how to generate a access token using the refresh token?
Any exports knows how this is handled in .net core 2.0?
The closer i got was this article but the getToken method is not explained.
http://bestaspnethostingreview.com/refresh-token-using-asp-net-core-2-0-and-json-web-token/
In the real world you won't be writing code to generate tokens - an authorization server will do this token issuing for you.
I would very much recommend using a real authorization server early - it is very educational and obviously better from a security viewpoint as well.
I have found Okta to be very developer friendly - you can go to Okta Developer Sign Up, register for free and start coding against it.
I have recently been starting a new blog at http://authguidance.com that covers getting UI logins working and then calling APIs (though my blog probably has more detail than you want):
I assume you want to write a web app in C#? If so then I would recommend plugging in the standard Microsoft security libraries to do the login processing for you.
Technically, the Microsoft libraries use the Authorization Code Flow, and your application will then issue an encrypted cookie containing an Okta refresh token.
Would it be useful if I write a small C# code sample for you that runs against Okta, with instructions on getting it working?
Currently, I think my understanding of OAuth and how it it is implemented in ASP.NET Web Api is flawed.
1) I keep seeing OAuth described as a server (i.e. the OAuth server). Is the OAuth implementation by a Microsoft a separate server with a different port or is it just referred to as a server even though it is self contained within the API project?
2) Is OWIN separate from OAuth or are the two linked such that they must be used together?
3) How does an OAuth v2 server keep track of tokens that have been revoked or have expired? Does the OAuth component have a database that keeps track of the tokens that it issues? If so, what type of database is it?
I have been reading the tutorials by Taiseer Joudeh from bitoftech.net but I think I am missing some of the basics.
Here are my responses:
You can implement the server as a stand alone authorization server or you can implement it together with the resource server. The Visual Studio template brings you both servers together, but you can separate them. Tutorials from Taiseer Joudeh will guide you very well, they did in my case.
OAuth 2.0 is an authorization framework, as said in its definition document. And OWIN stands for Open Web Interface for .NET. Both of them are different things, but Microsoft decided to do an implementation of OAuth 2.0 protocol using OWIN middlewares architecture. Then the easiest way to develop OAuth 2.0 servers in ASP.NET is using Microsoft.Owin.Security.* libraries implemented by Microsoft.
The OAuth 2.0 protocol does not talk about keeping track of expired or revoked tokens, you could implement if you want, but you only could do if the authorization and resource servers are both the same, and then you will need to access to database to check the token for each request, that it is not necessary. If the resource server is separated from the authorization server it has no direct access to the authorization server database. Normally you don't do that. The expiration check of the token is something that the Microsoft.Owin.Security.OAuth library makes for you. If a token received by the resource server has expired, the library responds with a 401 - Unauthorized response.
To make possible that the resource server can decrypt the token, you only need to set the same machine key in both servers' web.config file.
To avoid to have long lived access tokens you could set short access token timespan and implement refresh token. In this case, you could save refresh tokens in database and you can implement some method to revoke them.
Refresh tokens and its revokation are implemented in Taiseer Joudeh blog posts too.
I hope my explanations are clear and can help you. Please tell me if you have any other doubts.
I have a project that has both regular MVC controllers with Views as well as Web APIs.
I have implemented Forms authentication. This protects both my Web API as well as my MVC controllers. However since cookies are not supported by Mobile browsers I am looking for implementing an alternate token based authentication. Following questions
1) Is there any way to use token based authentication for both Web API as well as regular MVC controllers ?
2) Is there any way to pass bearer token automatically by the browser instead of manually putting it in request headers ?
3) How can I include authorization information in the bearer token ?
In response to your questions
1) you are looking at a hybrid flow which allows multi user clients being MVC and Mobile clients to obtain and use tokens, refreshing tokens is only available from the MVC client from what I know.
2) you can use identity server to send through authorization tokens or use the link below where you will insert authorization information (roles based) when sending tokens.
Please look at the following tutorial, it'll help in most of your requirements http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/
the below process which i have followed while implementing single sign on
Decoupled Authorization server & Resource server
Got access-token using client_credentials from Authorization server
Problem:
i have used mvc 4 application for resource server and can't able to access views(resource) from resource server using mvc controllers with Authorize Attribute
used access-token generated by authorization server
also read the below question:
"I have an un-secured MVC 5/Web API 2 application. It accesses resources using a combination of MVC controllers, and ajax calls to the Web API endpoints.
Eventually I would like to move all resource access into a separate Resource Server. However, for the time being, I would like to get the application into production as a proof of concept for a line of business applications secured using the OAuth 2 framework.
I have configured users in IdentityServer, and added the application to AuthorizationServer using a code flow client. Based on the sample provided with the AS code, I am able to retrieve an access token in the application, add it to the request headers for Web API endpoint calls secured with the Scope attribute.
My questions is how can I utilize this same flow to secure the MVC controllers? I imagine it would entail setting up an OWIN middleware component which will set the authorization headers for each request based on a cookie which contains the token. Am I on the right path, or should I go in a different direction with this?"
please let me know how to access the mvc resource using owin middleware instead of web api.
I am developing an ASP.NET MVC web application. The application is consuming a REST API, but authentication for REST-full application is quite unclear for me.
As REST is stateless, do I have to implement two different Authentications with two different databases, one for client, and one for the REST service?
Or, do I have to send the login/password each time, to authenticate on the server?
Please give me some advice or tutorial on this.
You can authenticate a Web API using individual user accounts that are stored in a database.
In this case client should obtain access token first. And then include it to each request, that requires authorization, header:
Authorization: Bearer boQtj0SCGz2GFGz[...]
Good tutorial can be found HERE
Also authentication methods could be extended in Startup.Auth.cs with Cookies or some external authentication methods (Google, Facebook etc)
The stateless isn't a main problem in your situation, problem is that browser can only send GET or POST request in tradition way in tag form, so to send PUT or DELETE request you should use Ajax, the easiest way is to use JQuery library and config it to send user credentials in http header(between requests it can be store in cookies) in every request and use basic-authentication if you plan use own auth logic. I recommned you to look some SPA frameworks like angularjs
or emberjs
or backbonejs
to simplify your life from hardcode JavaScript . Also in future you can easy extend your auth by OAUTH 2.0.