Microsoft.Owin.Security.OAuth UserInfo endpoint - oauth

I am implementing an OAuth server using Microsoft.Owin.Security.OAuth.
I use the OAuthAuthorizationServerOptions to set up AuthorizeEndpointPath and TokenEndpointPath. It looks like there is no option for a UserInfoEndpointPath, though.
The OAuthV2 spec does discuss this endpoint vaguely:
"This specification does not define a resource owner profile information API. It is assumed that other APIs such as the SCIM API [I-D.ietf-scim-api] or the OpenID Connect [OpenID.Core] UserInfo Endpoint could be used for this purpose."
So, is there no way to leverage OAuthAuthorizationServerProvider to provide this endpoint? Would I have to make a separate MVC controller endpoint? Or is there a better way?
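One way to do what the question asks, as an added example that is not part of the question or of Microsoft's own samples: serve /userinfo from the same Katana pipeline instead of an MVC controller, behind the bearer middleware that unprotects the tokens the server issues. Assumed: the Newtonsoft.Json package is referenced, the access tokens carry a "profile" scope claim, and the authorization server's Provider is configured elsewhere (omitted here).

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Newtonsoft.Json;
using Owin;
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            AuthorizeEndpointPath = new PathString("/oauth/authorize"),
            TokenEndpointPath = new PathString("/oauth/token")
            // Provider = your OAuthAuthorizationServerProvider (omitted here)
        });
        // Unprotects "Authorization: Bearer <token>" with the same ticket format the server
        // above issues with, and sets context.Authentication.User when the token is valid.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        // There is no UserInfoEndpointPath option, so map the path by hand.
        app.Map("/userinfo", branch => branch.Run(HandleUserInfo));
    }
    private static async Task HandleUserInfo(IOwinContext ctx)
    {
        ClaimsPrincipal user = ctx.Authentication.User;
        if (user == null || !user.Identity.IsAuthenticated)
        {
            ctx.Response.StatusCode = 401;   // RFC 6750 challenge for a missing/invalid token
            ctx.Response.Headers.Set("WWW-Authenticate", "Bearer error=\"invalid_token\"");
            return;
        }
        if (!user.HasClaim("scope", "profile"))   // assumed scope name guarding profile data
        {
            ctx.Response.StatusCode = 403;
            ctx.Response.Headers.Set("WWW-Authenticate", "Bearer error=\"insufficient_scope\"");
            return;
        }
        // Same shape as the OpenID Connect UserInfo response: "sub" plus profile claims.
        var body = new
        {
            sub = user.FindFirst(ClaimTypes.NameIdentifier)?.Value,
            name = user.Identity.Name,
            email = user.FindFirst(ClaimTypes.Email)?.Value
        };
        ctx.Response.ContentType = "application/json";
        ctx.Response.Headers.Set("Cache-Control", "no-store");
        await ctx.Response.WriteAsync(JsonConvert.SerializeObject(body));
    }
}
```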

Related

web api authentication in MVC application?

I'm confused about how Web API implements authentication.
I have gone through these links (Link1, Link2) and need to summarize what I understood:
OWIN Katana is a mechanism that can be implemented for authorization. There will be an IPrincipal which can be created either in the host or in the HttpModule, and which will be attached to the current thread to validate. Token-based authentication implements OWIN.
I have very little idea about the authentication mechanism in Web API. If someone can help me understand this, it would be great.
I have the following doubts:
Is OWIN a new way of authentication in MVC, or does it already exist as part of Windows and forms-based authentication?
If I wrote a module to authenticate, what are the different ways I can use it to authenticate an API method/controller?
The answer to your question could be quite big; I will try to give you some guidelines:
Katana is Microsoft's implementation of the OWIN standard:
https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/getting-started-with-owin-and-katana
Token-based authorization is supported by OWIN and, therefore, by Katana.
There are two very usual ways to implement this token authorization. You can use Windows authorization:
https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/enabling-windows-authentication-in-katana
or you can use a more standard and recommendable way using OAuth:
https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
With ASP.NET (netfx, not Core), you use attributes at controller level to provide the metadata necessary to implement the authorization and authentication.

What is scope in IdentityServer

I am trying to understand IdentityServer3 and the different terms associated with it in order to secure my Web APIs. Can someone explain what the significance of Scope in IdentityServer is, with some good example?
I found this link, but the idea is not clear.
Thanks in advance!
Scope
It's safe to say that a Scope is kind of a role for accessing a specific set of resources, IMHO. IdentityServer has two scope types; the ScopeType enum is defined and described as 'OpenID Connect scope types.'
Identity Scope: representing identity data (e.g. profile or email)
For example, if you have a profile identity scope, then clients with this scope can get the profile data from an identity provider (e.g. IdentityServer).
Resource Scope: representing a resource (e.g. a web API)
For example, if clients have a calendar resource scope, then they can call a /get/calendar/months web API and get the resources.
Scope will be included in a Claim when an HTTP request with an access token is in flight, and will be further validated at the validation stage for the access token.
Of course, the client should be added prior to running IdentityServer, and proper scopes should be specified in AllowedScopes, a member of the Client class in IdentityServer.
The better resource to learn about OAuth2 is the IETF, and about OpenID Connect is openid.net.
IdentityServer is an implementation of OAuth2 and OpenID, so its documentation will not cover the basics related to OAuth2 and OpenID.
To understand scopes, you should first have a clear understanding of clients.
Client: models an OpenID Connect or OAuth2 client (not your client application), and it should have a clear flow; for example, you define a client which uses implicit flow.
The flow is the way that you should follow in order to get the needed data, for example access_token and id_token.
All flows can be used with any case, but there are recommended flows for every case.
For example, up until now it was recommended that you use implicit flow with native and JavaScript clients. Though recently this has been changed to Authorization Code with PKCE. See Identity Server's blog post on this change to IETF/OpenID recommendations.
Scopes: models OpenID Connect scopes (identity scopes like email, given_name etc.) or OAuth2 scopes (resource scopes like your WebApi whose data you want to protect).
You can think about scopes as the intent of the client, for example: the client asks you, the resource owner, to grant it access to your openid scopes > given_name, email & preferred_username and your OAuth2 scope > WebApi.
For full understanding:
1- Pluralsight - Building and Securing a RESTful API for Multiple Clients in ASP.NET
2- Pluralsight - OAuth2 and OpenID Connect Strategies for Angular and ASP.NET
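The calendar scenario from the two answers above, as an added example that is not from either answer or from the IdentityServer3 project: identity scopes plus one resource scope, a client whose AllowedScopes lists them, and a Web API filter that enforces the scope claim on the access token. The client id, name and redirect URI are constructed sample values.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;
using IdentityServer3.Core.Models;
public static class IdSrvConfig
{
    // Identity scopes describe the user; the "calendar" resource scope stands for the Web API.
    public static IEnumerable<Scope> Scopes()
    {
        return new[]
        {
            StandardScopes.OpenId,
            StandardScopes.Profile,
            new Scope { Name = "calendar", DisplayName = "Calendar API", Type = ScopeType.Resource }
        };
    }
    public static IEnumerable<Client> Clients()
    {
        return new[]
        {
            new Client
            {
                ClientId = "calendar-spa",   // constructed sample client
                ClientName = "Calendar SPA",
                Flow = Flows.AuthorizationCodeWithProofKey,
                RedirectUris = new List<string> { "https://spa.example.test/callback" },
                // A request for any scope not listed here is rejected at the authorize endpoint.
                AllowedScopes = new List<string> { "openid", "profile", "calendar" }
            }
        };
    }
}
// Web API side: IdentityServer emits one "scope" claim per granted scope in the access token.
public class RequireScopeAttribute : AuthorizeAttribute
{
    private readonly string _scope;
    public RequireScopeAttribute(string scope) { _scope = scope; }
    protected override bool IsAuthorized(HttpActionContext ctx)
    {
        var user = ctx.RequestContext.Principal as ClaimsPrincipal;
        return user != null && user.Identity.IsAuthenticated && user.HasClaim("scope", _scope);
    }
    protected override void HandleUnauthorizedRequest(HttpActionContext ctx)
    {
        // 401 when there is no valid token at all, 403 when it is valid but lacks the scope.
        bool authenticated = ctx.RequestContext.Principal != null && ctx.RequestContext.Principal.Identity.IsAuthenticated;
        ctx.Response = ctx.Request.CreateResponse(authenticated ? HttpStatusCode.Forbidden : HttpStatusCode.Unauthorized);
    }
}
```

Decorate the delete or calendar action with [RequireScope("calendar")]; a token issued to a client whose AllowedScopes lacks "calendar" never carries that claim, so the call is refused before the controller runs.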

HowTo Request an ActAsToken from IdentityServer, holding an OAuth2 JWT bearer token in the WebApi?

We're trying to extend our current infrastructure to be able to use WebApi/OAuth2 for our mobile apps. Currently we have been using SAML tokens for the mobile apps, but it's too heavy. I was hoping somebody here could point me in the right direction for getting an ActAsToken for our already WIF-protected WCF services ... We've come to a point where we have imported the AuthorizationServer from Thinktecture into our solution, and we're now holding a fully legit JWT token which we use from our code example calling the WebApi. We've made the first call into the protected WebApi project and we can access the claims on the ClaimsPrincipal from within the WebApi.
So far, so good ... I've seen multiple examples on how to get into the secured WebApi and I've done that successfully with OAuth2. But now I need to get from the WebApi down to the middle-tier WCF services which are protected by WIF using SAML tokens (we still want to use the SAML tokens for the WCF services; we've already got the speed increase by getting the OAuth2 refresh tokens/access tokens onto our mobile devices).
I'm wondering how we'll go from here, making an active sign-in against our StandardTokenService to get a SAML ActAs token so the WebApi can call our middle-tier WCF services which are protected with SAML tokens. I found a similar post on this matter here: Identity Delegation ActAs with JsonWebToken, but so far it's still unanswered.
The post above has a similar setup to ours: we need to get a DelegationToken (ActAs) from our IdP, from the JWT OAuth2 token we're holding inside the WebApi project.
Am I missing something? I want to get the ActAs token from within the secured WebApi to be able to call all our WCF services in the middle tier, which are already protected by WIF using SAML tokens.
We want the mobile devices to hold the JWT refresh token/access tokens to speed things up (instead of full-blown SAML tokens), but then we need to get the ActAs tokens, calling from the WebApi, to be able to communicate with the WCF services on the middle tier. The ideal solution would be to be able to create a RequestSecurityToken (RST) with enough information populated from the JWT to be able to issue a legit ActAs token (before, we populated the RequestSecurityToken (RST) from the SAML bootstrap token) for the WebApi to use.
Kind regards,

Access tokens and 2-legged OAuth2

I am learning OAuth2 for the first time. I am going to use it to provide authentication for some simple web services using a two-legged approach.
According to what I have read, the flow should go like this: the web service client supplies some kind of credential to the OAuth server (I'm thinking of using JWT). If the credentials are valid, the OAuth server returns an access token. The web service client then supplies the access token when attempting to use the web service endpoint.
Here is my question: why not just supply the JWT when making a request to the endpoint? Why is OAuth's flow conceived this way? Why not just supply the JWT to the endpoint and use that for authentication? What is the advantage of having the extra step of getting an access token?
Thanks!
You can certainly supply the JWT directly to the web service. The question is how you generate it in a way that the service trusts.
A JWT is an access_token, but not all access_tokens are JWTs.
Your client can issue a JWT, sign it with a key (or a cert) and then send it to the API. The advantage of having a 3rd party (an Issuer) is that you can separate authentication from issuing tokens. Clients can authenticate in multiple ways (e.g. user/password, certs, keys, whatever) and then use the JWT to call your API.
The additional abstraction gives you more flexibility and management scalability. For example: if you have one consumer of your API, then you are probably OK with a single credential (or JWT, or whatever). If you plan your APIs to be consumed by many clients, then handing that responsibility to a specialized component (e.g. the issuer) makes more sense.
OAuth, BTW, was designed for a specific use case: delegating access to an API to another system on your behalf. You grant system A access to resources on system B on your behalf, with a permission scope.
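The issuer side the answer describes, as an added example that is not the answerer's code: a Katana OAuthAuthorizationServerProvider that authenticates the client (HTTP Basic or form credentials, RFC 6749 section 2.3.1) and only then mints an access token, so the API itself never handles client credentials and only validates bearer tokens. The client registry with its id, secret and scope is a constructed sample; a real store would keep a hash of the secret. Plug the provider into OAuthAuthorizationServerOptions.Provider.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;
public class ClientCredentialsProvider : OAuthAuthorizationServerProvider
{
    // Constructed sample registry: client_id -> (secret, allowed scopes).
    private static readonly Dictionary<string, Tuple<string, string[]>> Clients = new Dictionary<string, Tuple<string, string[]>>
    {
        { "reporting-job", Tuple.Create("sample-secret", new[] { "reports.read" }) }
    };
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string id, secret;
        // Credentials may arrive in the Authorization header (Basic) or in the form body.
        bool present = context.TryGetBasicCredentials(out id, out secret) ||
                       context.TryGetFormCredentials(out id, out secret);
        Tuple<string, string[]> client;
        if (!present || !Clients.TryGetValue(id, out client) || !FixedTimeEquals(client.Item1, secret))
        {
            context.SetError("invalid_client", "Client authentication failed.");
            return Task.FromResult(0);
        }
        context.Validated(id);
        return Task.FromResult(0);
    }
    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        string[] allowed = Clients[context.ClientId].Item2;
        string[] requested = context.Scope.Count == 0 ? allowed : context.Scope.ToArray();
        if (requested.Except(allowed).Any())
        {
            context.SetError("invalid_scope", "Scope not allowed for this client.");
            return Task.FromResult(0);
        }
        // This identity is serialized into the access token; the API sees it as the caller's principal.
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim("client_id", context.ClientId));
        foreach (string s in requested) identity.AddClaim(new Claim("scope", s));
        context.Validated(identity);
        return Task.FromResult(0);
    }
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0; for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```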

How to set scope to client application in wso2

I have set up WSO2 API Manager 1.6, and I have a REST API at the backend which it calls.
I know that WSO2 provides OAuth 2.0 support, but I am not able to find out how scopes are handled.
This is my specific scenario:
I have a client application to which I want to assign the scope "view photos", and another client application with a scope to "delete photos".
Now in the API Manager I want to restrict access to the delete API only to the client application which has the "delete photos" scope.
How can this be handled in WSO2?
One approach is to explicitly get information about scopes in your application and perform manual validation (or through some framework, like Spring Security in the Java world).
Scope information for an OAuth token can be found by sending a request to the validation web service at the Identity Server (or the API Manager server, if you do not have a separate IS).
The validation service endpoint is: services/OAuth2TokenValidationService/
The WSDL file for this SOAP service can be found in their repository.
EDIT:
Since API Manager 1.7 you can define these security settings in the manager itself. Check out this blog post for details: http://nuwanzone.blogspot.ru/2014/06/oauth-20-scopes-with-wso2-api-manager.html