I'm working on an application that allows people to authenticate with the same credentials in both MVC and Windows Phone apps. Data access for the phone and MVC client should be via Web API (or alternatively via WCF).
I've already read dozens of articles on authorization frameworks and it gave me a headache as there's quite a few of them and I don't even know how to start.
So my questions are: how can I accomplish these goals? What authorization framework should I use?
Related
We are a new tech team that has inherited a webforms app. We are planning on building out an internal API and would like some guidance for implementing it with our existing app.
Ideally we would like an independent app hosting the identity server, and both internal APIs and webform app would call it. However, we host hundreds of websites on a single platform in a multi-tenanted setup.
Can we use IS4 with webforms?
Can you give some guidance around multi-tenanted setups?
Can we use cookie based authentication in the webforms app and use the same token for delegated access when communicating with the api?
Have I missed anything obvious?
These are Application Types and Scenarios that Azure AD supports:
Web Browser to Web Application
Native Application to Web API
Web Application to Web API
Daemon or Server Application to Web API
I have two questions:
I would like to understand where my scenario below fits.
I think I need to use JWT tokens and it seems that Native Application to Web API is the closest,
but I still need Asp.Net MVC application to deliver Client side Angular MVC resources (html templates, controllers and Rest services)
Which Azure Active Directory Code Samples are the closest to my scenario below:
I would like to create a multi-tenant Angularjs (delivered using Asp.Net MVC 5) and Rest Web API 2 secured with Azure AD. I would like to have tenants choose their domain names like firstTenant.com,
smt.firstTenant.com or to have subdomains like firstTenant.MySaaS.com, secondTenant.MySaaS.com
or MySaaS.com/firstTenant, MySaaS.com/secondTenant or similar domain naming scheme.
I would use some kind of IoC container to add customization to my SaaS application or similar to deliver specific functionality to each tenant (GUI and business logic and DB).
I would use and Asp.Net MVC application that will custom tailor SPA resources (html templates, .js controllers, .js services, .css, images etc) to each tenant and use some partitioning techniquest to retrieve tenant and user specific content from DB called from Rest API controllers.
Thanks,
Rad
I am also facing the same 'i dont know' issue :)
But far as i have researched the authorization flow from SPA aplication to the web api.
You still need webserver(mvc) project that will privide redirecting to the Identity provider (azure AD) login page and on the IP callback you will need to inject baerer token to Angular auth service that will send token to the api or deal with the refresh token.
So for me I think that, Web Application to Web API, is the right direction programming.
pls comment if i'm wrong
Currently i'm investigating link
http://code.msdn.microsoft.com/windowsazure/MyCompany-demo-applications-eedab900
update 2:
http://www.cloudidentity.com/blog/2014/04/22/AUTHENTICATION-PROTOCOLS-WEB-UX-AND-WEB-API/
Maybe it will be helpful to us.
So I am trying to secure an ASP.NET Web API Service so that an iOS (iPhone 4/5) application can access it RESTfully using their Windows user name and password (don't ask :) ), and I have followed this article here, and for the most part it works, I just modified it a little to use Active Directory Services to validate the user name and password, but I am wondering if there are better ways to secure a ASP.NET Web API that will be used from non-browser clients as well as browsers possibly?
This is hosted with IIS7, so should I just let IIS control the authentication?
Need a little guidance... Thanks
It's a bit unclear specifically what you are looking for, in my experience assuming I'm authenticating against a server the keys were
Put access to the APIs behind https
Send the request via POST.
If you're also coding the iOS side, make sure you are implementing authentication challenging properly. Here's an article on the iOS side: http://mobiledevelopertips.com/networking/handling-url-authentication-challenges-accessing-password-protected-servers.html
I developed a website in ASP.NET MVC 4 using NHibernate, now I need to perform an integration with the site using Windows Forms.
How can I perform authentication system using the same users?
What technology should I use? Web API, SOAP or Rest?
Thanks!
Small clarification of terms : REST is an architectural style, SOAP is a protocol for exchanging information, and Web API is a framework to build HTTP Services.
The stock answer for questions like this is "It depends"
Before you continue with a technology selection, currently is your method for authenticating users separated properly from your business/presentation logic?
If that is the case, being that you are using MVC 4, Web API may be the path of least resistance, you can put all of the functionality that requires authentication behind Web API calls. And your controllers will call them. Once that is done, a Windows forms app can consume the data in a similar way.
Scenario:
I have an ASP.NET MVC 2 site using ASP.NET Forms Authentication.
The site includes a Silverlight 4 application that needs to securely call internal web services.
The web services also need to be publically exposed for third party authenticated access.
Challenges:
Securely accessing webservices from Silverlight using the current users identity without requiring the user to re-login in in the Silverlight application.
Providing a secure way for third party applications to access the same webservices the same users credentials, ideally with out using ASP.NET Forms Authentication.
Additional details and limitations:
This application is hosted in Azure.
We would rather NOT use RIA Services if at all possible.
Solutions Under Consideration:
I think that if the webservices are part of the same MVC site that hosts the Silverlight application then forms authentication should probably "just work" from Silverlight based on the users forms auth cookies. But this seems to rule out the possibility of hosting the webservices seperately (which is desirable in our scenario).
For third-party access to the web services I'm guessing that seperate endpoints with a different authenication solution is probably the right answer, but I would rather only support one version of the services if possible...
Questions:
Can anybody point me towards any sample applications that implements something like this?
How would you recommend implementing this solution?
You can extend WCF to use Membership as authencation store and reuse the FormsAuth Cookie (send by the MVC site) to the browser by the Silverlight app.
I would recommend using an STS with Windows Identity Foundation so you can have your app use claims identity and then change authentication outside the app. For third party you can use Windows Azure Access Control Service (ACS). We are updating our guidance on this and you can look at the new code to show you how to do this at our codeplex site. The original book is available at Amazon. I would focus on the updated guide because it has ACS has websites and an active client talking to WCF. The client is WPF but it would similar for Silverlight.