I enabled windows authentication for asp.net mvc project. I'm in company domain, and when I send an get request to server side, I don't see any special stuff like username/pwd in header/body. How does server know who am I? And if I send an ajax call to server, do I need to include username/pwd as part of this call? Please help.
Integrated Windows Authentication uses Negotiate (Kerberos) or NTLM authentication work the same way that Basic Authentication works.
When you send an initial request, the server responds with a 400 not authorized response. The browser sees the accepted types of authentication, and prompts the user for the username/password, or if it knows how to use the current windows login token and is configured to do so, it uses that token automatically.
NTLM Working from Fiddler Perspective
Related
I am quite new to Asp.net core identity and Identity Server 4. I am following online training course on implementing Authentication using Open Id Connect with asp.net core and Identity server 4.
If I further illustrate my solutions having Asp.net core mvc web application as client. Another asp.net core mvc web app as IDP (Identity Server4) and another asp.net core mvc web api as resource server.
For un-authenticated Users Login page on IDP is appearing. Problem for me is how does client web (asp.net core web app) knows user is not authenticated? My guess is when user first time access web app access token is not presenting on authorization header so authentication middleware knows this is not authentication request and redirect request to IDP Is it correct?
Then user redirect to Logic view of Account Controller how that redirection configured on IDP (I mean here is how exactly redirect to Account controller login page)?
Furthermore what is purpose of RedirectUris(https://localhost:44326/signin-oidc) configure on IDP. and how it works
By the way in here I am using Authorization Code flow and IdentityServer4.Quickstart.UI AccountController comes from there.
Either you know what api needs authentication, therefore, if you don't have this token available anywhere, you shall redirect the user to the oauth server. Once this one redirects back on your application, you will find the token in the url (a parameter of it if my memory is good). This token will have to be saved in memory for later usage or in your application db (standard browser feature). Then you can make a call to the api using this token that you stored.
If you don't know what api needs authentication or if your token is expired, you make the call to the api anyway, and then you get an 403 error (not authorized). Any 403 error should make the client application decide to redirect the user on the authentication portal to get an new token.
As you use code flow, I suppose you must develop a react, angular or any spa application. So I advice you to use oidc-client. It is a javascript library that is developed by the same guys who developed identity server. It makes the client very simple to develop when dealing with oauth authentication.
Here a more detailed description of the process and check/variable that are done/used:
The client application (javascript/html5) makes a call to the resource server without any token in the authentication http request header
The resource server (your api server) tries to get the token in the header
doesn't exists. This means the request is not authenticated.
The resource server return an 403 error to the client before even making any controller call or even authorization checks (roles and such)
The client catches this 403 error, and then knows that a token is necessary for this call.
The client stores the url of the request that failed and its post (if applicable) in the application db
The client redirects the browser to the authentication server url, by transmitting the client id (the identifier of the javascript/html5 application for the authentication server), the scope (what set of resource that should be used by this client application in the context of this authentication request) and the url where the authentication server should reidrect the user back once he is authenticated.
The authentication server asks the users to authenticate (in any way you can imagine, but most of time it is by asking him a login and a password)
if the user is recognized by the authentication server (password that matches the login), this one will check if the return url (the url that was transmitted by the client application for it to be used to redirect the user on the right page once he is authenticated) is in the list of granted return urls for this client application (the RedirectUris you are wondering about). The point of this is to ensure that the the issued token is not transmited to an ungranted application (like a external javascript/html5 application hosted in china that could find a way to suck some data from your api server that only your user can know about and submitting it to a russian api server without the user even noticing it)
it also checks if this client application (not the user... here it's to ensure that a specific client javascript/html5 application can access a set of resources) can use the scope that is requested.
if checks are ok, the authentication server issues an access_token by signing it with its private key.
the authentication server redirects the user on the initially transmitted return url, by setting the access_token in the url as a parameter.
the client application get this parameter and stores it somewhere (anywhere you want, but most of time in the application db and in memory)
the client application get the url that stored for the call to be done again, but with the access_token in the authentication header this time
the api server (or resource server) receives the http request again
finally find an access_token and checks if the it was actually issued by the authentication server (using its public key) since it is the only tiers that is trusted to issue a token.
then it can trusts what is in the token: the user id that is mentionned inside, scopes (set of features) that are allowed to be accessed, etc...
then it calls the controller and returns the response. If the token is expired, (a simple date that is in the token) it doesn't make any call to the controller and return a 403.
FYI, anything that is in the token can be trusted if its signature has been done by then authentication server. This system prevents the man in the middle security breach. Meaning: a guy who got a token by spying the network activity, changes what is inside this token so that he can make any call he want against your api server. Any changes that is made in this token will be detected because the signature (some sort of encrypted hash) won't match the new content anymore. And this signature, if everybody can check it in the world with the public key, only one tiers can issue it with its private key: the authentication server.
I tried to make it as complete as possible and yet still understandable for a newbie in oauth that you claim to be. Hope this helps.
Between the Authorization Request (3.1.2.1) and the Authentication Response (3.1.2.5) the authorization server is responsible for validating the request, authenticating the user, and get user-consent before sending the response.
http://openid.net/specs/openid-connect-core-1_0.html#ImplicitFlowAuth
How is that supposed to work in a SPA application?
If I issue an ajax request the authorization server can't authenticate the user (I don't see how since there's no cookie, http-header or url fragment telling the Authorization Server who the user is). If I redirect the user to the authentication endpoint my SPA is unloaded. Since I don't have a server redirect_uri (which I've understood is the whole point of the implicit flow?) the endpoint can never reach my SPA again.
Obviously I'm missing something. How is the authentication and user-authorization chrome supposed to be shown to the user in the implicit flow?
OAuth 2.0/OpenID Connect separate the authentication from the application. You would redirect unauthenticated clients/users away from your application before anything is loaded and only handle the authorization response in the SPA. Your redirect URI would point to the SPA. In any case, you would not handle the OAuth 2.0/OpenID Connect dance in Ajax but in a full browser.
I am trying to implement:
An MVC Web API server to return content on-demand (REST Server)
A Central authentication OAuth 2.0 server (for example OWIN)
An Android end-user side Application
The Scenario is like this: Android application requests content on REST Server, if its token is expired, REST server makes a request on authentication server to identify the client. The REST server should be registered using its own [id,secret] on authentication server and then Android application should be informed to identify on central authentication server using end-user [username,password] and Android application [id,secret].
So REST server must be registered on authentication server using fixed [id,secret].
Android application must be registered on authentication server using fixed [id,secret] and end-user [username,password].
So the problem is most samples on the web use cookie based sessions that cannot be used via a REST server and a non-browser end user (at least it is not recommended). I did not find a clear example to explain the implementation of this scenario or even some part of this, all that I found were some beginner code snippets.
Thanks for your help.
I recommend you posts on Token Based Authentication and Enable OAuth Refresh Tokens from Taiseer Joudeh, wich teaches you step by step in the process to create a token based Authentication (mobile friendly, without cookies storage) and refreshtoken for managing token expiration.
Note: Don't be afraid if the post title talks about "AngularJS". You can skip this part.
I have an ASP.NET [MVC] application which has a claims based authentication scheme running. ADFS authenticates users and redirects back to the application domain with relevant token.
Now, I'd like to simulate this process from start to end. I was able to get a SAML 2.0 token object of type GenericXmlSecurityToken from ADFS via some powershell scripting but couldn't figure out how to create an SSL tunnel and pass the token to the application just to download the Index view. Any use of net.webclient ?
You have to send SAML 2.0 token to some SP application according with SAMLP standarad.
First, that application have to know how to handle SAML tokens. Second is to send it properly. If you want to send authentication response per instance you have to create HTTP POST request to your application on specific address where it is expecting it.
Take a look over SAML protocol documentation.
I have a Windows Phone application which is reading and writing data from a WCF Data Services service which is hosted in and ASP.NET MVC 3 application.
I can configure both client and server as necessary. I'd like to use OpenID if practical, and once a user is authenticated on the phone they should be able to browse through data which is associated with their OpenID.
How should I configure client and server to make that work?
To use OpenID in your app you should look at using an embedded WebBrowser control which connects to the provider site (or your site which can redirect). When the OpenID provider returns to your site (embedded in the browser control) you'd pass necessary identifiers back to the app.
There's an example of doing this with a twitter app (using OAuth) at http://blog.markarteaga.com/OAuthWithSilverlightForWindowsPhone7.aspx
OpenID is an awkward choice. It sounds like the user already has data associated with their account, which means that the user would have to login to the server at some point in time to set up this data, and then login to the app with the same credentials to access this data. The issue is that of securely verifying that the client app has indeed authenticated the user in question. Assuming that the client app (somehow) has the user's OpenID is not enough because the server can't implicitly trust what the client app tells it.
Off the top of my head, I'd say, what could be done with OpenID is as follows.
First, set up OpenID authentication on the server. Then, when the client app needs to authenticate, it should use the WebBrowser control to point to a server URL that, in turn, lets the user authenticate with their OpenID provider, and points the browser back to the server with the authentication info. At this point, the client app is unaware of the user's authentication status, but the server knows who they are. Now, the server can generate a single-use auth key for the client to use. It can redirect to a special URL with that key in it, at which point the client detects said URL, extracts the key, hides the WebBrowser control, and uses that key to talk to the server. I believe that would be a secure way to do such authentication, but like I said, this is just off the top of my head.