I'm looking to employ Thinktecture's IdentityServer3 solution as a SSO service across multiple web application the organisation makes available to external users.
Taking the MVC Authentication sample as a starting point I'm looking at bolting on a registration process for new users to capture extra details when they first come to use the systems. This process is common across all the services we provide so I wish to bundle it alongside our SSO service.
Is there an elegant way to inject extra business logic into the IdentityServer3 core service? Basically if they're a new user I need to redirect them to some registration pages before flicking them back authenticated to the web application that they originally wanted to authenticate against.
Both docs
https://identityserver.github.io/Documentation/docsv2/advanced/userService.html
and samples
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomUserService
cover this.
Related
As part of a process to update/secure/centralize our auth and licensing process, we are looking at using OIDC via Auth0. Part of our package is a web site that is typically hosted on customer networks. We are trying to figure out the appropriate flow to use in this situation. It seems like we would need to set up an appropriate Callback URL for the applications which would need to point at the customer hosted instances.
Is there more appropriate flow that doesn't require that callback? What is the appropriate way to handle that?
Sadly you will always need a Callback URL when it comes to the authentication workflow that way you know where to redirect users after login. I have attached documentation supporting this process. I hope this helps you in your adventure!
https://auth0.com/docs/users/guides/redirect-users-after-login
I have an ASP.NET application hosted as Azure App Service. This application is configured with Microsoft Authentication. But the problem is anyone with hotmail/live account will be able to access the application.
I wanted to restrict the access to my Application Pages to SPECIFIC hotmail/live users only.
What changes I have to do on Azure Portal?
What changes I have to do in my application?
Thanks,
Paraclete
Applications typically have two "gates" of security - authentication and authorisation.
The simplest way would be to set up a list in a store (e.g. SQL DB - or hard code for testing) of authorised users. Let the Microsoft Authentication handle authentication and then use your list for authorisation. Redirect to HTTP Status code 403 forbidden if a user is not in the list of approved users.
You could make this a bit more fancy by implementing groups/roles, which is more elegant and manageable. Look in to the ASP.NET Role provider for built in functionality to expedite development. That said, some people find this build in approach cumbersome and roll their own simple provider and add it in to the page life cycle or the master page to share the functionality across all pages.
im developing a .net core mvc application with authentication against azure active Directory. My Problem is, that i have two different azure avtice directories which are undepentandend to eachother. Based on the user Input (mail or employenumber) i will decide which active Directory should used.
Any idea or reference?
Thank You!
You're describing a multi-tenant application where the AAD common endpoint is used as the entry point to the application rather than a specific AAD login page. You can configure your application to trust more than one AAD instance. It's rather involved, but MS had good documentation on how to adopt a single tenant app to multi-tenant. I'd also highly recommend Vittirio's blog as a place to learn about AAD auth, and while you're at it, his book titled 'Modern Authentication with Azure Active Directory for Web Applications'
Once you've turned on multitenancy for your application, you'll want to handle AAD validation yourself by checking the tenant id in the incoming SSO request. You do this by overriding SecurityTokenValidated in UseOpenIdConnectAuthentication. You can refer to this example where the code validates against a database.
There are other considerations such as admin consent where an AAD admin has to grant access to restricted permissions to your application. Good explaination here.
There is a very good reliable open-source project for that (Identity Server)
https://github.com/IdentityServer/IdentityServer4
And also you can check that (openiddict)
https://github.com/openiddict/openiddict-core
Context:
We have a monster ASP.NET MVC 5/Framework 4.5 application that is planned to be divided in several others, so each new application will deal with a specific business domain instead of many. All those applications together will provide the same functionalities and services that are provided today by the existing single application.
We plan to use our own OAuth server to provide authentication and authorization for all the new smaller applications, so the very same users that use the current large application will have the same rights in the same functionality.
Currently we use Windows Authentication mixed with a secondary custom structure to establish what a certain user can do. We have our own role provider to generate the roles assigned to the users. When a certain controller action asks for the list of roles af a certain user, our role provider search in our custom structure and provide those roles, following specific business rules that make sense in our application.
We understand that the same rules that establish the set of the roles assigned to a certain user will be moved to our OAuth server.
We understand that the role-based security will be replaced by a claim-based security.
We understand that we will stop testing for roles and start testing for claims.
We understand that the first step of this refactoring should be add external authentication in our current large application and then start to break it into parts so we will have our new ecosystem.
Question:
How to change my current large application so it authenticate and authorize requests by using the new OAuth server instead by itself?
Note:
I´ve read a lot of blog posts but so far I couldn´t find a simple code sample that shows me what to do to instruct my application to go for an authentication/authorization token in my OAuth server and use it to grant or deny the access to a given controller action.
I'm currently designing a Service oriented architecture, and actually I'm facing how to design the login system.
What actually I came out with is:
webUI (client that performs several operations on other services)
loginService (stores user credentials)
other services...
Since the WebUI is one of the way to access services it makes sense to me have the login to be a separated service, so also designing access to specific services can be easily implemented.
But I'm not really sure if this is a good approach to design a login system, that most of the times will be accessed by the web interface. It could also be integrated inside the webUI itself, exposing some way to authenticate users trying to access other services directly.... What do you think about this?
I hope that's clear what I'm trying to do, if not please ask me and I'll update this post with the info you need to better understand. Thanks.
A couple of related scenarios:
Actual users authenticate and the application subsequently calls web services on their behalf
A system calls the web services
For 1, you can provide a web login as you suggest. You can then use the UsernameToken profile for web service authentication. Alternatively, you can explore a SAML-based SSO solution depending on your requirements, and send a SAML token to the web service.
Look into an STS for the second.