JWT token parsing and Claims authentication in .Net 4.0 - oauth-2.0

My company wants to start using OpenID Connect for its authorization and identity. The website is .NET 4.0, so OWIN is out. I've searched and searched but I can't find a 4.0-compatible library. Does anyone know of a library for parsing JWT tokens (or even better, converting them into claims) that is built for .NET 4.0?

Related

How to use Asp.net MVC Core with Asp.net Identity Core and WebAPi Core?

I am going to create a web app using .NET Core. In future, I will also create a mobile application for the same application. Now I am thinking about the architecture of the project. I want to use Web API Core using ASP.NET Identity Core. Also, I will consume the Web API in the MVC Core application. But the question I have in mind is how I can handle ASP.NET Identity with MVC and Web API. Do I need to include it in MVC as well, or only in Web API?
I tried to think hard but I am still confused. Need suggestions.
You can use token-based authentication.
In a resource owner flow scenario, your client app (MVC application/native application) will consume your web API by providing the user's credentials; the web API will validate the credentials (using ASP.NET Core Identity) against the database. If the username and password are correct, then a JWT authentication token and the user details are returned. Your client app could validate the token and sign in the user:
ASP.NET Core 2.2 - JWT Authentication Tutorial with Example API
Token Authentication in ASP.NET Core 2.0 - A Complete Guide
In addition, IdentityServer4 is a good choice when you want to roll your own full-fledged OpenID Connect authorization server that can handle complex use cases like federation and single sign-on.
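The two steps the answer above leaves implicit, issuing the JWT after the credentials check and then validating it and turning its payload into claims, as an added example that is not part of the original posts or of any of the libraries they link. It is written in plain Python with no third-party package so it runs anywhere; the secret, issuer, audience and claim values are constructed for the demo. The dictionary that token_to_claims returns is what a .NET app would load into a ClaimsIdentity as Claim objects.

```python
# Added example (not from the original posts): mint an HS256 JWT and validate it
# back into claims. Secret, issuer, audience and claim values are constructed.
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised for any token that must not be accepted."""


def b64url_encode(data):
    # JWT uses base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment):
    # Restore the padding the token dropped before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_segment(obj):
    # Compact JSON (no spaces) keeps the token short
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs256(signing_input, secret):
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(claims, secret, lifetime_s=900, now=None):
    """Build header.payload.signature after the credentials were checked."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + lifetime_s)
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    return signing_input + "." + b64url_encode(sign_hs256(signing_input, secret))


def token_to_claims(token, secret, issuer, audience, now=None):
    """Verify a token and return its claims; raise TokenError for anything else."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError:
        raise TokenError("undecodable header or signature")
    # Pin the algorithm: the token's own "alg" must never select the verifier,
    # otherwise "none" or a key-type confusion would bypass the signature check.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected = sign_hs256(header_b64 + "." + payload_b64, secret)
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    # Only after the signature passed is the payload worth parsing.
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise TokenError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("wrong audience")
    if now >= claims.get("exp", 0):
        raise TokenError("expired")
    if now < claims.get("nbf", now):
        raise TokenError("not yet valid")
    return claims


if __name__ == "__main__":
    # Constructed demo values; a real secret comes from configuration, never source.
    secret = b"demo-signing-secret"
    tok = issue_token({"iss": "https://issuer.example", "aud": "api://orders",
                       "sub": "alice", "role": "admin"}, secret)
    print(token_to_claims(tok, secret, "https://issuer.example", "api://orders"))
```

The checks run in the order a validator should use: structure, algorithm pin, signature, and only then the issuer, audience and time claims, so that nothing from an unverified payload influences a decision. Passing now explicitly makes expiry testable without waiting.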
So your question is maybe a bit open-ended for Stack Overflow, and you don't really show what you have tried so far.
I will try to answer though. First you just need to start out with a template for your project. Start an MVC project, in which you can easily have API endpoints as well. I would suggest splitting those into two projects for clarity, but if it is just a small personal project then you are probably fine having them in the same project. Microsoft have a pretty good resource on MVC:
Microsoft MVC walkthrough
For the Identity part, you would need some kind of authority for it to work. I suggest you take a look at IdentityServer4, which offers an excellent walk-through of how to set it up and how to integrate it with ASP.NET Core Identity:
IdentityServer4

How to generate and create a refresh token in ASP.net core 2.0

There aren't any good articles explaining how to generate a refresh token in ASP.NET Core 2.0 and how to generate an access token using the refresh token.
Any experts know how this is handled in .NET Core 2.0?
The closest I got was this article, but the getToken method is not explained.
http://bestaspnethostingreview.com/refresh-token-using-asp-net-core-2-0-and-json-web-token/
In the real world you won't be writing code to generate tokens - an authorization server will do this token issuing for you.
I would very much recommend using a real authorization server early - it is very educational and obviously better from a security viewpoint as well.
I have found Okta to be very developer friendly - you can go to Okta Developer Sign Up, register for free and start coding against it.
I have recently started a new blog at http://authguidance.com that covers getting UI logins working and then calling APIs (though my blog probably has more detail than you want):
I assume you want to write a web app in C#? If so then I would recommend plugging in the standard Microsoft security libraries to do the login processing for you.
Technically, the Microsoft libraries use the Authorization Code Flow, and your application will then issue an encrypted cookie containing an Okta refresh token.
Would it be useful if I write a small C# code sample for you that runs against Okta, with instructions on getting it working?

Authenticating Asp.NET CORE web application from Xamarin

I have an ASP.NET Core web application with built-in authentication.
How can I authenticate a Xamarin native mobile app against the web app and use its web services?
Is there any Xamarin library for authenticating against Microsoft Identity Server?
I found an article describing creating a web service backend in ASP.NET Core, but it omitted authentication (why?):
https://learn.microsoft.com/en-us/aspnet/core/mobile/native-mobile-backend
In the article they use the Web API template; the problem is that ASP.NET Core does support personal authentication out of the box (at least for right now).
Take a look at this project: OpenIddict. It's really easy to use and they have a lot of examples of how to build your own authentication service based on ASP.NET Core Web API. There is only one drawback of this project (in my opinion): out of the box, OpenIddict supports only EF Core as the data access library, but you can implement your own provider.
There's no Xamarin client for Microsoft Identity Server per se, but you can use OAuth2. It's pretty standard.
By implementing an OAuth2 server like OpenIddict, IdentityServer or AspNet.Security.OpenIdConnect.Server, you can use any OAuth2 client to authenticate, whether from a JavaScript application or from Xamarin.
For Xamarin/.NET clients, there is an awesome client (PCL) called IdentityModel.

How to implement an OAuth 2.0 Authorization Server?

I understood how to write running OAuth 2.0 code for the client side.
Using an existing Authorization Server, like Google, seems to be not too complicated.
The question is: how do I implement my own Authorization Server?
Since many companies have their own user/privilege system, LDAP based (e.g. Active Directory), etc., they must have their own Authorization Server.
Is there a framework, libraries, etc. for that? Or do I have to write the code from scratch?
The best reference is the OAuth 2.0 site. They list the available server libraries that you can use. Currently, the options are:
Java
- Apache Oltu
- Spring Security for OAuth
- Apis Authorization Server (v2-31)
- Restlet Framework (draft 30)
- Apache CXF
PHP
- PHP OAuth2 Server and Demo
- PHP OAuth 2.0 Auth and Resource Server and Demo
- PHP OAuth 2.0 (AS with SAML/BrowserID AuthN, with management REST API, see DEMO)
Python
- Python OAuth 2.0 Provider (see Tutorial)
- OAuthLib (a generic implementation of the OAuth request-signing logic) is available for the Django and Flask web frameworks
Other
- NodeJS OAuth 2.0 Provider
- Ruby OAuth2 Server (draft 18)
- .NET DotNetOpenAuth
- Erlang OAuth2 Server framework
I would also highly recommend that you read all the documentation available on how the standard works before getting started. There are many parts to OAuth and it can get confusing. At least, that's how I feel.
Check out OpenAM by ForgeRock. With little work you should be able to get a Java-based OAuth authorization server running.
http://openam.forgerock.org/

Does Yahoo and MS support Oauth 2.0? and few questions about oAuth 2.0

I have several questions...
1. Do the Yahoo and Microsoft APIs support OAuth 2.0?
2. If yes, then what are the main security measures that should be taken care of while shifting from OAuth 1.0 to OAuth 2.0?
3. The Google API supports OAuth 2.0, but they have still marked it as experimental. Is it good to start shifting even though it is experimental?
4. I see that while registering an application on Google (for OAuth 2.0), they ask for a callback URL. What if a single application uses a condition-dependent callback URL such as:

    if ($myVar == NULL) $callbackUrl = 'http://www.mydomain.com/test.php?m=f&params=null';
    else $callbackUrl = 'http://www.mydomain.com/test.php?m=x&params=1';

   How can I implement the above when the callback URL is already specified? The above conditional mainly handles the fallback model of the application, or, if the browser supports Java, the Java-based model of the application. Kindly suggest.
5. May I know how many of the email-providing websites and social networks support OAuth 2.0?
Yahoo does not support OAuth2 yet, only OAuth 1.
Microsoft does support OAuth2. http://msdn.microsoft.com/en-us/library/hh243647.aspx
OAuth 2 is simpler since it uses SSL (HTTPS) to provide transport security, so the signatures and token secrets are not needed. When you switch you will need to re-implement your OAuth flow. I can't think of any specific security measures specifically applicable to upgrading from OAuth1 to OAuth2, but the spec details some security considerations in section 10 (the parts applicable to clients are 10.3, 10.4, 10.5, 10.6, 10.8 and 10.9).
The OAuth2 specification is still not finalized, and may change. You could begin to implement your OAuth2 flow with Google, but bear in mind that it is possible that names or requirements of parameters, endpoints etc. could change and your application will break / you will need to make changes in future. [Experimental Features] could change (or even be removed) at any time. It is probably a bad idea to use experimental (or beta) software in a critical production environment.
Also, not all Google services support OAuth2 at the moment. E.g. if you want to use OAuth for IMAP access to Gmail you will have to use OAuth1 for now.
In the API Console, you can specify multiple callback URLs for your OAuth2 application, one per line. An alternative would be to store your 'm' and 'params' parameters in a browser session / cookie and do the redirect to the correct page once authorization is complete.
Support (some revision of) OAuth2: Facebook, Microsoft/Live, Google (with exceptions described above), Foursquare, GitHub, Gowalla, GeoLoqi, Salesforce.
Support OAuth1 Only: Yahoo, Flickr, Twitter.
Source.
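The session-based alternative from the answer above (keep 'm' and 'params' server-side while the user is at the authorization server, then redirect to the right page afterwards), as an added example that is not part of the original posts. It goes one step beyond the answer by binding the stored values to the OAuth2 state parameter, so the callback can only resume the request that started it. The authorization endpoint, client id, scope and the single registered redirect URI are constructed placeholders; the session is a plain dict standing in for whatever session store the app uses.

```python
# Added example (not from the original posts): one registered callback URL,
# with the per-request destination kept in the session and tied to "state".
# Endpoint, client id, scope and redirect URI are constructed placeholders.
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://authorization-server.example/oauth2/auth"  # placeholder
REDIRECT_URI = "http://www.mydomain.com/oauth2callback"  # the one URL registered with the provider
ALLOWED_MODES = {"f", "x"}  # the two modes from the question: fallback and Java-based


def begin_authorization(session, client_id, mode, params):
    """Remember where to send the user afterwards and build the authorize URL."""
    if mode not in ALLOWED_MODES:
        raise ValueError("unknown mode")
    # Unguessable state: the callback must present it to resume this request
    state = secrets.token_urlsafe(32)
    session["oauth2_pending"] = {"state": state, "m": mode, "params": params}
    query = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": "openid email",  # constructed scope
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(query)


def finish_authorization(session, callback_url):
    """Check the callback against the session; return (code, local redirect)."""
    # Single use: remove the pending entry so a replayed callback cannot reuse it
    pending = session.pop("oauth2_pending", None)
    if pending is None:
        raise ValueError("no authorization in progress")
    query = parse_qs(urlparse(callback_url).query)
    state = query.get("state", [""])[0]
    if not secrets.compare_digest(state.encode("utf-8"), pending["state"].encode("utf-8")):
        raise ValueError("state mismatch")
    if "error" in query:
        raise ValueError("authorization failed: " + query["error"][0])
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carried no code")
    # The code is exchanged for tokens at the token endpoint next (not shown here);
    # then the user goes to the page chosen before the redirect, not one named
    # by the callback URL.
    destination = "/test.php?" + urlencode({"m": pending["m"], "params": pending["params"]})
    return code, destination


if __name__ == "__main__":
    session = {}
    url = begin_authorization(session, "client-id-placeholder", "f", "null")
    print("redirect user to:", url)
    # Constructed callback as the provider would send it back to REDIRECT_URI
    callback = REDIRECT_URI + "?code=constructed-code&state=" + session["oauth2_pending"]["state"]
    print(finish_authorization(session, callback))
```

Because the destination lives in the session rather than in the redirect URI, the URL registered with the provider never has to vary, and the state check means a callback that does not match the session's pending request (wrong or missing state, or a second delivery of the same callback) is rejected before any code is exchanged.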
