Single Sign-On using Asp.net MVC 4 and Web Api - asp.net-mvc

We are devloping application looks like Google login. for example if you login Gmail and open Play Store in another tab it will automatically login playstore.
we want to develop similar application using ASP.Net MVC 4 and WEB API & JQuery.
User Flow (Login using username and password) - after login access member details
Client Flow (Client Secret and Client Id) - Authenticate HTML, Javascrip and CSS
If you have any suggestions on below approach.
1. OAuth 2.0 and Owin Middleware
2. Token base approach
3. to get HTML and Javascript using token by site.
4. cross domain token handling
if you have any sample for Resource server, here resource server is HTML, Javascript and CSS

For the User Flow, you can use OpenIdConnect Middleware: https://github.com/AzureADSamples/WebApp-OpenIDConnect-DotNet. There are many additional samples in AzureADSamples.
Fore the Client Flow, this sample give a good example: https://github.com/AzureADSamples/WebApp-WebAPI-OAuth2-AppIdentity-DotNet.

Related

What is the correct structure for MVC + API + Authentication server project

I have an MVC project that sends/receive data to/from a web API.
In my MVC project, users can log in to access certain pages.
I would like to implement an "authentication service" with tokens to acces my web API for 2 reasons :
1) To secure my web aPI
2) To access the id of the user that is logged in on my MVC app
I have read following statement :
The basic flow of things here is that your users will authenticate using OpenID Connect on your MVC site, after which they can get an access token to authorize access to the Web API using OAuth.
My question is :
I already have a project for my MVC app, a project for my web API. Do I need a third project for the token service?
If not, in which project do I implement it?
If anyone has an example or tutorial that would be great too.

What are the ways to handle authentication for outlook mail api other than using owin middleware?

I have followed the following guide to implement oauth for outlook mail api.
https://learn.microsoft.com/en-us/outlook/rest/dotnet-tutorial
It uses Microsoft Authentication Library (MSAL) in combination with owin middle-ware to authenticate users.
I would essentially like to separate the authentication to be something that is done after the main authentication with a local db.. (seperate module for outlook).. The authenticated user can opt to use or not use outlook features in the app.
Would there be an easy way to achieve this other than manually (using http calls) doing authentication?
You can do this fairly easily. You don't need OWIN to use MSAL. For example, you could get the login URL using GetAuthorizationRequestUrlAsync from the ConfidentialClientApplication class and use that to generate a login button or link. Then you'd just need to implement a redirect in your app to exchange the auth code for a token.

cookie and bearer authentication with angular MVC web API architecutre

In my current project i have following arcitecture
MVC application wrapping angularJS application (one action is provided to load templates for TemplateUrl in angularjs. Views are .cshtml instead of simple HTML pages which gives me flexibility to use Razor engine and do simple things like checking if users is in role and not render HTML template part.
second project is Web API project. once AngularJS application is loaded, it makes direct calls to API endpoint and uses MVC only for template loading.
MVC+AngularJS is hosted on -> subdomain.mydomain.com
WEB API is hosted on -> subdomain2.mydomain.com
currently app works without any issues, but i need to add authentication so the problem is;
how can i implement authentication flow in a way, that, If user is not authenticated it is redirected to the MVC login page,
Once it gets authenticated it gets authenticated in Web API as well.
If request is made to load template i can access authenticated user
roles.
if API call is made to API WEB API can check for authentication as
well?
how can i implement authentication flow in a way, that, If user is not authenticated it is redirected to the MVC login page,
You can do this by enabling Forms Authentication in you application. You can get number of documents online if you google that out.
Once it gets authenticated it gets authenticated in Web API as well.
WebApis are designed to be stateless. For authenticating there, use token based authentication where once user is authenticated, pass in a token with each webAPI request which can be validated at server before processing the request.
If request is made to load template i can access authenticated user roles.
Once user is authenticated you can cache user roles associated with the user's session and use that to identify his roles.
if API call is made to API WEB API can check for authentication as well?
Use Authentication token for this for identifying each request that will be sent from client.

MVC 5 Authentication

I have a Web API 2 with bearer token authentication, where an external site authenticates in my api and makes requests by sending the token in the request header, but I also have a MVC 5 Web Site, where authentication should be automatic in this site, the Web API will have a method that redirects to this Web Site and it should already open authenticated, this web site will have just one client, the web api, and the users came authenticated from web api.
How could I authenticate the web site automatically?
I thought in two different ways to solve this problem:
Use authentication cookies, where I perform a redirect from the web api to the site passing the login information (placed in the web.config, with user and password, or a kind of key), and then, the web site perform the authentication and set a cookie for the browser.
Use bearer authentication in both web api and web site (With the same Machine Key on web.config), and when the web api redirect to the web site it pass the bearer token generated for the client, but when the user navigate on the web site, I need to pass this token in the header all the time, and i think that is not a good idea share this token between the web api and the web site, when the navigation ends the process needs to come back to the web api, and will have to authenticate agaIn or pass the same token to the web api.
Which of these approaches would be the most correct? Or there are some other approach to solve this problem?
I'd take option 2, you could use a token auth with the claims you need to identify that the incoming request comes from your API. It's stateless, simple and you don't need to pass sensible data among urls

Securing ASP.NET WebAPI - Custom Login + Social Login

I am writing an ASP.Net WebApi application and I want to secure it using a combination of Custom Login (like ASP.NET Membership) and Social Logins (Google,Facebook,Twitter,LinkedIn and hopefully many more). User should be able to select any of them.
My client is pure HTML/JS SPA application and for that i will need to implement Implict grant flow of OAuth.
The options i see right now are
Use Thinktecture's Identity Server and Authorization Server.
Use DotNetOpenAuth library.
Can anyone point me in the right direction ? Which one of the above options can work for me?
Thanks
Why not follow the same pattern in MVC 5 SPA template, which already did exactly what you want to do:
It uses resource owner password login flow with ASP.NET Identity API
Support Social Login (Google, Facebook, Twitter, Microsoft Account)
Its client uses knockout and pure html/js
It uses implicit grant flow to convert social login to application access token
The template uses OWIN security middlewares, which can support:
Cookie auth
Bearer token auth
Social login auth
OAuth 2.0 Authorization Server flows and extension grant, which you can customize your own
You may need my blog to better understand the whole security story in the SPA template.

Resources