I study external login strategies and the terminology confuses me. What's the relation between the following.
Owin
OauthWebSecurity
OAuth 2.0
Owin Katana
ASP.NET Identity
Owin
Owin is no more than a specification. It stands for Open Web Interface for .Net.
In very simplistic terms it is based in the idea that using a few language constructs (delegates and a dictionary) you can create a framework for handling web requests that is independent of where it is hosted (you can even run an "owin application" from a console app).
The implementation of Owin's specification is called Katana.
OAuth
OAuth 2.0 is an Authorization protocol. The idea behind OAuth is that you (the resource owner) can delegate access privileges to a third-party. An example is a Web app being able to post on your Facebook wall for you.
Again, in very simplistic terms, this materializes by sending a 302 redirect to the user when she accesses a protected resource. That 302 redirects the user, for example to Facebook's oauth login page (https://www.facebook.com/dialog/oauth?client_id=...&redirect_url=[yourwebapp]&scope=[permissionsrequiredfromuser]).
After you login to facebook, accept the permission request, facebook will send a 302 redirect to the redirect_url you provided with an access_token that you can then use to send requests on behalf of the user that provided the credentials. For example, to get information about the user you'd perform a request to https://graph.facebook.com/me?access_token=[access_token].
There are variations for this workflow. They are all explained in the links at the end of the answer.
ASP.NET Identity
ASP.NET Identity has nothing to do with ASP.NET. Talk about poor naming... It provides functionality to save and retrieve user's data from a data source. It also provides you with the ability to associate claims and roles to the users, other "login providers" (that would be the case when you "login with facebook" and your user_id from facebook gets associated with your local user id, this information is stored in the AspNetUserLogins table).
The way you see it being used in the MVC project template is in the Account controller and the CookieAuthenticationMiddleware.
References
Owin/Katana:
http://odetocode.com/blogs/scott/archive/2013/07/09/getting-started-with-owin-katana-and-vs2013.aspx
http://odetocode.com/blogs/scott/archive/2013/11/11/writing-owin-middleware.aspx
http://odetocode.com/blogs/scott/archive/2013/11/12/simple-logging-middleware-katana-part-4.aspx
http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana
http://www.asp.net/aspnet/overview/owin-and-katana/owin-startup-class-detection
OAuth
https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/v2.1
http://blogs.msdn.com/b/webdev/archive/2013/07/03/understanding-owin-forms-authentication-in-mvc-5.aspx
http://www.asp.net/web-api/overview/security/external-authentication-services
ASP.NET identity
http://brockallen.com/2013/10/20/the-good-the-bad-and-the-ugly-of-asp-net-identity/
http://curah.microsoft.com/55636/aspnet-identity
http://typecastexception.com/post/2014/04/20/ASPNET-MVC-and-Identity-20-Understanding-the-Basics.aspx
https://learn.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server (latest approach - technically you have to realize few methods. there are few examples, as alternative you can review how it is realized in IdentityServer4 for .net core)
Related
Im trying to implement IdentityServer authorization and my scenario is below:
we have one home page for all our application "www.vision2025.com" and i have link to my mvc application "MarketingDashboard" where users are authenticated by home page and redirect to my mvc application using windows authentication. Now user can do any action in my dashboard which interact to web API.
Now i need to implemented IdentityServer to authorize all the web API call from my dashboard but no need of login.
Please suggest any idea
Thanks in Advance
I think you don't want to build IdentityServer because your enterprise company has already built ADFS (Active Directory Federation Services). You just want to ask who maintain AD and ask him to enable ADFS for OAuth2. This is a page to help you catch all scenarios here.
Because I don't know how far you can change for all applications but there are some solutions with ADFS you can go with:
Let your main server (acts as Home Page and where user redirects to ADFS to sign in) performs On-behalf-Of flow. In this scenario, your main server will be a linked server that transfer its taken access token which retrieved from ADFS. I strongly recommend this way because you just want to add as many as your new upcoming web and api. The cons are they require you ensure protect highly access token in your main server
Because OAuth 2.0 doesn't support chaining Resource Servers yet (such as you signed in Resource Server A, then use provided access_token to call Resource Server B in different clients), you need to allow your main server store his username/password (also knew as trusted back end server , means your enterprise allows this server can store client credentials). So each time you redirect user to target MVC Application, you should transfer encrypted username/password as well. Then your target MVC application can perform Authorized Flow or Implicit flow itself in Back-end code, then returned new access token to client web to perform calling Web API.
I have created a Web API using ASP.NET Core 2.1 and it uses (successfully) JWT as a method of authorising requests.
The API is linked to a SQL Server database.
My users are stored in it using Identity as the base framework.
To authorise access for my API I take the username and password which is checked against the stored (Identity based) user.
Successful login returns an Access Token (with a 30min life).
Upon first logging in, a Refresh Token is generated and stored against the Identity user and sent back from the API.
All of this works well. My next step was to create a separate .NET Core 2.1 MVC site which consumes the API.
My question is:
From the MVC site point of view, how do I secure my controllers and views based on this security set up? I would normally use the [Authorize] attribute as part of Identity.
All I have on the MVC site side at the moment is the Access Token (and Refresh token) for the user in question.
I'm thinking the following solution:
MVC Site has it's own database and authentication for users (using Identity).
The connection (credentials/tokens) to the API is stored separately in the MVC site database and used as a 'global' way on the server-side to execute calls against the API
You should use an OpenID Connect and OAuth 2.0 framework. please check IdentityServer4. It also support asp.net core identity
IdentityServer is an OpenID Connect provider - it implements the
OpenID Connect and OAuth 2.0 protocols.
Different literature uses different terms for the same role - you
probably also find security token service, identity provider,
authorization server, IP-STS and more.
But they are in a nutshell all the same: a piece of software that
issues security tokens to clients.
IdentityServer has a number of jobs and features - including:
protect your resources
authenticate users using a local account store or via an external identity provider
provide session management and single sign-on
manage and authenticate clients
issue identity and access tokens to clients
validate tokens
What is the correct way to use IdentityServer3 and OpenID Connect (flow and configuration) in order to implement the following:
We have one MVC site Products and one Web API Products.API. We must secure all Web API endpoints:
Some endpoints can and should only be accessible by the MVC application on behalf of an authenticated (logged on) user.
Other endpoints, such as the ones used for account registration, password reset or anonymous operations, need to be authorized to the MVC client site directly, since there is no authenticated user in the picture.
We are currently using the Hybrid Flow, but this was mostly motivated after watching one of Dominick Baier videos. I've looked into https://gist.github.com/jawadatgithub/638c11f08ecc0d76b05c and it seems what we are looking is a combination of Client Credential Flow and Resource Owner Password Credential Flow, but I'm not sure I can even mix two flows as apparently it is not recommendable.
You could split the API into a "service" type API and a "user" API and have separate auth flows but do you really need to have the 2 APIs?
Does the registration code really belong in the API? It sounds like the the MVC app (guessing that it is also your identity provider) should deal with account registration - this is normally a key separation in using Oauth2.0 : the API doesn't concern itself at all with user admin!
If you do refactor the registration functionality to sit with the identity provider / Auth server, then do you still have the need to have 2 auth flows?
If you do, you could use just the password flow and have a fake "admin" user setup in your identity system for the non-user context endpoints. Your MVC app can pass in the credentials for the "admin" user and the API can code for this specific user. It's horrible, I don't recommend it, but I've seen it work!
I have an ASP .NET MVC application (default template).
I have added a Nuget package for OAuth support for an external provider.
I have successfully logged in with the external provider, however I now need to use the token that they provide to make REST calls with another API I am using.
How do I get the token the external provider has given?
You should refer to the external provider's docs to see how you can get the token. For the ASP.NET's own identity you call %appurl%/token and then store it somewhere like in your session and then send it in your authorization header as described here.
http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api
For most providers it should work because ASP.NET itself works with the token of let's say facebook and generates a token for you itself so you always use yourapplication/token to get the token.
See this question
MVC 5 Web API with Facebook access token to RegisterExternal without need of Cookie
I have a web application written in ASP .NET MVC 3. I'm using ACS for authenticating my users and I defined Google, Windows Live, Yahoo! and Facebook as identity providers.
Now I want to expose a REST API for the application (I want to create an app for WP7). Some of the calls require that the user is authenticated so I thought I should pass a token in the authentication header of the request. What is the best approach to do this with ACS? Is the ACS able to provide me these kind of tokens or am I responsible for writing the code that generates these tokens?
Yes. ACS supports this scenario with "Simple Web Tokens" (SWT). See here, or any of the "released" documentation in ACS. ACS v2, currenlty in labs, has expanded support for WS-Fed, WS-trust, etc (this is what you are using today).
Here's a blog post I wrote with more information for the phone.