These are Application Types and Scenarios that Azure AD supports:
Web Browser to Web Application
Native Application to Web API
Web Application to Web API
Daemon or Server Application to Web API
I have two questions:
I would like to understand where my scenario below fits.
I think I need to use JWT tokens and it seems that Native Application to Web API is the closest,
but I still need Asp.Net MVC application to deliver Client side Angular MVC resources (html templates, controllers and Rest services)
Which Azure Active Directory Code Samples are the closest to my scenario below:
I would like to create a multi-tenant Angularjs (delivered using Asp.Net MVC 5) and Rest Web API 2 secured with Azure AD. I would like to have tenants choose their domain names like firstTenant.com,
smt.firstTenant.com or to have subdomains like firstTenant.MySaaS.com, secondTenant.MySaaS.com
or MySaaS.com/firstTenant, MySaaS.com/secondTenant or similar domain naming scheme.
I would use some kind of IoC container to add customization to my SaaS application or similar to deliver specific functionality to each tenant (GUI and business logic and DB).
I would use and Asp.Net MVC application that will custom tailor SPA resources (html templates, .js controllers, .js services, .css, images etc) to each tenant and use some partitioning techniquest to retrieve tenant and user specific content from DB called from Rest API controllers.
Thanks,
Rad
I am also facing the same 'i dont know' issue :)
But far as i have researched the authorization flow from SPA aplication to the web api.
You still need webserver(mvc) project that will privide redirecting to the Identity provider (azure AD) login page and on the IP callback you will need to inject baerer token to Angular auth service that will send token to the api or deal with the refresh token.
So for me I think that, Web Application to Web API, is the right direction programming.
pls comment if i'm wrong
Currently i'm investigating link
http://code.msdn.microsoft.com/windowsazure/MyCompany-demo-applications-eedab900
update 2:
http://www.cloudidentity.com/blog/2014/04/22/AUTHENTICATION-PROTOCOLS-WEB-UX-AND-WEB-API/
Maybe it will be helpful to us.
Related
We are a new tech team that has inherited a webforms app. We are planning on building out an internal API and would like some guidance for implementing it with our existing app.
Ideally we would like an independent app hosting the identity server, and both internal APIs and webform app would call it. However, we host hundreds of websites on a single platform in a multi-tenanted setup.
Can we use IS4 with webforms?
Can you give some guidance around multi-tenanted setups?
Can we use cookie based authentication in the webforms app and use the same token for delegated access when communicating with the api?
Have I missed anything obvious?
i'm new to asp.net web api, owin, and everything related to it.
I'm trying to find the best way to do this scenario:
1 - Web api to have all the connections and rest service
2 - Web site to show data to user on a browser using the restful service
3 - An mobile app that have some functionalities like the web site and access the restful service to get all the information
My doubt is: what's the best practice related to the login? I'll use owin/oath2 with Identity to login, but since it's going to be implemented on the web api, the login/register/forgot password should be on the web api directly (like the project template does) or should i move most of the functionality to the web site? Of course its easier to leave in the web api, but if i do it, i must duplicate my razor templates just to call the login part. Can someone give me a path to follow?
Thanks!
the answer is not, your web api should not have any html or js or css file, only the services that your need, the web api exposes the functions to register the user, next when you have to do request, you must Send a token, you can obtain the token using the URL that you have configure in owin, the URL is like /token and Send the username and pass.
Regards,
Background:
I've implemented a Web-API (.NET), now I need to do the most important thing,
Secure it.
As I investigate this topic I understand that the common way is the Bearer Token.
Now we getting to my problem.
My Problem
On one side:
Every article I saw (that explains the concept and the way to implement it over .NET) starts from a project with a Web API template that holds MVC and Web API and in the authentication field choose one option from Individual / Organizational / Windows .
On the other side:
I don't need a MVC project, I need only Web API (without any GUI) that the reason I choose the empty project and check the Web API checkbox, in that way I cant choose an authentication type, I forced to start with no authentication.
Questions:
1.Do I bound to use MVC to get authentication ? if not how can I do it from pure Web API project ?
2.Maybe I will create an Authentication Server (that only generates tokens) from that Web API template (with the possibility of choosing authentication type) ? (and use the token on the real Web API)
3.There is any benefits of implement the Authentication Server on a different project and on different server ? (Kerberos style )
P.S I want to use an out of the box solution because the security aspect is the most important one (to my opinion) and should be flawless.
I wrote a blog on this topic called 'Securing and securely calling Web API and [Authorize]': http://blogs.msdn.com/b/martinkearn/archive/2015/03/25/securing-and-working-securely-with-web-api.aspx. I think if you read this, you'll have all your answers.
The Web API template does include MVC by default so that you get the automated docs feature (which is a great feature to have). However the authentication part is related to a core ASP.net feature, not specific to MVC or Web API. You'll need to enable one of the authentication options to secure your API using .net's built in security features.
If you do not want the MVC project that comes with Web API, just delete it after the project has been created. It is contained within the 'areas' folder. If you delete that folder, you'll be running on pure web api.
To answer your specific questions:
1) No you do not need an MVC project to secure an API project. You can use the [Authorize] attribute on your API controllers and actions.
2) an authentication server gets created by default with the web api template. You can access it and get tokens via http:///Token
3) No, you need to use the api itself to serve valid tokens for secured controller/action requests
Hope that helps. If not, then please be a bit more specific with your questions.
I developed a web system using ASP.NET MVC 4 and I must perform an integration using .NET Web API and Windows Forms Application.
So far everything has been fine, but now I need to authenticate the users using Windows Forms Application and this application will be open on the internet.
My application already contains users that are registered in the database and currently are authenticated using the component 'Authorize' of ASP.NET MVC.
For data consumption through the client (Windows Forms Application) currently I use the library Microsoft ASP.NET Web Client API.
How can I accomplish this task safely?
Does anyone have any suggestions?
You can extend the HttpClient to add authentication. One example can be found here. It shows how to add a HttpMessageHandler into your pipeline for authentication using OAuth.
Here is the complete List of ASP.NET Web API and HttpClient Samples
Take a look at this Q&A which describes creating a custom AuthorizeAttribute for Web API that also authenticates the user using http basic security and grabbing the credentials from the HTTP header. Note that there is a different AuthorizeAttribute for ASP.NET Web API (System.Web.Http.AuthorizeAttribute) as opposed to the one for an MVC controller (System.Web.Mvc.AuthroizeAttribute). They have different behaviors. You do not want a call to a Web API being redirected to a logon page.
Scenario:
I have an ASP.NET MVC 2 site using ASP.NET Forms Authentication.
The site includes a Silverlight 4 application that needs to securely call internal web services.
The web services also need to be publically exposed for third party authenticated access.
Challenges:
Securely accessing webservices from Silverlight using the current users identity without requiring the user to re-login in in the Silverlight application.
Providing a secure way for third party applications to access the same webservices the same users credentials, ideally with out using ASP.NET Forms Authentication.
Additional details and limitations:
This application is hosted in Azure.
We would rather NOT use RIA Services if at all possible.
Solutions Under Consideration:
I think that if the webservices are part of the same MVC site that hosts the Silverlight application then forms authentication should probably "just work" from Silverlight based on the users forms auth cookies. But this seems to rule out the possibility of hosting the webservices seperately (which is desirable in our scenario).
For third-party access to the web services I'm guessing that seperate endpoints with a different authenication solution is probably the right answer, but I would rather only support one version of the services if possible...
Questions:
Can anybody point me towards any sample applications that implements something like this?
How would you recommend implementing this solution?
You can extend WCF to use Membership as authencation store and reuse the FormsAuth Cookie (send by the MVC site) to the browser by the Silverlight app.
I would recommend using an STS with Windows Identity Foundation so you can have your app use claims identity and then change authentication outside the app. For third party you can use Windows Azure Access Control Service (ACS). We are updating our guidance on this and you can look at the new code to show you how to do this at our codeplex site. The original book is available at Amazon. I would focus on the updated guide because it has ACS has websites and an active client talking to WCF. The client is WPF but it would similar for Silverlight.