I am developing web api which will be hosted in Azure. I need to implement security to handle tokens from corporate STS server. Which would be better approach:
ACS oAuth 2.0
OWIN
Seems like OWIN comes standard with WEB API 2.0 and quite easy to implement with few nugget packages. Any one have suggestion?
Microsoft ACS can be one of the authentication/token provider. The WebAPI can use OWIN to consume tokens from different providers, such as Facebook, Azure AD, Google, Microsoft Live, ACS etc.
Related
I am reading microsoft documentation and using their apps / api to secure api using Azure AD.
But I got confused by two different approaches and as articles describe setting up the client app and Api.
This article describe " Protect a web API backend in Azure API Management using OAuth 2.0 authorization with Azure Active Directory"
link: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad
I am following another tutorial and using built application for web app and api, this describe
"How to secure a Web API built with ASP.NET Core using the Microsoft identity platform. This sample demonstrates a ASP.NET Core Web App calling a ASP.NET Core Web API that is secured using Azure AD".
It further describe "1. The client ASP.NET Core Web App uses the Microsoft Authentication Library (MSAL) to sign-in and obtain a JWT [Access Tokens].
2. The [Access Tokens] is used as a bearer token to authorize the user to call the ASP.NET Core Web API protected by Azure AD.
So I am confused are they two different things if so when to use 2nd option or first 1. Both deals with the Azure AD and claims to protect an api.
The first article you're referring to uses Azure API management, where authentication is taken away from your API and completely configured in API management. This means you're adding an extra Azure resource type to your eco-system, most probably also adding costs.
In this article, you'll learn how to configure your Azure API Management instance to protect an API, by using the OAuth 2.0 protocol with Azure Active Directory (Azure AD).
Next tot this, API Management adds a lot of other functionality as well.
In the second article you learn how to implement authentication using Microsoft Identity Platform. This way you will not be adding Azure resource types, but you'll have to code the authentication yourself.
We have an existing MVC angular application enabled with ADFS WS-Fed authentication. The application has many API's hosted as a part of the solution which is internally accessed by views. Now, We have a requirement for the API to be published to other developers.
I am thinking of enabling OAuth/OpenId for the endpoints and enable other developers to access. I need your inputs regarding my approach.
There is no support in ADFS 2.0 for OpenID Connect and OAuth.
The only API option you have is via WCF.
We are planning to build a web application which will use ADFS for authentication. The web application will be hosted on an AWS instance but will be talking to on-premises or cloud ADFS.
can I use ADAL(Active Directory Authentication Library) for federating authentication and saving authentication context in this scenario? if yes is there any drawbacks?
When you say "cloud ADFS" you mean ADFS in a VM in the cloud?
ADAL is for mobile and native devices.
Normally a web application will use OWIN e.g. like this.
If you are not using ADFS 4.0, then use WS-Fed or SAML as per this.
These are for Azure AD but the principles are the same.
I have developed an API using ASP.NET Web API 2 to be consumed by applications in my domain. I want to secure the access to the API endpoints. I've decided to use the OAuth token based token authentication for mobile app clients and web app clients.
However there are some non-interactive windows service clients that need to consume the API. I do not want to store login credentials to get a token in the service config, however a Windows authentication suits this type of client.
Is it possible to use a hybrid - windows and token-based authentication in ASP.NET WebApi? How?
I think the Windows authentication service from Identityserver might be a good solution for your problem
You can find more information on : WindowsAuthentication repo
I have decided to break up the API into two. One for normal OAuth based access and the other with specific resources using Windows authentication to be consumed by non-interactive windows service clients.
In simple My only requirements are to implement SSO in my application:
Use ADFS 2012 R2 for SSO (OAuth2 protocol).
User will get token using oAUth 2.0 VIA ADFS Server using login prompt for credential or what ever authentication scheme is configured on ADFS form based or windows based.
If same user that is authenticated using oAuth for one application if second application want to use the same user then the login box that ADFS presented using oAUth2.0 should not appear.
Now, please help me how OWIN.SECURITY.OAuth or any other oAuth will help me and what is the best way to implement in MVC web application. Please provide sample applicaiton.
ADFS 2012 R2 only supports public clients. Web sites are confidential clients, hence you cannot perform an OAuth2 authorization grant with ADFS 2012 R2. But you should not be too bummed, given that an OAuth2 authorization grant would not give you SSO anyway - OAuth2 is not a sign on protocol.
If you want to perform web sign on using OAuth-like technology, I recommend you consider OpenID Connect and the ADFS version that comes with Windows Server 2016 (currently in technical preview 4).