Using VS 2013 to build an ASP.NET MVC 5 site. Without fiddling with any IIS GUI settings, I would like to set the deployed site or webapp to use Basic Challenge Auth, and use the SSL certificate "foo". Ideally something fully code-driven in C# would be ideal, but if its all web.config I'd go for that as well.
All ideas appreciated.
Thanks.
There used to be an out-of-box OWIN middleware in Katana project for basic authentication but I can't seem to find where it is currently. Even if it is not part of Katana, you can write a middleware like this. Or, you can write an HTTP module to implement the same functionality as well like this. Basic authentication is a simple mechanism. You just need to parse the HTTP authorization header in basic scheme to get the user id and password. One problem however is that it is susceptible to CSRF, when used with browser based clients. For configuring the certificate with IIS, you have to fiddle with IIS only.
Related
Can someone explain to me how to achieve single-sign on? I have an MVC ASP.NET core web app(let's say www.internalsite.com), how can the app get the user credentials automatically and authenticate etc.? I need a very clear explanation on how to do it.
By using www.internalsite.com I guess you are talking about a site on an intranet, right? How are you hosted? IIS in front of Kestrel? If so, then it's quite straightforward, you just need to configure IIS to foward the Windows identity (coming from a Kerberos token usually) by setting the proper value in the web.config: forwardWindowsAuthToken="true" as explained here: Asp.net Core Web API - Current user & Windows Authentication and make sure you have a controller/action protected by an [Authorize] tag so that the IIS middleware is challenged and set the identity of the request as explained here: NTLM authentication on specific route in ASP.NET Core No much code to write in your project. If you are using another hosting setup, WebListener, it is pretty much the same.
Another solution, would be to do SSO by client certificate which has the advantage of working cross domain, but SSO by Kerberos is by far easier and usually doing a good job on an intranet.
Background:
I've implemented a Web-API (.NET), now I need to do the most important thing,
Secure it.
As I investigate this topic I understand that the common way is the Bearer Token.
Now we getting to my problem.
My Problem
On one side:
Every article I saw (that explains the concept and the way to implement it over .NET) starts from a project with a Web API template that holds MVC and Web API and in the authentication field choose one option from Individual / Organizational / Windows .
On the other side:
I don't need a MVC project, I need only Web API (without any GUI) that the reason I choose the empty project and check the Web API checkbox, in that way I cant choose an authentication type, I forced to start with no authentication.
Questions:
1.Do I bound to use MVC to get authentication ? if not how can I do it from pure Web API project ?
2.Maybe I will create an Authentication Server (that only generates tokens) from that Web API template (with the possibility of choosing authentication type) ? (and use the token on the real Web API)
3.There is any benefits of implement the Authentication Server on a different project and on different server ? (Kerberos style )
P.S I want to use an out of the box solution because the security aspect is the most important one (to my opinion) and should be flawless.
I wrote a blog on this topic called 'Securing and securely calling Web API and [Authorize]': http://blogs.msdn.com/b/martinkearn/archive/2015/03/25/securing-and-working-securely-with-web-api.aspx. I think if you read this, you'll have all your answers.
The Web API template does include MVC by default so that you get the automated docs feature (which is a great feature to have). However the authentication part is related to a core ASP.net feature, not specific to MVC or Web API. You'll need to enable one of the authentication options to secure your API using .net's built in security features.
If you do not want the MVC project that comes with Web API, just delete it after the project has been created. It is contained within the 'areas' folder. If you delete that folder, you'll be running on pure web api.
To answer your specific questions:
1) No you do not need an MVC project to secure an API project. You can use the [Authorize] attribute on your API controllers and actions.
2) an authentication server gets created by default with the web api template. You can access it and get tokens via http:///Token
3) No, you need to use the api itself to serve valid tokens for secured controller/action requests
Hope that helps. If not, then please be a bit more specific with your questions.
I’m using ASP.NET Identity with Forms auth in an MVC6 application, and trying to implement Basic auth for the API endpoints.
I would have thought there’d be a pre-built middleware that does it, but haven’t been able to find it. I’ve had a look at the Filters test website https://github.com/aspnet/Mvc/tree/dev/test/WebSites/FiltersWebSite and I can’t seem to work out what it’s doing/which parts are important.
I’ve tried using the pre-5 approach of manually doing basic auth in an authorizationfilter, but SuppressFormsAuthenticationRedirect seems to be gone, and the CookieAuthenticationHandler keeps redirecting to the login page.
Basic auth is not there by design. Security team is against it. They will probably make a sample later.
you can read a discussion on the issue here : https://github.com/aspnet/Security/issues/209
Since you are targeting IIS, I suggest leveraging IIS for basic authentication. You can drop a web.config file into your wwwroot folder with a section to configure your basic authentication options.
If you want to remain host agnostic, you will need middleware. Here is someones implementation: https://github.com/Kukkimonsuta/Odachi/tree/master/src/Odachi.Security.BasicAuthentication
I am faced with a project that uses custom authentication via a WCF service that returns a set of claims based on some data identifying a user, close to user name and password. Then on top of this, I have a custom STS, derived from Microsoft.IdentityModel.SecurityTokenService, that resides in an ASP.NET web site project. This project looks like it was created with the VS2010 template, and not carefully had-crafted.
My gut feeling, and lots of on-line advice tell me that this web site STS project is very far from production ready. I am now looking for an MVC based STS that I can use in anticipation of being production ready. TinkTecture's IdentityServer looks promising, but it is so much more than simply implementing a custom derivation of SecurityTokenService, I have no idea where to start. If somebody could steer me toward an open project or walk-through that does this, or offer some guidance as to where and how I can start extending or modifying Identity Server, that would be great.
Have you looked at Thinktecture.IdentityServer v3? I'm at the moment using it and very simple to use.
It is still in Beta but RTM will be available soon. It has good documentation and samples too.
https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki/Getting-started
https://github.com/thinktecture/Thinktecture.IdentityServer.v3/wiki
Update:
Identity Server 4 is also available. It supports cross-platform deployment with .NET Core.
https://github.com/IdentityServer/IdentityServer4/
Have you looked at the MSDN article by Michele Leroux Bustamante?
It's a little old and based on WCF, but it has code accompanying it.
Building A Custom Security Token Service
If you want ASP.NET based example, Microsoft published this:
ASP.NET Security Token Service Web Site
There's also this STS project on CodePlex.
So I am trying to secure an ASP.NET Web API Service so that an iOS (iPhone 4/5) application can access it RESTfully using their Windows user name and password (don't ask :) ), and I have followed this article here, and for the most part it works, I just modified it a little to use Active Directory Services to validate the user name and password, but I am wondering if there are better ways to secure a ASP.NET Web API that will be used from non-browser clients as well as browsers possibly?
This is hosted with IIS7, so should I just let IIS control the authentication?
Need a little guidance... Thanks
It's a bit unclear specifically what you are looking for, in my experience assuming I'm authenticating against a server the keys were
Put access to the APIs behind https
Send the request via POST.
If you're also coding the iOS side, make sure you are implementing authentication challenging properly. Here's an article on the iOS side: http://mobiledevelopertips.com/networking/handling-url-authentication-challenges-accessing-password-protected-servers.html