I am about to create a JQM + WebAPI + PhoneGap solution. But I am not sure how to handle the authorization part given that webapi is not designed to support session state.
I can use an ajax call to the webapi to complete the login process but then how do we know if a user is logged in on subsequent requests from the client? Do we attach the userId in the HTTP header of each page? If so, how do we do this in an efficient manner?
Web API ample of options for user authentication and authorization. Watch this video by Dominick Baier to get a sense of options that you have:
Securing ASP.NET Web APIs
Related
I have a project that has both regular MVC controllers with Views as well as Web APIs.
I have implemented Forms authentication. This protects both my Web API as well as my MVC controllers. However since cookies are not supported by Mobile browsers I am looking for implementing an alternate token based authentication. Following questions
1) Is there any way to use token based authentication for both Web API as well as regular MVC controllers ?
2) Is there any way to pass bearer token automatically by the browser instead of manually putting it in request headers ?
3) How can I include authorization information in the bearer token ?
In response to your questions
1) you are looking at a hybrid flow which allows multi user clients being MVC and Mobile clients to obtain and use tokens, refreshing tokens is only available from the MVC client from what I know.
2) you can use identity server to send through authorization tokens or use the link below where you will insert authorization information (roles based) when sending tokens.
Please look at the following tutorial, it'll help in most of your requirements http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/
i'm new to asp.net web api, owin, and everything related to it.
I'm trying to find the best way to do this scenario:
1 - Web api to have all the connections and rest service
2 - Web site to show data to user on a browser using the restful service
3 - An mobile app that have some functionalities like the web site and access the restful service to get all the information
My doubt is: what's the best practice related to the login? I'll use owin/oath2 with Identity to login, but since it's going to be implemented on the web api, the login/register/forgot password should be on the web api directly (like the project template does) or should i move most of the functionality to the web site? Of course its easier to leave in the web api, but if i do it, i must duplicate my razor templates just to call the login part. Can someone give me a path to follow?
Thanks!
the answer is not, your web api should not have any html or js or css file, only the services that your need, the web api exposes the functions to register the user, next when you have to do request, you must Send a token, you can obtain the token using the URL that you have configure in owin, the URL is like /token and Send the username and pass.
Regards,
I am new to AngularJS and trying to evaluate it for my new web application.
Requirement:
I will have one ASP.NET Web API which will be consumed from an Android, an iPhone and from a web application (ASP.NET MVC) too. ASP.NET Identity will be implemented in Web API. All three applications will call the login method of Web API to get the auth token.
Problem:
My problem is how to get ASP.NET MVC server side authentication work (in sync with Web API so I don't have to login for ASP.NET MVC separately) while Angular makes a call to get the HTML template/view, JavaScript files or other resources. I have went through many articles and blogs on AngularJS but still unable to find a security model which fits in my requirement.
Possible Solution:
Would it be a good idea to make the login call to ASP.NET MVC application instead of Web API directly, and ASP.NET MVC application would call the Web API to login, and once authenticated, save the auth token in session plus create a FormsAuthentication cookie and in cookie data save the encrypted auth token. Moreover set the auth token in ng-init somewhere in HTML to have the token in AngularJS scope. Now when AngularJS tries to make a call to ASP.NET MVC application to get HTML, then authenticate/authorize the user by matching the cookie decryted data with auth data in session. Also, AngularJS will send the auth token in header to call the Web API methods directly for all the subsequent calls for data manipulation through Web API.
I solved the problem with a very strait forward solution. I just made sure I have following two lines of code in the Register method of WebApiConfig:
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
That's it. Now my MVC controllers look for the session cookie for authorization whereas my Web API controllers look for the auth token in the header of each request. Moreover, the Web API sends a token (JSON) and a session cookie itself in response to the login/authentication request e.g. http:\\www.mydomain.com\token.
So now I send my login request to Web API to get the token as well as the session cookie. Session cookie will automatically be sent will each request so I don't have to worry about the authorization of my MVC controllers. For Web API calls I am sending the auth token in the header for each request as Web API controllers don't care about the session cookie being sent with the request.
Also worth a look:
https://bitbucket.org/david.antaramian/so-21662778-spa-authentication-example/overview
(based on this SO question)
Warning: it's not for the faint-hearted...
ASP.NET Web API 2
HTML5 + AngularJS + $ngRoute
NuGet scaffolding
Yeoman (Grunt/Bower)
Owin framework (OAuth 2.0)
CORS
I think you are on the right path. I would store the tokens in an Angular Service to make it easier on yourself (http://blog.brunoscopelliti.com/deal-with-users-authentication-in-an-angularjs-web-app). I'm a little confused on what you mean by "AngularJS tries to make a call to ASP.NET MVC application to get HTML", you shouldn't need to secure the MVC app, it's just running your Angular right? The API is the piece you want to secure as well.
I am developing an ASP.NET MVC web application. The application is consuming a REST API, but authentication for REST-full application is quite unclear for me.
As REST is stateless, do I have to implement two different Authentications with two different databases, one for client, and one for the REST service?
Or, do I have to send the login/password each time, to authenticate on the server?
Please give me some advice or tutorial on this.
You can authenticate a Web API using individual user accounts that are stored in a database.
In this case client should obtain access token first. And then include it to each request, that requires authorization, header:
Authorization: Bearer boQtj0SCGz2GFGz[...]
Good tutorial can be found HERE
Also authentication methods could be extended in Startup.Auth.cs with Cookies or some external authentication methods (Google, Facebook etc)
The stateless isn't a main problem in your situation, problem is that browser can only send GET or POST request in tradition way in tag form, so to send PUT or DELETE request you should use Ajax, the easiest way is to use JQuery library and config it to send user credentials in http header(between requests it can be store in cookies) in every request and use basic-authentication if you plan use own auth logic. I recommned you to look some SPA frameworks like angularjs
or emberjs
or backbonejs
to simplify your life from hardcode JavaScript . Also in future you can easy extend your auth by OAUTH 2.0.
I have two servers - web and app. The web server (IIS) serves only static files - HTML/CSS/JS. On executing the JS, the client gets the data from the app server (HTTP service using Web API, self hosted with OWIN). I need to bring in authentication so that my data as well as the content is restricted.
I can use SSL, I can pass username / password to the web api, have it authenticated and get back a token. I can pass this token for future web api requests. In my client app javascript (done using AngularJS), I can also maintain info whether the user is authenticated, what roles she has etc. (for user experience). But for security, I need to be able to ensure the html content requested (in the web server) is also having authentication and authorization done. How can I achieve this?
Should I change my app to make the web server call the app server internally rather than from the client? I can use MVC controllers or ASP.NET, but since I was using AngularJS, I thought it is not required, and is kind of a duplicate. Should I ditch pure .html files and move to .cshtml?
How is this done in the Angular + .NET world, when you data comes from a different server than your htmls?
We've been using JSONP with REST type api to do cross domain AJAX calls, but our Angular client code is within .cshtml files in a .NET project. Sounds like the simplest solution is to use the app server internally- I would go with that