I'm writing a simple web application in MVC 4, and I want to OAuth with Trello so that I can ask a user to log-in with their trello details and then see some of their cards.
Can anyone provide information about creating a custom oauth provider to support non-out of the box oauth providers? From what I can see, I think I need to create a custom Oauth provider (subclass IAuthenticationClient and use that) - is that right?
Okay, I spent the 11 hours since my comment writing a custom oAuth class for SO. Tomorrow I get to do one of sales force. I'm not excited.
Here's what I did:
Create a DataContract class for your expected Json/Xml. I went ahead and implemented everything that SO returns, but if you're only doing authorization you can probably cut it down to an ID and DisplayName.
Create a class that extends OAuth2Client from DotNetOpenAuth.AspNet.Clients. Use the DotNetOpenAuth GitHub page for examples. This is the longest, and most painful step, especially if your json serialization is rusty.
Open up /App_Start/AuthConfig.cs and enter OAuthWebSecurity.RegisterClient(new YourClass(Your, Initalization, Params), "The Name You Want to Show Up On Your oAuth Login Button", ExtraDataIfYouNeedIt; somewhere in the RegisterAuth() section. I haven't established what the ExtraData param is for, but I didn't need it in my case. Hopefully you won't need it in yours.
Edit: Updated github link.
Related
I have made a webapi which has few actions and one is AddManualDate which accepts a parameter of the object type. It is consumed by Android devices. It works. But the problem is that the link is now exposed to the public and anyone can use it in a bad way. How to control it ?
my link for example:
http://www.testing.com/api/AndroidOperations/AddManualAppointment
now, this can be accessed by anyone. So what to do?
A common way to do this is using a token based authentication. Your client has to call the token api first, to get a token and pass it to every request against your api.
This is normally done by OWIN and OAuth. The following link describes the matter:
https://blogs.perficient.com/2017/06/11/token-based-authentication-in-web-api-2-via-owin/
Since this is a very general question, I can't give you a simple example.
Feel free to ask again if you get stuck in a detail. Happy coding!
I would like to add additional Azure AD attributes as Claims to a ClaimsPrincipal created by the "out-of-the-box" ASP.NET MVC template (i.e. app.UseOpenIdConnectAuthentication(...))
I tried implementing something similar in the SecurityTokenValidated notification as shown in this article, however it seems I'm running into a bit of a chicken-and-egg problem with my scenario:
I need to call the Graph API to get the additional user attributes for the Claims, but I don't have the token yet (I don't think) at this point in the process to be able to call the API.
Seems like I'm missing something obvious here.
You have many solutions here, but two stand out:
In securitytokenvalidated you do have a token, the one sent to your app for sign in purposes. You can use it in an onbehalfof flow to get a token for the graph, and use it right within that notification. You can refer to the sample here, it's for web API but the concept is the same
You can configure your app to access the graph with its own application identity. You can get that token at any time, then. See here
I was developing website and decided to separate back-end(rails) and front-end(angularjs). All went good until I tried to implement authenticating over JSON. I've found tons of material on how to implement it with devise, or with doorkeeper, but I can't understand how to put it together. (API is implemented with RocketPants)
From what I've realized, from front-end I should send login and pass on init, getting back authtoken (step 1). Then on every call I should send authtoken with other data (step 2)
On step 1: Doorkeeper redirects_to sign_in page. Should I modify controller in way that it should come to controller, which would handle authentication (by using warden.authenticate!) ? And how does Doorkeeper know that I'm logged in since that moment? (for giving me authtoken)
On step 2: Authtokens are individual per user and per application, which uses API, right? So I should somehow specify, from which application request comes, shouldn't I? "
Note: Backend is going to be API only, so everything should be handled by JSON requests. But how I modify available applications then? One more custom controller over Doorkeeper?
Thanks in advance, I hope, I'm not the only one with such questions =)
I've gotten a good number of OAuth logins working on my site now. My implementation is based on the WebSecurity classes with amends to the code to suit my needs (I pulled the WebSecurity source into mine).
However I'm now facing a new set of problems. In my application I have opted to make the user email address the login identifier of choice. It's naturally unique and suits this use case.
However, the OAuth "standards" strikes again.
Some providers will return your email address as "username" (Google) some will return the display name (Facebook). As it stands I see two options given my particular scenario:
Option 1
Pull even more framework source code into my solution until I can chase down where the OpenIdRelyingParty class is actually interacted with (via the DotNetOpenAuth.AspNet facade) and make addition information requests from the OpenID Providers.
Option 2
When a user first logs in using an OpenID provider I can display a kind of "complete registration" form that requests missing info based on the provider selected.*
Option 2 is the most immediate and probably the quickest to implement but also includes some code smells through having to do something different based on the provider selected.
Option 1 will take longer but will ultimately make things more future proof. I will need to perform richer interactions down the line so this also has an edge in that regard.
The more I get into the code it does seem that the WebSecurity class itself is actually very limiting as it hides lots of useful DotNetOpenAuth functionality in the name of making integration easier.
Andrew (the author of DNOA) has said that the Attribute Exchange stuff happens in the OpenIdRelyingParty class but I cannot see from the DotNetOpenAuth.AspNet source code where this class is used so I'm unsure of what source would need to be pulled into my code in order to enable the functionality I need.
Has anyone completely something similar?
AttributeExchange only applies to the OpenID Providers (Google and Yahoo!) and you can see the extension used in their respective source files.
I recommend against using email address as the username. Email addresses can be recycled (an account can expire or be closed/canceled and the email address can be reassigned to a new user). If this happens, your site based on email addresses would "give away" all the data of the old user to the new user. Massive privacy violation and lawsuit potentially happening there. Far better to use the Claimed Identifier for the OpenID cases, or the service provider-specific user id number in the OAuth cases, as the primary identifier in your user table. Certainly you may capture and display the email address everywhere on the web site where you would display a username so as far as the user knows that's the username -- it's just that internally you use something more precise than that.
I am trying to implement two pieces of functionality to my ASP.NET MVC 3 applications.
I would like the ability for the user to use Twitter to authenticate on my web site. I would also like to be able to store the users name and email in my database upon successful login.
I would like to post to the users twitter feed once a certain event occurs.
Are there any open source libraries that can handle both tasks out there?
Thanks
To enable logging in with Twitter credentials on your site, use the Sign in with Twitter flow. If the user is already authenticated, it's a one click operation. The doc I linked has a flowchart and description of the process, and this answer has a bit more detail.
Once your user has signed in via Twitter, you can easily get the user's screen_name, however there is no facility to obtain the user's email from Twitter.
On the Twitter framework front, I recommend Twitterizer. I like the consistency and ease-of-use of the framework, and coverage of- and parity with- the Twitter APIs. I've personally used it on multiple implementations, and have had no issues that tied back directly to the library.
In order to use Sign in with Twitter, you'll need to use the BuildAuthorizationUri(string requestToken, bool authenticate) method overload of the OAuthUtility class, passing true as the second parameter.
Also, Ricky Smith (the Twitterizer lead dev) is active on SO, and anything tagged with twitterizer seems to get pretty prompt attention (meaning I can't answer them faster than Ricky can. ;)
Finally, posting a status to a user's timeline is pretty trivial with Twitterizer once the OAuth tokens have been obtained (simplified example from the Twitterizer site follows):
var tokens = new OAuthTokens();
tokens.AccessToken = "XXX";
tokens.AccessTokenSecret = "XXX";
tokens.ConsumerKey = "XXX";
tokens.ConsumerSecret = "XXX";
TwitterResponse<TwitterStatus> tweetResponse = TwitterStatus.Update(tokens, "Hello, #Twitterizer");
I would think that either of the following would be able to handle both your tasks:
TweetSharp
RestSharp
Also consider...
Twitterizer
or
TwitterVB