I'm building a web app which will have an api and an authorization service using DotNetOpenAuth. I found this example on how you can authorize using a service provider that already exists but I would like an example on how to implement a service provider that can create tokens, persist them and do evaluation. Is there any great articles or sample providers that I can download?
Update
DotNetOpenAuth has moved on since this was initially posted. I strongly suggest you follow Ashish's advise and take a look at the samples. It contains code to write Authorization Servers, Resource Servers and Clients for all the major flows.
If you wanted a pre built solution, with opensource code
Thinktecture Identity Server is an Open Source .NET security token service. It supports a number of endpoints for authentication including OAuth 2.0 Bearer tokens.
Update this Thinktecture Identity Server is now on version 2 and supports these OAuth 2.0 flows
Resource Owner Password Credential Flow
Implict Flow & JavaScript
Authorization Code Flow
again take a look at the code to see how it was all done and there are samples here to show how to plumb it in.
I hope this helps - these library's and examples have hugely helped us over the past few months.
Update
There is also another example warning, it looks dated of a simple OAuth provider for MVC here Sample code here
There are complete working example for DotNetOpenAuth can be found here - https://github.com/DotNetOpenAuth/DotNetOpenAuth/tree/master/samples
I tried a number of times with DNOA....had to give up, but documented my findings (used Thinktecture in the end)...http://tb-it.blogspot.co.nz/2015/06/oauth-20-frameworks-and-platforms.html
Related
I am creating new product. for that I have to use available security features. should I use Oauth2 or Json web token? which is better and in which situation these should be used?
I think you may find your answer in using org.apache.oltu.oauth2.
https://www.programcreek.com/java-api-examples/?api=org.apache.oltu.oauth2.client.request.OAuthClientRequest.AuthenticationRequestBuilder
You can see an implementation for oauth and openID here oauth server and resource server
Just to explain what they are,
oauth server creates the tokens
resource server uses that token and processes it to give you the requested data
You can also go through the following docs to understand what they mean and how to implement them,
sample implementation in java , oracle tutorial on the concept of tokens
If you want to do google API auth then you can go through this
I also found this stackoverflow link which is sort of similar question and has shared few of similar links. You should check that out as well.
I have a working (tested) oauth response from postman, but unfortunately I don't know which way to go when I need to implement the query in .net Core.
Please can you give me a simple example or a hint?
The Identity Server 4 Samples repository, have a lot of examples of OAuth clients.
The steps you need to execute to authenticate, depends of the flow used by the server, more information about flows and usage http://oauthlib.readthedocs.io/en/latest/oauth2/grants/grants.html
There are to things that I want to understand
Does Microsoft OWIN Security oAuth is completely built in on the oAuth 2.0 RFC.
I need a complete sample code that have client to Single Sing on ADFS using OWIN oAuth. What will the architecture for this Single Sing on
Many Thanks
IK
1) OWIN is based on RFCs 6749 and 6750 (oAuth 2.0 and Bearer Tokens), and whilst I can't say for certain that it's 100% compliant in every respect, that does certainly appear to be the goal, there's an interesting discussion on similar matters on the Katana forum here.
2) Have a look at this, it's the Azure AD Git sample for WSFederation, recently mentioned in Vittorio Bertocci's Cloud Identity blog here.
I need help with oauth2.0 and java restful (jersey), any help would be appreciated, I need to find way how oauth2 would be implemented. Here's the scenario, We have a web based application, now, there are clients engage to it. They're planning to have an API (Restful service) so that it will be consumed on mobile devices(android and ios). (They can login using mobile and update their accounts etc.).
Now, my problem is how will I integrate oauth2 for its security using java and how will I create Authorization server.
I used to have the same question and end up building an open-source project: srb4j, which is also based on Jersey and OAuth2.
Srb4j has implemented both token endpoints and resource endpoints for you. You can adopt a lot of its code to your own existing system.
# Sorry for this advert, but it may help you...
java-oauth-server is a new authorization server implementation in Java (JAX-RS, Jersey, Jetty) which supports OAuth 2.0 and OpenID Connect.
The implementation is DB-less, because authorization data (e.g. access tokens), settings of the authorization server itself and settings of client applications are stored in the database on cloud. Therefore, you don't have to set up a database server before starting the authorization server.
Just 4 commands for downloading and starting the authorization server.
git clone https://github.com/authlete/java-oauth-server.git
cd java-oauth-server
vi authlete.properties
mvn jetty:run
The source tree of java-oauth-server is very small and customization points are abstracted as SPI (Service Provider Interface), so it will be easy to incorporate the authorization server implementation into your existing web service.
The implementation supports RFC 7636 (Proof Key for Code Exchange by OAuth Public Clients). It is a new specification (released on Sep. 2015) about a countermeasure against the authorization code interception attack. If you want to expose Web APIs to mobile applications, I recommend that you look for an implementation that supports RFC 7636.
An explanation about RFC 7636 with graphical figures is here.
I ended up using this library https://github.com/BrightcoveLearning/oauth-client-examples/tree/master/amber-java and works like a charm, thanks to the author.
I'm trying to secure my MVC4 Web Api. Actually, I just really need an identity provider with some light security. My service is similar to twitter, from a security standpoint, there's not a lot of private data, but the service does need to know the userid for the caller.
It's also important to know that the web service will only be consumed by mobile devices right now, although a website may accompany it at some future point.
S.O. and the internet have led me to Thinktecture.IdentityModel, but man it seems complex and I can find exactly zero documentation or samples. I also haven't yet had a pleasant experience with claims-based authentication. I don't have a claims server, token provider, or anything like that, and it seems like you would need that to use this method. This all seems far to heavy for my situation.
I've also read about people implementing their own HMAC solution (https://github.com/cuongle/WebAPI.Hmac) or using OAuth (https://github.com/maksymilian-majer/DevDefined.OAuth) but these also seem a bit complex (I've read that OAuth without the helper class is enough to make the best developers cry, and I'm not the best). Janrain looks like it might work, but it looks like you have to pay for more than 2,500 authenticated users per year ...
What is the best way to implement a simple identity provider and security for Web Api?
Thanks!
I have attempted to answer a similar question to this before Create an OAuth 2.0 service provider using DotNetOpenAuth where I highlighted the Thinkecture Identity Server. The Setup instructions not too difficult (IMHO) The installation video is here and should help a lot.
I have updated my older answer with this too but there is also a fairly lightweight O-Auth 2.0 implementation example here Sample code here http://code.google.com/p/codesmith/downloads/detail?name=OAuth2.zip&can=2&q=#makechanges
Have you also read this well articulated question here Authenticating requests from mobile (iPhone) app to ASP.Net Web API (Feedback requested on my design)
Well, security is hard :)
As for Thinktecture.IdentityModel -- this is a token processing library (among other things) that you'd use in your WebAPI application. You'd use this so you don't need to do the logic to accept tokens (basic auth, SAML, SWT, JWT). Claims are just a side-effect.
If you're looking for an identity provider, then the sister open source project Thinktecture.IdentityServer is in beta for version 2. It's an identity provider that supports a custom database and issues tokens. The project URL is:
http://thinktecture.github.com/Thinktecture.IdentityServer.v2/
In response to the problem of finding example code as documentation, consider the samples folder in the Thinktecture github repo: https://github.com/thinktecture/Thinktecture.IdentityModel.45/tree/master/Samples
(Why do you need more reputation to comment on SO than to answer?)