asp.net website wcf data service authentication - asp.net-mvc

I am building a website using ASP.NET MVC 3 and have forms authetication setup correctly (user is able to register and login). I want to setup an OData WCF Data Services service so a Windows Phone 7 (Mango Beta 2 Refresh) client can authenticate and query the Odata service, with CRUD actions. This idea comes from the FullStack episodes here. They use OAuth login, but I wanted to use the user setup I already have, instead of an OAuth solution.
I do have this all working without auth currently (MVC app with Odata client on wp7), but am looking to make the Odata service secure. I guess I am looking for some articles or walkthroughs on how to get this working.
If forms authentication is not the correct choice, please let me know.
UPDATE
So lots of research done on this. There is an official how-to series on the blog for the WCF team here. Since forms auth is already configured on the web app, adding a check inside the QueryInterceptor provides the auth. However it uses a 'standard authentication endpoint' for client apps to actually 'login' that seems to use the base Membership providers, which I don't use. Is there a way to override this?

You could turn your custom forms authentication setup into a Claims based Federated Authentication Provider (STS) using Windows Identity Foundation. Then use that to authenticate your wp7 app with the STS provider and then send that claim (token) to your Odata service which will verify its an authentic claim. There is an example of this in the WIF training kit

Related

How to use Asp.net MVC Core with Asp.net Identity Core and WebAPi Core?

I am going to create an web app using Dot Net Core. In future, i will also create mobile application for the same application. Now, i am in thinking the architecture of the project. I want to use WEB API core using Asp.net Identity Core. Also, i will consume WEB API in MVC Core application. But the question i have in mind that how i can handle ASP.net identity with MVC and WEB API? Do i need to include in MVC as well or only in WEB API?
I tried to think hard but still confuse. Need suggestions.
You can use token based authentication .
In a resource owner flow scenario , your client app( mvc application/native application) will consume your web api by providing user's credential , web api will validate the credential(using ASP.NET Core Identity) in database , If the username and password are correct then a JWT authentication token and the user details are returned. Your client app could validate the token and sign in user :
ASP.NET Core 2.2 - JWT Authentication Tutorial with Example API
Tutorial built with
Token Authentication in ASP.NET Core 2.0 - A Complete Guide
In addition, IdentityServer4 is a good choice when you want to roll your own full-fledged OpenID Connect authorization server that can handle complex use cases like federation and single sign-on.
So your question is maybe a bit open-ended for Stackoverflow and you don't really show what you have tried so far.
I will try to answer though. First you just need to start out with a template for your project. Start an MVC project in which you can easily have API endpoints as well. I would suggest splitting those in two projects for clarity - but if it is just a small personal project then you probably are fine having them in the same project. Microsoft have a pretty good resource on MVC:
Microsoft MVC walkthrough
For the Identity part. You would need some kind of authority for it to work. I suggest you take a look at IdentityServer4. Which offers an excellent walk-through of how to set it up and how to integrate it with Asp.NET Core Identity:
IdentityServer4

Multiple Azure/ADFS/OpenConnect/oAuth Identity Framework options on single site

I have a Angular site that is multi-tenant. When they login they're linked to a specific organization that we keep track of using Web Api.
We're using the excellent articles written here: http://bitoftech.net/2014/08/11/asp-net-web-api-2-external-logins-social-logins-facebook-google-angularjs-app/ as our starting point to get everything going with webapi and angular for handling the identity framework through Web Api with Angular and that works well.
We have the ability to login as facebook, google etc. which is all straight forward.
The issue is that we want to be able to setup for organizations the ability for them to have their users login using their ADFS server, or their azure ad (or any other oAuth 2 compliant server.)
Basically we use a subdomain xxx.yyy.com where xxx is unique to the organization. When they hit that subdomain we show them a button to login using their endpoint.
The problem I'm facing is that I can't find any documentation on how to set this up so that I can have multiple endpoints configured for wither oAuth over ADFS or oAuth over Azure (openconnect it looks like, can't tell if ADFS in Windows 2008 R2 supports openconnect, but it does support oAuth).
Can someone point me in the right direction of how to accomplish this? Do I need to setup a single app.UseOpenIdConnectAuthentication() and then intercept based on the request some how for all of them? Or is there different rules for ADFS versus Azure so I have to use something else.
Any details would be fantastic. Even an inkling of where to go with this without having to use something like Auth0 would be fantastic.
Have a look at IdentityServer3.
You'll see a number of connections as a general guide (albeit in C#!).
ADFS in Server 2008 R2 has zero OpenID Connect / Ouath2 support. ADFS Server 2012 R2 has zero OpenID Connect / some OAuth2 support (Web API). ADFS Server 2016 is pretty similar to Azure AD - supports both.
Note that you need to support the hybrid OAuth profile.
You could use other protocols for ADFS e.g. WS Federation / SAML (using the OWIN libraries).
Or go the ADAL route.

How to use IdentityServer as STS alongside ASP.NET Identity

I'm wondering if it is possible to use Thinktecture IdentityServer simply as an STS alongside an existing web app? That is, I want to use ASP.NET Identity for authentication in my web app because I want to use all of the built-in functionality like 2-factor, etc. However, I want to use IdentityServer as an STS to serve up tokens to access my web services (WCF and Web API).
I thought perhaps I need to authenticate normally through ASP.NET Identity, then again through IdentityServer to get the token. However, this seems heavy and wasteful.
Is there perhaps some way to authenticate against the IdentityServer directly from ASP.NET Identity? I saw the sample where we can integrate the two together (IdentityServer using ASP.NET Identity), but it seemed like I might lose the ability to use all of the built-in stuff like two-factor workflows.
I'm hoping I'm way off base here, and apologies if I have some fundamental misunderstandings about how IdentityServer works. Perhaps there is a way to get all of the added functionality that ASP.NET Identity provides from within IdentityServer?
Identity Server will handle all authentication, no need for double sign-ins if you are using it correctly.
You'll have to implement two factor authentication yourself though as it is not currently supported by Identity Server. However extending Identity Server's existing support for ASP.NET Identity to allow for two factor authentication is definately possible.
I think your first port of call should be to have a bit of a deep dive into the Identity Server documentation and the OpenID Connect protocol. After that check out UserService documentation and then derive from the existing ASP.NET Identity UserService to add support for two factor authentication.

Windows authentication in MVC app calling WebAPI

We're building a Windows-authenticated ASP.NET MVC app. This will then call into an ASP.NET WebAPI layer sat on a different server.
We don't have Kerberos enabled so assume authentication with this will be via some form of Basic auth. We're also looking to use ASP.NET Membership/Identity for role management. All communication with the Membership database will be via the WebAPI.
Can anyone give guidance on how best to handle issuing authentication tokens for communication between the MVC and WebAPI apps, and how Authorize attributes may be used across both layers?
I've blogged detailed series of posts about Token based authentication in Web API using ASP.NET Identity, it should answer part of your questions, check it here

MVC/SPA Authentication Scenarios for Azure AD

These are Application Types and Scenarios that Azure AD supports:
Web Browser to Web Application
Native Application to Web API
Web Application to Web API
Daemon or Server Application to Web API
I have two questions:
I would like to understand where my scenario below fits.
I think I need to use JWT tokens and it seems that Native Application to Web API is the closest,
but I still need Asp.Net MVC application to deliver Client side Angular MVC resources (html templates, controllers and Rest services)
Which Azure Active Directory Code Samples are the closest to my scenario below:
I would like to create a multi-tenant Angularjs (delivered using Asp.Net MVC 5) and Rest Web API 2 secured with Azure AD. I would like to have tenants choose their domain names like firstTenant.com,
smt.firstTenant.com or to have subdomains like firstTenant.MySaaS.com, secondTenant.MySaaS.com
or MySaaS.com/firstTenant, MySaaS.com/secondTenant or similar domain naming scheme.
I would use some kind of IoC container to add customization to my SaaS application or similar to deliver specific functionality to each tenant (GUI and business logic and DB).
I would use and Asp.Net MVC application that will custom tailor SPA resources (html templates, .js controllers, .js services, .css, images etc) to each tenant and use some partitioning techniquest to retrieve tenant and user specific content from DB called from Rest API controllers.
Thanks,
Rad
I am also facing the same 'i dont know' issue :)
But far as i have researched the authorization flow from SPA aplication to the web api.
You still need webserver(mvc) project that will privide redirecting to the Identity provider (azure AD) login page and on the IP callback you will need to inject baerer token to Angular auth service that will send token to the api or deal with the refresh token.
So for me I think that, Web Application to Web API, is the right direction programming.
pls comment if i'm wrong
Currently i'm investigating link
http://code.msdn.microsoft.com/windowsazure/MyCompany-demo-applications-eedab900
update 2:
http://www.cloudidentity.com/blog/2014/04/22/AUTHENTICATION-PROTOCOLS-WEB-UX-AND-WEB-API/
Maybe it will be helpful to us.

Resources