Securing an Angular Application - identityserver3

We're looking to secure an Angular application that is running in an MVC project.
If I secure the MVC app using hybrid flow, then all the Angular $http calls are jQuery $.ajax calls under the hood, which, if I remember rightly, sends all cookies with each Web API call.
My question is, how should I secure this application? Do I need to secure the MVC app using hybrid flow, and then do I need to further secure the APIs?
EDIT
I've just been watching the NDC video and it talks about asking for 2 tokens when you originally authenticate.

Communication between an Angular app and MVC is usually secured using session cookies. If you need your APIs to be called from other apps, then you had better move those APIs to WEBAPI and communicate with them using bearer tokens. If you already have other APIs that require bearer tokens, you can get an access token in hybrid flow and talk to those APIs (from either the Angular app or the MVC app).

Related

How to implement proper External Authentication in Cordova, Ionic w/ ASP .NET WebApi - Google/Facebook

I have a mobile application built upon Ionic Framework which uses many Cordova packages. We are upgrading the app from Ionic3 to Ionic5. In the Ionic3 application our .NET API was responsible for managing user logins. Going forward, in the Ionic5 app we will NOT be managing user credentials - we will be using 3rd party Identity Providers such as Google, Facebook, and Twitter.
We have implemented the Cordova packages to handle external authentication with Facebook and Google and it works fine. How do we tie the token that is received from Google/Facebook to our .NET API? When we try to use the token provided from Google/Facebook we - of course - get a 401 because our .NET API doesn't know about that token as it was issued from an external source.
I am aware of the process of how to enable the schema described here (External Authentication Services w/ASP.NET Web Api) but in this case the user agent browses to the Web Application in the browser. This is not true in my case as the user agent will be using a mobile application not a web site.
But I hope the principle is the same. But I'm missing something here.
The user will open the mobile app, authenticate with Google/Facebook and be issued a token. Now, what needs to happen to get that token to be recognized by my ASP.NET Web Api?
For example, when I registered my mobile app with Google Developer's Console I selected that the type of app is an Android application and was issued a Client ID for Android. Now how can I use this token in my ASP .NET Web API? There MUST be some way to tie the two together or some article out there.
Thanks in advance for your assistance!
Also, I looked at this post and see it's 11 years old. Is there something here that I should be doing? Please help point me in the right direction. how-can-i-verify-a-google-authentication-api-access-token
It is about data ultimately, and identifying users in a consistent manner, then tracking their history with your app / business.
SOCIAL LOGIN PACKAGES
These are often cheap and nasty solutions that add complexity to your apps, as you are finding - especially when you need to look things up by user.
OPTION 1 - COMPLEX APPS
Your API could look at the token issuer (ISS claim in the token) and download token signing keys from either Facebook or Google - if JWKS endpoints exist. Then create a user from the access token's sub claim if required.
OPTION 2 - SIMPLER APPS
Deal with only a single type of token in your UIs and APIs, which will work like this. It moves the complexity to your Authorization Server (AS):
You have an Authorization Server (use Google maybe) to deal with token issuing and other central OAuth concerns
You have multiple Identity Providers (eg Facebook + Google) to support different login methods for users
During login Facebook posts a token to the AS
Then the AS issues its own token to your UI
The AS may be able to use Account Linking to provide a consistent user id regardless of login method
There is a learning curve in getting this working, but once done it can easily be scaled to many apps with zero code changes.
The proper answer is Auth0... see the below sequence diagram!

Azure api management and Web App

I have hosted my REST services on API management and consuming those in the Azure Web app service which consists of only HTML pages, javascript files and CSS files.
I would like to know how to restrict accessing the REST endpoints of the API management only from the web app without Azure AD and OAuth setup.
Client side application sources are by design available in clear text to anyone using it. Any user can open developer tools in the browser and look at the code you've written to make the app work. So even if you secure your REST API with some secret and use it in app code to talk to that REST API, anyone in the world will be able to take that secret out of the app and call your REST API directly, and you would have no way to distinguish their calls from calls made by your app.
OAuth and AAD would work to a certain extent, but even they allow you to authenticate the user, not the app. The same user can easily trace calls made by your app to the REST API and reproduce them in any other app, and you again would have no way of figuring that out.
I think your best bet is to throttle calls made by a certain user identifying it any way you want (even if by IP address).
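Throttling per caller, as the answer suggests, is the one control that still works when the caller cannot be authenticated as "your app". The following is an added example, not code from the post or from Azure: a small sliding-window throttle keyed by whatever identifies the caller (here the client IP, with the caveat the answer implies that many users can share one address behind NAT), replayed over a few constructed request-log lines. The limits, log format and clock values are constructed for the demo.

```javascript
// Added example (not from the original post): per-client sliding-window throttle.
// Each key keeps the timestamps of its requests inside the window; a request is
// allowed when fewer than `limit` of them are still inside the window.
class SlidingWindowThrottle {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> timestamps (ms) of allowed requests in the window
  }

  // Returns true when the call may proceed, false when the caller is over the limit.
  // nowMs is injected so the behaviour is deterministic and testable.
  allow(key, nowMs) {
    const cutoff = nowMs - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent); // blocked calls are not counted, so a flood cannot extend its own ban
      return false;
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return true;
  }
}

// Constructed log format: "<epoch-ms> <client-ip> <method> <path>".
function parseLogLine(line) {
  const [ts, ip, method, path] = line.trim().split(/\s+/);
  return { ts: Number(ts), ip, method, path };
}

// Replays log lines through a throttle; returns one decision per line.
function replay(lines, throttle) {
  return lines.map(parseLogLine).map((req) => ({
    ts: req.ts,
    key: req.ip,
    allowed: throttle.allow(req.ip, req.ts),
  }));
}

// Constructed sample traffic: one address bursts four calls in 3 s, another
// address makes one call, then the first address returns 11 s later.
const SAMPLE_LOG = [
  "1700000000000 203.0.113.5 GET /api/items",
  "1700000001000 203.0.113.5 GET /api/items",
  "1700000002000 203.0.113.5 GET /api/items",
  "1700000003000 203.0.113.5 GET /api/items",
  "1700000003500 198.51.100.7 GET /api/items",
  "1700000014000 203.0.113.5 GET /api/items",
];

function demo() {
  return replay(SAMPLE_LOG, new SlidingWindowThrottle({ limit: 3, windowMs: 10000 }));
}

module.exports = { SlidingWindowThrottle, parseLogLine, replay, SAMPLE_LOG, demo };
```

In API Management the equivalent is a rate-limit-by-key policy with the key expression of your choice; the logic above is what such a policy does, written out so the window semantics are visible.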
You can use certificate authentication from the web app to API Management. The SSL certificate thumbprint on your web app you can validate in an API Management policy.

Azure REST API App with authentication for easy access from Mobile app (Xamarin.forms)

I would like to develop a REST API app that I can access from both web app and mobile app.
The REST API need to support simple authentication that can be done in both from a web app and from a mobile app (like Xamarin.forms)
I don't need multiple users, I need simple access control to my API.
I tried to develop an Azure API app with AD authentication, but it seems like it is very difficult to add support to Azure API App.
To summarize my questions:
How to do simple authentication in Azure API App or Mobile App?
Should I use API App or Mobile App or something else?
Does it support Xamarin and Web app access?
This is way too broad. Are you doing data access? Do you need simple auth? Have you tried any of the quickstarts to try to learn about your task?
Look at Azure App Service Authentication / Authorization - it provides a server directed flow for web and mobile access
This should have been your first question. You want an ASP.NET app, running on App Service (I'm biased here). It should cover both API, Mobile and Web together.
Yes, the App Service covers all your needs.

Can Identity Server be used to authenticate a user for various web apps you may be hosting

I'm not really interested in API authentication - all I want to do is authorize a user who has access to one or many applications from a kind of portal I am designing. We are hosting all the web applications; some are just JavaScript and HTML, some are MVC.
I have created a diagram below with a user called Bob. He is a valid user and is allowed to use an application called "JS" but not MVC. How can this be implemented using Identity Server? Obviously, when inside the JS application it still needs to talk to the Identity Server to make sure the current user is valid, or else somebody could just copy the URL of the app and use the application.
NOTE - the JS application is just a plain old HTML5 and JavaScript application; it is nothing fancy like a .NET MVC app.
One way to achieve this is by registering individual applications (JS and MVC app) as separate clients in IdentityServer (assuming each application has different redirect URIs) and restricting access between those clients.
In order to restrict access between clients for an authenticated user, you need to use ICustomRequestValidator interface.
More details in this discussion board and a similar post in SO thread

Flask login for REST APIs

I am implementing REST APIs using Flask Restful and want to add session based auth for users. Currently I am NOT implementing a web app. I am wondering if the Flask-Login extension can only be used for web apps or can I use them for my REST application too?
Although a RESTful service should be stateless by definition, I would avoid that one. It's more "form-oriented".
Go for OAuth2, it's the de facto standard for RESTful web services.
A good implementation is Flask-OAuthlib, available on GitHub.