I have a C# ASP.NET 3.5 web application which uses forms authentication. Users log in with their username and password on login.aspx, are authenicated using a custom authentication logic and are then directed to input.aspx, where they enter some parameters and get response on output.aspx. If they try to access input.aspx without authenticating themselves, they are redirected to login.aspx.
The same users want to be able to use the functionality of this web application without using the UI, from Unix environment. So I added a web service file (.asmx) to this web application. I didn't create a separate project for this web service because the web service uses code files, code in global.asax of the existing web application and I should not duplicate that code for the web service.
The web service functionality works fine now, though I don't know how to authenticate the users. The web service client will send username and password once (maybe using a 'login' webmethod, which I can write to authenticate them) and then should be able to send multiple requests (maybe until they call a 'logout' webmethod or until their session/cookies expire).
For web requests to not get redirected to login.aspx page, I excluded the .asmx file from Forms authentication using the location tag in web.config. (I don't know if that's the way to go.) But then I am thinking that the user is not then authenticated in the web application and so the web application code that the service uses, won't be accessible, right?
I would recommend a quick read on this link (http://msdn.microsoft.com/en-us/library/ms977327.aspx) and then follow it up with this one (http://msdn.microsoft.com/en-us/library/9z52by6a(VS.80).aspx). A custom security header is probably where you want to go to secure your web service outside of forms authentication. It does mean that each method call needs to have the header supplied though.
Related
I find setting up the auth services for every website is cumbersome.
This is my scenario: I have currently three websites for example example.com, example.org and example.space and their mobile apps respectively.
I found it's tiring to configure auth for each of them separately. What I want is to create a centralise auth service running on a different port with a different database. For example on example.net:7000.
Whenever users request to be authenticated by sending their email and password to example.com/auth, example.org/auth or maybe just example.net/auth they will receive a JWT token which can be used to access the protected resources on the respective sites or their mobile apps. And it should be without opening any website from the browser in case of the mobile apps.
I mean users shouldn't be aware of this process that their credentials is being handling by a single server. It's kind of like Google where user can login on to gmail.com and also gets logged in to google.com.
I have taken a look to Openiddict but found out that it has some redirections involved (to auth a user, the user is being redirected to the auth server and then send back to the previous url). I want it to be like machine to machine communication with no user interactions involved rather than sending an JSON containing their credential in a simple HTTP POST API request.
How can I achieve this? Is there any example repository.
Note: I am using Flutter for the mobile apps.
I'm building a platform on .Net5 that will consist of at least 3 MVC web applications: User, Admin, Product. Authentication is performed on the User application where we can take a Username/Password to log the user in. The User Application also has the Forgot Password/Reset Password, etc functionality on it. Authorization is claims based. Based on this document I believe I would fall into Figure 9-2 Authentication by identity microservice, where my other microservices are web applications rather than APIs.
The issue I'm running into is trying to figure out the proper way to implement this.
Do I use JWT or Cookies for this? The article above does have a link for cookie sharing but wouldn't JWT be appropriate?
If I did use JWT, how do I pass it back to the server if I used something like #Html.ActionLink? Or is it expected that I would be using a front end framework like React and thus making any calls back to the server manually?
Again, if I'm using JWT, how would I pass it from the User application to the other applications?
We have big JSF monolithic application. We want to change the architecture of this application. Currently, my goal - change one module in our application. I need to move the logic from one module to another application which will be implemented on another stack of technologies (it will be rest-service with some js-framework on frontend).
The application should work in the same way. We should have the link to the page as it was earlier but this page should be rendered by another service. We should have the same session between these 2 applications. The user should be able to go throw the pages without an additional step of authentification.
We are planning to move also other modules, not only this one. I need a help. Do you have any thoughts how it should be implemented? any examples?
The ideal way to do this for me is using a SSO service like keycloak, as your Identity Provider. That involves porting your authentication logic to it and decouple it from your monolith. But once you rely on it as your IdP, you only share tokens between your applications and IdP. Keycloak has many adapters, for Java, Javascript, NodeJs clients.. and so on. That has the huge advantage that you can keep decoupling logic from your monolith and you don't even need new modules to be written in Java. You could even integrate it with services not written by you, it's enough for them to have Open Id Connect or SAML integrations.
KC supports both SAML and OIDC Auth protocols. With OIDC (the way to go with brand new applications), the adapter located in each of the apps checks wether the user has a valid web session or not. If not, it gets redirected to KC login page. The result of a valid login is a code which you can use to obtain an access token (a valid token to obtain resources from your app). Apart from that, the adapter ties that access token to a browser web session, which is stored in KC too. So if you try to access the other web page, the adapter checks for your web session, which finds to be valid.
You can use it to access your apps from a mobile device too, taking care of the access token management/renewal in the mobile app yourself.
See also:
The OpenId Connect protocol
I've set up an IdentityServer3 server with IdentityManager and MembershipReboot and have successfully managed to implement Bearer authentication across a few different ASP.NET Web API servers and a couple of Angular JS clients.
I'd like to be able to set up an endpoint on the IdentityServer3 Web API project itself that users can go to in order to edit their email-addresses, password, etc. In order to do this, I need to be able to use the [Authorize] attribute inside one of the controllers running on the IdentityServer3 server. I'm having trouble trying to find out how to do this.
In projects that use my IdentityServer3 server, I simply add something like:
app.UseIdentityServerBearerTokenAuthentication(...);
I wondered if I could just do the same in the server itself, but it wouldn't be Bearer token authentication in this case.
I just want to add an MVC page to the auth server that I can redirect to from the client applications to allow the user to modify their details. How can I achieve this?
There's an OWIN Context Environment extension in IdentityServer3, namely GetIdentityServerFullLoginAsync, which retrieves the logged in user (stored in a cookie).
I can create a new Action that uses this to retrieve the logged in user and display their details. I can also add endpoints for updating the password, etc, so long as I protect against CSRF in the usual MVC way.
I am developping a Restful web application with Symfony2 and I will use FosOAuthServerBundle and OAuth2,I started to read some tutorials, but one thing I didn't understand,in my application I have already an authentication system in which the admin put his login and password,but the implementation of this bundle in my application adds a second authentification system to my app,for this reason as I have understood I should add a button in my login page to use this bundle and having the access token to protect my rest web service
My question is,what are the advantages of this second authentification system,espitially my application is for one user "the administrator"??
My second question is,is it possible to combine this functionality with my login system that I have created from the beginning
thanks a lot for help
The advantage of using oAuth2 is that is standardized, so you can use any client in any language out there to get an access token.
If you have a single admin user, probably you don't need it but is up to you decide that.
I'm quite sure you can integrate your auth system to the oAuth bundle by following the symfony2 security documentation and implementing an user provider
http://symfony.com/doc/current/cookbook/security/custom_provider.html