I am using abp framework with angular and sql server with out of the box identity server.
I have added facebook login which is working fine. Now I need to retrieve the access token returned by facebook login in my application layer for facebook graph api call.
ICurrentUser has no fields for the same.
Please help.
Related
I am building a web application with
Asp.net Core 2.0 Web API
AngularJS 4+
SQL Server
User signup/login only through Google/Facebook/LinkedIn. I will save user info like name and email I receive from them into SQL db table. I do not have a plan to offer manual registration on my website with email and password. I do not want to maintain user credentials, forget the password, securing user passwords and all nitty-gritty around that.
As of now, there is no plan to build a mobile app. I am learning .Net Core and stumble upon IdentityServer4 as a recommended way to provide identity in asp.net core applications. I went through all docs, example and tried out few sample application. I think I am clear how configuration and workflow of identityserver.
My questions are
Is it worth employing IdentityServer4 in my architecture since my identity is external provider only? I was thinking about using default Asp.net Identity with.AddCookie(), .AddGoogle() and .AddJwtBearer() to retrieve the cookie from Google/Facebook/LinkedIn, use AddGoogle AddFacebook AddLinkedIn middleware to handle callback, extract claimprincipal and set Jwt token for Angular JS app to use in its XMLHttp request.
What benefits do I get outsourcing this work to IdentityServer4 besides identity in one place best practice?
I appreciate your tiny or big feedback on this.
IdentityServer is great for handling many clients that access many protected resources. You seem to have one client (the so called AngularJS 4+ app) and one resource, the Asp.net Core 2.0 Web API.
A point of clarity is that you have no need for ASP.NET Identity and all those middlewares for Google, LinkedIn, etc. If your client is truly an Angular javascript application, then it does not need a server side component like ASP.NET Core- it is simply a browser application. You can use a javascript library like oidc-client and configure your external authentication providers according to their own needs. You will receive an id_token and/or access_token to store in browser and utlimately pass to your Api Resource.
Speaking of your Api Resource, this application can validate directly with the token issuer, be it Google or Facebook or whoever.
So with this setup: (a) a browser app (Angular), (b) a server WebApi (ASP.NET CORE), and (c) and an identity/access control service (Google, Facebook, etc.) you certainly do not need any additional applications that run ASP.NET Identity or IdentityServer4. Seems like it would be easier without them.
If your Angular app is actually in an ASP.NET MVC, then the same is true.
If your Angular app and your WebApi are all part on one ASP.NET project then the same is true and all you need is an identity provider to return an id_token.
On an ASP.NET Core project with EF Core and ASP Identity I have 3 applications:
Web API
It will be accessed by the Angular 2 application.
In the future it will also be accessed by mobile applications.
ASP.NET MVC as a container for an Angular 2 application.
ASP.NET Core Auth with Identity Server 4.
I have a few questions about using Identity Server 4:
The Auth application should be Console or ASP.NET MVC?
Where is the Login page?
Centralized in Auth application so Auth would be ASP.NET MVC / Angular 2?
Or a login in the Web Application and one in the Mobile Application?
In case the login page is centralized in Auth application as MVC/Angular2:
3.1. In the login page I might need to display a phrase from the database.
So the Auth application can call the API in that case?
3.2. How does the Auth application verify the username and password?
Does it access the API to verify it or access directly the database?
1) Not sure what you mean by "Auth application" but IdentityServer4 is middleware for ASPNET Core. So it will be your central authority for issuing tokens for authorization.
2) The login page would be hosted within The IdentityServer4 ASPNET Core application as a normal web page powered by MVC and Razor. There is a repository with examples here.
3.1)
You can do a database call and hydrate the view model with this message when a user gets directed to the login page and access that view model using normal MVC/razor patterns.
3.2)
This is up to you, you may inject a repository or store that verifies users and their passwords in the controller or some other service.
If you follow the sample many things will become much clearer. If anything is still confusing let me know.
I'm working on setting up a new SSO application. I would like to use ASP.NET Identity as a database to store the users data. I have a ReactJs application hosted on Node.JS and a .Net Web Api2 application. I want to protect thsi Web Api 2 using Identity Server with users from its database. In further development I'm going to create a mobile application.
I'm able to create an asp.net identity database with some users and use Resource Owner credentials, but I have couple of questions if anyone could help:
Why is Resource Owner Credentials not recommended? My current workflow is to hit the api with client&user&password and obtain a token which I store in web layer and use in Web Api requests. Web Api validates the tokens and identify the user. I read on IS page that's not recommended then what's the recommended scenario to authenticate the user?
How can I create an authenticator for mobile? Should I create my own certificate issue, store it in database as a thumbprint and use access token for that?
Thanks
In short, Resource Owner requires the credentials to be passed through the application itself, also RO doesn't give you SSO. Here's a longer answer. The recommended scenario is to use hybrid flow with PKCE enabled.
Look up TOTP. I believe it is implemented in AspNetCore.Identity with some examples.
Current State of web application:
We have an existing web application designed in AngularJs, MVC5. Authentication is happening against our custom database.
SignIn:
We did over ride Microsoft.AspNet.Identity.UserManager and other source classes to talk to our database to get user related information.
adding the results to System.Security.Claims.ClaimsIdentity.
Passing on to "Microsoft.Owin.Security.IAuthenticationManager.SignIn(params System.Security.Claims.ClaimsIdentity[] identities)
What I need SSO:
We would like to move the auhentication to SSO with SAML 2.0 token as we are planning to integrate 2 new vendors into our web application
Identity Provider:
We are implementing Identity provider in F5 Big Ip which does the authentication by providing the login page and generates the saml2 token. Our web application would be configured as Service provider. On redirect to the web application it will pass on the saml2.0 token.
Consuming SAML2.0 in MVC .net framework 4.5.2
All my application would need is to consume saml2.0 token and integrate with existing authentication pipeline.
Things to do:
Meta data from Identity provider has public key to decrypt saml2.0 token and as well a key which is used to sign the meta data file
My assumption would be parse the request for SAML 2.0 token and verify if the token is valid and use the data from the attributes and query the database for more details and insert the results into "System.Security.Claims.ClaimsIdentity" and use the existing signin operation.
Need to figure out how to configure the principle.. and do we still need Microsoft.AspNet.Identity.UserManager.
Research:
In visual studio we had identity and access tool which doesnt exist from vs2013.
Went through the article on windows identity foundation and claims identity principle
www.codeproject.com/Articles/504399/Understanding-Windows-Identity-Foundation-WIF
I know wif support saml2.0 token but not saml2 protocols.
Here are the third party tools that was suggested to be used
http://nzpcmad.blogspot.co.nz/2013/06/saml-saml-connectivity-toolkit.html
I am not sure just to consume do I need to used one of the tool? As we have our IDP configured in F5 bigip and not designed in .net
Another good article I found
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
Also saw some suggestions about Saml2SecurityTokenHandler to process saml2.0 token.
I appreciate if someone can direct me to simpler solution to integrate to my existing web app. Just need to consume saml2.0 token and integrate with existing claims based authentication.
OK - then you have to use a SAML stack as per the link you used.
Have a look at Kentor - there's some examples on the site plus I did a write up
Update:
The way SAML works is that the client needs to send an AuthnRequest to the IDP, then the user authenticates and then the IDP sends a AuthnResponse to the client. The response contains the SAML token which contains the assertions (claims).
We are planning to integrate Identity Server3 in SPA page application using AngularJS with .Net Web API.
1) Need to create identity token and oAuth token for the application and store identity token in browser cookie. So taking Hybrid approach and need to map the identity to create oauth token, so both users and api are protected. Able to create oauth token, but struggling how to do authenticate using custom login page (not using identityserver3 login page) where userid and password validated from Angularjs page and create identity token and store it in browser cookie.
Any one have implemented custom login approach with identity token creating using identityserver3?
2) How to integrate identity Server3 with Active Directory as user data store?
Please provide comments.
Thanks
Regards
Ramkumar.C
For Active Directory(AD) user store, implement Identity Server as a Relying Party to your AD implementation. You can then simply integrate it within Identity Server as an external Identity Provider. Details on how to do this are in the official documentation: https://identityserver.github.io/Documentation/docsv2/configuration/identityProviders.html.
I assume you'll be doing this over WS-Federation, so you'll need to use the Microsoft.Owin.Security.WsFederation package.
If you want to use just AD as your user store, you can disable local logins in the IdentityServerOptions, set AD as the only Identity Provider for your Client using the IdentityProviderRestrictions property or use the acr_values property of idp when using the Authorization endpoint.
Regarding custom log in page external to Identity Server, many people have asked about this on the Identity Server issue tracker. Some have made implementations, but FYI: the team behind Identity Server do not recommend this approach.