SSO not working for IdentityModel.OidcClient - winforms

I am adding OIDC login to a WinForms application. I set up the application using the IdentityModel.OidcClient library and pulled the boilerplate code from their WinForms sample. The OIDC flow successfully shows the login form, does MFA, and I get back the tokens.
However, if I close the application and open it again, I have to authenticate again. Usually, the SSO session in the browser allows me to bypass this step. It seems the OidcClient is using a browser session that gets destroyed when the application closes and is not shared between applications.
How can I configure my application to use the SystemBrowser or another browser that will maintain those SSO cookies between executions and/or for different applications that use this component?
Thanks in advance.

The first thing to check is that the session cookie you set has an expiry date in the future; otherwise it will just be a cookie that lasts for this browser session.
In your browser you can see that in the developer tools section, like in this example:
Alternatively, you can use a tool like Fiddler to check the response that sets the session cookie and make sure it contains a future expiry date.
You can configure that in your ASP.NET application.
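One way to hand the login to the user's own browser, whose persistent cookie jar outlives the WinForms process, is a loopback IBrowser implementation. This is an added example, not code from the question, the answer or the OidcClient sample; it assumes IdentityModel.OidcClient 3.x or later (InvokeAsync takes a CancellationToken), that the IdP has `http://127.0.0.1:7890/` registered as a redirect URI, and placeholder values for Authority and ClientId.

```csharp
using System.Diagnostics;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using IdentityModel.OidcClient;
using IdentityModel.OidcClient.Browser;

// IBrowser that opens the OS default browser and receives the redirect on a loopback
// HttpListener: the IdP session cookie lives in the user's browser profile, so it
// survives restarts of this process and is shared with other clients doing the same.
public class SystemBrowser : IBrowser
{
    private readonly int _port;
    public SystemBrowser(int port) { _port = port; }

    // Must be registered at the IdP as a redirect URI for this client (assumption).
    public string RedirectUri => $"http://127.0.0.1:{_port}/";

    public async Task<BrowserResult> InvokeAsync(BrowserOptions options, CancellationToken ct = default)
    {
        using (var listener = new HttpListener())
        {
            listener.Prefixes.Add(RedirectUri);
            listener.Start();
            Process.Start(new ProcessStartInfo(options.StartUrl) { UseShellExecute = true });

            var incoming = listener.GetContextAsync();
            if (await Task.WhenAny(incoming, Task.Delay(options.Timeout, ct)) != incoming)
                return new BrowserResult { ResultType = BrowserResultType.Timeout };

            var ctx = incoming.Result;
            var callback = ctx.Request.Url.ToString();   // authorize response (code, state, ...)
            ctx.Response.StatusCode = 200;
            ctx.Response.Close();                         // OidcClient checks state and redeems the code
            return new BrowserResult { ResultType = BrowserResultType.Success, Response = callback };
        }
    }
}

public static class Login
{
    // Authority and client id are placeholders for your own IdP registration.
    public static Task<LoginResult> RunAsync()
    {
        var browser = new SystemBrowser(7890);
        var options = new OidcClientOptions { Authority = "https://idp.example.com", ClientId = "winforms-client",
            RedirectUri = browser.RedirectUri, Scope = "openid profile", Browser = browser };
        return new OidcClient(options).LoginAsync(new LoginRequest());
    }
}
```

Whether a second login is silent still depends on the IdP's session cookie being persistent, which is the point the answer above makes.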

Related

Hide HTTP GET/POST request getting displayed in Chrome Developer Tool

I have an application developed in AngularJS and Web API. I have used token-based authentication using the OWIN framework. The application is deployed in a software company, and a few developers who have knowledge of this tech stack use the Chrome developer tools to access the API methods directly and bypass the validations on the client side. Is there a way to control this?
Please find the screenshot of the Chrome developer tools displaying the Bearer token, Web API method and its payload.
You can't really hide HTTP requests from showing up in browsers. What you can do is control who gets hold of that access token, its expiry time, and what permissions and claims he has.
You can't hide the browser's activities from a user running that browser.
A token should be generated only upon successful login using the right credentials, and that token showing up in the developer tools can be used to call the APIs from tools like Postman until its expiry (so, set a shorter expiry).
Token A, generated using the credentials of user A, should not have permission to manipulate the data of user B, and this should be handled explicitly.
So, the one option is that user A can steal his own access token and use it to manipulate only his own data, as long as the token is alive.
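The server-side enforcement the answer calls for, as an added example (not code from the question or answer): a Web API 2 controller that repeats the validation the client performs and checks the caller's identity from the bearer token against the owner of the record. The Order model, OrderUpdate DTO and IOrderRepository are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Net;
using System.Security.Claims;
using System.Web.Http;

// Hypothetical model, DTO and repository used by the controller below.
public class Order { public int Id; public string OwnerId; public decimal Total; }
public class OrderUpdate { [Required, Range(0, 1000000)] public decimal? Total { get; set; } }
public interface IOrderRepository { Order Find(int id); void Save(Order order); }

[Authorize]                                   // no valid bearer token -> 401 before any action code runs
[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    private readonly IOrderRepository _orders;
    public OrdersController(IOrderRepository orders) { _orders = orders; }

    [HttpPut, Route("{id:int}")]
    public IHttpActionResult Update(int id, OrderUpdate update)
    {
        // Client-side checks are advisory only; the same rules are enforced here.
        if (update == null) return BadRequest("A request body is required.");
        if (!ModelState.IsValid) return BadRequest(ModelState);

        // Identity comes from the validated token, never from the URL or the body.
        var callerId = ((ClaimsPrincipal)User).FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(callerId)) return Unauthorized();

        var order = _orders.Find(id);
        if (order == null) return NotFound();

        // A token issued to user A must not modify user B's data: explicit owner check.
        if (order.OwnerId != callerId) return StatusCode(HttpStatusCode.Forbidden);

        order.Total = update.Total.Value;
        _orders.Save(order);
        return Ok(order);
    }
}
```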

How to share cookie for the web applications hosted on same IIS

I have two applications hosted on the same IIS server. These applications have the same users. Once authenticated, I am creating a cookie using Angular like below:
$cookies.putObject(key, cookie)
I have kept the key same for both the applications.
Now, when I log in to one application, this cookie gets created. But when I try to access the second application, the code below reads null.
$cookies.getObject(key)
Can I read this cookie from the other application, so that after logging in to one application the user need not enter login credentials for the other application?
Thanks.
You might be able to use localStorage to share data, but it's a huge security risk. I would not do it. I recommend using sessionStorage instead of cookies when it comes to authentication. In your case it would be better to use some single sign-on solution. There are a lot of them out there. Or, if you host both applications, maybe you should merge the applications into one?

Example of an SPA with a login screen that uses AngularJS and connects to ASP.NET Web API 2?

I would like to create a new AngularJS, Web API single page application. Does anyone have any examples that show how I can set up a user login screen that connects to a Web API controller for a simple login (no need for Google/Facebook login etc.) that uses ASP.NET Identity and without the need for user registration?
Also, how can I handle showing a new view once the login has been completed? What I would like is to have a solution that does not show routing in the browser URL. So, for example, I would like to be able to switch between the login view and a couple of other different views without the URL changing from www.abc.com.
In other words I would like to avoid showing www.abc.com/login, www.abc.com/screen1, www.abc.com/screen2
Any advice would be much appreciated.
So, instead of trying to find an example, I created one instead (link at the bottom). To explain how the functionality works, I want to go over a few things:
The new ASP.NET Identity system provides an OAuth 2.0 Bearer token implementation which can be used with clients that consume a Web API resource over HTTP. Since the authentication is not stored in a session cookie, the server is not responsible for maintaining the authentication state. The side effect is that the consumer has to manage authenticating with the server and managing the returned token. This is the system that Microsoft uses in the SPA template that it provides with VS 2013.
AngularJS makes no assumptions about authentication, so it's up to you how to authenticate.
AngularJS provides the $http service for querying remote HTTP-based services as well as $resource which is built on top of $http. Using Authorization headers with the Bearer token implementation above, you can combine both to provide authenticated access to server resources over HTTP. AngularJS allows you to set a 'default' Authorization header which it will use in every subsequent HTTP transaction.
With that in mind, the way I accomplished this is by creating a User service that handles all of the authentication details, including setting the HTTP Authorization header, between the Web API server and the SPA. Based on the authentication status of the user, you can hide certain UI elements in order to prevent navigation. However, if you also define the state as requiring authentication as a property of the resolve object for the state, a watcher set on the $stateChangeError event will capture the error and redirect the user to the login form. Upon proper authentication, it will then redirect the user to the state they were trying to navigate to.
In order to prevent authentication from being lost between browser sessions (since the client is responsible for maintaining the authentication token, and that token is maintained in memory), I also added the ability for the user to persist the authentication to a cookie. All of this is transparent to the user. For them, it is practically identical to traditional form-and-session based authentication.
I'm not sure why you want to prevent the user from seeing the routes, but I have coded it as such. I am indebted to Sedushi's Plunker example of how to use AngularUI Router to navigate in a stateful manner without using URLs. Still, I'm not sure I can personally recommend this for any application I would write on my own.
The full solution (both the WebAPI and the WebUI) is available with step-by-step instructions here.
Let me know about any specific part that is unclear, and I will try to make it more clear in the answer.
Refer to the following blog for the demo of a single page application (SPA) for ASP.NET Web API 2 and AngularJS, developed by the team at Marlabs.
http://weblogs.asp.net/shijuvarghese/archive/2014/01/25/demo-spa-app-for-asp-net-web-api-2-and-angularjs.aspx
The app is built with the following technologies:
ASP.NET Web API 2
EF 6 Code First
AutoMapper
Autofac
Semantic UI
AngularJS 1.1.5
The application is published on github at https://github.com/MarlabsInc/webapi-angularjs-spa.
@DavidAntaramian gave a great example. But if you want a simple one, you can look at this HOL from Microsoft.
Their latest example on GitHub uses .NET Core, but you can download the release from October 2015.
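The server-side half of what the accepted answer describes, the ASP.NET Identity OAuth 2.0 bearer-token endpoint that an Angular User service posts credentials to, as an added example that is not part of the answer's linked solution or the Microsoft template; it also applies the short-lifetime advice from the "Hide HTTP GET/POST" answer above. It assumes the Microsoft.Owin.Security.OAuth and Microsoft.AspNet.Identity.Owin packages and that UserManager<ApplicationUser> is registered per request with app.CreatePerOwinContext elsewhere in Startup.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class ApplicationUser : IdentityUser { }   // the template's user type (assumed)

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // UserManager<ApplicationUser> registration via app.CreatePerOwinContext is assumed here.
        app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),     // the SPA posts grant_type=password here
            Provider = new PasswordGrantProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20), // a leaked token is only useful briefly
            AllowInsecureHttp = false                           // tokens are issued over TLS only
        });
    }
}

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    // Public SPA client: there is no client secret to verify, so the client is accepted as-is.
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<UserManager<ApplicationUser>>();
        var user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // Same error for an unknown user and a wrong password: no account enumeration.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        // The claims placed in the ticket (including NameIdentifier) are what the API authorizes on later.
        var identity = await userManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
        context.Validated(identity);
    }
}
```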

Authenticate to Google AppEngine application which use federated login from Windows Client Application

I plan on deploying a Java application to Google AppEngine and using federated login (still experimental according to Google). The application is a pretty simple Java EE application which exposes a RESTful interface for simple CRUD operations.
I then want to be able to authenticate to this application using a Windows client application written in C#.
I think the application should be able to open a window with a browser in it which will present the login page of my web application, and after successful authentication I should be able to get the login token or a cookie to use in the rest of my HTTP requests.
Is it possible to do such a thing using federated login? I've found a post explaining how to do it using Google's proprietary login.
Thank you,
Ido.
I've managed to make this work much more easily than I thought I would.
1. When I send an HTTP request to my web service, I get a 302 Found response with a response header named Location which points to the login page.
2. I use a WebBrowser control, register for its Navigated event and navigate to the URL in the Location header.
3. When the Navigated event fires, I use the code from this answer to get the cookie container.
4. I check each cookie until I find one with the name ACSID and store it.
5. For every web request to my service I add a cookie named ACSID with the value saved at step 4.
This is not the most secure way of doing this. I will add a check for the domain of the cookie, but this looks good.

digest authentication from silverlight and against a custom store using IIS 6

The server side of the requirement is digest authentication against a custom credential store (à la a membership provider), and on the client side a Silverlight application making calls to a RESTful API.
I'm looking for pointers. Out of the box it looks like Digest only works against AD. From the client side, I'm used to getting the browser to pop up a prompt for credentials --- but in this case it's a Silverlight (v2) app.
Suggestions?
The authentication story, imo, is not great in Silverlight. What we typically do is rely on the fact that Silverlight requests are issued from the browser, so they carry the cookies and headers that a browser uses (think of the XmlHttpRequest object here).
What you do:
Use your provider to protect the page that Silverlight is on. The user will try to bring up the page and will get prompted for credentials.
At this point, Silverlight requests (via WebClient or anything else) will carry that authentication information. Simply protect access to assets and Silverlight will carry the authentication information to access those assets.