I am using identityserver4 with aspnetIdentity for usermanagerment
the account controller from sample application is different that is from aspnetIdentity
now the Logout method that Oidc-client calls has logoutId
but as my controller is not having this How I can make it running
do I need to copy the account controller from the sample application?
Related
I have .net core 3.1 web api application deployed to Azure App Service. I want to set the authentication for APIs using Azure Active Directory with users logging through their office 365 account.
The architecture is like - I have my office 365 account ready with me. I request for a token to Azure AD. With the JWT, I get from azure AD, I should be able to call all the API endpoints in my web api application deployed in App Service.
Can you please explain what all configuration needs to be done in azure portal and code changes in startup.cs file.
Please refer to Quickstart: Protect an ASP.NET Core web API with Microsoft identity platform.
The Microsoft.AspNetCore.Authentication middleware uses a Startup
class that's executed when the hosting process initializes. In its
ConfigureServices method, the AddMicrosoftIdentityWebApi extension
method provided by Microsoft.Identity.Web is called.
public void ConfigureServices(IServiceCollection services)
{
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
.AddMicrosoftIdentityWebApi(Configuration, "AzureAd");
}
You can protect a controller or controller methods using the
[Authorize] attribute.
namespace webapi.Controllers
{
[Authorize]
[ApiController]
[Route("[controller]")]
public class WeatherForecastController : ControllerBase
Deploying to Azure app service doesn't require more different configurations. Just modify the real API endpoint while calling it.
You can see more details from Scenario: Protected web API.
If you want to call the API from a web app, you could refer to Scenario: A web app that calls web APIs.
Remember that you need to register two Azure AD apps, one is for client app (front) and the other is for API app (backend). In the API app, you need to expose API. Then you need to configure the client app. Add the permission (scope) which is exposed by API app to the client app. These are all mentioned in the links above.
UPDATE:
I assume that you have created the two Azure AD apps on Azure portal and have configured the permissions between them. (if you haven't, please refer to Register the service app (TodoListAPI) and Register the client app (TodoListSPA))
Then you could test your API in Postman like this:
In the second screenshot:
Auth URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Client id and client secret are from the Azure AD app which represents the client app (TodoListSPA).
Scope is the app id uri which is exposed by the Azure AD app which represents the service app (TodoListAPI).
Is it possible to have an ASP.NET Core 2 with Angular 5 and Azure AD Authentication? What I mean is implement the AD Auth using ASP.NET Core 2 and when the authentication is successful, then redirect to the Angular 5 app with some claims and tokens so that any calls to an ASP.NET Core API from Angular will include the authentication token/claims.
I know there is the ADAL angular wrapper you can actually implement the Azure AD Auth, but just wanted to know if my scenario could work...
You can, I have an app doing that now. Basically your Angular frontend will redirect the user to login at Azure.. Azure will then redirect back to your angular app with the token. ADAL plugin should snag that token from the callback URL. You then make the API calls with the Token. The .Net Core backend will verify the token with Azure.
So think of it this way: User -> AngularApp -> Azure Login -> AngularApp w/token -> API Call to backend w/token -> API Backend verifies token with Azure each call
I have an ASP.NET MVC5 application which has WEB API2 project with few controllers within it. I have setup AzureAD authentication for the ASP.NET MVC5 project using AzureAD and OpenID connect and OWIN middleware.
Everything is working fine from ASP.NET MVC project point of view. The WEB API2 controller are used here to process the requests coming from angularjs, Android
and iOS app. There is a requirement for a WebAPI controller to process requests from unauthenticated clients (angularjs, Android, iOS apps) which issue AJAX requests.
Prior to the AzureAD authentication setup it was configured with on premise ADFS authentication. In this case I followed the below link to by pass on premise ADFS authentication for the
WEB API2 controllers and it worked fine for me.
Can I bypass organizational authentication for a WebAPI controller inside an MVC app?
Can anyone help me to know how to bypass the azuread authentication for the WEB API2 controllers to allow requests from unauthenticated clients in this case with some code samples ?
The web API controller is access-able for anonymous user by default. If you got the unauthenticated issue(401) when the anonymous user access that controller, please check whether there is Authorize attribute for the specific controller and remove that attribute.
I'm using IdentityServer 4. I have a setup very similar to the asp.net Identity quickstart as on the IdentityServer documentation here .
I want to be able enable a single logout from the IdentityServer web application, so that when I call this POST method, it logs out from all of the connected applications.
I have an IdentityServer web application, and an MVC web application which uses Asp.net identity mediated by the IdentityServer application.
What's happening with the default setup (as per the quickstart) is that when you logout from within the IdentityServer app, if you've already logged in on the MVC web application, you will remain logged in on the MVC web application until the MVC cookie has expired.
Is there a way of adapting the quickstart so that you have a centralized sign-out method within the IdentityServer application that you can call from anywhere?
For HTTP based logout add a logoutUri to each of your clients and http://localhost:5000/account/logout should do that. You'll see an iframe with the endsession url which contains an iframe for each logoutUri that you've logged into for that session (stored in the cookie)
see:
http://docs.identityserver.io/en/release/topics/signout.html
Make sure your account controller and logged out view match the quickstart samples.
I have a web api hosted on Azure having Azure AD authentication configured and running properly (all controllers have the Authorized attribute).
The front-end runs AngularJS and authentication of the http requests is implemented by using the amazing ADAL JS library (adalAuthenticationServiceProvider).
Beside the web api I also have a SignalR hub that I'd like to 'protect'. More specifically I need to call (invoke) a method of the Hub from the AngularJS client code. Basically I need to have the Context.User populated in the Hub method.
Any idea how to also authenticate a SignalR invoke under these circumstances?
you can supply token on query parameter as suggested in https://auth0.com/blog/2014/01/15/auth-with-socket-io/ and then process token on your backend