I have an ASP.NET MVC5 application which has WEB API2 project with few controllers within it. I have setup AzureAD authentication for the ASP.NET MVC5 project using AzureAD and OpenID connect and OWIN middleware.
Everything is working fine from ASP.NET MVC project point of view. The WEB API2 controller are used here to process the requests coming from angularjs, Android
and iOS app. There is a requirement for a WebAPI controller to process requests from unauthenticated clients (angularjs, Android, iOS apps) which issue AJAX requests.
Prior to the AzureAD authentication setup it was configured with on premise ADFS authentication. In this case I followed the below link to by pass on premise ADFS authentication for the
WEB API2 controllers and it worked fine for me.
Can I bypass organizational authentication for a WebAPI controller inside an MVC app?
Can anyone help me to know how to bypass the azuread authentication for the WEB API2 controllers to allow requests from unauthenticated clients in this case with some code samples ?
The web API controller is access-able for anonymous user by default. If you got the unauthenticated issue(401) when the anonymous user access that controller, please check whether there is Authorize attribute for the specific controller and remove that attribute.
Related
I'm working on a web application deployed on an azure webapp authenticated with Azure AD.
It is mostly based on the angular template for ASP.Net Core. The backend hosts the frontend in a ClientApp directory.
For the authentication, the frontend works with the msal-angular plugin which on access redirects to the Azure AD authentication page. After login, the login page redirects back to the frontend, which catch the token, and makes all the calls to the backend with the token in the authorization bearer header.
The .Net Core backend is configured with :
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureActiveDirectory", options));
Finally, to make all these works, I have in the Azure AD app registration one entry for the backend and another for the frontend.
This works well, but we want to move away from that to use the Authentication directly on the webapp.
This way we could secure even more the application which would not even be downloaded if the user is not authenticated.
How do I manage to do that ?
Do I need to remove all authentication code from the backend and frontend ?
Do I still need 2 entries in the app registration on azure AD or one is now enough ?
How will I know which user is connected ? Actually I use the IHttpContextAccessor to get the UPN Claim.
Thanks for the help
I have setup Identity server 4 for our Angular application that will interact with a WebAPI
Identityserver is supposed to be used with Hybrid flow to get the token.
I have following issue -
My Angular application is defined in a way that it supports multiple tenant with subdomain like
tenant1.abc.com
tenant2.abc.com
Now as the angular application is the same and serving the multiple tenants, How can I defined client on Identityserver as it has subdomain and Identityserver will not be able to match the Client RedirectUris
and PostLogoutURI
I'm using IdentityServer 4. I have a setup very similar to the asp.net Identity quickstart as on the IdentityServer documentation here .
I want to be able enable a single logout from the IdentityServer web application, so that when I call this POST method, it logs out from all of the connected applications.
I have an IdentityServer web application, and an MVC web application which uses Asp.net identity mediated by the IdentityServer application.
What's happening with the default setup (as per the quickstart) is that when you logout from within the IdentityServer app, if you've already logged in on the MVC web application, you will remain logged in on the MVC web application until the MVC cookie has expired.
Is there a way of adapting the quickstart so that you have a centralized sign-out method within the IdentityServer application that you can call from anywhere?
For HTTP based logout add a logoutUri to each of your clients and http://localhost:5000/account/logout should do that. You'll see an iframe with the endsession url which contains an iframe for each logoutUri that you've logged into for that session (stored in the cookie)
see:
http://docs.identityserver.io/en/release/topics/signout.html
Make sure your account controller and logged out view match the quickstart samples.
I have the following scenario:
MVC App - ASP.NET MVC application that has Identity installed in it.
SPA App - Angular SPA app that is located in an area inside the MVC App.
Web API - ASP.NET Web API service that is used by the SPA App.
Both, MVC App and Web API should use the same user accounts. So, now, I have the Identity installed in the MVC App. There would be a View in it that will load the SPA App and the SPA App is going to make requests to the Web API. But the Web API will work only if the user is authenticated, thus it needs a Bearer Token sent by the client. So, when the user gets authenticated in the MVC App and opens the View with the SPA App, I should somehow get a Token for the same user that is authenticated in the MVC App, place it in the SPA App, and send the token from the SPA App JavaScript to the Web API.
Is this possible? Or is there a better way to do it?
Here is what you can do , Create a new class library project . Move all identity component from your mvc project to that library. reference that project to web api project and mvc project .
i have done in couple of project where i need api and mvc . it works for me. Try this it will definitely work. let me know if you din't understand correctly
It is not a real answer to your question but if you use Asp.net MVC only for bootstrapping your single page application then you may have the option to use only web api authentication. After your spa is bootstrapped then you can check if you have an authenticated user and get user specific info to customize the page for your user.
In that scenario you do not need to use Asp.net MVC authentication but sometimes you may need to use Asp.net sessions for situations like captcha validation (if your captcha library requires so). For such situations you can enable sessions for your specific web-api calls like below.
//WebApi Session
protected void Application_PostAuthorizeRequest()
{
if (HttpContext.Current == null)
return;
var request = HttpContext.Current.Request;
if(RequireSession(request))
HttpContext.Current.SetSessionStateBehavior(System.Web.SessionState.SessionStateBehavior.Required);
}
private static bool RequireSession(HttpRequest request)
{
return request.AppRelativeCurrentExecutionFilePath == "~/api/user" && request.HttpMethod == "POST";
}
Not: If you enable asp.net mvc sessions for all your web-api calls than your requests will be processed sequentially. Not recommended!
Concurrent Requests and Session State
I have a web api hosted on Azure having Azure AD authentication configured and running properly (all controllers have the Authorized attribute).
The front-end runs AngularJS and authentication of the http requests is implemented by using the amazing ADAL JS library (adalAuthenticationServiceProvider).
Beside the web api I also have a SignalR hub that I'd like to 'protect'. More specifically I need to call (invoke) a method of the Hub from the AngularJS client code. Basically I need to have the Context.User populated in the Hub method.
Any idea how to also authenticate a SignalR invoke under these circumstances?
you can supply token on query parameter as suggested in https://auth0.com/blog/2014/01/15/auth-with-socket-io/ and then process token on your backend