IdentityServer 4 - How to logout of all MVC apps? - identityserver4

I'm using IdentityServer 4. I have a setup very similar to the asp.net Identity quickstart as on the IdentityServer documentation here .
I want to be able enable a single logout from the IdentityServer web application, so that when I call this POST method, it logs out from all of the connected applications.
I have an IdentityServer web application, and an MVC web application which uses Asp.net identity mediated by the IdentityServer application.
What's happening with the default setup (as per the quickstart) is that when you logout from within the IdentityServer app, if you've already logged in on the MVC web application, you will remain logged in on the MVC web application until the MVC cookie has expired.
Is there a way of adapting the quickstart so that you have a centralized sign-out method within the IdentityServer application that you can call from anywhere?

For HTTP based logout add a logoutUri to each of your clients and http://localhost:5000/account/logout should do that. You'll see an iframe with the endsession url which contains an iframe for each logoutUri that you've logged into for that session (stored in the cookie)
see:
http://docs.identityserver.io/en/release/topics/signout.html
Make sure your account controller and logged out view match the quickstart samples.

Related

Migrate from msal angular to azure webapp authentication

I'm working on a web application deployed on an azure webapp authenticated with Azure AD.
It is mostly based on the angular template for ASP.Net Core. The backend hosts the frontend in a ClientApp directory.
For the authentication, the frontend works with the msal-angular plugin which on access redirects to the Azure AD authentication page. After login, the login page redirects back to the frontend, which catch the token, and makes all the calls to the backend with the token in the authorization bearer header.
The .Net Core backend is configured with :
services.AddAuthentication(AzureADDefaults.BearerAuthenticationScheme)
.AddAzureADBearer(options => Configuration.Bind("AzureActiveDirectory", options));
Finally, to make all these works, I have in the Azure AD app registration one entry for the backend and another for the frontend.
This works well, but we want to move away from that to use the Authentication directly on the webapp.
This way we could secure even more the application which would not even be downloaded if the user is not authenticated.
How do I manage to do that ?
Do I need to remove all authentication code from the backend and frontend ?
Do I still need 2 entries in the app registration on azure AD or one is now enough ?
How will I know which user is connected ? Actually I use the IHttpContextAccessor to get the UPN Claim.
Thanks for the help

How to bypass AzureAD authentication using OpenID and Owin middleware for Web API 2 controller within ASP.NET MVC project

I have an ASP.NET MVC5 application which has WEB API2 project with few controllers within it. I have setup AzureAD authentication for the ASP.NET MVC5 project using AzureAD and OpenID connect and OWIN middleware.
Everything is working fine from ASP.NET MVC project point of view. The WEB API2 controller are used here to process the requests coming from angularjs, Android
and iOS app. There is a requirement for a WebAPI controller to process requests from unauthenticated clients (angularjs, Android, iOS apps) which issue AJAX requests.
Prior to the AzureAD authentication setup it was configured with on premise ADFS authentication. In this case I followed the below link to by pass on premise ADFS authentication for the
WEB API2 controllers and it worked fine for me.
Can I bypass organizational authentication for a WebAPI controller inside an MVC app?
Can anyone help me to know how to bypass the azuread authentication for the WEB API2 controllers to allow requests from unauthenticated clients in this case with some code samples ?
The web API controller is access-able for anonymous user by default. If you got the unauthenticated issue(401) when the anonymous user access that controller, please check whether there is Authorize attribute for the specific controller and remove that attribute.

Where is Login on App using Identity Server 4?

On an ASP.NET Core project with EF Core and ASP Identity I have 3 applications:
Web API
It will be accessed by the Angular 2 application.
In the future it will also be accessed by mobile applications.
ASP.NET MVC as a container for an Angular 2 application.
ASP.NET Core Auth with Identity Server 4.
I have a few questions about using Identity Server 4:
The Auth application should be Console or ASP.NET MVC?
Where is the Login page?
Centralized in Auth application so Auth would be ASP.NET MVC / Angular 2?
Or a login in the Web Application and one in the Mobile Application?
In case the login page is centralized in Auth application as MVC/Angular2:
3.1. In the login page I might need to display a phrase from the database.
So the Auth application can call the API in that case?
3.2. How does the Auth application verify the username and password?
Does it access the API to verify it or access directly the database?
1) Not sure what you mean by "Auth application" but IdentityServer4 is middleware for ASPNET Core. So it will be your central authority for issuing tokens for authorization.
2) The login page would be hosted within The IdentityServer4 ASPNET Core application as a normal web page powered by MVC and Razor. There is a repository with examples here.
3.1)
You can do a database call and hydrate the view model with this message when a user gets directed to the login page and access that view model using normal MVC/razor patterns.
3.2)
This is up to you, you may inject a repository or store that verifies users and their passwords in the controller or some other service.
If you follow the sample many things will become much clearer. If anything is still confusing let me know.

Implicit flow silent login from an existing cookie

I'm securing a web app with identity server 4. My app is split into 2 oidc clients an ASP.Net Core MVC client and a javascript(angularjs) client which uses the oidc-client javascript library.
When a user first visits the web app we redirect for log in to identity server, which logs in the mvc client. I want to the javascript client is then logged in using the silent login feature from the oidc-library.
Is it possible?
Is it an acceptable solution?
any points will be appreciated.

How to use the same Identity in ASP.NET Web API and MVC?

I have the following scenario:
MVC App - ASP.NET MVC application that has Identity installed in it.
SPA App - Angular SPA app that is located in an area inside the MVC App.
Web API - ASP.NET Web API service that is used by the SPA App.
Both, MVC App and Web API should use the same user accounts. So, now, I have the Identity installed in the MVC App. There would be a View in it that will load the SPA App and the SPA App is going to make requests to the Web API. But the Web API will work only if the user is authenticated, thus it needs a Bearer Token sent by the client. So, when the user gets authenticated in the MVC App and opens the View with the SPA App, I should somehow get a Token for the same user that is authenticated in the MVC App, place it in the SPA App, and send the token from the SPA App JavaScript to the Web API.
Is this possible? Or is there a better way to do it?
Here is what you can do , Create a new class library project . Move all identity component from your mvc project to that library. reference that project to web api project and mvc project .
i have done in couple of project where i need api and mvc . it works for me. Try this it will definitely work. let me know if you din't understand correctly
It is not a real answer to your question but if you use Asp.net MVC only for bootstrapping your single page application then you may have the option to use only web api authentication. After your spa is bootstrapped then you can check if you have an authenticated user and get user specific info to customize the page for your user.
In that scenario you do not need to use Asp.net MVC authentication but sometimes you may need to use Asp.net sessions for situations like captcha validation (if your captcha library requires so). For such situations you can enable sessions for your specific web-api calls like below.
//WebApi Session
protected void Application_PostAuthorizeRequest()
{
if (HttpContext.Current == null)
return;
var request = HttpContext.Current.Request;
if(RequireSession(request))
HttpContext.Current.SetSessionStateBehavior(System.Web.SessionState.SessionStateBehavior.Required);
}
private static bool RequireSession(HttpRequest request)
{
return request.AppRelativeCurrentExecutionFilePath == "~/api/user" && request.HttpMethod == "POST";
}
Not: If you enable asp.net mvc sessions for all your web-api calls than your requests will be processed sequentially. Not recommended!
Concurrent Requests and Session State

Resources