I'm securing a web app with identity server 4. My app is split into 2 oidc clients an ASP.Net Core MVC client and a javascript(angularjs) client which uses the oidc-client javascript library.
When a user first visits the web app we redirect for log in to identity server, which logs in the mvc client. I want to the javascript client is then logged in using the silent login feature from the oidc-library.
Is it possible?
Is it an acceptable solution?
any points will be appreciated.
Related
I am working on a webapp, the Front-end is implemented in AngularJS which talks to back-end server by invoking REST API. The back-end is Java REST Server implemented using reslet framework deployed in Jetty.
Currently, when a user logs into a web app, a REST API is invoked which then goes to the Java REST server. The server then authenticates the user.
I want to implement SSO using SAML. So when a corporate user tries to login to the app, the user must be redirected to ADFS. If the user is successfully authenticated he must be allowed to login to the app.
I want to know how do I start? I have seen sam2-js library, however it seems to be for NodeJS based server. I am not quite sure if it can be used with AngularJS on frontend.
SSO with SAML involves browser redirects so the flow is between angular and ADFS.
There's no Java backend.
So Jetty is irrelevant.
SSO has nothing to do with REST. They are two different flows handled in two different ways.
SAML is not a suitable SSO protocol for angular. That's why you can't find any examples.
You need to use OpenID Connect with ADFS 4.0. ADAL is the way to go.
I'm using IdentityServer 4. I have a setup very similar to the asp.net Identity quickstart as on the IdentityServer documentation here .
I want to be able enable a single logout from the IdentityServer web application, so that when I call this POST method, it logs out from all of the connected applications.
I have an IdentityServer web application, and an MVC web application which uses Asp.net identity mediated by the IdentityServer application.
What's happening with the default setup (as per the quickstart) is that when you logout from within the IdentityServer app, if you've already logged in on the MVC web application, you will remain logged in on the MVC web application until the MVC cookie has expired.
Is there a way of adapting the quickstart so that you have a centralized sign-out method within the IdentityServer application that you can call from anywhere?
For HTTP based logout add a logoutUri to each of your clients and http://localhost:5000/account/logout should do that. You'll see an iframe with the endsession url which contains an iframe for each logoutUri that you've logged into for that session (stored in the cookie)
see:
http://docs.identityserver.io/en/release/topics/signout.html
Make sure your account controller and logged out view match the quickstart samples.
On an ASP.NET Core project with EF Core and ASP Identity I have 3 applications:
Web API
It will be accessed by the Angular 2 application.
In the future it will also be accessed by mobile applications.
ASP.NET MVC as a container for an Angular 2 application.
ASP.NET Core Auth with Identity Server 4.
I have a few questions about using Identity Server 4:
The Auth application should be Console or ASP.NET MVC?
Where is the Login page?
Centralized in Auth application so Auth would be ASP.NET MVC / Angular 2?
Or a login in the Web Application and one in the Mobile Application?
In case the login page is centralized in Auth application as MVC/Angular2:
3.1. In the login page I might need to display a phrase from the database.
So the Auth application can call the API in that case?
3.2. How does the Auth application verify the username and password?
Does it access the API to verify it or access directly the database?
1) Not sure what you mean by "Auth application" but IdentityServer4 is middleware for ASPNET Core. So it will be your central authority for issuing tokens for authorization.
2) The login page would be hosted within The IdentityServer4 ASPNET Core application as a normal web page powered by MVC and Razor. There is a repository with examples here.
3.1)
You can do a database call and hydrate the view model with this message when a user gets directed to the login page and access that view model using normal MVC/razor patterns.
3.2)
This is up to you, you may inject a repository or store that verifies users and their passwords in the controller or some other service.
If you follow the sample many things will become much clearer. If anything is still confusing let me know.
I am developing a web application - the client is angularJS and the server is aps.net web api2 and adfs to authenticate.
I deploy my app on multiple servers (every server contain the whole app) and there is a network load balancer,
so the user (and the angularJS) contact the network load balancer.
When user enter the app, at first the server redirect him to authenticate and then the user can talk to the server.
My problem begin after the authentication, when the network load balancer redirect the user to other web api, then the "new" server doesnt know him and he cant get any data.
Is there any way to share the saml token between all my servers?
how does resetful application can authenticate in cloud (like Amazon) , when the developer doesnt know how many server does he have or to what server the user contact?
thanks for helpers :)
How can I have one web service provide a front-end authorization process (login form, Facebook login, Google login, etc.) for a second NodeJS application?
Scenario:
WEB APPLICATION # www.first_domain.com
- Hosted in IIS
- Provides a web service with OAuth support
- Web-based login form
NODE.JS APPLICATION # www.second_domain.com
- Hosted on Heroku
- Node.JS handles all api / web service calls
- AngularJS app must only call this server
I know the web application has the ability to take a URL as the return path, once a login is complete, and send the user back to the site via the browser. However, I've been told to NOT allow the Angular application to communicate with the other web application directly... IF there is another way (basically using the NodeJS application like a proxy).
Another concern I have is how to maintain the session token from the other web application. The NodeJS application has the responsibility to use the other application and web service to ensure the session remains valid.