How to connect an in-browser Silverlight client to the ACS - Azure - WIF - Entity Framework (public and private DB model) - Silverlight

Hello dear contributors!
I am stalling again. I have researched for a tutorial or some directions as to how to adapt this wonderful tutorial:
http://msdn.microsoft.com/en-us/WAZPlatformTrainingCourse_ACSAndWindowsPhone7
to an in-browser Silverlight application instead of the Windows Phone. I'd like to keep the current model, with public and private databases, and ideally plug the Silverlight application into the Azure social games pack:
https://github.com/WindowsAzure-Toolkits/wa-toolkit-games
which uses a similar ACS pattern. The directions I need are regarding the client handling of OAuth2.
Thanks in advance for any help in this matter.

If it's an in-browser Silverlight application, why don't you treat it as a regular website? The flow will be something like:
1. The user browses your app.
2. Before you send the XAP, your website shows the list of identity providers. The user picks one and gets redirected to log in.
3. The user logs in and you will get a token posted to your app (which is the Social Gaming Toolkit). The good news is that the Social Gaming Toolkit already provides integration with ACS on the website, so there is not much work to do. The user will get a cookie generated by Windows Identity Foundation with the claims inside (no Silverlight involved for now).
4. Now you send the XAP and the Silverlight app gets loaded.
5. From now on, every request done from the XAP to your app (which will have the Social Games Toolkit) will have the Principal populated, because the WIF cookie is sent in every request.
If you want to change the user experience a bit and, instead of showing the identity provider list in a regular HTML/ASP.NET page, do it from the Silverlight app (like the Windows Phone lab shows), then you only need to consume the ACS JSON endpoint which lists your identity providers from your Silverlight app.
The toolkit is already doing that and you can extract the basic ideas from:
https://github.com/WindowsAzure-Toolkits/wa-toolkit-games/blob/master/code/SocialGames.Web/Services/AuthService.cs#L29
The request to get the list of identity providers in JSON looks like this:
https://your_servicenamespace.accesscontrol.windows.net/v2/metadata/IdentityProviders.js?protocol=wsfederation&realm=your_application_realm&version=1.0&context=some_contextual_data_youwanttokeepacrossredirects
Finally, this lab should help you as well
http://msdn.microsoft.com/en-us/IdentityTrainingCourse_SilverligthAndIdentity2010
FWIW, the way the Windows Phone works is by using the JavaScript notify endpoint in ACS, which is different from what I described above.
The flow is something like:
1. Phone shows the login options (Facebook, LiveID, etc.)
2. User clicks on one of them
3. User is redirected to ACS and then redirected to the chosen identity provider
4. User logs in and some kind of token is sent back to ACS (depending on the identity provider)
5. At this point ACS will render an HTML page with a bit of JavaScript. This will instruct the browser (which is hosted in your Windows Phone) to send an external signal with a payload (the token in this case).
   window.external.Notify('THE_TOKEN');
6. The phone app will detect the notification and grab the token
I'm not sure how the JavaScript notify mechanism will work on a Silverlight in-browser application because you are already in the browser. But if you try that, keep us posted.
Matias
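An added example, not part of Matias's answer, of the two client-side steps he describes in JavaScript: building the IdentityProviders.js request and choosing a provider's LoginUrl from the reply. The namespace "example-ns", the realm, the context and the sample feed are constructed placeholders; the Name/LoginUrl field names follow the ACS v2 feed format.

```javascript
// Added example, not from the original answer: build the ACS v2
// IdentityProviders.js request and pick a provider's LoginUrl from the reply.
// "example-ns", the realm, the context and the feed below are constructed.
function buildIdentityProviderListUrl(serviceNamespace, realm, context) {
  const base = `https://${serviceNamespace}.accesscontrol.windows.net` +
    "/v2/metadata/IdentityProviders.js";
  // URLSearchParams percent-encodes the realm and the context, so arbitrary
  // contextual data round-trips intact through the redirects.
  const params = new URLSearchParams({
    protocol: "wsfederation",
    realm: realm,
    version: "1.0",
    context: context,
  });
  return `${base}?${params.toString()}`;
}

// Follow a LoginUrl only if it is HTTPS and its host is one we expect, so a
// tampered or mis-served feed cannot send the user to an arbitrary site.
function selectLoginUrl(feedJson, providerName, allowedHosts) {
  const providers = JSON.parse(feedJson);
  const match = providers.find((p) => p.Name === providerName);
  if (!match) return null;
  let url;
  try {
    url = new URL(match.LoginUrl);
  } catch (e) {
    return null; // not a parseable URL at all
  }
  if (url.protocol !== "https:" || !allowedHosts.includes(url.hostname)) {
    return null;
  }
  return url.toString();
}

// Constructed sample feed shaped like the ACS v2 reply (Name/LoginUrl fields);
// the second entry is a deliberately bad plain-HTTP URL to exercise the check.
const SAMPLE_FEED = JSON.stringify([
  { Name: "Windows Live ID", LoginUrl: "https://login.live.com/wlogin.srf?wa=wsignin1.0",
    LogoutUrl: "", ImageUrl: "", EmailAddressSuffixes: [] },
  { Name: "Google", LoginUrl: "http://login.example.org/unexpected",
    LogoutUrl: "", ImageUrl: "", EmailAddressSuffixes: [] },
]);
const ALLOWED_HOSTS = ["login.live.com", "example-ns.accesscontrol.windows.net"];
```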

Related

How do you turn off IdentityServer3's built in UI views (login and registration)?

I'm trying to implement IdentityServer3 into my architectural mix. I like the idea of registering Clients, Users, and Scopes. What I do not like is using IdentityServer3's built in login and registration forms.
I have 4 different apps that need to use my IdentityServer3 implementation (aka TokenServer). These 4 apps are AngularJS apps. I have various C# .NET WebAPI services supplying data to these 4 apps. Right now each of these 4 apps has its own authentication and registration process. I need to consolidate the authentication piece using IdentityServer3.
Each of these 4 apps has different account registration/authentication needs. There's a mixed bag of 3rd party authentication (Facebook, Google) as well as traditional forms authentication against an account the user has registered with.
So, I cannot have any of my AngularJs apps use the default Login/Registration forms that come with IdentityServer3. I've spent a lot of time now trying to find a way to turn off the default views and just wire each of my AngularJs apps to my TokenServer. I simply want to POST login credentials to the /token endpoint and return a token that can be used in subsequent calls to my WebAPI. I want to replace the authentication process I have for each app with IdentityServer3 without changing the existing login/registration UIs.
I cannot find a sample app or even documentation that shows how to do this. Is it even possible to 'turn off' every one of IdentityServer3's UI views and use my AngularJs client's login and registration forms?
Please point me in the right direction. Thanks for your time.
It seems you want to use the OAuth 2.0 resource owner flow - which means - your app posts credentials to the token endpoint and gets back an access token. That is totally possible - you will miss out on some features like federation and SSO. But these are the known constraints of this flow.
If you want to use a redirect based flow (which gives you SSO and e.g. Google logins etc) - you need to redirect. You can replace any of the IdentityServer views with your own. The documentation and samples have plenty of information on how to do that.
https://identityserver.github.io/Documentation/docsv2/advanced/customizingViews.html
https://github.com/IdentityServer/IdentityServer3.Samples/tree/master/source/CustomViewService

OAuth2/OpenID authentication login redirect not displaying in phone Office Web app or IOS Office Web app

I'm currently trying to develop an Office web add-in, integrated in Outlook (Read and Compose).
Everything works fine, except the authentication process.
Indeed, we have to authenticate the user from within Azure AD to access another application (our own application using the Azure AD architecture, where we need to call some web APIs).
The solution I used comes from this great article by Richard diZerega:
Connecting to SharePoint from Azure web app
This solution (we opted for the last scenario) works fine in our desktop and web based solution.
But it clearly doesn't work in the phone web app or the iOS app.
The problem comes from the popup window allowing the user to log in.
Actually, window.open, window.location.replace etc. don't work "as expected" in our Outlook frame.
Every time it opens a popup window. (This is a good solution when the user uses the desktop or web Outlook application.)
I remember reading somewhere that the Office window where the plugin is loaded is a secured window where we can't do any sort of redirection.
I tried to work with ADAL.js, enabling the implicit flow of course, but the problem is the same. We need to redirect the frame to the Azure AD login page.
Finally, the question is: how to deal with an OAuth2/OpenID authentication in an Outlook web add-in when we want it to work with all kinds of devices?
Login in Adal.Js is a page redirect by default. You don't have the popup issue. Adal.Js gets an id token initially to be used for your own back end. It also does iframe requests to get access tokens for API endpoints. Office 365 APIs support CORS API requests and you can use adal.js to send requests. Tokens will be attached to the requests if you define the endpoints in the config.
You can read about examples here: https://blogs.office.com/2015/03/06/increasing-opportunities-javascript-developers-office-365-platform/
or here : http://www.andrewconnell.com/blog/adal-js-cors-with-o365-apis-files-sharepoint

How to call a mirror api service from gdk with unique user identification

In Mirror API glassware we identify users by the unique user id generated and sent to the glassware by Google OAuth. But my glassware contains a GDK counterpart which needs to send information to the Mirror API service. My question is how we send such information (e.g. a URL request to the glassware Mirror API service) automatically in the background, without using "Google notification by sharing with a specific contact", so that we can uniquely identify the user from the Mirror API glassware side as well as extract the information for the rest of the purpose.
Is there any glass Id that I can send along with the request from gdk and on the mirror-api side get the user's google account from this glass Id and using some other api generate the user Id from the google account just like google-oauth. Once we have the user Id, we can send static timeline cards to that user using simple mirror-api.
Please guide me with whatever solutions available other than "notification subscription".
I've already asked a question like this here: How to call the Mirror API from GDK?
It's seeming like the answer right now is that we can't communicate between the two APIs and everything in Mirror is separate from GDK. I've been doing some digging, trying to get things like the device's contact list since the Mirror documentation refers to your app adding a Contact but it seems like it doesn't use the same Content Providers as Android for this.
From the other thread, my best two ideas for binding a GDK app to a User is to:
1) Generate a QR code on your web service side and scan that in, it will have an encoded authentication token the app will be able to use to identify the user. Obviously this requires integration with the ZXing library and working with the camera.
2) Generate or allow the user to enter a phrase on the web service side that can be treated as a bearer token. In the GDK, prompt the user to speak this phrase and then pass it to your web service, which will reply with a similar authentication token to tie the app to the user. As odd as this is, I do kind of like it since it's simpler from a GDK implementation side.
An application that uses the Mirror API is more likely than not some type of a web service. Why can you not invoke HTTP commands from Glass to your application being hosted on a server?
The Mirror API is a set of REST commands invoked to a Google server. That same Google server then syncs to Glass, where Glass will pull the updated content with HTTP requests.
Simply put, create a path in your web app that accepts HTTP commands.

How to make Facebook Authentication from Silverlight secure?

I have the following scenario I want to complete:
- Website running some HTTP(S) services that return data for a user.
- Same website is additionally hosting a Silverlight 4 app which calls these services.
The Silverlight app is integrating with Facebook using the Facebook Developer Toolkit (http://facebooktoolkit.codeplex.com/).
I have not fully decided whether I want Facebook integration to be an "opt-in" option such as Spotify, or if I want to "lock" down my service with Facebook-only authentication. That's another discussion.
How do I protect my API Key and Secret that I receive from Facebook in a Silverlight app? To me it's obvious that this is impossible as the code is running on the client, but is there a way I can make it harder, or should I just live with the fact that third parties could potentially "act" as my own app?
Using the Facebook Developer Toolkit, there is the following C# method in Silverlight that is executed from the JavaScript when the user has fully authenticated with Facebook using the Facebook Connect APIs.
[ScriptableMember]
public void LoggedIn(string sessionKey, string secret, int expires, long userId)
{
    // Values arrive straight from the page's JavaScript; nothing here verifies them.
    this.SessionKey = sessionKey;
    this.UserId = userId;
}
Obviously the problem here is the fact that JavaScript is injecting the userId, which is nothing but a simple number. This means anyone could potentially inject a different userId in JavaScript and have my app think it's someone else. This means someone could hijack the data within the services running on my website.
The alternative that comes to mind is authenticating the users on my website, this way I'm never exposing any secrets and I can return an auth-cookie to the users after the initial authentication. Though this scenario doesn't work very well in an out-of-browser scenario where the user is running the Silverlight app locally and not from my website.
I had the exact same problem and this is my work around:
1. Do the authentication in ASP.NET or MVC.
2. Pass the AccessToken (string) through the parameters of your SL app.
3. Create a new FB App object using the AccessToken in SL.
The access token doesn't reveal your information, but it does give you the UserID and access to API calls in Silverlight. Worst case scenario is someone tries to mess with the AccessToken, but FB can probably trace back what user the token was originally assigned to.
http://facebooksdk.codeplex.com/
I would not add the API Secret in your Silverlight app. You need to find a way to do it through calls to the server.
I admit I don't know the Facebook Connect APIs that well, it's something that I will be looking into soon, since I need to do something similar for my Silverlight app.

digest authentication from silverlight and against a custom store using IIS 6

The server side of the requirement is digest authentication against a custom credential store (à la a membership provider), and on the client side a Silverlight application making calls to a RESTful API.
I'm looking for pointers. Out of the box it looks like Digest only works against AD. From the client side, I'm used to getting the browser to pop up a prompt for credentials, but in this case it's a Silverlight (v2) app.
Suggestions?
The authentication story, imo, is not great in Silverlight. What we typically do is rely on the fact that Silverlight requests are issued from the browser. So, they carry the cookies and headers that a browser uses (think XmlHttpRequest object, here).
What you do:
Use your provider to protect the page that Silverlight is on. The user will try to bring up the page and will get prompted for credentials.
At this point, Silverlight requests (via WebClient or anything else) will carry that authentication information. Simply protect access to assets and Silverlight will carry the authentication information to access those assets.
