I'm about to start a project with WPF which uses a web service to get info etc.
A username and password is required to authenticate you and get data which belongs to you.
I would like my WPF application to store the username and password. But I don't want to store it. So I was thinking. It would be cool if after I login for the first time it would generate a certificate at the WCF end and give it to the WPF application which can be used for each and every call.
Is what I'm thinking possible? Another problem I would like to tackle is how do I avoid someone copying and pasting the certificate?
Update
Based on #zamd suggestion. This is what I would like to solve.
Webservice uses WCF Web Api
Site has forms authentication
Site signs in with Username and Password which is validated by a Token Service
Webservice can authenticate the users token provided by the Token Service
I found this very useful blog article http://weblogs.asp.net/cibrax/archive/2011/02/04/authenticating-clients-in-the-new-wcf-http-stack.aspx but I would like to use Forms Authentication to get the SAML Token
You should look into Claims-based-security and SAML Token.
At login, you application should go to your service or a 'security service' also known as 'Security Token Service' and get a SAML token in exchange of a userName/Password pair. SAML tokens are usually secured for the receipient and can be safely stored on the client side until they are expired.
Every time you need to call WCF service, you can use this SAML token for rich authentiction and authorization.
Your understanding of Certificate base authentication is incorrect. Certificates are used for establishing SSL connection, are used to encrypt data using asymmetric encryption and authenticate user but to authenticate user against a certificate the certificate should be installed on the user's system and not provided by the WCF service. This requires one to setup a PKI infrastructure.
The other options you can look at is to use
ASP.Net form authentication with running WCF service in ASP.Net compatibility mode. In this case once authenticated only the auth cookie would pass there after.
Look at this question for some other ways User/Pass Authentication using RESTful WCF & Windows Forms
If you have to use username/password combination then you can get Windows to store it for you under Windows 7, Windows Server 2008 (and perhaps Vista) using the Windows Credential Manager. You need to fall down to p/invoke calls (
http://pinvoke.net/default.aspx/advapi32/CredRead.html and http://pinvoke.net/default.aspx/advapi32/CredWrite.html) for this.
The only issue I had with this is that it didn't work on Windows Server 2003 even though the documentation says that it is a supported OS.
Related
I have been looking into using an identity provider (IDP) to provide user authentication for a Windows Forms client. The user credentials will be hosted by Auth0. After creating a trial account with Auth0 I have downloaded a sample C# Windows Forms client application that can be used to authenticate to the Auth0 IDP using OpenID Connect ("OIDC"). The WinForms sample application pops up a web browser component, displays the Auth0 login screen, I login to the Auth0 IDP (having setup some test credentials in Auth0) and the WinForms application then is sent an authentication token. All well and good, and if I try to login a second time I no longer need to enter my credentials.
However... the company that I will be fetching authentication data from in production would like to use SAML. Is there any way to do this? Based on what I have read, SAML needs a "Service Provider" that will receive credentials from the IDP. The Service Provider is (typically?) a web site. That does not seem to match very well with what I am trying to do (authenticate a windows client). Is there any way of using SAML to do essentially what I have done using OIDC (fetch authentication information for a user from an IDP)? Would I need to develop a separate Service Provider component for this?
Sounds like what you've done so far is fine architecturally:
A modern desktop app following OIDC standards
This puts you in a good position architecturally, where:
Your app gets tokens from Auth0 using OIDC
Auth0 can reach out and do federated authentication with other standards based identity providers, which could be SAML, OIDC, WS-Federation or anything else
This can be done without changing any code in your app - and your app does not need to understand SAML
Feels like you need to set up a federated connection from Auth0 to the SAML Service Provider, and most commonly this involves these steps:
You give the partner your Entity Id and Response URL, to post tokens to
They give you am Entity Id, Public Key Certificate and request URL
You configure rules around account linking, so that users can be matched between their system and yours
There are prerequisites though, and the external identity provider needs to be SAML 2.0 compliant. My Federated Logins Article may help you to understand the general concepts, though I do not drill into SAML details here.
I'm working with a company that has a WinForms application running on a corporate windows network. The application currently connects to a web application server that has its own private username/password store. The web app server has JSP based UIs, but also has some web services which support JWT based authentication.
The company would like to use use accounts from its windows domain to authenticate the users rather than using a separate set of usernames and passwords. The company's domain has an AD FS server and the web application is a SAML service provider.
The question is, is it possible to use the identity information from the original windows login to get a SAML token from ADFS and then use that token to talk to web services on the web application machine?
We're looking at Windows Identity Foundation built into the .net framework as a possibility. Open ID Connect also seems like a possibility, but we don't want to have to present the user a web page for them to log in; we want to use the original windows login identity information to automatically grant access to the service provider.
Is this possible?
SAML support is already built into the web application, but if necessary we could add support for OpenID Connect.
ADFS does have the ability to generate JWT tokens but sadly not for SAML.
There is no way to convert a SAML token to a JWT one that is signed.
SAML doesn't really have support for web API / web services.
WS-Fed does but it's WCF not web API.
The easiest way is to convert to OpenID Connect. That does deliver a JWT token that you can use to authenticate to a web API. You need ADFS 4.0 to do this.
New to Azure AD... So please don't be too harsh if this is off target. :-)
Technology Stack - Latest Angular 2 with C# Middle tier and latest .Net Framework.
Ideally, What we want to do is use Azure AD B2C to store user credentials and to do the authentication - but we want our 'own' forms on our site to do the login Forms capture and logging - then pass the credentials through an API (REST?) Call (using MS Graph SDK?) to Azure AD B2C and then check the call return for the Authorization content message.
Couple of reasons - control of the application flow, Logging and the "flickering of the URL" (i.e. going from our site URL to login.microsoft... URL and then back to our sites URL).
Is this doable without doing a hack?
Thank you in advance for your help and patience!
You are looking for the "Resource Owner Password Credentials".
This is not currently supported for Azure AD B2C, but you can give user feedback to the B2C team that you want this through the Azure Feedback Forum: Add support for Resource Owner Password Credentials flow in Azure AD B2C and headless authentication in Microsoft Authentication Library
You should also see updates at that location if and when they implement this feature.
The resource owner password credentials flow is now in preview.
In Azure Active Directory (Azure AD) B2C, the following options are
supported:
Native Client: User interaction during authentication happens when
code runs on a user-side device. The device can be a mobile
application that's running in a native operating system, such as
Android, or running in a browser, such as JavaScript.
Public client flow: Only user credentials, gathered by an application, are sent in
the API call. The credentials of the application are not sent.
Add new claims: The ID token contents can be changed to add new claims.
The following flows are not supported:
Server-to-server: The identity protection system needs a reliable IP
address gathered from the caller (the native client) as part of the
interaction. In a server-side API call, only the server’s IP address
is used. If a dynamic threshold of failed authentications is exceeded,
the identity protection system may identify a repeated IP address as
an attacker.
Confidential client flow: The application client ID is
validated, but the application secret is not validated.
From here.
Note that one disadvantage of doing what you're requesting is precisely that you can do "login forms capture and logging", so your application has a chance to see the credentials and perhaps take copies of them; thus your users have to trust you to behave.
The normal web-based flow means that your application doesn't need to be trusted; it never even sees the password at all.
My current setup is a fairly simple one. I am running Identity Server 3 which is used to provide oauth access tokens which can be used against and a number of our web api endpoints. The identity server has custom user service which authenticates requests against a custom user table in our sql database.
We have a new 3rd party software provider, this provider requires that our users (staff in our call centre) logon to their application via a proprietary login, not against our existing user accounts. We have built an api for this 3rd party which they required for their integration, as with the rest of our api's this is secured using oauth bearer tokens via identity server.
Our staff are all locally logged on to an active directory domain. Is it possible to configure identity server to issues auth tokens for a user who is already authenticated against active directory? I like to achieve this without prompting the user for their credentials again.
I've read around and at this point I'm very lost as to the correct approach, some form of federation seems appropriate, but I couldn’t find a reasonable introduction / walkthrough to help me get started.
What is an appropriate approach and are they any relatively easy to consume primers on the subject?
Yes, you should be able to make it work. The samples contain a windows auth provider. Using this, your identity server would authenticate people in without prompting for a password. Once authenticated, it would then issue tokens same as any other auth. You may need to a bit of experimenting to get it working, but from what you've said it should work in your situation.
I'm tried to build a new rich application and i'm having some problems designing the authentication process.
I've only two requirements :
An API needs to be available
An ADFS needs to be used to authentication
My first thoughts was to build the API and to use Angular.js for the frontend. However, I can't see how the authentication should work.
My API needs to be available though scripts. As far as I saw, the ADFS authentication always display t the webpage for the authentication process.
API are usually secured with OAuth2. We used an client id and a client secret to generate a token. But I can't have this behavior with an ADFS.
The only solution I see is to provide two authentications behavior with my application. One with the ADFS for the web access and in the web interface, add a possibility to generate a client id and a client secret associated with an user account that could be used for the API to the headless authentication.
Someone has already faced this kind of scenario?
Thanks a lot!
I assume the 'ADFS needs to be used for authentication' really means 'users should be able to use their Active Directory domain credentials to authenticate'.
If that is the case, you should take a look at Thinktecture IdentityServer. It's an OAuth2 authorization server that you can use with a Active Directory identity provider.
P.S. ADFS 3.0 that comes with Windows 2012R2 only supports the authorization code grant, which is not suitable for JavaScript apps.