I have a web application that is a single page Javascript (ReactJS) application with a .NET Core backend. I want to add Active Directory authentication and the Azure portal gives several choices, most noticeably signing in with Javascript or .NET Core.
In my situation, which should I choose and why?
My .NET Core code contacts the Azure IoT Hub, if that's any help to decide which way to go.
In my opinion , you should create a Login controller in your Dot net core solution where you should write your authentication and authorization feature. Here is how the complete flow would look like:
Create a new controller with an attribute ,call it LoginController, with login and other functionality . Protect it with Azure AD ( you will find many sources for the same)
Create a React app , which would internally raise a Fetch request to your controller for authentication.
Once the above request is completed successfully, store the JWT base token in session storage or in cookies.
Use the stored JWT token , for all you consecutive call
Please check below link for additional reference:
Active Directory Authentication with .NET Core Web API and React
Authentication in .net Core with ReactJS SPA
Hope it helps.
Related
I have a web application with Angular front-end and a back-end developed using the Nest.JS framework.
The back-end RESTful API endpoints are secured with an SSO and JWT authentication.
Using the same web application I created a desktop application with the help of the NW.JS.
The application setup is successful and can run on the desktop OS.
Now I need to use the same back-end RESTful API endpoints without the SSO but with JWT for the desktop application.
In some situations (ex. checking for updates), I only need to use the SSO login.
How can I use the Nest.JS server endpoints for this kind of use cases.
Is there a conditional way to write annotations/middleware that we can use to check the app is running on WEB or Desktop and bypass the SSO login?
Also this should be a much secure way to protect the endpoint in both situations.
NOTE: Identifying the running environment is also has configured and running well in the application.
Thank you very much
How would you call the secured REST api from the Javascript script application that doesn't have the login?
I have a Javascript application (React) that doesn't have a user login. It needs to call some REST api services that uses Oauth (Azure Ad -
WindowsAzureActiveDirectoryBearerAuthentication).
Those REST services have CORS enabled.
I also registered my web application in Azure Ad.
The issue is that the javascript application needs to call https://login.microsoftonline.com/{{tenantId}}/oauth2/token to get the access token. I found no way to enable the CORS for that URL. My JS application doens't have any login so I can't show the login screen in popup or use adal js.
The solution that I come up with is that I put my Javascript application in NodeJS (Express). The JS call the NodeJS that calls the login.microsoftonline.com to get the token and pass it when calling other secured REST services.
It works great but I think there might be some security issues around that.
Is there any better way to design this kind of application?
What you are doing is the proper approach. It keeps all the Oauth tokens secure on your server without having to expose them client side.
That is the main reason most Oauth2 API's don't implement CORS
Given:
Asp MVC Core Client
JavaScript client hosted by ASP MVC Core
Asp Web Api
All are authenticating with IdentityServer
Problem
For a normal user the auth is done with asp core and the oidc client. I use the access token in asp core to access the api.
Now a javascript function wants to access the an authorized api and needs for this the access_token.
What is the best practice to have it in javascript
I see primarily two option
1.) I make a "silent" auth in javascript with a oidc client . (Feels like duplicate work)
2.) I store the access_token in a cookie where javascript could pick it up ( pot. unsecured)
3.) (Feels like a smell) Making an authorized endpoint like /me/token returning the access_token
What is the intended way in this scenario ?
You could render on an MVC view a script tag which configures your AJAX headers so you can add the authorization header with the access_token you have in MVC.
Tokens are secure due the facted they are signed so you can change them without knowing the key to sign and limited in time. Also tokens need to be verified before you should use them.
I am building a HTML/JavaScript application using AngularJS. It doesn't have a backend except some Perl scripts that spit JSON through a URL through which I display the data. One of the pages on this dashboard needs privileged access for which I had to add LDAP authorization.
The application is deployed on a WAMP server. Active directory is being used in the organization; but I am not quite sure how to establish the authentication in a pure html application without a backend. What is the usual process followed to handle such authorizations and how to achieve it?
You should write a web service (REST) in any language you want (JAVA C# PHP Node.js ...) who autenticate against your Open LDAP server and you'll consume it in AngularJS.
It's quite a classic problem.
Appears to be a perfect candidate for OpenID Connect. Use one of the many available libraries available.
I am attempting to write a plugin for a webapp that integrates it with facebook using the Javascript API. The application is installed by our customers on their own servers each with their own site names. This poses a problem to me as Facebook wants me to specify a site url for the application. This url is going to be different for every customer. Creating a new application for each customer is not an option.
In my research of this problem it seems that I have to pretend to be a desktop app and follow that authentication path. I cannot figure out how to do this.
Anyone have any idea how this can be done?
Are you going to host the app as a canvas app or outside facebook?
Is the url important to you? There is a strict one-to-one relation between base-url and application.
What many apps do is host the apps as directories in their domain. For example http://crazy-fb-app.com/customername
That's your options basically if you want to use Javascript SDK.
If you're going to be using server side technology you could have the user authorize the application while requesting permission to access user's data while he's offline. in that case you will receive a non-expiring (or long-expiring) authentication token which you can use from the server to make Graph API calls on behalf of the user. For some stuff you can obtain an Application Auth token (which is shorter and non-user-specific) to make calls to the graph.
Rotem