Information Dynamics

Category Archives: WebAPI

OAuth and OpenID Connect using IdentityServer

04 Saturday Apr 2020

Posted by GIRISH SRINIVASA in ASP.NET Core, OAuth2.0/OpenIDConnect, WebAPI


Tags

Authentication, JSON Web Token, OAuth, OpenIDConnect

In the previous article we looked at the use of JSON Web Token (JWT) for authentication. With that foundation in place, this article looks at IdentityServer4, which adds OpenID Connect (authentication) and OAuth 2.0 (authorization) endpoints to an ASP.NET Core application.

Common protocols used for authentication include SAML, WS-Federation (WS-Fed) and OpenID Connect. OpenID Connect is layered on OAuth 2.0, and the pair is designed with APIs in mind. The following table highlights the differences between OpenID Connect and OAuth 2.0:

OpenIDConnect

For a worked example of authentication using OpenID Connect, refer to the earlier article in which we added a login mechanism to a Power Apps portal through OpenID Connect with Google as the Identity Provider. A capture of the network traffic from that article is shown below:

OpenIDConnect1

In the highlighted content the following belong to the OpenID Connect protocol:

  • id_token is returned in JSON Web Token format
  • scope=openid requests authentication

Being an authentication-only layer, OpenID Connect does not by itself grant access to resources in the application; that is where the delegated authorization framework defined by the OAuth 2.0 protocol comes into effect.

The table highlighted some of the terms used in OAuth 2.0. To understand them better we will build a sample application for the following scenario (the sample source code is on Git):

OpenIDConnect2

  1. The client requests an access token from the Secure Token Service (STS), an API that hosts IdentityServer4.
  2. The token returned to the client by the STS is in JSON Web Token format.
  3. The JWT is passed as a bearer token to the Web API method.
  4. The dataset is returned to the client.

The process of granting a client application permission to call methods in the Web API is commonly referred to as an OAuth flow; it covers the steps involved in granting consent (permission) to invoke those methods.

The sample solution has the following highlighted projects:

OpenIDConnect3

IdentityServer (Secure Token Service) > SEIS.IdentitySrv

WebAPI > SEIS.Registration.Api

Client > ConsoleAppClient

An understanding of ADFS concepts will be helpful; the steps described below are analogous to setting up a relying party trust in ADFS.

Step 1: Build and configure the Secure Token Service

ASP.NET Core provides built-in DI (dependency injection), and this capability is used to set up the STS.

OpenIDConnect4

IdentityServer needs the following information:

  • the clients that will access the Web API
  • the list of API resources IdentityServer is protecting

In our sample scenario these are ConsoleApp (the client) and RegistrationAPI. The plumbing code is in Startup.cs

OpenIDConnect5

Config.GetAllApiResources() and Config.GetAllClients() return the definitions of the Web API resource and the ConsoleApp client respectively

OpenIDConnect9

This sets up the STS with its known clients and API resources.

Step 2: Build the Web API and configure it to trust the STS

Using DI in Startup.cs, register the STS as the token authority in the ConfigureServices method

OpenIDConnect6

Now add authentication to the request pipeline

OpenIDConnect7

The above configures the API to accept access tokens issued by the STS. To require a token on controller method(s), add the Authorize attribute. On its own the attribute only requires that some valid token from the STS is present; methods that should be reachable only by particular clients need an authorization policy on the scope or claims in the token as well.

OpenIDConnect8

Step 3: Build the ConsoleApp to request an access token from the STS before invoking Web API methods

The first step for the ConsoleApp client is to request an access token from the STS and then attach it using the SetBearerToken method on the HttpClient object before calling the Web API methods

OpenIDConnect10

Result of the ConsoleApp client:

OpenIDConnect11

The access_token issued by the STS conforms to the JSON Web Token format (reference); decoding it at jwt.io shows the following. Do this only with test tokens: a bearer token pasted into any third-party tool should be treated as disclosed.

OpenIDConnect12
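The three steps above, as an added end-to-end example rather than the post's own SEIS source. Because the client is a console application with no user present to consent, the example uses the OAuth 2.0 client credentials grant, in which the client authenticates with its own secret. It assumes IdentityServer4 4.x (which declares API scopes separately from API resources), the Microsoft.AspNetCore.Authentication.JwtBearer package and the IdentityModel client library; the URLs, the resource name "registrationapi", the client id "consoleappclient" and the secret are placeholders.

```csharp
// Added example, not the post's SEIS source: Steps 1 to 3 in one file. The console app has no
// user to consent, so it uses the OAuth 2.0 client credentials grant. Assumes IdentityServer4 4.x,
// Microsoft.AspNetCore.Authentication.JwtBearer and IdentityModel; URLs and names are placeholders.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;
using IdentityServer4.Models;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// ---- Step 1: STS (the IdentityServer host) ----
public static class Config
{
    // 4.x declares scopes separately from the ApiResource that groups them.
    public static IEnumerable<ApiScope> GetAllApiScopes() => new[] { new ApiScope("registrationapi", "Registration API") };
    // The resource name becomes the "aud" claim of issued access tokens.
    public static IEnumerable<ApiResource> GetAllApiResources() =>
        new[] { new ApiResource("registrationapi", "Registration API") { Scopes = { "registrationapi" } } };
    public static IEnumerable<Client> GetAllClients() => new[]
    {
        new Client
        {
            ClientId = "consoleappclient",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("replace-with-a-long-random-secret".Sha256()) }, // hash only; clear text stays in the client's secret store
            AllowedScopes = { "registrationapi" },
            AccessTokenLifetime = 600 // seconds; a short lifetime limits replay of a stolen token
        }
    };
}

public class StsStartup
{
    public void ConfigureServices(IServiceCollection services) =>
        services.AddIdentityServer()
            .AddDeveloperSigningCredential() // dev only; use a managed signing key/certificate in production
            .AddInMemoryApiScopes(Config.GetAllApiScopes())
            .AddInMemoryApiResources(Config.GetAllApiResources())
            .AddInMemoryClients(Config.GetAllClients());
    public void Configure(IApplicationBuilder app) => app.UseIdentityServer();
}

// ---- Step 2: Web API protected by the STS ----
public class ApiStartup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddAuthentication("Bearer").AddJwtBearer("Bearer", o =>
        {
            o.Authority = "https://localhost:5001"; // the STS; signing keys come from its discovery document
            o.Audience = "registrationapi";          // rejects tokens minted for some other API
        });
        // [Authorize] alone accepts any valid token from the STS; a policy also pins the scope.
        services.AddAuthorization(o => o.AddPolicy("RegistrationScope",
            p => p.RequireClaim("scope", "registrationapi")));
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}

[ApiController, Route("api/[controller]")]
public class RegistrationController : ControllerBase
{
    [HttpGet, Authorize(Policy = "RegistrationScope")]
    public IActionResult Get() => Ok(new[] { "dataset row 1", "dataset row 2" });
}

// ---- Step 3: console client ----
public static class ConsoleAppClient
{
    public static async Task<string> CallApiAsync()
    {
        using var http = new HttpClient();
        var disco = await http.GetDiscoveryDocumentAsync("https://localhost:5001");
        if (disco.IsError) throw new Exception(disco.Error);
        var token = await http.RequestClientCredentialsTokenAsync(new ClientCredentialsTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "consoleappclient",
            ClientSecret = "replace-with-a-long-random-secret", // load from configuration, never commit
            Scope = "registrationapi"
        });
        if (token.IsError) throw new Exception(token.Error);
        http.SetBearerToken(token.AccessToken); // adds "Authorization: Bearer <jwt>"
        return await http.GetStringAsync("https://localhost:6001/api/registration");
    }
}
```

Two checks are worth keeping in mind when adapting this: the Audience setting makes the API refuse tokens the STS issued for a different resource (without it any token from the same STS would be accepted), and the scope policy is what ties a method to the permission the client was actually granted; [Authorize] alone only proves the caller holds some token the STS signed.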


Running WebAPI in IIS Express ASP.NET Core 3.0

26 Wednesday Feb 2020

Posted by GIRISH SRINIVASA in ASP.NET Core, WebAPI


Tags

iisexpress, Impersonation

When a Web API project targeting ASP.NET Core 3.0 is created from the template, launchSettings.json has the following settings

IISExpress

Given that IIS Express was selected as the hosting platform, the expectation is that the endpoint is accessible in the browser, but instead the following error was received:

IISExpress1

The error refers to a setting in IIS even though the Web API is configured to run under IIS Express within the Visual Studio IDE; the setting lives in the framework's machine-level root web.config, which IIS Express reads as well. The solution is to open the Configuration Editor in IIS Manager and set impersonate = False as indicated below

IISExpress2

Navigate to system.web/identity, set impersonate = false and restart IIS. A change made at the server node is written to that machine-wide root web.config and therefore affects every site on the machine; if only this project needs it, put the setting in the project's own web.config instead.

IISExpress3

The WebApi should now be accessible in the browser

IISExpress4


Illustrative sample of Authentication using JSON Web Token(JWT)

22 Saturday Feb 2020

Posted by GIRISH SRINIVASA in ASP.NET Core, WebAPI


Tags

Authentication, JSON Web Token, SAML

In the earlier article we looked at aspects of authentication/authorization frameworks that can be used with COTS and bespoke applications. This article looks at Web API authentication using JWT. The sample source code can be obtained from here

The sample code will demonstrate the following scenario

JWTSample1

The User data model used in the sample application has the attributes listed in the table below

JWTSample

  1. The console app sends a POST request with username and password to the gateway API, which is built on the Ocelot API gateway. Ocelot works well in a microservices architecture: where there are several microservices, it provides a single configurable endpoint through which each of them is reached.

JWTSample2

“/authentication/authenticate” > points to the Authentication controller and its Authenticate method within the microservice Web API.

The Ocelot JSON configuration file consists of ReRoutes, each specified as a combination of a DownstreamPathTemplate and an UpstreamPathTemplate.

JWTSample3

The output of the console app is shown below; the returned JWT is in the format [Header].[Payload].[Signature]

JWTSample4

Decoding the JWT at jwt.io shows the user information. Note that the payload is only Base64URL-encoded, not encrypted: anyone who obtains the token can read every claim in it, so never place passwords or other secrets in the claims.

JWTSample5

JWTSample6

 

A Comparison of Authentication and Authorization Frameworks

20 Thursday Feb 2020

Posted by GIRISH SRINIVASA in ADFS 4.0, ASP.NET Core, Dynamics 365, WebAPI


Tags

JWT, SAML, WS-Fed

To provide a Single Sign-On (SSO) mechanism for users, different authentication frameworks are in place, viz. WS-Federation (WS-Fed), SAML, OAuth, OpenID and OpenID Connect.

WS-Fed and SAML (Security Assertion Markup Language) are still in use in corporate networks to allow users to connect to COTS (Commercial Off-The-Shelf) products and bespoke applications. Federation (delegating authentication and authorization to a trusted identity provider) is achieved using Active Directory Federation Services (ADFS) installed and configured on Windows Server.

The three essential components of federation are:

  • Sign-in protocol > the mechanism by which the application is accessed
  • Authentication protocol > how the user is verified
  • Token type > what is returned to the user once they have been successfully identified

In the earlier article, configuring the Dynamics CRM platform for claims-based authentication was discussed. Let us look at a Fiddler capture of the traffic to see what information is passed in the request and the response.

Request

Fiddler

As highlighted, accessing https://crm.idynamics.dev/seis redirects the request to https://adfs.idynamics.dev with the following parameters:

wa=wsignin1.0 > instructs the ADFS service to perform a sign-in

wtrealm=https%3a%2f%2fcrm.idynamics.dev%2f > the relying party (client application) using the ADFS service

wctx=rm%3d1%26id%3da33a2f6c-768e-48aa-9c3c-b594ef0f60b5%26ru%3d%252fseis%252fdefault.aspx%26crmorgid%3dfa61533b-ea52-ea11-83b5-0017fb000002 > context data that ADFS returns unchanged with the response so the application can resume (here the return URL and the CRM organisation id)

wct=2020-02-20T09%3a53%3a23Z > the time the request was issued

wauth=urn%3afederation%3aauthentication%3awindows > the requested authentication method (here Windows integrated authentication)

Response

Fiddler1

The response conforms to SAML 1.1 as per the specification; the wresult parameter carries an assertion in the urn:oasis:names:tc:SAML:1.0:assertion namespace.

OAuth 2.0, OpenID and OpenID Connect implementations essentially use JWT (JSON Web Token): OpenID Connect requires the id_token to be a JWT, and most OAuth 2.0 servers issue access tokens as JWTs too, although OAuth 2.0 itself leaves the access token format open.

A JSON Web Token stores user information, viz. id, permission set (claims), etc., in a compact format so that it can be transmitted between client and server. The token is a string that is digitally signed using an HMAC algorithm or RSA. The available security algorithms are defined as constant string values in the SecurityAlgorithms class of the Microsoft.IdentityModel.Tokens namespace; the sample project demonstrating authentication using JWT uses HMAC. Note that HMAC is symmetric: every party able to verify the token holds the same key and could therefore mint tokens, so it suits a single service that is both issuer and verifier, whereas RSA lets an API verify with the public key alone.

A JWT consists of three parts, [Header].[Payload].[Signature], each represented as a Base64URL string.

Header: a combination of token type and signing algorithm, identified by the claims typ (token type) and alg (signing algorithm). In JSON this looks like:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload: consists of claims about the user. A claim is a key/value pair. There are three types of claim: registered, public and private. Registered claim names are kept to three characters to stay compact.

Registered: predefined claims (iss, sub, aud, exp, nbf, iat, jti) listed in the IANA JSON Web Token Claims registry

Public: custom claims that must either be registered in the IANA JSON Web Token Claims registry or carry a collision-resistant name such as a URI

Private: custom claims agreed between two applications.

Signature: verifies that the message has not been tampered with in transit.
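The token structure described in this section and the Authenticate endpoint of the JWT sample post above, shown as an added example rather than the sample project's code: it issues an HS256-signed JWT with registered and private claims, validates it, splits it into its three Base64URL parts, and shows a tampered signature being rejected. It assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens 6.x packages; the key, issuer, audience and claim values are constructed for the illustration.

```csharp
// Added example, not the sample project's code: issues an HS256 JWT the way the sample's
// Authenticate endpoint would, validates it, and splits it into its three Base64URL parts.
// Assumes System.IdentityModel.Tokens.Jwt / Microsoft.IdentityModel.Tokens 6.x; the key,
// issuer, audience and claim values are constructed for the illustration.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtDemo
{
    // HS256 is symmetric: anyone who can verify can also mint. Share this key only between the
    // issuer and the API (from a secret store, not source) and keep it >= 256 bits as HS256 requires.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef0123456789abcdef");
    private const string Issuer = "https://sts.example.test";
    private const string Audience = "registration-api";

    public static string Issue(string userName, IEnumerable<string> roles)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userName),                  // registered claim
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()) // unique id, lets a verifier reject replays
        };
        foreach (var role in roles) claims.Add(new Claim("role", role));       // private claim agreed between issuer and API

        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: claims,
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Key), SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token); // "<header>.<payload>.<signature>"
    }

    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = new SymmetricSecurityKey(Key),
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the algorithm; do not trust the header's "alg"
            ClockSkew = TimeSpan.FromSeconds(30)                       // default is 5 minutes; tighten for short-lived tokens
        };
        // Throws a SecurityTokenException (bad signature, expired, wrong issuer/audience) on failure.
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    // Header and payload are only Base64URL-encoded: anyone holding the token can read them.
    public static string DecodePart(string jwt, int index) => Base64UrlEncoder.Decode(jwt.Split('.')[index]);

    public static void Main()
    {
        var jwt = Issue("alice", new[] { "Registrar" });
        Console.WriteLine(DecodePart(jwt, 0)); // the header JSON: alg and typ
        Console.WriteLine(DecodePart(jwt, 1)); // the payload JSON: sub, jti, role, nbf, exp, iss, aud

        var principal = Validate(jwt);
        // The handler maps "sub" to ClaimTypes.NameIdentifier and "role" to ClaimTypes.Role by default.
        Console.WriteLine(principal.FindFirst(ClaimTypes.NameIdentifier)?.Value);
        Console.WriteLine(principal.IsInRole("Registrar"));

        var tampered = jwt.Substring(0, jwt.LastIndexOf('.') + 1) + "AAAA"; // replace the signature
        try { Validate(tampered); }
        catch (SecurityTokenException e) { Console.WriteLine("rejected: " + e.GetType().Name); }
    }
}
```

The ValidAlgorithms setting is the detail most often missed: a verifier that accepts whatever algorithm the header declares can be talked into weaker behaviour, so the API should state which algorithm it expects rather than trust the token to say so.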

Non-interactive User Account

25 Saturday Jan 2020

Posted by GIRISH SRINIVASA in Dynamics 365 CE Online, WebAPI


Tags

CRM Online, Integration, Non-interactive user

Dynamics 365 CE apps can be integrated with other solutions to provide a 360-degree view of the customer, and that integration requires data exchange to and from various other applications. To facilitate the exchange a non-interactive user can be created in the Dynamics 365 CE instance; up to a maximum of 5 non-interactive users can be created per instance

The process of creating a non-interactive user is:

  • Create a user in the Office 365 admin center and assign a licence, then in CRM assign a CAL

NonInteractiveUser1

  • Set the user's access mode to Non-interactive in the CRM organization

NonInteractiveUser2

  • Deallocate the licence by unchecking Licenses in the Microsoft 365 admin center

Swagger UI in ASP.NET Core WebAPI

16 Wednesday Oct 2019

Posted by GIRISH SRINIVASA in ASP.NET Core, WebAPI


Tags

SwaggerUI

Web services (ASMX and WCF) provided a description of the service through WSDL. A WSDL file contains detailed information about the service in XML format, including the format of the messages, the protocols used by the service, etc. An ASP.NET Core Web API project has no user interface from which to obtain information about the API, and this is where Swagger comes to the aid by visually presenting information about the Web API.

The steps to include Swagger support in a Web API project are:

  • Create an ASP.NET Core Web API project
  • Add a reference to the NuGet package Swashbuckle.AspNetCore
  • In Startup.cs make the following modifications to the ConfigureServices and Configure methods

swaggerui1

IncludeXmlComments shows more descriptive information against each verb in the Web API; for this, the /// comments must be written out to an XML file at build time, which the project's build settings enable as shown below:

swaggerui2

swaggerui3

  • In the Debug tab of the project properties window, under Launch browser, enter “swagger”

swaggerui4

  • Now run the WebAPI project and the Swagger UI will look like the one below:

swaggerui5
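The Startup wiring from the steps above, as an added example rather than the post's own code. It assumes Swashbuckle.AspNetCore 5.x (whose OpenApiInfo type comes from Microsoft.OpenApi.Models) on ASP.NET Core 3.x; the API title is a placeholder. Beyond the post's steps it adds two things a practitioner will want: a Bearer security definition so the UI's Authorize button can send a JWT to protected endpoints, and a guard that serves the document and UI only in the Development environment.

```csharp
// Added example, not the post's code: Swashbuckle.AspNetCore 5.x wiring with XML comments,
// a Bearer security definition for calling [Authorize] endpoints from the UI, and the
// document/UI exposed only in Development. Title and project name are placeholders.
using System;
using System.IO;
using System.Reflection;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.OpenApi.Models;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        // Register the JwtBearer handler here as well if endpoints carry [Authorize].
        services.AddSwaggerGen(c =>
        {
            c.SwaggerDoc("v1", new OpenApiInfo { Title = "Registration API", Version = "v1" });

            // Pull the /// comments into the UI. The "XML documentation file" checkbox in the Build tab
            // writes <GenerateDocumentationFile>true</GenerateDocumentationFile> into the .csproj.
            var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
            var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
            if (File.Exists(xmlPath)) c.IncludeXmlComments(xmlPath);

            // Lets the UI send "Authorization: Bearer <token>" with each request.
            c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
            {
                Type = SecuritySchemeType.Http,
                Scheme = "bearer",
                BearerFormat = "JWT",
                In = ParameterLocation.Header,
                Description = "Paste the access token obtained from the STS."
            });
            c.AddSecurityRequirement(new OpenApiSecurityRequirement
            {
                [new OpenApiSecurityScheme
                {
                    Reference = new OpenApiReference { Type = ReferenceType.SecurityScheme, Id = "Bearer" }
                }] = new string[] { }
            });
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        // The generated document enumerates every route, parameter and model of the API, which
        // helps an attacker map it as much as it helps a developer: keep it out of production.
        if (env.IsDevelopment())
        {
            app.UseSwagger(); // serves /swagger/v1/swagger.json
            app.UseSwaggerUI(c => c.SwaggerEndpoint("/swagger/v1/swagger.json", "Registration API v1"));
        }
        app.UseRouting();
        app.UseEndpoints(e => e.MapControllers());
    }
}
```

With the launch URL set to "swagger" as in the step above, the UI opens at /swagger/index.html; the Authorize button in the top right accepts the token and the UI then adds the header to every call it makes.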

How to view JSON data in IE instead of default download dialog

16 Wednesday Oct 2019

Posted by GIRISH SRINIVASA in ASP.NET Core, WebAPI


Tags

JSON data in IE

Save the following settings as <somename>.reg and run it (double-click it, or run reg import <somename>.reg from an elevated prompt). The keys live under HKEY_CLASSES_ROOT, so the change needs administrator rights and applies to every user on the machine.

Windows Registry Editor Version 5.00
;
; Tell IE to open JSON documents in the browser.
; {25336920-03F9-11cf-8FD0-00AA00686F13} is the CLSID of the "Browse in place" handler.
;
[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/json]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
"Encoding"=hex:08,00,00,00

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\application/x-json]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
"Encoding"=hex:08,00,00,00

[HKEY_CLASSES_ROOT\MIME\Database\Content Type\text/json]
"CLSID"="{25336920-03F9-11cf-8FD0-00AA00686F13}"
"Encoding"=hex:08,00,00,00

 
