In my Asp.Net Core 2.1 Web Api + Angular App setup, I am trying to reset user password token using identity framework. Token is generated by calling GeneratePasswordResetTokenAsync(), emailed and request is sent back from client, verified by ResetPasswordAsync. I have checked that the two tokens are same but still ResetPasswordAsync fails with Invalid Token result.
I am using PG SQL as database, and JWT for Authentication, The SecurityStamp is also not null, my client app is written in angular and served from a different web server than the one serving the web api. However when testing on local machine there is no problem.
I have enabled CORS in web api allowing any origin, however I have noticed that my client request contain
Origin: https://my-domain.com
Referer: https://my-domain.com/myangularapp
Please let me know if any info is missing, any help will be appreciated.
Related
I have web application which structure is as-
webapi : django web services [NOT REST] no security implemented
frontend : Angular2. authentication implemented via SAML
Database : Mongodb
Can you please suggest best way to secure webapi, as currently anyone can access web services who has server[api] url
It will be big help if you suggest the authentication and authorization flow because I am totally stuck.
Thanks in advance.
Implement an /authentication on your API which accepts Basic authentication. Make sure you do that over HTTPS. Username and password will be collected by your Angular app and sent back to /authentication. If the user authenticates, return a session token, for example JWT (check pyjwt).
All the following communications between the front and back should contain the token, which is issued only if the user authenticated. The token is inclued in the request headers and specifically in Authororization header using the Bearer schema:
Authorization: Bearer <token>
A JWT contains the username so you can use that on each future request. Furthermore, you are not required to keep record of the issued JWT since each one is self-contained and can have predetermined expiration data.
This page claims that you can access the Places Graph functionality without having a logged-in user:
You make your calls using a Client Token (from the client), and an App Access Token (from the server).
The documentation regarding Client Tokens says:
The client token is an identifier that you can embed into native mobile binaries or desktop apps to identify your app. The client token isn't meant to be a secret identifier because it's embedded in apps.
This sounds like exactly what I want--I am trying to build a website that allows users to search for Facebook places. I need to be able to build the list using an AJAX request from the client side.
I can't for the life of me find any documentation on using the Client Token to make such a request.
Please note that I cannot use an App Token because this will be deployed to a website, and Facebook specifically says not to use App Tokens in that context.
I've tried using the Client Token directly as the access_token, but then I get Invalid OAuth access token.
How can I use the Client Token to make a Places Graph API call directly to Facebook's API from the client's browser?
Note: I realize that I could send the request to my own server, then relay that request from my server to Facebook, but that is not an optimal solution for me.
In case anyone is still struggling with this like I was. You just need to use the appId and client token joined with a pipe. So "appId|clientToken".
Is there a way to authenticate the Microsoft or google OAuth token in active directory without using an authentication server?
Here is the scenario:
A client app gets an Microsoft access_token from some external service.
Client app will make a call to some secured web API and pass that access_token along with the request header
If the access_token passed by client is valid then API will provide response to the client.
Is there a way to validate that access_token on API side?
My normal understanding about OAuth 2.0 is there needs to be an authentication server to which both the client and API would talk to as shown in the figure below:
But if the token is provided by some external service, Can we use it to validate our web API. Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.
I was wondering why my Authorization Header is not recognized. When I pass it to my server web app endpoint.
However, when I do it on my localhost it works well
These are my request headers:
PS.
I am using Django Rest Framewok on my backend and what you see is Google Chrome's Advanced REST Client for testing my APIs. Also please take note that the CORS HEADERS are allowed and Token Authentication is the method I'm Using as credentials for my endpoints.
I have a web service for which the user authentication is provided by web browser Single Sign-On authentication method , through which a human user is automatically logged in with his/her company email ID from a web browser.
I have written a java Jersey 2.x client (a non human consumer of web service). In client code I am using HttpAuth as
HttpAuthenticationFeature feature = HttpAuthenticationFeature.basic("ENTER_USERNAME_HERE", "PASSWORD_HERE");
But the client fails stating the HTTP status code as 302 (redirection error)
Then I used curl for the same and received the response as an HTML page stating
The document is moved here(<-- a link containing websso url to my resource).
After searching on SO I enabled the FollowsRedirection feature for my jersey client and now the error is changed to
Exception in thread "main" javax.ws.rs.NotAuthorizedException: HTTP 401 Unauthorized
Any pointer on how to handle this authentication problem ?
The issue was finally resolved , so I am going to answer my own question,
After all the RnD , it was clear that there isn't any sophisticated way for passing (Authenticating) the WEb SSO (Single Sign-On) from jeresy 2.x client code.
Although I found some interesting articles regarding kerberos here and here.
So , finally
I created an other URL path as
/AuthWithCert CONTEXT in server proxy configuration and added the requests coming from this path as an exclusion in webSSO login conf.
So automatically the authentication was pointed to default (HttpBasic Client Auth) without any redirection error and the client worked fine.