Is there any way to use token-based and session-based authentication with Web API OData? The instance is on-premises 2016.
If ADFS, then how do I add the web app, and also how do I generate an API token?
Thanks
I have a multi-tenant web application that internally uses different services and a REST API service, and for login purposes validates the username and password using WSO2 IS and LDAP. LDAP is configured as the WSO2 IS user store. So when a customer logs into the web application, it is currently implemented by checking whether the username and password are present in the LDAP directory or not, and based on the LDAP directory response the user is logged into the application.
Now I want to implement token-based authentication: when a client logs into the application using his/her tenant user credentials, get a token from the WSO2 IS server and send the token to the client side, so that any service or REST API call is made using that token. If it expires after the time limit, then regenerate the token. And when a request goes to any service or REST API, validate whether the token is valid or not, so that only if the token is valid does the backend service send a response; otherwise it sends a failure response.
I am stuck on the correct approach. I need the exact approach to successfully implement an authorization/identity management service with WSO2 to handle access tokens for user validation and to validate the REST service.
You can use OpenID Connect (OIDC) [1] in order to achieve your requirement.
OpenID Connect is an authentication protocol that is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
You can use WSO2 IS and integrate your client application with OIDC [2][3] and get an access token on behalf of the user to communicate with external APIs.
Also, you can use the OAuth Introspection endpoint [4] of WSO2 IS in order to validate the access tokens as per your requirements.
[1] https://openid.net/connect
[2] https://docs.wso2.com/display/IS570/OpenID+Connect
[3] https://docs.wso2.com/display/IS570/OpenID+Connect+Authentication
[4] https://docs.wso2.com/display/IS570/Invoke+the+OAuth+Introspection+Endpoint
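As an added example (not from the answer above and not WSO2 code), a minimal Python resource-server check in the style the answer describes: the API forwards the bearer token to the WSO2 IS introspection endpoint [4] and serves the request only when the token is active, unexpired and carries the required scope, returning 401/403 otherwise. The endpoint URL and credentials are assumed placeholders, and the fake introspector with its tokens is a constructed stand-in for the real server's responses.

```python
import base64
import json
import time
import urllib.parse
import urllib.request

# Assumed WSO2 IS introspection endpoint (RFC 7662); host and credentials are placeholders.
INTROSPECT_URL = "https://localhost:9443/oauth2/introspect"
INTROSPECT_CREDENTIALS = ("admin", "admin")  # placeholder; use a dedicated service account


def introspect_remote(token, url=INTROSPECT_URL, creds=INTROSPECT_CREDENTIALS):
    """POST the token to the introspection endpoint (HTTP Basic auth) and return the parsed JSON."""
    body = urllib.parse.urlencode({"token": token}).encode()
    basic = base64.b64encode(f"{creds[0]}:{creds[1]}".encode()).decode()
    req = urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read())


def authorize_request(headers, introspect, required_scope=None, now=None):
    """Return (status, detail): 200 if the bearer token is accepted, 401 if missing/invalid, 403 if scope is lacking."""
    now = time.time() if now is None else now
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return 401, "missing bearer token"
    try:
        info = introspect(token.strip())
    except Exception:
        return 401, "introspection failed"  # fail closed: never serve on an unverifiable token
    if not info.get("active"):
        return 401, "token inactive"
    exp = info.get("exp")
    if exp is not None and exp <= now:  # defence in depth on top of the server's 'active' flag
        return 401, "token expired"
    if required_scope and required_scope not in (info.get("scope") or "").split():
        return 403, "insufficient scope"
    return 200, info.get("sub", "")


# Constructed sample responses standing in for WSO2 IS (not real tokens or users).
FAKE_TOKENS = {
    "tok-alice": {"active": True, "sub": "alice@tenant1.com", "scope": "openid orders:read", "exp": 2_000_000_000},
    "tok-old": {"active": True, "sub": "bob@tenant1.com", "scope": "openid", "exp": 1_000_000_000},
}


def introspect_fake(token):
    return FAKE_TOKENS.get(token, {"active": False})
```

In production, pass `introspect_remote` instead of `introspect_fake` and cache positive results briefly so that every API call does not hit the identity server.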
Is it possible to have both token-based authentication and cookie-based authentication for different Web API endpoints in the same app? Can we use app.map to do such a thing?
Is there a way to authenticate a Microsoft or Google OAuth token in Active Directory without using an authentication server?
Here is the scenario:
A client app gets a Microsoft access_token from some external service.
The client app makes a call to some secured Web API and passes that access_token along in the request header.
If the access_token passed by the client is valid, then the API will provide a response to the client.
Is there a way to validate that access_token on the API side?
My normal understanding of OAuth 2.0 is that there needs to be an authentication server to which both the client and the API talk, as shown in the figure below:
But if the token is provided by some external service, can we use it to validate access to our Web API? Are there any ways to implement such authentication?
You can learn more about AAD Signing Keys and handling Key Rollover using this page: Signing key rollover in Azure Active Directory
Validation of the token, once you have the signing key, can be done using existing libraries like OWIN. You can also try following instructions like this (although it seems the document isn't 100% complete yet): Manually validating a JWT access token in a web API
This library is also available, but I think OWIN is supposed to have replaced it in general.
Also check out this blog post, which has a pretty great deep dive into token validation.
How do I enable OAuth1 server support for Jersey 2.9-based RESTful web services? Is there any example project demonstrating the required features? The user (an Android app) should get HTTP 401 if it does not include an authenticated token in the request header.
See reference docs: https://jersey.java.net/documentation/latest/user-guide.html#d0e10946
The first step in enabling Jersey OAuth 1 support is to register an OAuth1ServerFeature instance initialized with an instance of OAuth1Provider. Additionally, you may configure the Request Token URI and Access Token URI, the endpoints accessible on the OAuth server that issue Request and Access Tokens. These endpoints are defined in the OAuth 1 specification and are contacted as part of the OAuth authorization flow.
Should I use OAuth1 server support for securing Jersey 2.9-based web services? Is there any other, better library that can be used to implement token-based authentication for Jersey-based RESTful web services?
In the context of an ASP.NET Web API service, I am trying to connect to a SharePoint STS to read the security claims for a SharePoint user.
The user is authenticated to SharePoint 2013 using Forms based authentication.
I am on the same domain as the SharePoint site, so I have access to the FedAuth cookie that SharePoint uses.
I am trying to use System.ServiceModel.Security.WSTrustChannelFactory to craft a request for a security token, but I am not sure what I should be using as the parameters for the WSTrustChannelFactory constructor.
I am looking for some validation that the approach I am attempting is a reasonable one, as well as just how I should be using the WSTrustChannelFactory.
Note:
The STS's address is available at http://localhost:32843/SecurityTokenServiceApplication/securitytoken.svc
Reading further on this, I decided that I was trying to use the SharePoint STS in a way it was not designed for (it is a relying-party STS). Instead, I implemented authentication using Thinktecture Identity Server as an identity provider and authenticated both SharePoint and my Web API service using that.