leastprivilege / aspnetcoresecuritysamples
Samples for various ASP.NET Core Security Features
License: Apache License 2.0
Can you create a sample where you have a website A that calls weather API B, which depends on a call through an HttpClient to web API C to return a response to A? In this case, B and C need to be authenticated. C doesn't have any relation with A.
A always passes a bearer token to B (which is part of the scopes configuration on the identity server and is also a valid resource).
My problem here is how to configure C correctly.
In the real-life scenario, my web API C lives in identity and returns the tenant information on the requests. So B only asks C for the tenant information in order to return the response to my website A.
Just tested the Authorization sample. The non-secured URL keeps redirecting to the login view.
Steps to reproduce:
Using the secured URL https://localhost:5001 shows the home page with information and links after successful login.
I'm using Firefox 64.0.2.
Doing some tests with the OIDC sample I figured out this problem:
Going to secure, everything is fine, but going to secure2 the result is always 401 Unauthorized.
I experienced this problem in other projects after the last updates.
Do you know why this is happening?
Thanks in advance.
Have a good day.
I've been working on a project and I think I have Blazor server and Blazor wasm both working independently in regards to authentication against identity server. It would be nice to just verify I'm doing best practice for Blazor wasm if you had a sample Blazor wasm project that could be added to the samples repo.
I've come across a Blazor hybrid setup as well that allows for runtime switching between server and wasm. It seems to be a good solution for getting the best performance from both server and wasm as a single experience for the user. The authentication from the hybrid project seems to be hand-rolled though, so I don't know how the hybrid setup would integrate into auth against an external identity server instance. I'm using the hybrid option, but for now I'm allowing server and wasm to authenticate independently. The hybrid project suggests that using cookies is a common auth mechanism that works for both server and wasm, but I wasn't sure how that fits into auth against identity server, or even if what they are saying is still true when performing auth in the wasm project against identity server, as OIDC code flow + PKCE seems to be the preferred authentication setup. Long story short, if you are also interested in seeing if or how Blazor Hybrid could integrate against Identity Server, I'd be interested in seeing it. I may pose this question to the Blazor Hybrid project as well, but I don't know if I trust their security implementation response as much as if I heard it from here.
Thanks for all you do. Feel free to cancel this out if you are not interested.
Hi, first of all thank you for the really good example.
Unfortunately, I have a small problem that I can't solve.
I have modified the ValidatePrincipal method in the AutomaticTokenManagementCookieEvents class in such a way that I call
context.RejectPrincipal();
await context.HttpContext.SignOutAsync( context.Scheme.Name );
if the token is not valid.
I note that calling RejectPrincipal() and await SignOutAsync is part of Microsoft's documented recommendation for invalidating a session if the user's auth ticket cookie contains an invalid OIDC token that requires the user to re-authenticate. (https://docs.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-6.0#react-to-back-end-changes)
After await SignOutAsync was called in the ValidatePrincipal method I end up in the overridden SigningOut method. There the await context.HttpContext.AuthenticateAsync() method is called. However, this does not return and is stuck in an infinite loop.
If I end up in the SigningOut method from another context, everything goes through beautifully.
Do you have any idea what could be the reason and how I can solve the problem?
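The following is an added illustration, not code from the AspNetCoreSecuritySamples repository and not the reporter's AutomaticTokenManagementCookieEvents class. It shows one way to structure a cookie events class so that an expired OIDC session is rejected and signed out from ValidatePrincipal without the SigningOut handler calling AuthenticateAsync on the same cookie scheme while that scheme's authentication is still in progress. The assumption behind it (not confirmed by the report above) is that the hang comes from SigningOut re-entering the cookie handler's authenticate path for the very request that is already inside ValidatePrincipal; the defensive pattern works regardless of the exact cause. The class name, the HttpContext.Items keys, and the RevokeRefreshTokenAsync placeholder are all hypothetical; "expires_at" and "refresh_token" are the token names the ASP.NET Core OIDC handler uses when SaveTokens is enabled.

```csharp
using System;
using System.Globalization;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

// Hypothetical cookie events class (added example, not the repository's own code).
public class ExpiredSessionCookieEvents : CookieAuthenticationEvents
{
    // Hypothetical per-request marker keys stored in HttpContext.Items.
    private const string SignOutInProgressKey = "ExpiredSessionCookieEvents.SignOutInProgress";
    private const string RefreshTokenKey = "ExpiredSessionCookieEvents.RefreshToken";

    public override async Task ValidatePrincipal(CookieValidatePrincipalContext context)
    {
        // Re-entrancy guard: a sign-out started by this request is already running,
        // so do not reject or sign out a second time.
        if (context.HttpContext.Items.ContainsKey(SignOutInProgressKey))
        {
            return;
        }

        // "expires_at" is written by the OIDC handler when SaveTokens = true.
        var expiresAt = context.Properties.GetTokenValue("expires_at");
        if (expiresAt == null ||
            !DateTimeOffset.TryParse(expiresAt, CultureInfo.InvariantCulture,
                                     DateTimeStyles.AssumeUniversal, out var expiry))
        {
            // No expiry recorded: nothing to validate against, keep the principal.
            return;
        }

        if (expiry > DateTimeOffset.UtcNow)
        {
            return; // session still valid
        }

        // Stash what SigningOut needs (the refresh token to revoke) before the ticket
        // is discarded, so SigningOut never has to re-authenticate to obtain it.
        var refreshToken = context.Properties.GetTokenValue("refresh_token");
        if (refreshToken != null)
        {
            context.HttpContext.Items[RefreshTokenKey] = refreshToken;
        }
        context.HttpContext.Items[SignOutInProgressKey] = true;

        context.RejectPrincipal();
        await context.HttpContext.SignOutAsync(context.Scheme.Name);
    }

    public override async Task SigningOut(CookieSigningOutContext context)
    {
        string? refreshToken;

        if (context.HttpContext.Items.TryGetValue(RefreshTokenKey, out var stashed))
        {
            // Sign-out was triggered from ValidatePrincipal: use the stashed value and
            // do not call AuthenticateAsync on the scheme that is mid-authentication.
            refreshToken = stashed as string;
        }
        else
        {
            // Sign-out came from elsewhere (e.g. a logout action). The cookie ticket is
            // still readable here; mark the request first so the ValidatePrincipal that
            // AuthenticateAsync triggers does not start a second sign-out.
            context.HttpContext.Items[SignOutInProgressKey] = true;
            var result = await context.HttpContext.AuthenticateAsync(context.Scheme.Name);
            refreshToken = result.Succeeded
                ? result.Properties?.GetTokenValue("refresh_token")
                : null;
        }

        if (!string.IsNullOrEmpty(refreshToken))
        {
            await RevokeRefreshTokenAsync(refreshToken);
        }
    }

    // Hypothetical hook for calling the identity provider's revocation endpoint
    // (RFC 7009); left as a no-op so the class compiles on its own.
    protected virtual Task RevokeRefreshTokenAsync(string refreshToken) => Task.CompletedTask;
}
```

Register it the usual way, by assigning an instance to CookieAuthenticationOptions.EventsType (or Events) when adding the cookie scheme. The design point is that the data SigningOut needs is captured while the ticket is still in hand, so the sign-out path never depends on authenticating the request it is in the middle of tearing down.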
For no reason I can not view your website from Nigeria ( http://www.leastprivilege.com )
please check
cheers