
ASP.NET 5 (vNext) / Web API / OAuth / OpenID / Tokens / Cookies / What do I really need?

I have an existing project that I am looking to migrate to ASP.NET 5.

Currently it is a simple ASP.NET Web Forms project that references 2 DLLs:

  • Domain.dll that contains all the business logic
  • Data.dll that contains all the data access code

Normally I shouldn't have to touch those 2 DLLs, which are currently working fine. Now I'd like to replace the ASP.NET Web Forms project with 2 new components:

  • A front-end SPA with angular2
  • A Web API back-end with ASP.NET 5 (vNext)

I've been playing with the templates available in VS2015, I've also been reading everything I could about authentication and I must say, I am now getting even more confused as to what I really need... :(

Do I need MVC in my back-end API? All the examples are done with ASP.NET MVC, but if I have a fully working SPA front-end, don't I just need a simple RESTful service?

What do I need for authentication? Do I need ASP.NET Identity? Is Identity the new version of the old Membership? Does it take care of the creation of tokens? I already have a production database with all my users and hashed passwords. My Domain.dll assembly also has all the necessary code for validating users' credentials.

What do I need if I want to allow other login services like Google or Facebook? I've created some web applications using both ASP.NET 4.5 and ASP.NET 5 templates to see how things are done, but that's where the confusion got worse. The ASP.NET 4.5 template uses Owin stuff (which I'm not familiar with), and the ASP.NET 5 template doesn't.

Ideally here's what I'd really want: I'd like to create a Web API project with the minimum amount of dependencies, I'd like to avoid using sessions and cookies and I'd like to be able to use Google's and Facebook's services for logging in.

Thanks!

Seb asked Nov 10 '15 14:11




1 Answer

I'll say that... it sounds like a full rewrite.

Let's go over your points...

Do I need MVC in my back-end API?

In ASP.NET 5 we don't really have MVC and WebAPI anymore. They are both very similar in concepts and have been merged. It's all about what you return. If you return an IActionResult, it will kick in the Razor and ViewEngines. If you return an object, then it will try to serialize your object based on HTTP Headers (what WebApi does).

Don't I just need a simple RESTful service?

If you have a full front-end SPA app with Angular? Yep. That's all you need and this whole MVC thing is not mandatory. You just need to create a web api. Microsoft have a nice tutorial right here on how to do it.

What do I need for authentication?

I would highly recommend an SSO. This mitigates the need to re-implement the authentication yourself. If you are more of a public application, try to support Facebook/Twitter/Google. If it's a business application, Azure AD can do the job but at that point, it's specific to what your client has so... it might not be the best solution.

Do I need ASP.NET Identity?

No, but for ASP.NET 5/MVC6, it's the only one that exists right now, so for the moment? Yes you do, but the whole ASP.NET system is made to be replaceable at every place in the system. Identity does not use the older membership system. It uses claims and that's a whole different subject.

Identity will take care of everything you need to authenticate every request (tokens and more). The good news? It supports Facebook, Google and many others.

More info here

Basically, ASP.NET 5 is a huge pipeline with dependency injection as a first-class citizen. Adding elements to the pipeline makes them available to those later in the pipeline.

This pipeline is configured in Startup.cs and is separated into 2 steps: ConfigureServices, which is where the dependency injection is configured, and Configure, where the actual elements of the pipeline are added. Want to replace the default logger? ConfigureServices. Want to add an element in the pipeline? Configure.

That's it really!

Recommended reading:

  • Migrating an ASP.NET MVC 5 app to ASP.NET 5
  • The State of Security in ASP.NET 5 and MVC 6: Claims & Authentication
  • The State of Security in ASP.NET 5 and MVC 6: OAuth 2.0, OpenID Connect and IdentityServer

Maxime Rouiller answered Oct 16 '22 05:10
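
The two-step Startup.cs configuration described in the answer, applied to the cookie-free, token-only API the question asks for. This is an added example, not code from the original answer: it assumes the released ASP.NET Core 3.1+ APIs (ASP.NET 5 shipped under the name ASP.NET Core) and the Microsoft.AspNetCore.Authentication.JwtBearer package, and the `Jwt:*` configuration keys and `ProfileController` are hypothetical names.

```csharp
// Added example; the Jwt:* config keys and ProfileController are hypothetical names.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    // Step 1: dependency injection. Services are registered here; nothing runs per request yet.
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers(); // API controllers only, no Razor view engine
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme) // bearer is the default, no cookie scheme
            .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = _config["Jwt:Issuer"],       // assumed config key
                ValidateAudience = true,                   // reject tokens minted for another API
                ValidAudience = _config["Jwt:Audience"],   // assumed config key
                ValidateLifetime = true,                   // reject expired tokens
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(   // assumed HMAC key; load from a secret store
                    Encoding.UTF8.GetBytes(_config["Jwt:SigningKey"]))
            });
    }

    // Step 2: the pipeline. A component only sees what earlier components produced.
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // validates the bearer token and populates HttpContext.User
        app.UseAuthorization();  // enforces [Authorize]; must run after UseAuthentication
        app.UseEndpoints(e => e.MapControllers());
    }
}

[ApiController, Authorize, Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    [HttpGet] // returning a plain object: it is serialized according to the request's Accept header
    public object Get() => new { user = User.Identity?.Name };
}
```

If `UseAuthorization` is placed before `UseAuthentication`, `HttpContext.User` is still anonymous when `[Authorize]` is evaluated and every request is rejected with 401, which is the ordering rule the answer's pipeline description implies.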