 

ASP.NET Web API with OAuth2 - "Remember this browser" when using two factor authentication

In the default template for ASP.NET MVC 5, there is the option of selecting "Remember this browser" when logging in using two factor authentication.

In ASP.NET MVC, this involves configuring app.UseTwoFactorRememberBrowserCookie(); in Startup.Auth.cs and then using SignInManager.TwoFactorSignInAsync() with isPersistent: true.

I would like to accomplish the same but using ASP.NET Web API with OAuth2 Bearer Tokens.

I.e. I would like the user to be able to log out (or be auto logged out). But the next time when logging in using the same browser, the user only has to provide the password, not two factor authentication.

How would I go about implementing such behavior using OAuth2 Bearer Tokens?

Svein Fidjestøl asked Feb 02 '17 13:02



2 Answers

Well, in my opinion it's the client side's issue and I would like to rephrase your question into "What is the best place to store authentication tokens in client side?"

You have a couple of options:

  1. HTML5 Web Storage (localStorage or sessionStorage)
  2. Cookies

With option one, when the tab/browser is closed the token is still alive and next time you are automatically logged in.

$window.sessionStorage.setItem('userInfo-token', 'tokenData');

With option two you can save the token into a cookie and retrieve it when you are going to send a request to the server.

Of course both options have pros and cons; for more information I recommend reading "Where to Store your JWTs – Cookies vs HTML5 Web Storage".

Abbas Amiri answered Oct 13 '22 15:10


I suggest that you need to take more control of the authentication solution and implement your own LoginController with a different login implementation, with a "remember this browser" cookie that you create on the user's browser after a successful ASP.NET Web API OAuth2 Bearer Tokens login exists. Just like ASP.NET MVC app.UseTwoFactorRememberBrowserCookie() does.

If the user logs in with two factor, then logs out, you place a cookie on that browser, a "remember me for 30 days" cookie. Next time they log in, you check for the unexpired cookie and allow login with password only to a different login method other than OAuth2 Bearer Tokens.

You are in control and you do not need ASP.NET Web API OAuth2 Bearer Tokens to solve your entire login solution.

Brian Ogden answered Oct 13 '22 15:10
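The answer above describes the cookie but not the token-endpoint side of it. What follows is an added example, not code from the question, from either answer, or from the ASP.NET templates: an OWIN OAuthAuthorizationServerProvider for the resource-owner password grant that looks for a self-issued, data-protected "remember this browser" cookie before demanding a second factor, and sets that cookie after a successful two-factor login, mirroring what app.UseTwoFactorRememberBrowserCookie() does for MVC. It assumes the Web API Identity template types (ApplicationUser, an ApplicationUserManager registered with app.CreatePerOwinContext, a two-factor provider registered as "Phone Code") and a TokenEndpointPath set in Startup. The form fields two_factor_code and remember_browser, the cookie name, the claim type string and the two_factor_required error code are this example's own choices, not names from any library.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.OAuth;

// ApplicationUser / ApplicationUserManager are the Web API Identity template types
// (assumed). Startup wires this in as the Provider of OAuthAuthorizationServerOptions:
//   Provider = new RememberBrowserOAuthProvider(app.GetDataProtectionProvider())
public class RememberBrowserOAuthProvider : OAuthAuthorizationServerProvider
{
    private const string CookieName = "WebApi.TwoFactorRememberBrowser";     // example's choice
    private const string SecurityStampClaim = "AspNet.Identity.SecurityStamp"; // example's choice
    private const string TwoFactorProvider = "Phone Code";                    // assumed registered name
    private static readonly TimeSpan RememberFor = TimeSpan.FromDays(30);

    private readonly ISecureDataFormat<AuthenticationTicket> _format;

    public RememberBrowserOAuthProvider(IDataProtectionProvider dataProtection)
    {
        // Same machinery Identity uses for its own remember-browser cookie: the ticket is
        // encrypted and integrity-protected, so the browser cannot read, forge or alter it.
        _format = new TicketDataFormat(dataProtection.Create("TwoFactorRememberBrowser"));
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public browser client, as in the template
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Password was correct. Demand the second factor unless this browser is remembered.
        if (await userManager.GetTwoFactorEnabledAsync(user.Id) && !IsBrowserRemembered(context.Request, user))
        {
            string code = context.Parameters.Get("two_factor_code"); // extra form field (example's choice)
            if (string.IsNullOrEmpty(code)
                || !await userManager.VerifyTwoFactorTokenAsync(user.Id, TwoFactorProvider, code))
            {
                context.SetError("two_factor_required", "A valid two-factor code is required.");
                return;
            }
            // Only a browser that has just passed the second factor may be remembered.
            if (context.Parameters.Get("remember_browser") == "true")
            {
                RememberBrowser(context, user);
            }
        }

        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }

    private void RememberBrowser(OAuthGrantResourceOwnerCredentialsContext context, ApplicationUser user)
    {
        var identity = new ClaimsIdentity("TwoFactorRememberBrowser");
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, user.Id));
        // Binding the cookie to the security stamp means a password change or
        // UpdateSecurityStampAsync ("sign out everywhere") invalidates every remembered browser.
        identity.AddClaim(new Claim(SecurityStampClaim, user.SecurityStamp ?? string.Empty));

        DateTimeOffset now = DateTimeOffset.UtcNow;
        var ticket = new AuthenticationTicket(identity,
            new AuthenticationProperties { IssuedUtc = now, ExpiresUtc = now + RememberFor });

        context.Response.Cookies.Append(CookieName, _format.Protect(ticket), new CookieOptions
        {
            HttpOnly = true,                                // not readable from script
            Secure = true,                                  // HTTPS only
            Path = context.Options.TokenEndpointPath.Value, // sent only to the token endpoint
            Expires = now.UtcDateTime + RememberFor
        });
    }

    private bool IsBrowserRemembered(IOwinRequest request, ApplicationUser user)
    {
        string value = request.Cookies[CookieName];
        if (string.IsNullOrEmpty(value)) return false;

        AuthenticationTicket ticket;
        try { ticket = _format.Unprotect(value); }
        catch (Exception) { return false; } // tampered, or protected under a different key

        // Expiry is enforced here, not by trusting the browser to drop the cookie.
        if (ticket == null || ticket.Identity == null || ticket.Properties.ExpiresUtc == null
            || ticket.Properties.ExpiresUtc.Value <= DateTimeOffset.UtcNow)
        {
            return false;
        }

        Claim id = ticket.Identity.FindFirst(ClaimTypes.NameIdentifier);
        Claim stamp = ticket.Identity.FindFirst(SecurityStampClaim);
        return id != null && stamp != null
            && id.Value == user.Id
            && stamp.Value == (user.SecurityStamp ?? string.Empty);
    }
}
```

The cookie is itself a second-factor bypass credential, so it gets the same care as a session cookie: HttpOnly, Secure, scoped to the token endpoint path, encrypted and MAC'd by the data protection provider, tied to one user and their current security stamp, and checked for expiry on the server. Logging out only discards the bearer token on the client, so the cookie survives and the next password-grant request from the same browser skips the second factor, which is the behaviour the question asks for; a "forget this browser" action is just Response.Cookies.Delete(CookieName). If the single-page app is served from a different origin than the token endpoint, the token request must be sent with credentials (for example XMLHttpRequest.withCredentials) and the CORS policy must allow them, otherwise the browser never attaches the cookie.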