I have set up an OWIN authorization server and several resource servers exposing ASP.NET Web APIs. I am serving up a JWT from the authorization server that is specific to each resource server (the idea being that each resource server needs custom claims wrapped up in its token).
These servers are all in an intranet environment where we historically have used Windows Authentication (Kerberos) to provide a single sign-on experience. This feature has been lost in my implementation because I am using the user's username and password (authenticated against AD) to grant a token. What I am wondering is if there is a way to get a single sign-on experience back - maybe by using Windows Authentication to establish the identity of a user before granting them a token?
I feel like this is somewhat unorthodox and might be dumb - so please tell me if there is a better, alternative approach to getting SSO with OAuth 2.0 in an intranet environment.
a) To create a Web API project in Windows Authentication mode, follow the steps below: after choosing ASP.NET Web Application, select the Web API template, click the Change Authentication button on the right side, and select Windows Authentication.
On the taskbar, click Start, and then click Control Panel. In Control Panel, click Programs and Features, and then click Turn Windows Features on or off. Expand Internet Information Services, then World Wide Web Services, then Security. Select Windows Authentication, and then click OK.
As it turns out, this wasn't as hard as I expected. I created a standard web API controller off of an alternative endpoint (/token/windows/). This endpoint takes an HTTP POST with the client (resource) ID the Windows user is trying to connect to. I put the standard [Authorize] attribute on the action to ensure that identity is established, then I manually create a claims identity and return a JWT to the user. From that point on the user uses the standard token refresh process.
Edit: here's a sample below that represents what I implemented. Note that this app is configured in IIS to support Windows Authentication (in addition to anonymous authentication):
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Web.Http;

[RoutePrefix("token/windows")]
public class WindowsAuthenticationController : ApiController
{
    [Authorize]
    [HttpPost]
    [Route("{client_id}")] // the original was missing the closing parenthesis
    public IHttpActionResult CreateTokenForWindowsIdentity(string client_id)
    {
        // Under IIS Windows Authentication, User is the authenticated WindowsPrincipal
        var user = User as ClaimsPrincipal;
        if (user == null || !user.Identity.IsAuthenticated) return Unauthorized(); //401
        // generate claims based on the User.Identity.Name (add the custom claims
        // the resource server identified by client_id needs here)
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.Identity.Name),
            new Claim("client_id", client_id)
        };
        var identity = new ClaimsIdentity(claims, "JWT");
        //manually create JWT using whatever method you prefer,
        //I used something inspired from http://bitoftech.net/2015/02/16/implement-oauth-json-web-tokens-authentication-in-asp-net-web-api-and-identity-2/
        string jwt = CreateJwt(identity); // CreateJwt is a placeholder for that signing routine
        return Ok(new { access_token = jwt, token_type = "bearer" });
    }

    private static string CreateJwt(ClaimsIdentity identity)
    {
        throw new NotImplementedException("plug in your JWT signing code here");
    }
}
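The following is an added, complete version of the approach the answer describes; it is not the answerer's code. It assumes the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages, a constructed in-memory registry of resource servers (the class `ResourceServer`, the dictionary `Clients`, the issuer URL and the signing key are all placeholders), and that the application runs under IIS with Windows Authentication enabled so that `[Authorize]` is satisfied by Kerberos/NTLM. It goes a little beyond the answer: the `client_id` is checked against the registry, each resource server gets its own audience and key, and AD group membership is mapped to role claims.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Principal;
using System.Text;
using System.Web.Http;
using Microsoft.IdentityModel.Tokens;

// Hypothetical description of one resource server: the audience its tokens
// must carry, the key it validates them with, and the token lifetime.
public sealed class ResourceServer
{
    public string Audience { get; set; }
    public byte[] SigningKey { get; set; }
    public int LifetimeMinutes { get; set; }
}

[RoutePrefix("token/windows")]
public class WindowsTokenController : ApiController
{
    private const string Issuer = "https://auth.intranet.example/"; // placeholder issuer

    // Constructed registry; in a real deployment load it from configuration.
    // One key per resource server, so a token minted for one API is rejected
    // by every other API (different audience, different key).
    private static readonly Dictionary<string, ResourceServer> Clients =
        new Dictionary<string, ResourceServer>(StringComparer.Ordinal)
        {
            ["orders-api"] = new ResourceServer
            {
                Audience = "orders-api",
                SigningKey = Encoding.UTF8.GetBytes("placeholder-signing-key-for-orders-api-32b"),
                LifetimeMinutes = 15
            }
        };

    [Authorize]
    [HttpPost]
    [Route("{client_id}")]
    public IHttpActionResult CreateTokenForWindowsIdentity(string client_id)
    {
        // With Windows Authentication enabled in IIS, [Authorize] guarantees the
        // caller was authenticated by Kerberos/NTLM before this action runs.
        var windowsIdentity = User?.Identity as WindowsIdentity;
        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated)
            return Unauthorized();

        // Only mint tokens for resource servers this authorization server knows.
        ResourceServer resource;
        if (!Clients.TryGetValue(client_id ?? string.Empty, out resource))
            return BadRequest("unknown client_id");

        var now = DateTime.UtcNow;
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(BuildClaims(windowsIdentity), "JWT"),
            Issuer = Issuer,
            Audience = resource.Audience,
            NotBefore = now,
            Expires = now.AddMinutes(resource.LifetimeMinutes),
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(resource.SigningKey),
                SecurityAlgorithms.HmacSha256)
        };

        var handler = new JwtSecurityTokenHandler();
        string jwt = handler.WriteToken(handler.CreateToken(descriptor));

        // Same shape as a standard OAuth 2.0 token response.
        return Ok(new
        {
            access_token = jwt,
            token_type = "bearer",
            expires_in = resource.LifetimeMinutes * 60
        });
    }

    // Map the Windows identity to JWT claims: account name, primary SID and one
    // role claim per AD group (group SIDs translated to DOMAIN\Group where possible).
    private static List<Claim> BuildClaims(WindowsIdentity identity)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, identity.Name),
            new Claim(ClaimTypes.Name, identity.Name),
            new Claim(ClaimTypes.PrimarySid, identity.User.Value)
        };
        if (identity.Groups == null) return claims;
        foreach (IdentityReference group in identity.Groups)
        {
            string name;
            try { name = group.Translate(typeof(NTAccount)).Value; }
            catch (IdentityNotMappedException) { name = group.Value; }
            claims.Add(new Claim(ClaimTypes.Role, name));
        }
        return claims;
    }
}
```

The resource server then validates the token with the same key and audience (a `JwtBearerAuthenticationOptions` or `TokenValidationParameters` configured with `ValidIssuer`, `ValidAudience` and the `SymmetricSecurityKey`), which is why a per-client key and a short `expires_in` are worth the small amount of extra configuration: the Windows session only establishes who the user is, while the token's audience and lifetime decide where and for how long that identity is accepted.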