8

I'm writing a fairly large application, with an HTML/CSS/JS frontend, using AngularJS and an ASP.NET MVC Web API as a backend.

I would like users to be able to authenticate. I've installed Thinktecture AuthorizationServer on a separate machine, and there is an ADFS instance running on the Domain Controller. Currently, I'm using the web page supplied with ADFS for login, but it would be nice if I could use my own page, which would ask for the username/password combo, pass it to AuthorizationServer/ADFS, and then just use the authentication token after that.

Has anyone done something similar?

Regards, Daníel

dabs
  • Did you get any workaround for your problem? Please share your solution as I need to solve a similar problem. – KKS Jan 10 '14 at 10:16
  • I did the following:
    - added a /login endpoint to my API, which the user can POST to (over SSL, so username/password aren't sent in plaintext)
    - used the Thinktecture.IdentityModel library in my API project to connect to AuthorizationServer (using Code Flow).

    The code looks like this:

    ```csharp
    var client = new OAuth2Client(new Uri(endpoint), clientId, secret);
    LoginResponse response = null;
    AccessTokenResponse tokenResponse = null;
    try
    {
        tokenResponse = client.RequestAccessTokenUserName(data.user, data.pass, "read");
    }
    catch (Exception ex)
    {
        // exception is swallowed here; tokenResponse stays null on failure
    }
    ```

    It works... – dabs Jan 10 '14 at 14:55
  • Sorry about the formatting, it got a bit out of hand... – dabs Jan 10 '14 at 15:00
  • Thanks, it seems you have done everything in the same project. In my case, I already have an auth server that is ready to give a JWT, and a REST API to perform all my processing from the web client application. Should I create another layer as an ASP.NET Web API again, so that the MVC app can talk to the API, go to the auth server and bring the response back? Any resource/sample will be very helpful if you have one. – KKS Jan 10 '14 at 15:02
  • Does your user base already exist in Active Directory? – dabs Jan 11 '14 at 17:58
  • Yes, I have a server that talks to Active Directory. This server exposes services, that is, an auth URL; information like credentials needs to be sent in request headers, and this server will respond with a JSON Web Token. – KKS Jan 11 '14 at 20:17

1 Answer

3

In fact, your user will log in on your SPA, and then you have a server side (Java or .NET or *) that gets this request.

The server asks ADFS for the token, ADFS sends the token, and your server passes the token to AngularJS in the response via a cookie.

On the Angular side there is nothing to do except an HTTP interceptor to check the status of the response (401, 403) ...

The cookie will be resent automatically by AngularJS in each request. If you want to know how to implement an httpInterceptor in AngularJS, just check:

AngularJs -.net MVC WebApi Authentication example

In this thread I explain how to implement this step.

Anyway: your SPA is a RIA, OK, but it is still the client part of a web app. I don't think it's really good (I think it's really bad) to let the client part contact ADFS directly... How do you prevent man-in-the-middle if you do that?

Thomas Pons
  • Sounds interesting. Would the Web API project be able to handle the login request? – dabs Sep 26 '13 at 15:53
  • For me it's not really the standard, but the login page is a classic MVC page; then when you're logged in, you're in the SPA! – Thomas Pons Sep 26 '13 at 21:09
  • Anyway, I can put up an example with the login on the SPA side if you want – Thomas Pons Sep 26 '13 at 21:10
  • All examples would be highly appreciated :-) What I want is to host the SPA separately, and preferably without any backend code on its own - not all on my dev team are Windows users (they are students, so it's not like it is a standard dev team), so if they can run the client on whatever OS they're using, then that would be ideal, while developing the client. The API will however always be an ASP.NET Web API project, but that could be hosted on a shared server. – dabs Sep 27 '13 at 02:33
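
The 401/403 interceptor that the answer describes, as an added example (not code from this thread or from the linked answer). The names `authInterceptor`, `/login`, `auth:forbidden` and the module name `app` are assumptions, and `withCredentials` is set on the assumption that the SPA and the API are served from different origins, as the asker plans.

```javascript
// Added example: interceptor factory in the shape AngularJS expects for
// $httpProvider.interceptors. Hypothetical names: authInterceptor, '/login',
// 'auth:forbidden', module 'app'.
function authInterceptor($q, $location, $rootScope) {
  return {
    // The auth cookie is set by the server and attached by the browser, so the
    // client never touches the token. Cross-origin API calls only carry the
    // cookie when withCredentials is set (assumes SPA and API on separate hosts).
    request: function (config) {
      config.withCredentials = true;
      return config;
    },
    responseError: function (rejection) {
      if (rejection.status === 401) {
        // Not authenticated or session expired: remember where the user was
        // and send them to the login view. Skip if already there (no loop).
        var returnTo = $location.path();
        if (returnTo !== '/login') {
          $location.path('/login').search({ returnTo: returnTo });
        }
      } else if (rejection.status === 403) {
        // Authenticated but not authorised: logging in again will not help,
        // so stay on the page and let the UI show a message.
        var url = rejection.config ? rejection.config.url : undefined;
        $rootScope.$broadcast('auth:forbidden', url);
      }
      // Keep the promise rejected so the calling code still sees the failure.
      return $q.reject(rejection);
    }
  };
}

// Registration inside an AngularJS app (skipped when run outside a browser).
if (typeof angular !== 'undefined') {
  angular.module('app')
    .factory('authInterceptor', ['$q', '$location', '$rootScope', authInterceptor])
    .config(['$httpProvider', function ($httpProvider) {
      $httpProvider.interceptors.push('authInterceptor');
    }]);
}
```

With the token in a cookie, the server should mark that cookie `HttpOnly` and `Secure` so script in the page cannot read it and it is never sent over plain HTTP.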