
I have been searching for an example on how to add a security layer for all our currently running web applications which have been developed in ASP.NET MVC and Web API. The requirement has come from the top for the current new API which will be used by some of our applications but at the same time allowing a user to use one identity.

I have been scouring the internet the whole day watching videos and reading blogs, but I cannot find a solid step-by-step guide that is not ASP.NET Core based, that is easy to understand, up to date, perhaps visual and with the correct technologies to use. I have come across two main ones and am not sure how they are really interlinked, i.e. IdentityServer 4 and OAuth 2, but I do understand both individually.

Does anyone have a good example or tutorial I could follow that also includes authorization? Our current user store is in a SQL Server database, and the end goal is to create one security token service to authenticate all the applications and carry forward claims in JWTs. Please assist?

Donald N. Mafa
  • Create your own? Writing middleware in MVC is relatively easy by using global request filters etc. – Wurd Sep 27 '18 at 14:10
  • https://stackoverflow.com/questions/26755573/how-to-implement-oauth2-server-in-asp-net-mvc-5-and-web-api-2 – Fran Sep 27 '18 at 16:00
  • @Fran - Thank you for your link, it has helped a lot with regards to setting up the Auth and Resource server. However, I am trying to figure out the last bit, from my resource api, say Web API, how do I pass the username and password with every request, this does not seem to be the complete solution I am looking for. Also for an MVC client, how do you include those checks. And how do you manage Authorization??? – Donald N. Mafa Oct 02 '18 at 05:53
  • You shouldn't be sending your username and password around with every request. You should be making your first call to the auth token service to get a valid token which then can be passed around in the header of every call. As long as that token is valid, then you are good. In MVC you'd have a custom action filter to validate that the token is still good before you allow any action to take place. – Fran Oct 02 '18 at 11:03
  • @Fran - thank you, that makes sense. I think I was looking for the action filter bit, and for the API I can include the bearer token in the req.header – Donald N. Mafa Oct 02 '18 at 11:40
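
The flow described in the comments above (get a token once from the token service, send it in the `Authorization` header, and check it in an MVC action filter before the action runs), as an added example that is not part of the original thread. It assumes ASP.NET MVC 5 with the `System.IdentityModel.Tokens.Jwt` NuGet package and an HMAC-signed JWT; the class name, issuer, audience and key are hypothetical placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using System.Web.Mvc;
using Microsoft.IdentityModel.Tokens;

// Hypothetical filter name. Rejects the request unless it carries a valid bearer JWT.
public class RequireValidJwtAttribute : ActionFilterAttribute
{
    // Assumed placeholder values; load the real ones from protected configuration.
    private const string Issuer = "https://sts.example.test";
    private const string Audience = "example-mvc-app";
    private static readonly SymmetricSecurityKey SigningKey = new SymmetricSecurityKey(
        Encoding.UTF8.GetBytes("PLACEHOLDER-signing-key-change-me-0123456789"));

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        const string scheme = "Bearer ";
        string header = filterContext.HttpContext.Request.Headers["Authorization"];
        if (header == null || !header.StartsWith(scheme, StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpUnauthorizedResult(); // no token: fail closed
            return;
        }

        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = Issuer,          // token came from our STS
            ValidateAudience = true, ValidAudience = Audience,    // token was issued for this app
            ValidateLifetime = true,                              // reject expired tokens
            ValidateIssuerSigningKey = true, IssuerSigningKey = SigningKey,
            ClockSkew = TimeSpan.FromMinutes(1)
        };

        try
        {
            SecurityToken validated;
            var principal = new JwtSecurityTokenHandler().ValidateToken(
                header.Substring(scheme.Length).Trim(), parameters, out validated);
            // Expose the token's claims to the action for authorization decisions.
            filterContext.HttpContext.User = principal;
        }
        catch (Exception) // bad signature, expired, wrong issuer/audience, malformed token
        {
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }
}
```

Action filters run after MVC authorization filters, so a built-in `[Authorize]` attribute on the same action will not see the principal set here; claim checks belong in the action or in a later filter.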

0 Answers