
Security concepts #11679


Loizos created

What is your product version? 12.1.0
What is your product type (Angular or MVC)? Angular 15
What is product framework type (.net framework or .net core)? .NET 7

Hi support,

We are deploying our Application to Azure. We have a WAF protecting both the Application and the API service. These services are hosted on separate machines with a shared database. The WAF will do TLS termination.

We understand that JWT tokens are used as the authentication mechanism. However, we're a little unclear on how the JWT token is used when accessing the API service. We are assuming the following scenario – are we correct please?

  1. User accesses web application
     a. one-way TLS between the application and the WAF gives us an encrypted connection – i.e. the user is not authenticated to the WAF.
     b. user authenticates to the web application (username/password) and the web app returns a JWT token.

  2. User then calls the API service (which is on another machine)
     a. We assume that the JWT token has to be sent with the request to the API service?
     b. JWT authentication is then done at the API service, i.e. authentication is done by the back-end machine?

Questions:

  1. Do you have a basic design diagram showing the above interactions?

  2. Can we configure the JWT service?

  3. Where is the JWT token stored? (we assume the shared DB?)

  4. We would prefer it if the authentication was done nearer to the WAF and taken off the back-end service. We are considering an API-Manager between the WAF and the API service.
     a. Is it possible to configure our solution so that the JWT is handled by the API-Manager and not ASPNetZero?
     b. Do you have any examples of this architecture, or do you think that this is not a good idea?

Thanks! Loizos


3 Answer(s)
  • ismcagdas created
    Support Team

    Hi @Loizos

    Could you tell us what WAF is?

    • The scenario you explained seems correct.
    1. You can take a look at https://docs.aspnetzero.com/en/aspnet-core-angular/latest/Overview-Angular
    2. What do you want to configure ?
    3. It is not stored at all. It contains the information as encrypted inside it. You can read https://jwt.io/introduction for more info.
    4. We can answer this after learning the WAF.

    Thanks,

  • Loizos created

    Hi Ismail,

    Thanks for the answers.

    WAF - we mean a Web Application Firewall on Azure (https://learn.microsoft.com/en-us/azure/web-application-firewall/ag/ag-overview)

    Basically, a proposed security architecture to us is to deploy a WAF in front, then an API-Manager (both in DMZ) and then the ASP.NET Zero solutions (internal network).

    We know that you already support a number of social and external logins/authentication; however, the question is if it is possible to configure ASP.NET Zero so that authentication is done by any of these two (WAF or API-Manager).

    Thanks, Loizos

  • ismcagdas created
    Support Team

    Hi @Loizos

    Thanks, got it now.

    "Is it possible to configure ASP.NET Zero so that authentication is done by any of these two (WAF or API-Manager)?"

    In the Angular app, the client sends credentials to the API application and it sends back a token. For the following requests, the Angular client sends this token and the API app resolves the token and uses it.

    As far as I know, what you are asking is not possible. At least, I don't know how to do it.