Hi all,
I know that Aspnet zero supports SSO as External Login like Facebook Google+ and more.
But it's possibile to use aspnet zero as SSO provider?
We have to provide a mechanism where external portal can be use aspnet zero credentials to identify already logged-in user and call our API to retrieve some information.
Thanks
15 Answer(s)
-
0
Yes, it's possible.
See:
- ASP.NET Zero development guide for basic configuration.
- IdentityServer4's own documentation to understand and configure IdentityServer4.
-
0
Thanks aaron. I give it a try and report any issues!
-
0
<cite>aaron: </cite> Yes, it's possible.
See:
- ASP.NET Zero development guide for basic configuration.
- IdentityServer4's own documentation to understand and configure IdentityServer4.
I did read docs and took a look on the sample ApiClient that you mentioned. BTW we need a system like FB SSO where external portal can call ANZ login form and obtain authToken!
To accomplish with this is enough if external portal call ANZ loginUrl with returnUrl set to its url and in ANZ side append the authToke to returnUrl and redirect it ?
-
0
To accomplish with this is enough if external portal call ANZ loginUrl with returnUrl set to its url and in ANZ side append the authToken to returnUrl and redirect it?
That's not strictly SSO. TokenAuthController already does AddSingleSignInParametersToReturnUrl and return accessToken. https://github.com/aspnetzero/aspnet-zero-core/.../TokenAuthController.cs#L104-L170
-
0
Thanks aaron, where is mentioned this SingleSignIn in the docs? I didn't know this feature :D I'll take a look and report to you!
-
0
It's actually used for login integration to the main application - not comprehensively documented but has a brief section here: https://www.aspnetzero.com/Documents/Development-Guide-Core#single-sign-on
You may be able to adapt it for your requirements.
-
0
Yep! I think this mechanism can be enough!
Talking about JWT tokens ... is ANZ compliant with Sliding Expiration? Can we configure it in some way?
Thanks
-
0
SlidingExpiration is only available for cookies: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?tabs=aspnetcore2x#applications-cookie-settings
In general, sliding expiration for accessToken is wrong - once accessToken is leaked, it can be used to indefinitely prolong the access. That's what a refresh token is for. ASP.NET Zero does not handle refresh tokens but you can refer to IdentityServer4's Token Endpoint. Note that refresh token also has to be handled client-side: when you receive 401 Error, call the endpoint, then set to new accessToken.
If you decide to do sliding expiration, here's a third-party document on Reissusing a JWT with a New (Sliding) Expiration for WebApi.
-
0
Thank you aaron for clarifications!
I think that adapt SingleSignIn mechanism is the best choice for our needs.
If we'll have further doubts I'll write :D
Thx a lot.
-
0
As said before, we are using SingleSignIn mechanism for our purpose.
But what about SinglSignInTokenExpireUtc field? Is used or not?
If not, where we have to change the code and implement a check on this field and drive request to a 401 status?
-
0
-
0
Thank you, Aaron ... but is possible to integrate this check in WebApi layer? Editing some Authorization Filter?
-
0
Why would you need that? SignInToken is only used once to sign in with cookie-based authentication, not for WebApi.
-
0
As said at beginning of this thread, we need to allow access to our WebAPI to a third-party service. To do so, we like to use login mechanism offered by SingleSinIn where login form redirects to a specific URL passing through accessToken, memberId and tenantId. Moreover, accessToken has to be valid for 20 minutes and each request made on our webApi have to extend token validity for 20 minutes more, without releasing a new accessToken.
In this scenario, it was helpful to use SignInToken and check its validity!
