
Single Sign On Implementation #3921


fabiovalerio created

Hi all,

I know that ASP.NET Zero supports SSO as External Login with Facebook, Google+ and more.

But is it possible to use ASP.NET Zero as an SSO provider?

We have to provide a mechanism where an external portal can use ASP.NET Zero credentials to identify an already logged-in user and call our API to retrieve some information.

Thanks


15 Answer(s)
  • aaron created (Support Team)

    Yes, it's possible.

    See:

  • fabiovalerio created

    Thanks aaron. I give it a try and report any issues!

  • fabiovalerio created

    aaron: Yes, it's possible.

    See:

    I did read the docs and took a look at the sample ApiClient you mentioned. BTW, we need a system like FB SSO where an external portal can call the ANZ login form and obtain an authToken!

    To accomplish this, is it enough if the external portal calls the ANZ loginUrl with returnUrl set to its own URL, and on the ANZ side we append the authToken to the returnUrl and redirect to it?

  • aaron created (Support Team)

    fabiovalerio: To accomplish this, is it enough if the external portal calls the ANZ loginUrl with returnUrl set to its own URL, and on the ANZ side we append the authToken to the returnUrl and redirect to it?

    That's not strictly SSO. TokenAuthController already does AddSingleSignInParametersToReturnUrl and returns an accessToken. https://github.com/aspnetzero/aspnet-zero-core/.../TokenAuthController.cs#L104-L170
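
The answer above describes the login page appending the single-sign-in parameters to returnUrl and redirecting. The one check a practitioner would want before doing that is validating returnUrl, otherwise the login page is an open redirect that hands a freshly minted access token to whatever origin the attacker put in the query string. The following is an added example written for this thread, not ASP.NET Zero's own TokenAuthController code; the allow-list of portal origins, the appOrigin parameter and the parameter names accessToken / userId / tenantId are assumptions for the example.

```javascript
// Added example (not ASP.NET Zero's code): validate returnUrl before appending
// single-sign-in parameters and redirecting. Runs on Node (uses the global URL class).

// Assumed allow-list of external portals that may receive a token via returnUrl.
// The origin is a constructed sample value.
const ALLOWED_PORTAL_ORIGINS = new Set([
  "https://portal.example.com",
]);

// Returns a parsed, acceptable URL, or null when returnUrl must be rejected.
// appOrigin is the origin of the application serving the login page (assumed https).
function validateReturnUrl(returnUrl, appOrigin, allowedOrigins = ALLOWED_PORTAL_ORIGINS) {
  if (typeof returnUrl !== "string" || returnUrl.length === 0) return null;
  let parsed;
  try {
    // Relative paths resolve against our own origin; "//evil.example/x" and
    // "/\evil.example" resolve to a foreign origin and are caught by the origin check.
    parsed = new URL(returnUrl, appOrigin);
  } catch {
    return null;
  }
  if (parsed.protocol !== "https:") return null;        // no http:, javascript:, data: targets
  if (parsed.username || parsed.password) return null;   // "https://portal@evil.example" tricks
  const ownOrigin = new URL(appOrigin).origin;
  if (parsed.origin === ownOrigin) return parsed;        // the main application itself
  if (allowedOrigins.has(parsed.origin)) return parsed;  // a registered external portal
  return null;
}

// Appends the single-sign-in parameters (names assumed for the example) to a
// validated returnUrl and returns the Location to redirect to. Throws on rejection
// so the caller cannot forget to handle it.
function buildSingleSignInRedirect(returnUrl, appOrigin, { accessToken, userId, tenantId }) {
  const target = validateReturnUrl(returnUrl, appOrigin);
  if (target === null) {
    throw new Error("returnUrl rejected: " + returnUrl);
  }
  target.searchParams.set("accessToken", accessToken);
  target.searchParams.set("userId", String(userId));
  if (tenantId !== undefined && tenantId !== null) {
    target.searchParams.set("tenantId", String(tenantId));
  }
  return target.toString();
}

// Stand-alone usage with constructed values.
console.log(buildSingleSignInRedirect(
  "https://portal.example.com/sso/callback",
  "https://app.example.com",
  { accessToken: "constructed-token", userId: 42, tenantId: 1 }
));
```

Whatever the redirect target, a token carried in the query string also lands in browser history, Referer headers and the portal's access logs, so keep its lifetime short and prefer handing it over in the URL fragment or via a POST to the portal where that is an option.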

  • fabiovalerio created

    Thanks aaron, where is this SingleSignIn mentioned in the docs? I didn't know about this feature :D I'll take a look and report back to you!

  • aaron created (Support Team)

    It's actually used for login integration to the main application - not comprehensively documented but has a brief section here: https://www.aspnetzero.com/Documents/Development-Guide-Core#single-sign-on

    You may be able to adapt it for your requirements.

  • fabiovalerio created

    Yep! I think this mechanism can be enough!

    Talking about JWT tokens ... is ANZ compliant with sliding expiration? Can we configure it in some way?

    Thanks

  • aaron created (Support Team)

    SlidingExpiration is only available for cookies: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-configuration?tabs=aspnetcore2x#applications-cookie-settings

    In general, sliding expiration for an accessToken is wrong - once the accessToken is leaked, it can be used to indefinitely prolong the access. That's what a refresh token is for. ASP.NET Zero does not handle refresh tokens but you can refer to IdentityServer4's Token Endpoint. Note that the refresh token also has to be handled client-side: when you receive a 401 error, call the endpoint, then set the new accessToken.

    If you decide to do sliding expiration, here's a third-party document on Reissuing a JWT with a New (Sliding) Expiration for WebApi.
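
The client-side half of the refresh-token flow described above (401, call the refresh endpoint, retry with the new accessToken) is easy to get subtly wrong: retrying in a loop, or firing one refresh per concurrent request. The following is an added example for this thread, not ASP.NET Zero's or IdentityServer4's code; the refresh endpoint path, its request/response JSON shape and the in-memory token store are assumptions, and the fake server is constructed so the example runs offline.

```javascript
// Added example (not ASP.NET Zero's code): fetch wrapper that retries a request
// exactly once after refreshing the access token on a 401.

// fetchImpl: a fetch-compatible function; refreshUrl: assumed refresh endpoint;
// tokens: { accessToken, refreshToken }, updated in place after a refresh.
function createAuthClient({ fetchImpl, refreshUrl, tokens }) {
  let refreshing = null; // one in-flight refresh shared by concurrent 401s

  async function refreshAccessToken() {
    if (!refreshing) {
      refreshing = (async () => {
        const res = await fetchImpl(refreshUrl, {
          method: "POST",
          headers: { "Content-Type": "application/json" },
          body: JSON.stringify({ refreshToken: tokens.refreshToken }), // assumed request shape
        });
        if (res.status !== 200) {
          throw new Error("refresh failed: " + res.status); // session is over, re-login
        }
        const body = await res.json();                       // assumed response shape
        tokens.accessToken = body.accessToken;
        if (body.refreshToken) tokens.refreshToken = body.refreshToken; // rotation, if used
      })().finally(() => { refreshing = null; });
    }
    return refreshing;
  }

  async function authFetch(url, init = {}) {
    const send = () => fetchImpl(url, {
      ...init,
      headers: { ...(init.headers || {}), Authorization: "Bearer " + tokens.accessToken },
    });
    let res = await send();
    if (res.status !== 401) return res;
    await refreshAccessToken();  // rejects if the refresh token itself is rejected
    res = await send();          // retry once; a second 401 is returned, never looped on
    return res;
  }

  return { authFetch, refreshAccessToken };
}

// Constructed fake server: access token "old" is expired, "new" is valid, and
// refresh token "r1" exchanges for access token "new" plus rotated refresh token "r2".
function makeFakeServer() {
  const calls = [];
  const fetchImpl = async (url, init = {}) => {
    const auth = (init.headers || {}).Authorization;
    calls.push({ url, auth });
    if (url === "/api/token/refresh") {                     // assumed endpoint path
      const { refreshToken } = JSON.parse(init.body);
      if (refreshToken === "r1") {
        return { status: 200, json: async () => ({ accessToken: "new", refreshToken: "r2" }) };
      }
      return { status: 400, json: async () => ({}) };
    }
    const ok = auth === "Bearer new";
    return { status: ok ? 200 : 401, json: async () => (ok ? { data: "secret" } : {}) };
  };
  return { fetchImpl, calls };
}

// Happy path: expired access token, valid refresh token.
async function demo() {
  const server = makeFakeServer();
  const tokens = { accessToken: "old", refreshToken: "r1" };
  const client = createAuthClient({ fetchImpl: server.fetchImpl, refreshUrl: "/api/token/refresh", tokens });
  const res = await client.authFetch("/api/services/app/Profile/GetInfo");
  return { status: res.status, body: await res.json(), tokens: { ...tokens }, calls: server.calls.length };
}

// Failure path: refresh token rejected, so the wrapper must reject instead of retrying.
async function demoExpiredRefresh() {
  const server = makeFakeServer();
  const tokens = { accessToken: "old", refreshToken: "bad" };
  const client = createAuthClient({ fetchImpl: server.fetchImpl, refreshUrl: "/api/token/refresh", tokens });
  try {
    await client.authFetch("/api/services/app/Profile/GetInfo");
    return false;
  } catch (e) {
    return true;
  }
}

demo().then((r) => console.log(JSON.stringify(r)));
```

The point of the single in-flight refresh is that a page issuing several API calls at once sees several 401s at the same moment; without sharing the promise each of them would spend the refresh token, and with rotation enabled all but the first would fail.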

  • fabiovalerio created

    Thank you aaron for clarifications!

    I think that adapting the SingleSignIn mechanism is the best choice for our needs.

    If we have further doubts I'll write :D

    Thx a lot.

  • fabiovalerio created

    As said before, we are using SingleSignIn mechanism for our purpose.

    But what about the SinglSignInTokenExpireUtc field? Is it used or not?

    If not, where do we have to change the code to implement a check on this field and drive the request to a 401 status?

  • aaron created (Support Team)

  • fabiovalerio created

    Thank you, Aaron ... but is it possible to integrate this check in the WebApi layer? By editing some Authorization Filter?

  • aaron created (Support Team)

    Why would you need that? SignInToken is only used once to sign in with cookie-based authentication, not for WebApi.

  • fabiovalerio created

    As said at the beginning of this thread, we need to allow access to our WebAPI to a third-party service. To do so, we'd like to use the login mechanism offered by SingleSignIn, where the login form redirects to a specific URL passing the accessToken, memberId and tenantId. Moreover, the accessToken has to be valid for 20 minutes and each request made to our WebAPI has to extend the token's validity for 20 more minutes, without issuing a new accessToken.

    In this scenario, it would be helpful to use SignInToken and check its validity!

  • ismcagdas created (Support Team)

    Hi @fabiovalerio,

    This topic might be helpful for you #2922