Hi, I'm using MVC5AJ1.
Now, I'm referencing two articles, which are (<a class="postlink" href="http://www.cnblogs.com/sheng-jie/p/6755187.html#autoid-3-2-0">http://www.cnblogs.com/sheng-jie/p/6755 ... toid-3-2-0</a>) and (<a class="postlink" href="http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/">http://bitoftech.net/2014/06/01/token-b ... -identity/</a>). I'm trying to apply OAuth in ABP and use it to receive a token. And I'm wondering why the way of receiving the current token in ABP differs from the OAuth token. I have also made a comparison between the current ABP token and the OAuth token, as shown in the image below.
[attachment: Capture.PNG]
- Why doesn't ABP have to implement SimpleAuthorizationServerProvider, while the OAuth sample does implement it?
- Why are the returned results of ABP and OAuth different?
[attachment: Capture.PNG]
- I'm wondering what the Protect method does:
return new AjaxResponse(OAuthBearerOptions.AccessTokenFormat.Protect(ticket));
- Can OAuth be implemented in ABP and work with existing permission setting in ABP?
21 Answer(s)
-
0
Hi,
- The example you show uses Token Based Auth, not OAuth.
- ABP wraps the result, but since Token Based Auth and OAuth are different, having different results is normal.
- It is OWIN's code, but as far as I can check, it encrypts and encodes the token.
- If you want AspNet Zero to act as an OAuth server, you can try to integrate Identity Server into your application.
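To make the third point concrete, here is an added example that is not AspNet Zero's or ABP's own code. It rebuilds, outside an OWIN pipeline, the same TicketDataFormat that the OAuth bearer middleware installs when AccessTokenFormat is left null, and shows what Protect produces and what the bearer middleware checks when the token comes back. The DPAPI provider and the app name "TicketProtectionDemo" are assumptions for a console run on Windows; a hosted ASP.NET app gets its protector from app.GetDataProtectionProvider() instead.

```csharp
// Added example (not AspNet Zero / ABP code): what OAuthBearerOptions.AccessTokenFormat.Protect(ticket) does.
// Needs the Microsoft.Owin.Security NuGet package. DpapiDataProtectionProvider is Windows-only (assumption
// for a console sample); in a hosted app the middleware uses the data protector the host provides.
using System;
using System.Security.Claims;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;

public static class TicketProtectionDemo
{
    // Same purposes strings the bearer middleware uses (namespace, "Access_Token", "v1"), so the format
    // is equivalent to the one behind OAuthBearerOptions.AccessTokenFormat.
    private static readonly ISecureDataFormat<AuthenticationTicket> Format =
        new TicketDataFormat(
            new DpapiDataProtectionProvider("TicketProtectionDemo")
                .Create("Microsoft.Owin.Security.OAuth", "Access_Token", "v1"));

    // Mirrors what an /api/Account/Authenticate action does: build a ticket, then Protect it.
    public static string Issue(string userId, TimeSpan lifetime)
    {
        var identity = new ClaimsIdentity("Bearer");
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        identity.AddClaim(new Claim(ClaimTypes.Role, "Admin"));   // sample role claim (constructed)

        var props = new AuthenticationProperties
        {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.Add(lifetime)
        };
        // Protect = serialize the ticket, encrypt and MAC it with the data protector, base64url-encode it.
        // The string is opaque to the client: claims and expiry are unreadable without the server key.
        return Format.Protect(new AuthenticationTicket(identity, props));
    }

    // What the bearer middleware does on each request: Unprotect, then enforce ExpiresUtc.
    public static ClaimsIdentity Validate(string token)
    {
        AuthenticationTicket ticket = Format.Unprotect(token);   // null when the MAC/decrypt fails
        if (ticket == null)
            return null;
        if (ticket.Properties.ExpiresUtc.HasValue && ticket.Properties.ExpiresUtc < DateTimeOffset.UtcNow)
            return null;
        return ticket.Identity;
    }

    public static void Main()
    {
        string token = Issue("42", TimeSpan.FromMinutes(30));
        Console.WriteLine("round trip user id: " + Validate(token).FindFirst(ClaimTypes.NameIdentifier).Value);

        // Flip one character: the integrity check fails and Unprotect yields null rather than throwing.
        char[] tampered = token.ToCharArray();
        tampered[10] = tampered[10] == 'A' ? 'B' : 'A';
        Console.WriteLine("tampered token rejected: " + (Validate(new string(tampered)) == null));

        // An already-expired ticket decrypts fine but is still rejected on the expiry check.
        Console.WriteLine("expired token rejected: " + (Validate(Issue("42", TimeSpan.FromMinutes(-1))) == null));
    }
}
```

Two practical consequences follow from this: the token is only as secret as the machine key (or DPAPI key) behind the protector, so every server in a web farm must share that key, and there is no way to revoke an individual token before ExpiresUtc other than changing the key or checking a server-side list, which is why a short lifetime plus refresh tokens is the usual answer for mobile clients.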
-
0
Hi,
With reference to both answers 1 and 2, my understanding is that AspNetZero is just using OWIN to generate the access token, but it is not an OAuth token implementation.
Could you point me to some articles on token-based authorization, because Google tends to return OAuth. That's why I compiled the table to see the difference.
My ultimate goal is to extend the current token authentication with a "Refresh token" so that the mobile app does not need to sign in again. It does not necessarily have to be OAuth.
Appreciate your advice.
Thanks.
-
0
Dear Support,
Urgently, I would appreciate your advice, as this will impact a project that we will be undertaking.
I have checked the standard asp.net web api with individual account (membership), which differs from the way token is generated by aspnetzero.
Appreciate your inputs on why aspnetzero has a different implementation when it comes to token generation.
As mentioned earlier, the goal is to implement a Refresh Token mechanism to existing aspnetzero /Authenticate end point.
Thanks.
-
0
@tteoh we are also working on implementing refresh token in AspNet Zero. We don't know how to do it yet. If we can complete it, we can share the results.
You can use DontWrapResult attribute if you don't want ABP to wrap your result. You can even create a second Action for this because using DontWrapResult attribute in the original Action might break your web app.
-
0
hi @tteoh
there's a token refresh procedure in the Xamarin application with the current authentication mechanism. See the code that auto refreshes before the token expires... <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/blob/af4213c936be456c8473234fabba7946e770d783/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Application.Client/ApiClient/AccessTokenManager.cs#L89">https://github.com/aspnetzero/aspnet-ze ... ger.cs#L89</a>
-
0
@ismcagdas We managed to implement the OAuth token based on the articles mentioned in the original message. My concern was whether the OAuth token behaves the same way as the ASPNetZero token when calling the Web API/Dynamic Web API authorized in ASPNetZero. Based on our testing using Postman, both tokens provide the same test result.
Glad you are considering Refresh Token for ASPNetZero, and I presume it is not ASPNetZero Core. You might want to check out this article: <a class="postlink" href="http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/">http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/</a>. We are attempting to implement this pattern.
Wouldn't you consider the Refresh Token of ASPNetZero Core with Xamarin to be applied to ASPNetZero?
Thanks. /Tommy
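For readers following the refresh-token goal raised earlier in this thread, here is an added example of the OWIN IAuthenticationTokenProvider approach that the bitoftech article builds on. It is not AspNet Zero's code and not the article's code: the credential check is an injected delegate (assumed to wrap UserManager.FindAsync or similar), the in-memory dictionary stands in for a RefreshTokens table, and the lifetimes, endpoint path and class names are assumptions for the sample.

```csharp
// Added example (not AspNet Zero code): short-lived access token + single-use refresh token with the
// Microsoft.Owin.Security.OAuth authorization server. Assumes packages Microsoft.Owin.Security.OAuth and
// Microsoft.Owin.Host.SystemWeb (or any OWIN host) are installed.
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Handles grant_type=password (first login) and grant_type=refresh_token (silent renewal).
public class ResourceOwnerProvider : OAuthAuthorizationServerProvider
{
    // Assumed hook: wraps the real credential check so the sample stays self-contained.
    private readonly Func<string, string, Task<bool>> _checkCredentials;

    public ResourceOwnerProvider(Func<string, string, Task<bool>> checkCredentials)
    {
        _checkCredentials = checkCredentials;
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();   // public client (mobile app): there is no client secret to verify
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!await _checkCredentials(context.UserName, context.Password))
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }

    // Reached only after RefreshTokenProvider.ReceiveAsync recovered a stored, unexpired ticket.
    public override Task GrantRefreshToken(OAuthGrantRefreshTokenContext context)
    {
        // Copy the identity so claims can be refreshed here; the middleware sets the new access-token expiry.
        var identity = new ClaimsIdentity(context.Ticket.Identity);
        context.Validated(new AuthenticationTicket(identity, context.Ticket.Properties));
        return Task.FromResult(0);
    }
}

public class RefreshTokenProvider : IAuthenticationTokenProvider
{
    // Stand-in for a RefreshTokens table: SHA-256(token) -> protected ticket (assumed for the sample).
    // Storing only the hash means a leaked table does not hand out usable refresh tokens.
    private readonly ConcurrentDictionary<string, string> _store = new ConcurrentDictionary<string, string>();
    private readonly TimeSpan _lifetime;

    public RefreshTokenProvider(TimeSpan lifetime) { _lifetime = lifetime; }

    public Task CreateAsync(AuthenticationTokenCreateContext context)
    {
        var raw = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(raw);
        string token = Convert.ToBase64String(raw);

        // The refresh ticket gets its own, longer expiry; the access-token expiry was already captured.
        context.Ticket.Properties.IssuedUtc = DateTimeOffset.UtcNow;
        context.Ticket.Properties.ExpiresUtc = DateTimeOffset.UtcNow.Add(_lifetime);
        _store[Hash(token)] = context.SerializeTicket();   // ticket protected with the server's data protector
        context.SetToken(token);
        return Task.FromResult(0);
    }

    public Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        string protectedTicket;
        // One-time use: remove on receipt, so a replayed refresh token is answered with invalid_grant.
        if (_store.TryRemove(Hash(context.Token), out protectedTicket))
            context.DeserializeTicket(protectedTicket);   // leaves context.Ticket null if unprotect fails
        return Task.FromResult(0);
    }

    public void Create(AuthenticationTokenCreateContext context) { CreateAsync(context).Wait(); }
    public void Receive(AuthenticationTokenReceiveContext context) { ReceiveAsync(context).Wait(); }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}

public static class OAuthStartup
{
    public static void Configure(IAppBuilder app, Func<string, string, Task<bool>> checkCredentials)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AllowInsecureHttp = false,                             // tokens travel over TLS only
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(15),  // short-lived access token
            Provider = new ResourceOwnerProvider(checkCredentials),
            RefreshTokenProvider = new RefreshTokenProvider(TimeSpan.FromDays(14))
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

The client posts `grant_type=password&username=...&password=...` to /token once, stores the returned refresh_token, and afterwards posts `grant_type=refresh_token&refresh_token=...` whenever expires_in has elapsed. Because the stored ticket is removed on every use and a new one is issued, a stolen refresh token that is replayed after the legitimate client has already rotated it fails, and deleting a user's rows from the table is the revocation that the protected access token alone cannot give you.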
-
0
<cite>tteoh: </cite> Glad you are considering Refresh Token for ASPNetZero and i presume is not ASPNetZero Core.
As stated in Version Differences:
new major features will be implemented for ASP.NET Core version (.NET Core & full .NET Framework).
-
0
Hi,
How will you implement the 2 factor authentication with OAuth Token based ?
-
0
<cite>aaron: </cite>
<cite>tteoh: </cite> Glad you are considering Refresh Token for ASPNetZero and i presume is not ASPNetZero Core.
As stated in Version Differences:
new major features will be implemented for ASP.NET Core version (.NET Core & full .NET Framework).
@aaron, thanks for providing the link on the version difference. It certainly helps to understand the differences between .net core and non-core.
Thanks. /Tommy
-
0
<cite>alper: </cite> Hi,
How will you implement the 2 factor authentication with OAuth Token based ?
@alper For now, there is no 2-Factor requirement, and we do not foresee one in the future either. Our focus is mainly on "Refresh Token" to further enhance the existing MVC5AJ1 token-based authentication, so that the mobile client is NOT given a long-lived access token but a short-lived one together with a refresh token. From my research, this is quite a standard practice; however, it's missing from ASPNet Zero at this moment.
There is still one thing that puzzles me, despite the explanation given so far. What's the difference between the access token generated by ASPNet Zero using "OAuthBearerOptions.AccessTokenFormat.Protect(ticket)" and the one generated by OAuth, which implements an authentication provider ("OAuthAuthorizationServerProvider") that uses "GrantResourceOwnerCredentials"?
In particular, how do these two tokens affect the Roles and Permissions set in ASPNet Zero?
We successfully implemented OAuth token. Using Postman, the Roles/Permissions assigned to the same user based on endpoints:
- ../api/Account/Authenticate
- ../token
Both seem to behave the same way based on simple test cases. We would be very grateful if you have anything more to share.
We have to continue on with "Refresh Token" that is straining the progress right now.
Thanks. /Tommy
-
0
Hi,
If you have replaced AspNet Zero's own token mechanism with standard OAuth, then it's OK. The main reason AspNet Zero has its own token system is 2FA. If you don't need it, then you can go with OAuth.
By the way,
OAuthBearerOptions.AccessTokenFormat.Protect(ticket)
encrypts the ticket and it's Microsoft code. <a class="postlink" href="https://github.com/aspnet/AspNetKatana/blob/9f6e09af6bf203744feb5347121fe25f6eec06d8/src/Microsoft.Owin.Security/DataProtection/IDataProtector.cs">https://github.com/aspnet/AspNetKatana/ ... otector.cs</a>
-
0
@alper based on aspnetzero documentation, it only mentions token-based authentication. Could you pls elaborate how 2FA comes into play on this particular use case?
Do you mean that if I enable 2FA for web login, it will also be activated for token-based login?
Thanks for the confirmation on OAuth token replacing aspnetzero token.
Thanks, /tommy
-
0
<cite>tteoh: </cite> @alper based on aspnetzero documentation, it only mentions token-based authentication. Could you pls elaborate how 2FA comes into play on this particular use case?
Do you mean that if I enable 2FA for web login, it will also be activated for token-based login?
Thanks for the confirmation on OAuth token replacing aspnetzero token.
Thanks, /tommy
@alper could you pls clarify relation between the 2FA and token based authentication of current aspnetzero behavior?
Thanks. /tommy
-
0
Hi @tteoh,
Authentication terminology is confusing most of the time. I suggest you read about it on the web.
Basically, AspNet Zero's Angular application uses token based auth. You can also enable 2FA in AspNet Zero. You can check 2FA in this document: <a class="postlink" href="https://aspnetzero.com/Documents/Development-Guide-Angular#two-factor-login">https://aspnetzero.com/Documents/Develo ... ctor-login</a>.
But don't forget that, AspNet Zero doesn't use OAuth internally.
-
0
@ismcagdas thank you for the responses. Fully noted that aspnetzero does not use OAuth token.
For 2FA in aspnetzero, I presume the implementation only works for web login. Enabling it has no effect on token-based login. Right?
Thanks /tommy
-
0
Hi,
Actually 2FA is implemented in Token auth as well, see <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L136">https://github.com/aspnetzero/aspnet-ze ... er.cs#L136</a>.
You can check the angular app to see how it works. If a 2FA token is required, the API returns RequiresTwoFactorVerification = true. Then, the user needs to pass TwoFactorVerificationCode (<a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Models/TokenAuth/AuthenticateModel.cs#L18">https://github.com/aspnetzero/aspnet-ze ... del.cs#L18</a>) to TokenAuthController's Authenticate action again.
-
0
<cite>ismcagdas: </cite> Hi,
Actually 2FA is implemented in Token auth as well, see <a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Controllers/TokenAuthController.cs#L136">https://github.com/aspnetzero/aspnet-ze ... er.cs#L136</a>.
You can check the angular app to see how it works. If a 2FA token is required, the API returns RequiresTwoFactorVerification = true. Then, the user needs to pass TwoFactorVerificationCode (<a class="postlink" href="https://github.com/aspnetzero/aspnet-zero-core/blob/dev/aspnet-core/src/MyCompanyName.AbpZeroTemplate.Web.Core/Models/TokenAuth/AuthenticateModel.cs#L18">https://github.com/aspnetzero/aspnet-ze ... del.cs#L18</a>) to TokenAuthController's Authenticate action again.
@ismcagdas the link you provided is for the implementation in the aspnetzero core template, but in our case we are using the non-core template.
We ended up having to implement 2FA by leveraging the libraries provided by Identity Framework, taking the 2FA of the web login as reference and reimplementing UserDeviceManager and MobileSignInManager under the WebApi project.
Thanks. /tommy
-
0
<cite>alper: </cite> Hi,
How will you implement the 2 factor authentication with OAuth Token based ?
@alper I need to retract my previous comment that 2FA was not needed. We ended up having to implement 2FA, adopting the approach implemented in ANZ (non-core) under the WebApi project.
One thing we discovered is that the 2FA token length is hard-coded to 6 digits and the expiry time to 3 minutes.
We had to build a custom table to handle expiration.
We also realized the existing codes reference to 2FA cookies. Shall we be concerned about this?
Thanks /tommy
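The two-step Authenticate flow described earlier in this thread (first call returns RequiresTwoFactorVerification = true, second call carries TwoFactorVerificationCode), written here as an added example for the non-core template on ASP.NET Identity 2.x. It is not AspNet Zero's TokenAuthController or UserDeviceManager code. Assumptions: TUser is your Identity user type, "EmailCode" is the name under which a two-factor provider was registered on the UserManager, and issueToken wraps the existing OAuthBearerOptions.AccessTokenFormat.Protect(ticket) call from Startup. The 6-digit, 3-minute behaviour mentioned above comes from Identity's built-in EmailTokenProvider and PhoneNumberTokenProvider, whose codes are RFC 6238 time-based codes; registering a different IUserTokenProvider is how you change those values.

```csharp
// Added example (not AspNet Zero code): 2FA inside a stateless token-based Authenticate action,
// using ASP.NET Identity 2.x (Microsoft.AspNet.Identity) and Microsoft.Owin.Security.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

public class AuthenticateModel
{
    public string UserNameOrEmailAddress { get; set; }
    public string Password { get; set; }
    public string TwoFactorVerificationCode { get; set; }   // empty on the first call
}

public class AuthenticateResultModel
{
    public string AccessToken { get; set; }
    public bool RequiresTwoFactorVerification { get; set; }
    public int ExpireInSeconds { get; set; }
}

public class TwoFactorTokenAuth<TUser, TKey>
    where TUser : class, IUser<TKey>
    where TKey : IEquatable<TKey>
{
    private const string TwoFactorProvider = "EmailCode";   // assumed: name used in RegisterTwoFactorProvider
    private readonly UserManager<TUser, TKey> _userManager;
    private readonly Func<ClaimsIdentity, AuthenticationProperties, string> _issueToken;   // assumed: wraps Protect(ticket)
    private readonly TimeSpan _accessTokenLifetime;

    public TwoFactorTokenAuth(UserManager<TUser, TKey> userManager,
        Func<ClaimsIdentity, AuthenticationProperties, string> issueToken, TimeSpan accessTokenLifetime)
    {
        _userManager = userManager;
        _issueToken = issueToken;
        _accessTokenLifetime = accessTokenLifetime;
    }

    public async Task<AuthenticateResultModel> AuthenticateAsync(AuthenticateModel model)
    {
        // The password is checked on every call: the flow is stateless, so the client repeats the
        // credentials together with the code. A code alone must never unlock an account.
        TUser user = await _userManager.FindAsync(model.UserNameOrEmailAddress, model.Password);
        if (user == null)
            throw new UnauthorizedAccessException("Invalid user name or password.");

        if (await _userManager.GetTwoFactorEnabledAsync(user.Id))
        {
            if (string.IsNullOrEmpty(model.TwoFactorVerificationCode))
            {
                // Step 1: send the code, issue NO token, tell the client to call again with the code.
                string code = await _userManager.GenerateTwoFactorTokenAsync(user.Id, TwoFactorProvider);
                await _userManager.NotifyTwoFactorTokenAsync(user.Id, TwoFactorProvider, code);
                return new AuthenticateResultModel { RequiresTwoFactorVerification = true };
            }

            // Step 2: verify. With the built-in providers the code is time-based (RFC 6238), so it
            // expires on its own; a custom provider is the hook for a different length or lifetime.
            if (!await _userManager.VerifyTwoFactorTokenAsync(user.Id, TwoFactorProvider, model.TwoFactorVerificationCode))
                throw new UnauthorizedAccessException("Invalid two-factor verification code.");
        }

        // Only now is an identity built and protected into a bearer token.
        ClaimsIdentity identity = await _userManager.CreateIdentityAsync(user, "Bearer");
        var props = new AuthenticationProperties
        {
            IssuedUtc = DateTimeOffset.UtcNow,
            ExpiresUtc = DateTimeOffset.UtcNow.Add(_accessTokenLifetime)
        };
        return new AuthenticateResultModel
        {
            AccessToken = _issueToken(identity, props),
            ExpireInSeconds = (int)_accessTokenLifetime.TotalSeconds
        };
    }
}
```

Two checks worth keeping when adapting this: the RequiresTwoFactorVerification response must be returned only after the password has been verified, otherwise the endpoint leaks which accounts have 2FA enabled to anyone who knows a user name, and the verification attempts should be rate-limited or counted through UserManager's lockout support, since a 6-digit code is brute-forceable within its validity window if attempts are unlimited.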
-
0
Hi,
We also realized the existing codes reference to 2FA cookies. Shall we be concerned about this?
Why do you think this could create a problem? I can't think of a problem.
-
0
<cite>ismcagdas: </cite> Hi,
We also realized the existing codes reference to 2FA cookies. Shall we be concerned about this?
Why do you think this could create a problem? I can't think of a problem.
@ismcagdas we took the 2FA for the web client and made it work with the mobile client. Cookies are only used by web browsers, from my understanding. Perhaps I wrongly understood this.
Through this conversation, I am glad to know that 2FA is supported for mobile in the aspnetzero core template.
We didn't use the aspnetzero core template that already ships with Xamarin, due to the learning curve on .NET Core and Angular, the new development approach. Hope we are able to make the transition next year.
Thanks. /tommy
-
0
Thanks :)