Hi Nick,
Did you manage to make further progress on this?
Thanks. /tommy
@ismcagdas thank you for the responses. Fully noted that aspnetzero does not use OAuth token.
For 2FA in aspnetzero, I presume the implementation only works for web login. Enabling it has no effect on token-based login. Right?
Thanks /tommy
Hi @alper, thanks.
<cite>tteoh: </cite> @alper based on aspnetzero documentation, it only mentions token-based authentication. Could you pls elaborate how 2FA comes into play on this particular use case?
Do you mean that if I enable 2FA for web login, it will also be activated for token-based login?
Thanks for the confirmation on OAuth token replacing aspnetzero token.
Thanks, /tommy
@alper could you pls clarify relation between the 2FA and token based authentication of current aspnetzero behavior?
Thanks. /tommy
@alper based on aspnetzero documentation, it only mentions token-based authentication. Could you pls elaborate how 2FA comes into play on this particular use case?
Do you mean that if I enable 2FA for web login, it will also be activated for token-based login?
Thanks for the confirmation on OAuth token replacing aspnetzero token.
Thanks, /tommy
Hi Nick,
Could you be more specific about which ASP.Net Zero template you are using? Please check: https://aspnetzero.com/Documents/Version-Differences
As you can see, IdentityServer is only part of the ASP.Net Core template. Would like to confirm your question.
I am having a similar requirement to authenticate with external system when logging into ASP.Net Zero (MVC5AJ1 template) and if external authentication is successful, then allow access to the application else login fails.
The other scenario would be the "First-time Login" of the user. I am thinking of allowing the existing flow of using a Social user account: automatically insert the user account in the AbpUser table and then grant access if the external authentication succeeds.
Look forward to further guidance from Support.
Thanks. /Tommy
<cite>alper: </cite> Hi,
How will you implement the 2 factor authentication with OAuth Token based?
@alper For now, there is no 2-Factor requirement and we do not foresee one in the future either. But mainly on "Refresh Token" to further enhance the existing MVC5AJ1 Token-based Authentication to ensure the Mobile Client is NOT provided with a long-lived Access Token but a short-lived one with a Refresh Token. From my research, this is quite a standard practice; however, it's missing from ASPNet Zero at this moment.
There is still one thing that has puzzled me until now despite the explanation given so far. What's the difference between the Access Token generated from ASPNet Zero using "OAuthBearerOptions.AccessTokenFormat.Protect(ticket)" and the one that's being generated based on OAuth that implements an Authentication Provider ("OAuthAuthorizationServerProvider") that uses "GrantResourceOwnerCredentials"?
Especially, how these two tokens are affecting the Roles and Permissions set in ASPNet Zero?
We successfully implemented OAuth token. Using Postman, the Roles/Permissions assigned to the same user based on endpoints:
Both seem to behave the same way based on simple test cases. We will be very grateful if you have additional sharing.
We have to continue on with "Refresh Token" that is straining the progress right now.
Thanks. /Tommy
<cite>aaron: </cite>
<cite>tteoh: </cite> Glad you are considering Refresh Token for ASPNetZero and I presume it is not ASPNetZero Core.
As stated in Version Differences:
new major features will be implemented for ASP.NET Core version (.NET Core & full .NET Framework).
@aaron, thanks for providing the link on the version difference. It certainly helps to understand the differences between .net core and non-core.
Thanks. /Tommy
@ismcagdas We managed to implement OAuth Token based on the articles mentioned in the original message. My concern was whether the OAuth token behaves the same way as the ASPNetZero token when calling Web API/Dynamic Web API being authorized in ASPNetZero. Based on our testing using Postman, both tokens provide the same test result.
Glad you are considering Refresh Token for ASPNetZero and I presume it is not ASPNetZero Core. You might want to check out this article: http://bitoftech.net/2014/07/16/enable-oauth-refresh-tokens-angularjs-app-using-asp-net-web-api-2-owin/. We are attempting to implement this pattern.
Wouldn't you consider the Refresh Token of ASPNetZero Core with Xamarin be applied to ASPNetZero?
Thanks. /Tommy
Dear Support,
Urgently, appreciate your advice as this will impact a project that we will be undertaking.
I have checked the standard asp.net web api with individual account (membership), which differs from the way token is generated by aspnetzero.
Appreciate your inputs on why aspnetzero has a different implementation when it comes to token generation.
As mentioned earlier, the goal is to implement a Refresh Token mechanism to existing aspnetzero /Authenticate end point.
Thanks.