Posted on

Token based authentication in ASP.NET Web API

Token based authentication

Nella “Token based authentication”, l’applicazione client invia prima una richiesta all’endpoint del server di autenticazione con le credenziali dell’utente; se il nome utente e la password sono corretti, il server di autenticazione invia un token al client come risposta. Questo token contiene dati sufficienti per identificare un determinato utente e un tempo di scadenza. L’applicazione client utilizza quindi il token per accedere alle risorse nelle richieste successive fino a quando il token risulta ancora valido (non scaduto).

Classe per validare le richieste del client

Aggiungete una classe come questa :

using Microsoft.Owin.Security.OAuth;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity.Owin;


namespace Mysite.Helpers
{
    public class MysiteAuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            context.Validated(); // 
        }

        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
            var user = await userManager.FindAsync(context.UserName, context.Password);
            if (user == null)
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return;
            }
            ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager,
            OAuthDefaults.AuthenticationType);

            context.Validated(oAuthIdentity);
        }
    }
}

Per attivare questa classe andate nel file App_Start/Startup.Auth.cs e aggiungete alla fine del metodo ConfigureAuth questo codice

var myProvider = new  MysiteAuthorizationServerProvider();
            OAuthAuthorizationServerOptions options = new OAuthAuthorizationServerOptions
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
                Provider = myProvider
            };
            app.UseOAuthAuthorizationServer(options);
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

In cui si definisce il link http://mysite/token che restituisce un token di durata 1 giorno.

Dovrete aggiungere nel file il riferimento

using Microsoft.Owin.Security.OAuth;

E’ necessario aggiungere un metodo all’autenticazione. Andate nel file IdentityModel.cs e aggiungete questo metodo :

public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager,
            string authenticationType)
        {
           var userIdentity = await manager.CreateIdentityAsync(this, authenticationType);
           return userIdentity;
        }

TEST CON POSTMAN

Per testare il tutto facilmente potete usare Postman .

Dovrete creare con Postman una chiamata post sul vostro link http://mysite/token. Nell’headers inserite la dicitura che vedete in figura :

Nel Body inserite il tipo di autneticazione (password) il vostro username e la vostra password.

Spingete “Send”. Se tutto ha funzionato riceverete il token

Utilizzo del Token

Una volta che il client ha ricevuto il token lo può utilizzare per tutte le successive operazioni senza dover passare lo username e la password: va passato solo il token che contiene queste informazioni. Facciamo una prova, creando un metodo che richiede autenticazione all’interno di un controller :

using System;
using System.Web.Http;

namespace MySite.Controllers
{
    public class SampleController : ApiController
    {
       [Authorize]
        [HttpGet]
        public IHttpActionResult GetForAuthenticate()
        {
            var identity = (ClaimsIdentity)User.Identity;
            return Ok("Hello " + identity.Name);
        }
   }
}

Usando postman, fate una chiamata GET al link : http://MySite/api/Sample/GetForAuhenticate

Dovrete passare al link il token che avete ottenuto qualche istante prima (nel nostro esempio è valido per 1 giorno). Per farlo in postman aggiungete la chiave Authorization con valore la parola Bearer seguita dal token.

THE END

Posted on

add Web API to an asp.net mvc site

Install the Web API Client Libraries

Use NuGet Package Manager to install the Web API Client Libraries package :

  • Microsoft.AspNet.WebApi.Client
  • Microsoft.AspNet.WebApi.Core
  • Microsoft.AspNet.WebApi.WebHost

Define a Web API Routing Configuration

Add App_Start\WebApiConfig.cs

using System.Web.Http;

class WebApiConfig
{
    public static void Register(HttpConfiguration configuration)
    {
        config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{action}/{id}",
                defaults: new { id = RouteParameter.Optional }
            );
    }
}

Register the WebAPI Routing Configuration

If you added a new WebApiConfig.cs file, you need to register that on your Web Application’s main configuration class.

Import namespace System.Web.Http in Global.asax.cs.

Add this line before the registration of your classic routing

//api routing (before)
GlobalConfiguration.Configure(WebApiConfig.Register);
//existing normal route
RouteConfig.RegisterRoutes(RouteTable.Routes);

Create a sample Web API Controller

Create a new controller

using System;
using System.Web.Http;

namespace MySite.Controllers
{
    public class SampleController : ApiController
    {
       [HttpGet]
       public String Test()
       {
         return "Hello World!";
       }
   }
}

Based on the api routing you should call this method in your browser using

http://MySite/api/Sample/Test

with this result

<string xmlns=”http://schemas.microsoft.com/2003/10/Serialization/”>Hello World!</string>

Posted on Leave a comment

Accessing an IISExpress site from another device

You may need to access your developing site with Visual Studio from another device, for example if you want to test if the site is really responsive. You just need to make some changes.

When you open your site by visual studio, the address displayed is

http://localhost:port_number

, where port_number is the port number assigned to the project by Visual studio / IISExpress.

In your project directory you find the .vs directory. Open the file

your_project_folder\.vs\config\applicationhost.config

Here is the bindings tag. In the example you see a specific port number but you have yours.

<bindings>
 <binding protocol="http" bindingInformation="*:60132:localhost" />
</bindings>

Add a line with the ip of your computer. You can add as many as you want.

<bindings>
 <binding protocol="http" bindingInformation="*:60132:localhost" />
<binding protocol="http" bindingInformation="*:60132:192.168.1.142" />
 </bindings>

Open a dos prompt with Administrator privileges and type the command:

netsh http add urlacl url=http://192.168.1.142:60132/ user=everyone

At this point you have to create a firewall rule for your port. From the prompt prompt, launch the command:

netsh advfirewall firewall add rule name="IISExpress_website1" dir=in protocol=tcp localport=60132 profile=private remoteip=localsubnet action=allow

Now you can see the IISExpress website from any networked device using

http://192.168.1.142:60132/

Unfortunately, with this operation you’ll no more control the site using http://localhost:60132 because you need administrator privilege to use the port 60132. So you have two possibilities : first open Visual Studio with Administrator privileges; second, delete this acl:

netsh http delete urlacl url=http://192.168.1.142:60132/
Posted on Leave a comment

ASP.NET MVC: DEPLOY OF A SITE

Visual Studio allows us to publish our web site on a web server in the lan (intranet) or on an external web server, for example hosted on Azure.

In the situation of a server on the lan, you have created, through IIS, a site that resides on a certain directory, empty now, on a web server. Otherwise you have already prepared an external site.

In Visual Studio, in the right panel called “Solution Explorer” we click with the right mouse button on our project and select the “Publish” option. The “Publish” window: there are, on the left, the fourth step to do for publication.

Profile

Go to the drop down menu at the top center and choose “New Custom Profile”. Invent the name of this profile. Once inserted, you will go directly to the next step.

Connection with “Web Deploy”

Publish Metod : choose “Web Deploy”  whether you publish your site on a server on the lan, both in an external server.

Server (web server in lan) : http://myserver

Server (external, es Azure): mysite.azurewebsites.net:443

Site name (web server in lan) : name of the directory in which it is to be the site

Site name (external, es Azure) : es. mysite

User Name e Password (web server in lan) : put a administrator user of the server machine. If the machine is in a domain,  use a local administrator.

User Name e Password (esterno) : ftp user

Destination Url : web site address. es : http://……………..

Settings

In this tab the program reads from we.config the database connection strings. If your target site database is different, you need to specify the right connection. The publication will replace the target strings to the source strings. We will see later that there is a method to insert in the web.config further changes to the web.config of origin.

Preview

Here you can see the files that will be sent to the destination that is the new files or changed since the last submission. And you can publish your site!


web.config configuration

Our destination website may have other special features, specified in web.config, different from the starting site, as well as database connection strings. We can create a specific web.config for each deployment.

Position  the mouse on the project. In the “Properties”, find the directory “PublishProfiles” which contains previously saved data. Here you will find a .pubxml files for each of the deployment that you have created. Go to the file you need, push the right mouse button and select “Add Config Transform”.

If you go in the web.config you will see that there is an additional file named as your deployment. Let’s see some examples of what you can do with the tag that you set within the <configuration>

<connectionStrings>
 <add name="MyDB"
 connectionString="Data Source=ReleaseSQLServer;Initial Catalog=MyReleaseDB;Integrated Security=True"
 xdt:Transform="SetAttributes" xdt:Locator="Match(name)"/>
 </connectionStrings>

this stringa substitutes (xdt:Transform=”SetAttributes”) the attributes of the tag named  (xdt:Locator=”Match(name)) “MyDB” with these.

<appSettings><add key="myemail" value="info@contoso.com" xdt:Transform="SetAttributes" xdt:Locator="Match(key)"/></appSettings>

this stringa substitutes the attributes (xdt:Transform=”SetAttributes”) of the tag with key (xdt:Locator=”Match(key)) “myemai” with these.

<system.net>
 <mailSettings xdt:Transform="Replace">
 <smtp deliveryMethod="Network" ........................
 </smtp>
 </mailSettings>
 </system.net>

This string transform (xdt:Transform=”Replace”) entire tag mailSettings and its content.

Posted on

ASP.NET MVC EMAIL FROM SITE AND FORGOT PASSWORD

Our site needs to send emails to its users, for example when the user forgets the password. To do this comes to the rescue System.Net.Mail.SmtpClient class.

This class automatically uses the SMTP server settings stored in the Web.config file. You just have to add to that file the following tags inside the configuration tag:

<system.net>
 <mailSettings>
 <smtp deliveryMethod="Network" from="mail_from">
 <network host="my_smtp_server" port="my_smtp_server_port" userName="user_name_smtp" password="password" clientDomain="my_domain" />
 </smtp>
 </mailSettings>
 </system.net>

FORGOT DIMENTICATA

In the view Account/Login , you can see, bottom, on the left, the link to Account/ForgotPassword that is the page where the user can reset his password.

In the  controller Account, in the action post  “ForgotPassword” you make operational, removing them as a comment, the lines of code dedicated to password recovery.

In the file IdentityConfig.cs, in the function

public Task SendAsync(IdentityMessage message)

and replaced to the line

return Task.FromResult(0);

with the following lines of code

var sentFrom = "myemail@mydomain.com"
 //
 System.Net.Mail.SmtpClient client = new System.Net.Mail.SmtpClient();
 //
 client.EnableSsl = false;

// Create the message:
 var mail =
 new System.Net.Mail.MailMessage(sentFrom, message.Destination);

mail.Subject = message.Subject;
 mail.Body = message.Body;
 mail.IsBodyHtml = true;

// Send:
 return client.SendMailAsync(mail);

You have activated the password recovery