Using OAuth 2.0 with Windows Authentication

  • Question

  • User-883196730 posted

    I am writing a Web API that must be accessed both from an internet application and from a desktop application.  Since we are moving our application to the internet eventually, the simplest way I can see doing this is to write a web front end (probably a SPA) that can be viewed in a browser window within our WPF application, as well as viewed over the internet. Since there is very sensitive data that will be obtained through this application, I thought that using OAuth 2.0 would be the best form of security.  All of our users are already in Active Directory, so I wrote a custom OAuthAuthorizationServerProvider that checks the user's credentials against AD and then returns a token if they are valid.  This works perfectly for anyone logging into our system with their username and password.  However, if this application is contained within our desktop application, we would like to have it validate automatically.  Obviously, I can get the user's identity with WindowsIdentity, but that only gives me the username--not the password.  I could try adding other information into the header so that my server provider could try to determine if this came from our local domain, but I was afraid this could be hacked easily.  Also, I could try setting up the web.config file to use Windows authentication, but would that prevent the application from running externally?  

    Thanks for any suggestions on how to set this up!!

    Monday, January 19, 2015 10:58 AM
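
An added example, not code from the original post: a minimal sketch of the kind of provider the question describes, an OWIN `OAuthAuthorizationServerProvider` that issues a token only after validating the submitted username and password against Active Directory. The class name `AdAuthorizationServerProvider` and the domain `CORP.EXAMPLE` are assumptions; the decision rests only on the AD bind, never on client-supplied headers.

```csharp
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.OAuth;

// Hypothetical provider name; the domain below is a placeholder.
public class AdAuthorizationServerProvider : OAuthAuthorizationServerProvider
{
    private const string Domain = "CORP.EXAMPLE"; // assumption: replace with your AD domain

    public override Task ValidateClientAuthentication(
        OAuthValidateClientAuthenticationContext context)
    {
        // No client secret is used in this sketch; every client is accepted
        // and the user's own credentials are checked in the grant below.
        context.Validated();
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(
        OAuthGrantResourceOwnerCredentialsContext context)
    {
        // Reject blank input before it reaches the directory.
        if (string.IsNullOrWhiteSpace(context.UserName) ||
            string.IsNullOrEmpty(context.Password))
        {
            context.SetError("invalid_grant", "Invalid credentials.");
            return Task.FromResult(0);
        }

        bool valid;
        using (var ad = new PrincipalContext(ContextType.Domain, Domain))
        {
            // The only input that decides the outcome is the AD credential check.
            valid = ad.ValidateCredentials(context.UserName, context.Password);
        }

        if (!valid)
        {
            // Same message for unknown user and wrong password.
            context.SetError("invalid_grant", "Invalid credentials.");
            return Task.FromResult(0);
        }

        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        context.Validated(identity); // the OWIN middleware issues the bearer token
        return Task.FromResult(0);
    }
}
```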

Answers

  • User-734925760 posted

    Hi,

    So far as I know, if you set Windows authentication, it will prevent the application from running externally. Also, you can try to use AD.

    There is a document about using AD, please refer to the link below:

    http://msdn.microsoft.com/en-us/library/dn633593.aspx

    Hope it's useful for you.

    Best Regards,

    Michelle Ge

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, January 20, 2015 3:14 AM

All replies

  • User-883196730 posted

    Thanks!  I was hoping that somehow I could write a custom OAuthAuthorizationServerProvider that would be able to distinguish between a bearer token and the token sent through Windows authentication.  As I initially have the user's password when they log into the desktop application, I can save that in memory and pass it along if this new application is called.  I had hoped not to use the password other than in the initial login, but it should be okay. Unfortunately, we do not have Windows Server 2012, so the other options I have seen do not seem feasible. 

    Tuesday, January 20, 2015 11:49 AM