Authenticating with my company's JWT-serving OAuth server

  • Question

  • User149323285 posted

    Forgive how new I am to this concept. I have an app (Asp.Net web forms using the built-in forms authentication currently) that my company wants to migrate the authentication/authorization aspects of to their sphere authorization/authentication services.

    What I've been told is their server utilizes JWT tokens, and for the most part complies with the Oauth standard. They have provided me with "endpoints": A "public key" endpoint, a "Users" endpoint that provides information about users etc. Also, I've been provided with a login to redirect to (e.g. https://accounts.services.qa2.qa.mycompany.com/login)

    I'm thinking/hoping I don't have to write custom methods to utilize these endpoints etc. and that I can use some middleware such as app.UseOAuthAuthorizationServer to connect my app to their auth services. Problem is most of the documentation I'm reading points to well-known 3rd parties with their own middleware for this such as facebook, twitter, google etc.

    So long story short is I don't even know the right question to ask. Has anyone been here before? Can you point me to code samples or documentation that might help me do what I'm trying to do here? Any guidance would be greatly appreciated.

    Monday, September 24, 2018 4:20 PM

All replies

  • User475983607 posted

    There is no easy answer to this question. The first step is learning OAuth. You need to know what you're securing, what flows you're supporting, and what your clients are; i.e. a browser, code?

    There's a build your own OAuth server in the learn links above which should help with the basic concepts you'll need.  Start there...

    https://docs.microsoft.com/en-us/aspnet/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

    I'm thinking/hoping I don't have to write custom methods to utilize these endpoints etc. and that I can use some middleware such as app.UseOAuthAuthorizationServer to connect my app to their auth services. Problem is most of the documentation I'm reading points to well-known 3rd parties with their own middleware for this such as facebook, twitter, google etc.

    You have to read the "sphere authorization/authentication" reference documents so you know what features the service exposes and what features you need in the app.

    If we assume a browser client and a super basic flow, then you'll redirect the browser to a login page and pass along information in the URL which identifies your application with the OAuth services. The user will login and the service will redirect back to your app where you'll validate the JWT. On success, create an auth cookie to authenticate the user. Authorization is another feature but requires further analysis on your side.

    Monday, September 24, 2018 6:19 PM
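    A worked version of the "validate the JWT, then create an auth cookie" step described in the reply above, added here as an example and not code from any participant in this thread. It assumes the company's "public key" endpoint returns a JWKS document, and the endpoint path, issuer and audience values are placeholders to be replaced from the service's documentation.

```csharp
// Added example: validate the JWT handed back after the login redirect,
// then issue the Web Forms app's own forms-auth cookie.
// NuGet: System.IdentityModel.Tokens.Jwt (pulls in Microsoft.IdentityModel.Tokens).
using System;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Security;
using Microsoft.IdentityModel.Tokens;
using System.IdentityModel.Tokens.Jwt;

public static class SphereTokenValidator
{
    // Placeholder values (assumed); take the real ones from the service docs.
    private const string JwksUrl = "https://accounts.services.qa2.qa.mycompany.com/PUBLIC-KEY-ENDPOINT";
    private const string ExpectedIssuer = "https://accounts.services.qa2.qa.mycompany.com";
    private const string ExpectedAudience = "my-web-forms-app"; // client id issued to this app

    // Returns the validated principal, or throws SecurityTokenException on any failure.
    public static ClaimsPrincipal Validate(string jwt)
    {
        string jwksJson;
        using (var http = new HttpClient())
            jwksJson = http.GetStringAsync(JwksUrl).GetAwaiter().GetResult();

        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true,           // reject tokens minted by anyone else
            ValidIssuer = ExpectedIssuer,
            ValidateAudience = true,         // reject tokens issued for another app
            ValidAudience = ExpectedAudience,
            ValidateLifetime = true,         // enforce exp / nbf
            ClockSkew = TimeSpan.FromMinutes(2),
            ValidateIssuerSigningKey = true, // signature must verify against a published key
            IssuerSigningKeys = new JsonWebKeySet(jwksJson).Keys,
            ValidAlgorithms = new[] { SecurityAlgorithms.RsaSha256 }, // no "none", no HMAC
        };

        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }

    // Called from the redirect-back page: the forms-auth cookie is issued only after
    // validation succeeds, so the rest of the Web Forms app keeps working unchanged.
    public static void SignInFromToken(string jwt)
    {
        var principal = Validate(jwt);
        var userName = principal.FindFirst("sub")?.Value
                       ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (string.IsNullOrEmpty(userName))
            throw new SecurityTokenException("Token carries no subject claim.");
        FormsAuthentication.SetAuthCookie(userName, createPersistentCookie: false);
    }
}
```

    Fetching the JWKS on every request is shown for brevity; in a real deployment cache it and refresh it when an unknown key id appears.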
  • User1724605321 posted

    Hi jmhooten,

    You can first learn the OAuth 2.0 specification from the link below:

    https://tools.ietf.org/html/rfc6749#section-4.1 

    Based on your requirements, you could choose different flows to complete the authentication/authorization. The OAuth 2.0 authorization code flow is described in section 4.1 of the OAuth 2.0 specification. It is used to perform authentication and authorization in most application types, including web apps and natively installed apps. Check the document and learn how the OAuth protocol works. After that, you could manually redirect the user to the IDP's login page or use OWIN OAuth middleware to implement your OAuth 2.0 Authorization Server in asp.net.

    Best Regards,

    Nan Yu

    Tuesday, September 25, 2018 5:31 AM