Add AWS Cognito authentication to a Blazor WebAssembly standalone app
I cannot find a step by step guide for using AWS Cognito in a Blazor WebAssembly standalone app for net 8 Microsoft did produce a https://learn.microsoft.com/en-us/aspnet/core/blazor/security/webassembly/standalone-with-authentication-library?view=aspnetcore-8.0&tabs=visual-studiobut not for Cognito. I did find a very good https://danieldonbavand.com/2024/04/10/securing-digital-identities-streamlining-authentication-with-aws-cognito-in-blazor-net-8-applications/comment-page-1/?unapproved=1695&moderation-hash=19e62c931277bbedb6ae1de7fa29b4d1#respond for adding Cognito but to a Blazor web app which does require a server.On .NET Live - Better paranoid than offline: Secure ASP.NET Core apps
Did you know that nine out of ten web apps have security vulnerabilities? In this week's episode, community MVP Christian Wenz shows us the most common vulnerabilities for ASP.NET Core apps and how to fix them. Featuring: Christian Wenz (@chwenz) #securityAzure Developers - .NET Day 2023
Experience Cloud Computing in Full Force with .NET on Azure. See the full agenda: https://learn.microsoft.com/events/learn-events/azuredeveloper-dotnetday/ As a .NET developer building for the cloud, do you want to stay ahead of the curve and maximize your potential? Join us to discover the latest services and features in Azure designed specifically for .NET developers. You'll learn cutting-edge cloud development techniques that can save you time and money, while providing your customers with the best experience possible. During the event, you'll hear directly from the experts behind the most sought-after cloud services for developers, spanning app development/compute, data services, serverless computing, cloud-native computing, and developer productivity. Don't miss this chance to participate and engage with the team throughout the day. Join us and take your cloud development skills to the next level! #azure #azuredevelopers #azurefunctions #azurecontainerapps #azuredevcli
Combine Google Authentication & JWT Tokens using Cookie Authorization
* Edit: project is only a web-api, front-end will be developed in react(next.js) Hi guys! I'm a TypeScript Fullstack developer and I'm new to .NET and ASP.NET and basically this is one of my first projects using C# and .NET. My project's architecture requires a kind of different than out-of-the-box way of identifying users. I want Google Authentication which will create a local account (which I can relate other entities to) And JWT Tokens (access, refresh) generated and sent as cookies to the client and each protected endpoint to be using these cookies to authorize the requesting user. I haven't figured out a way of implementing this and still using mostly OOTB tools in order to keep modifications little as possible. Any tips and tricks on how to implement it? * Edit2: Just to be clear, I know how to create endpoints, and protected endpoints using the built in identity framework, using roles, etc... Its this combination of Google Auth, generating tokens, sending them to client as cookies basically is where my difficulty relies. * I have almost a blank new project, already set up with only google credentials
Path Traversal Issue
public bool Example (string getinput) { var example = System.Web.Security.AntiXss.AntiXssEncoder.HtmlFormUrlEncode(getinput); } Method Example gets dynamic data from the getinput element. This element’s value then flows through the code and is eventually used in a file path for local disk access in another log file. This may cause a Path Traversal vulnerability. Here we used AntiXssEncoder to the getinput but still we have the path traversal vulnerability is there any solution for that.
Blazor server app with Windows authentication getting 401 unauthorized
I'm building a Blazor server application for an internal company use and using Windows authentication. The app is supposed to field updates from another app via an exposed controller. I am trying to test the controller and getting a 401 unauthorized however I try to hit it (Postman, browser, test Console app, from within the Blazor server app itself, etc.). I'm running .NET 6 and scaffolded the app using Visual Studio and selecting Windows Authentication from the Create Project wizard for Blazor server app. I'm running the app from Visual Studio using IIS Express option. Here is the simple test I set up in the Console app just trying to get a positive response from the controller: public async Task GetUpdateTestTimerResult() { var client = new HttpClient(); client.BaseAddress = new Uri("http://localhost:40871"); var url = "api/updateTest"; var value = await JsonSerializer.DeserializeAsync (await client.GetStreamAsync(url), new JsonSerializerOptions() { PropertyNameCaseInsensitive = true }); return value; } I've tried setting the AllowAnonymous attribute on the controller but no dice there. How do I expose a controller that will allow an outside application (also internal to the company/on premises) access?
.Net 8 web API with identity Bearer token
I am using .NET 8 Bearer Token not JWT token and I want to check if it is expired from my client app. Is there any way I can decode it or at least check if it is expired or not? Is there a way I can create a service that decode the token or check it is expired or no? Also, how can I know what is the secret key of the token? Program.cs: using EmployeeManagement.Database; using EmployeeManagement.Entities; using EmployeeManagement.Shared.Common; using EmployeeManagement.Shared.Configrations; using EmployeeManagement.Shared.Services.Department; using EmployeeManagement.Shared.Services.Employee; using EmployeeManagement.Shared.Services.UserRole; using EmployeeManagement.Shared.Services.VacationRequests; using FluentValidation; using FluentValidation.AspNetCore; using Microsoft.AspNetCore.Authentication.Certificate; using Microsoft.AspNetCore.Hosting; using Microsoft.AspNetCore.Identity; using Microsoft.EntityFrameworkCore; using Microsoft.Extensions.DependencyInjection; using Microsoft.OpenApi.Models; using Swashbuckle.AspNetCore.Filters; var builder = WebApplication.CreateBuilder(args); // Add services to the container. builder.Services.AddControllers(); // Learn more about configuring Swagger/OpenAPI at https://aka.ms/aspnetcore/swashbuckle builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(options => { options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme { In = ParameterLocation.Header, Name = "Authorization", Type = SecuritySchemeType.ApiKey }); options.OperationFilter<SecurityRequirementsOperationFilter>(); }); builder.Services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection") ?? throw new InvalidOperationException( "Connection string Not found"))); builder.Services.AddAuthorization(); builder.Services.AddIdentityApiEndpoints<ApplicationUser>() .AddRoles<IdentityRole>() .AddEntityFrameworkStores<ApplicationDbContext>(); builder.Services.AddAuthentication().AddJwtBearer(); builder.Services.AddCors(options => { options.AddPolicy("AllowOrigin", options => options.AllowAnyOrigin().AllowAnyHeader().AllowAnyMethod()); }); builder.Services.AddAutoMapper( typeof(EmployeeMapperConfig), typeof(UserRoleReMapperConfig), typeof(DepartmentMapperConfig), typeof(VacationRequestsMapperConfig), typeof(ApplicationUserMapperConfig) ); builder.Services.AddScoped<IEmployeeService, EmployeeService>(); builder.Services.AddScoped<IUserRole, UserRoleService>(); builder.Services.AddScoped<IDepartmentService, DepartmentServices>(); builder.Services.AddScoped<IVacationRequestsService, VacationRequestsService>(); builder.Services.AddFluentValidation(); builder.Services.AddValidatorsFromAssemblyContaining<IAssemblyMarker>(); var app = builder.Build(); // Configure the HTTP request pipeline. if (app.Environment.IsDevelopment()) { app.UseSwagger(); app.UseSwaggerUI(); } app.MapIdentityApi<ApplicationUser>(); app.UseCors(options => options.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader()); app.UseHttpsRedirection(); app.UseAuthorization(); app.MapControllers(); app.Run(); Angular app: Here I got an exception when I decode the Toke, the exception shows that the token is not in a proper JWT format, because it is Bearer token not a JWT. I want to create my own API and call it here to validate the Token. import { HttpInterceptorFn } from '@angular/common/http'; import { inject } from '@angular/core'; import { jwtDecode } from 'jwt-decode'; import { EmployeeManagementWebAPIService } from '../api/employee-management-web-api.service'; import { RefreshRequest } from '../model/refresh-request'; import { Router } from '@angular/router'; export const tokenInterceptorInterceptor: HttpInterceptorFn = (req, next) => { console.log("tokenInterceptorInterceptor+++"); let authService = inject(EmployeeManagementWebAPIService); let router = inject(Router); const AccessToken = localStorage.getItem('AccessToken'); const RefreshToken = localStorage.getItem('RefreshToken'); if (AccessToken) { console.log("tokenInterceptorInterceptor++999+"+AccessToken); try{ let decodedToken = jwtDecode(AccessToken); console.log("decodedToken+++" + decodedToken); const isExpired = decodedToken && decodedToken.exp ? decodedToken.exp < Date.now() / 1000 : false; if (isExpired) { console.log('token is expired'); const refreshRequest: RefreshRequest = { refreshToken: RefreshToken, }; authService.refreshPost(refreshRequest).subscribe( (newToken: any) => { localStorage.setItem('AccessToken', newToken); req.clone({ setHeaders: { Authorization: `Bearer ${newToken}`, 'Content-Type': 'application/json', // Set content type here }, }); console.log('Refresh token successful:', newToken); }, (error) => { // Handle error response here localStorage.removeItem("AccessToken"); router.navigateByUrl('/login'); console.error('Error refreshing token:', error); } ); } else{ console.error('Token not expired'); } }catch(e){ console.log("invalid token" , e); localStorage.removeItem("AccessToken"); router.navigateByUrl('/login'); } } else{ console.error('Token Not found'); router.navigateByUrl('/login'); } return next(req); }; my login response: { "tokenType": "Bearer", "accessToken": "", "expiresIn": 3600, "refreshToken": "" }
Threading problems in SignalR Hub
Hello, I implemented a SignalR Hub to make a game server. The idea is that when a room is full (4 people in it) I run a new game. A game: 1. We notify everybody 2. The first player send one data. 3. We switch to next one 4. while the game isn't finished: Ask the current player two data. Switch to next player My problem is that with that simple system, once the client sent the data, the server do nothing, that's why I think there is a data race somewhere that I don't see. Here is my https://github.com/mehdi-arch/okeygameserver in OkeyServer/ you have the server code, in OkeyScript/ you have all the functions needed for game logic. Thanks in advance for your help.
No Registered Service for IEmailSender
Hello all, I am using ASP.Net Core Web API (.Net Core 😎 to create a web app and API, when i added default Identity and Areas Pages i am getting an error for IEmailSender Service not beeing registered even though i dont need and have registered a mock class for it. Thank you Program.cs using Microsoft.AspNetCore.Identity; using Microsoft.OpenApi.Models; using Microsoft.EntityFrameworkCore; using ProMateAPI.Data; using ProMate.Library; using Swashbuckle.AspNetCore.Filters; using ProMateAPI.Utility; using Microsoft.AspNetCore.Identity.UI.Services; using Microsoft.Extensions.DependencyInjection; var builder = WebApplication.CreateBuilder(args); // Add services to the container. var connectionString = builder.Configuration.GetConnectionString("DefaultConnection") ?? throw new InvalidOperationException("Connection string 'DefaultConnection' not found."); builder.Services.AddDbContext<ApplicationDbContext>(options => options.UseSqlServer(connectionString)); builder.Services.AddDatabaseDeveloperPageExceptionFilter(); // this would be enabled if we only needed the defaults for users and such //builder.Services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true) // .AddEntityFrameworkStores<ApplicationDbContext>(); // builder.Services.AddDbContext<TContext>(options => options.UseSqlServer(builder.Configuration.GetConnectionString("Default"))); builder.Services.AddDbContext<ProMateContext>(); builder.Services.AddControllersWithViews(); builder.Services.AddRazorPages(); builder.Services.AddEndpointsApiExplorer(); builder.Services.AddSwaggerGen(options => { options.AddSecurityDefinition("oauth2", new OpenApiSecurityScheme { In = ParameterLocation.Header, Name = "Authorization", Type = SecuritySchemeType.ApiKey, }); options.OperationFilter<SecurityRequirementsOperationFilter>(); }); /* * options => { options.SignIn.RequireConfirmedAccount = false; options.SignIn.RequireConfirmedAccount = false; } * * */ builder.Services.AddScoped<IEmailSender, MyEmailSender>(); builder.Services.AddIdentity<IdentityUser, IdentityRole>().AddEntityFrameworkStores<ApplicationDbContext>(); ////builder.Services.AddIdentityApiEndpoints<IdentityUser>().AddEntityFrameworkStores<ApplicationDbContext>(); builder.Services.AddAuthentication(); builder.Services.AddAuthorization(); var app = builder.Build(); // Configure the HTTP request pipeline. if (app.Environment.IsDevelopment()) { app.UseSwagger(); app.UseSwaggerUI(); app.UseMigrationsEndPoint(); } else { app.UseExceptionHandler("/Home/Error"); // The default HSTS value is 30 days. You may want to change this for production scenarios, see https://aka.ms/aspnetcore-hsts. app.UseHsts(); } app.MapIdentityApi<IdentityUser>(); app.UseHttpsRedirection(); app.UseStaticFiles(); app.UseRouting(); app.UseAuthorization(); app.MapControllerRoute( name: "default", pattern: "{controller=Home}/{action=Index}/{id?}"); app.MapRazorPages(); app.Run(); ------------- MyEmailSender.cs using Microsoft.AspNetCore.Identity; using Microsoft.AspNetCore.Identity.UI.Services; using System; using System.Collections.Generic; using System.Linq; using System.Net.Mail; using System.Text; using System.Threading.Tasks; namespace ProMateAPI.Utility; public class MyEmailSender : IEmailSender { public Task SendEmailAsync(string email, string subject, string htmlMessage) { return Task.CompletedTask; } } ----------------- Register.html.cs // Licensed to the .NET Foundation under one or more agreements. // The .NET Foundation licenses this file to you under the MIT license. #nullable disable using System; using System.Collections.Generic; using System.ComponentModel.DataAnnotations; using System.Linq; using System.Text; using System.Text.Encodings.Web; using System.Threading; using System.Threading.Tasks; using Microsoft.AspNetCore.Authentication; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Identity; using Microsoft.AspNetCore.Identity.UI.Services; using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Mvc.RazorPages; using Microsoft.AspNetCore.WebUtilities; using Microsoft.Extensions.Logging; using ProMateAPI.Utility; namespace ProMateAPI.Areas.Identity.Pages.Account { public class RegisterModel : PageModel { private readonly SignInManager<IdentityUser> _signInManager; private readonly UserManager<IdentityUser> _userManager; private readonly RoleManager<IdentityRole> _roleManager; private readonly IUserStore<IdentityUser> _userStore; private readonly IUserEmailStore<IdentityUser> _emailStore; private readonly ILogger<RegisterModel> _logger; //private readonly IEmailSender _emailSender; // IEmailSender emailSender public RegisterModel( UserManager<IdentityUser> userManager, RoleManager<IdentityRole> roleManager, IUserStore<IdentityUser> userStore, SignInManager<IdentityUser> signInManager, ILogger<RegisterModel> logger ) { _userManager = userManager; _roleManager = roleManager; _userStore = userStore; _emailStore = GetEmailStore(); _signInManager = signInManager; _logger = logger; //_emailSender = emailSender; } /// <summary> /// This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used /// directly from your code. This API may change or be removed in future releases. /// </summary> [BindProperty] public InputModel Input { get; set; } /// <summary> /// This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used /// directly from your code. This API may change or be removed in future releases. /// </summary> public string ReturnUrl { get; set; } /// <summary> /// This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used /// directly from your code. This API may change or be removed in future releases. /// </summary> public IList<AuthenticationScheme> ExternalLogins { get; set; } /// <summary> /// This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used /// directly from your code. This API may change or be removed in future releases. /// </summary> public class InputModel { /// <summary> /// This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used /// directly from your code. This API may change or be removed in future releases. /// </summary> [Required] [EmailAddress] [Display(Name = "Email")] public string Email { get; set; } /// <summary> /// This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used /// directly from your code. This API may change or be removed in future releases. /// </summary> [Required] [StringLength(100, ErrorMessage = "The {0} must be at least {2} and at max {1} characters long.", MinimumLength = 6)] [DataType(DataType.Password)] [Display(Name = "Password")] public string Password { get; set; } /// <summary> /// This API supports the ASP.NET Core Identity default UI infrastructure and is not intended to be used /// directly from your code. This API may change or be removed in future releases. /// </summary> [DataType(DataType.Password)] [Display(Name = "Confirm password")] [Compare("Password", ErrorMessage = "The password and confirmation password do not match.")] public string ConfirmPassword { get; set; } } public async Task OnGetAsync(string returnUrl = null) { // creates missing roles if (!_roleManager.RoleExistsAsync(SD.Roles.Customer.ToString()).GetAwaiter().GetResult()) { foreach (var r in Enum.GetValues(typeof(SD.Roles))) { _roleManager.CreateAsync(new IdentityRole(r.ToString())).GetAwaiter().GetResult(); } } ReturnUrl = returnUrl; ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList(); } public async Task<IActionResult> OnPostAsync(string returnUrl = null) { returnUrl ??= Url.Content("~/"); ExternalLogins = (await _signInManager.GetExternalAuthenticationSchemesAsync()).ToList(); if (ModelState.IsValid) { var user = CreateUser(); await _userStore.SetUserNameAsync(user, Input.Email, CancellationToken.None); await _emailStore.SetEmailAsync(user, Input.Email, CancellationToken.None); var result = await _userManager.CreateAsync(user, Input.Password); if (result.Succeeded) { _logger.LogInformation("User created a new account with password."); var userId = await _userManager.GetUserIdAsync(user); var code = await _userManager.GenerateEmailConfirmationTokenAsync(user); code = WebEncoders.Base64UrlEncode(Encoding.UTF8.GetBytes(code)); var callbackUrl = Url.Page( "/Account/ConfirmEmail", pageHandler: null, values: new { area = "Identity", userId = userId, code = code, returnUrl = returnUrl }, protocol: Request.Scheme); //await _emailSender.SendEmailAsync(Input.Email, "Confirm your email", // $"Please confirm your account by <a href='{HtmlEncoder.Default.Encode(callbackUrl)}'>clicking here</a>."); if (_userManager.Options.SignIn.RequireConfirmedAccount) { return RedirectToPage("RegisterConfirmation", new { email = Input.Email, returnUrl = returnUrl }); } else { await _signInManager.SignInAsync(user, isPersistent: false); return LocalRedirect(returnUrl); } } foreach (var error in result.Errors) { ModelState.AddModelError(string.Empty, error.Description); } } // If we got this far, something failed, redisplay form return Page(); } private IdentityUser CreateUser() { try { return Activator.CreateInstance<IdentityUser>(); } catch { throw new InvalidOperationException($"Can't create an instance of '{nameof(IdentityUser)}'. " + $"Ensure that '{nameof(IdentityUser)}' is not an abstract class and has a parameterless constructor, or alternatively " + $"override the register page in /Areas/Identity/Pages/Account/Register.cshtml"); } } private IUserEmailStore<IdentityUser> GetEmailStore() { if (!_userManager.SupportsUserEmail) { throw new NotSupportedException("The default UI requires a user store with email support."); } return (IUserEmailStore<IdentityUser>)_userStore; } } }Generate custom PasswordHash with Microsoft.AspNet.Identity
Hi , I'm using VS2022 and I want to override the Default PasswordHash. I want to include when the user is created in the Hash Password the username for example. I found some code but it is for the Core. And I'm not using the core I have created a MyCustomPasswordHash which inherits from IPasswordHasher. But it doesn't contain the user. If I override the methods it contains only the passwords. Is it possible to override the default behavior of PasswordHash and make it work in Microsoft.AspNet.Identity.Owin ???
