cidaas Interceptor for ASP.NET

Web applications commonly have a restricted area for registered users, and (almost always) another for administrators. This is often based on roles, permissions, and the scopes allowed/defined for those roles. It is thus important that the web application be properly secured. The cidaas API Interceptor makes it easy to set this up in the ASP.NET MVC/Core MVC framework using OpenID Connect (OIDC).

The ASP.NET Core 3.0 templates offer authentication in Single Page Apps (SPAs) using the support for API authorization. ASP.NET Core Identity for authenticating and storing users can be combined with cidaas for implementing OpenID Connect.

This document gives you the step-by-step description of how to integrate cidaas to your ASP.NET web application using the ASP.NET Interceptor.

If you are here, we assume you are already using ASP.NET Core 3.0 and would like to add the cidaas API Interceptor to your ASP.NET MVC or Core MVC app.

Overview - cidaas Interceptor

The cidaas Interceptor works as a custom ActionFilterAttribute. It runs logic before or after a controller action executes, so that authentication and authorization can be enforced for your ASP.NET MVC app.

The cidaas API Interceptor helps implement a custom action filter for authentication and authorization using the ASP.NET MVC framework's base ActionFilterAttribute class.

It makes all aspects of user management easier, more secure, and more scalable on your ASP.NET MVC app. It allows you to create, edit, and securely store user accounts and related data, connect them with your application, and perform user role and scope-based checks during authentication and authorization (permit and deny access) for admin and other users.

For setting up the cidaas Interceptor, you will need to configure OpenID Connect on your ASP.NET app as shown below, and then, complete the configuration on cidaas.

OpenID Connect ASP.NET MVC App Configuration

In this section, you will find the libraries needed to configure the cidaas Interceptor and the project configuration steps to get your client id, client secret and domain details from the cidaas Admin Interface.

Libraries

This web application can be configured using the libraries Microsoft.AspNetCore.Authentication.OpenIdConnect and Microsoft.AspNetCore.Authentication.Cookies.

Project Configuration

Log in to your cidaas Admin UI and navigate to Apps -> App Settings -> Edit App.

From here, copy the following values and make a note of them.

  • ClientId - The client ID of the cidaas application.
  • ClientSecret - The client secret of the cidaas application.

You will need to paste these parameter values to set up the OIDC configuration for your cidaas app in the Startup.cs file.

In your IDE, open up the appsettings.Development.json file and add the following code with the clientId and the clientSecret values pasted here as well.


"cidaas": {
  "ClientId": "{yourClientId}",
  "ClientSecret": "{yourClientSecret}",
  "Domain": "https://{yourcidaasDomain}"
}

You need to paste the ClientId and ClientSecret values again in the AddOpenIdConnect() method.


using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

public void ConfigureServices(IServiceCollection services)
{
    services.AddAuthentication(options =>
    {
        // The cookie keeps the signed-in session; OpenID Connect handles the login challenge.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        options.DefaultSignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Authority is the issuer; discovery metadata is only fetched over HTTPS.
        options.Authority = Configuration["cidaas:Domain"] + "/oauth2/default";
        options.RequireHttpsMetadata = true;
        options.ClientId = Configuration["cidaas:ClientId"];
        options.ClientSecret = Configuration["cidaas:ClientSecret"];
        // Authorization code flow; claims are completed from the userinfo endpoint.
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.GetClaimsFromUserInfoEndpoint = true;
        options.Scope.Add("openid");
        options.Scope.Add("profile");
        // Keep the access and refresh tokens in the authentication properties.
        options.SaveTokens = true;
    });
}

AddOpenIdConnect() enables OpenID Connect and sets the OpenID Connect options. OpenID Connect is told that cookies are the authentication scheme to sign in with, and the remaining values are read from the appsettings.Development.json file. The cidaas Domain value is the path to your default authorization server.

The ResponseType option selects the authorization code flow for authentication. Setting GetClaimsFromUserInfoEndpoint to true means the handler will call the authorization server's userinfo endpoint to populate the user claims.

The scopes added here are the ones you set while creating your cidaas application under App Settings; these include openid and profile. Setting SaveTokens to true stores the access and refresh tokens in the ASP.NET authentication properties.

Finally, OpenID Connect checks if the issuer is valid and matches the Authority value.

In the Configure() method of the Startup class in the Startup.cs file, you need to add two middleware calls.

First, the authentication middleware, which turns on the authentication services. For that, add the following code.


app.UseAuthentication();

Then, the authorization middleware, which turns on the authorization services for the ASP.NET MVC app. Add the following code after UseAuthentication(), as the order of these two calls matters.


app.UseAuthorization();

Your app is now configured to use OAuth2 and OpenID Connect for Authentication and Authorization!

Steps to Integrate the cidaas Interceptor

The steps below will guide you in integrating the cidaas Interceptor into your ASP.NET MVC app.

Web Config file

First, you need to add the following code to your Web.config file.

<appSettings>
    ....
    <add key="user_info_by_token_url" value="{your cidaas url}/token/userinfobytoken" />
    <add key="update_token_check_url" value="{your cidaas url}/token/updateusage" />
    <add key="tokenKey" value="access_token" />
    <add key="updateIntervalInSec" value="5000" />
</appSettings>

Here, insert your cidaas URL into the user_info_by_token_url and update_token_check_url settings. The following ASP.NET MVC properties should also be added.

  1. user_info_by_token_url: The URL of the UserInfo Endpoint, which is part of the OpenID Connect (OIDC) standard and returns claims about the authenticated user.
  2. update_token_check_url: Once the user authenticates successfully, the application is redirected to the redirect_uri with a code as part of the URL: https://YOUR_APP/callback?code=BPPLN3Z4qCTvSNOy. This code is then exchanged for an access token (update_token_check_url) using the /oauth/token endpoint.
  3. tokenKey: The Access Token (JWT) used at the Token Key Endpoint URL for token verification.
  4. updateIntervalInSec: The number of milliseconds to wait before initiating a postback.


Property Details

Field                    Default Value    Required    Max
user_info_by_token_url   ""               Yes         -
update_token_check_url   ""               Yes         -
tokenKey                 "access_token"   No          -
updateIntervalInSec      5000             No          10000


Next, annotate the controller actions you want to protect with the Interceptor attribute, as in the following examples.

Check Scope

This code will allow the GetAllUsers() method on your cidaas app only if the caller's token has the yourbusiness:read and yourbusiness:manage scopes defined.


[Interceptor(Scopes = new String[] { "yourbusiness:read", "yourbusiness:manage" })]
public JsonResult GetAllUsers()
{
    return Json(new { data = repo.getAllUsers() }, JsonRequestBehavior.AllowGet);
}

Check Role

This code will allow the GetAdminUsers() method on your cidaas app only if the caller has the ADMIN role defined.


[Interceptor(Roles = new String[] { "ADMIN" })]
public JsonResult GetAdminUsers()
{
    return Json(new { data = repo.GetAdminUsers() }, JsonRequestBehavior.AllowGet);
}

Check Role and Scope

This code will allow the GetAdminUsers() method on your cidaas app only if the caller has the ADMIN role as well as the yourbusiness:read and yourbusiness:manage scopes defined.


[Interceptor(Roles = new String[] { "ADMIN" }, Scopes = new String[] { "yourbusiness:read", "yourbusiness:manage" })]
public JsonResult GetAdminUsers()
{
    return Json(new { data = repo.GetAdminUsers() }, JsonRequestBehavior.AllowGet);
}

DenyAll

This code blocks access to the GetAdminUsers() method for every caller, regardless of role or scope.

[Interceptor(DenyAll = true)]
public JsonResult GetAdminUsers()
{
    return Json(new { data = repo.GetAdminUsers() }, JsonRequestBehavior.AllowGet);
}

PermitAll

This code allows every caller to access the GetAdminUsers() method without any role or scope check.

[Interceptor(PermitAll = true)]
public JsonResult GetAdminUsers()
{
    return Json(new { data = repo.GetAdminUsers() }, JsonRequestBehavior.AllowGet);
}

Or simply leave out the Interceptor attribute, which has the same effect:

public JsonResult GetAdminUsers()
{
    return Json(new { data = repo.GetAdminUsers() }, JsonRequestBehavior.AllowGet);
}
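To make the Roles, Scopes, DenyAll and PermitAll checks above concrete, here is an illustrative ActionFilterAttribute for ASP.NET Core, added as an example and not the cidaas library's own code. The class name, the claim types "roles" and "scope", and the rule that every listed role and scope must be present are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

// Illustrative filter (assumed names) that evaluates Roles, Scopes, DenyAll and
// PermitAll the way the attributes above are used. Not the cidaas implementation.
[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class)]
public class ExampleInterceptorAttribute : ActionFilterAttribute
{
    public string[] Roles { get; set; } = Array.Empty<string>();
    public string[] Scopes { get; set; } = Array.Empty<string>();
    public bool DenyAll { get; set; }
    public bool PermitAll { get; set; }

    // Assumed claim types: "roles" (one claim per role) and "scope" (space-separated).
    private const string RoleClaim = "roles";
    private const string ScopeClaim = "scope";

    public override void OnActionExecuting(ActionExecutingContext context)
    {
        // DenyAll takes precedence, so a contradictory attribute fails closed.
        if (DenyAll) { context.Result = new StatusCodeResult(403); return; }
        // PermitAll skips every check, exactly like omitting the attribute.
        if (PermitAll) return;

        ClaimsPrincipal user = context.HttpContext.User;
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            context.Result = new UnauthorizedResult(); // 401: no authenticated session
            return;
        }

        var roles = user.FindAll(RoleClaim).Select(c => c.Value)
            .ToHashSet(StringComparer.Ordinal);
        var scopes = user.FindAll(ScopeClaim)
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .ToHashSet(StringComparer.Ordinal);

        // Every listed role and every listed scope must be present; otherwise 403.
        if (!Roles.All(roles.Contains) || !Scopes.All(scopes.Contains))
            context.Result = new StatusCodeResult(403);
    }
}
```

An unauthenticated caller gets 401 and an authenticated caller missing a role or scope gets 403, so a missing or misspelled claim always denies rather than permits.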


Note
Currently, there is no support for JWE.

Congratulations! You have now configured the cidaas Interceptor for your ASP.NET MVC application.

If you have any questions or face any issues with this configuration, please contact our support team for further assistance.

We'll be happy to help. Thank you!
