Showing posts with label Authentication.

Friday, June 5, 2020

Making a call to Retail Server APIs

This article will talk about how to make a call to the Retail Server APIs (the non-anonymous ones) and what information is required to get a response.

I started by generating the access token using the username-password flow and, obviously, the client ID, as shown in the image below. (That flow is the OAuth 2.0 resource owner password credentials grant: the client handles the user's password directly and posts it to the token endpoint, so it is only appropriate for trusted first-party or legacy clients.)

Then I tried to make a call to an API using Postman, as shown below:

And here is the 401 Unauthorized error ☹, and the reason is Microsoft_Dynamics_Commerce_Runtime_DeviceTokenNotPresent.

After spending hours, I got to know that the Retail APIs can't be called just by passing the access token. For the API call to succeed, one additional piece of information, the device token, has to be sent as well. The access token proves which user is calling; the device token, issued when a device is activated against Retail Server, proves which activated device the call comes from, and Retail Server requires both for non-anonymous calls.

Now, where do we pass this information?

Well, fortunately I was able to figure it out. The device token has to be passed as a header when making the API call, as shown below:

Once the device token is passed, I received the expected response from the API.
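The request shape described above, as an added example that is not part of the original post: the bearer token and the device token go out as two separate headers, and the 401 body is inspected for the error resource id so the failure is recognisable on the first try instead of after hours. The device token header name, the URL and the JSON layout of the error body (constructed here) are assumptions; confirm the header name against your own Retail Server.

```python
# Building the non-anonymous Retail Server call and reading the 401 it returns
# when the device token is missing. Added example, not from the original post.
# Assumptions: the device token header name, the URL, and the JSON layout of
# the error body (constructed below).
import json
import urllib.error
import urllib.request

DEVICE_TOKEN_HEADER = "DeviceToken"  # assumption: confirm against your Retail Server
DEVICE_TOKEN_MISSING = "Microsoft_Dynamics_Commerce_Runtime_DeviceTokenNotPresent"


def build_headers(access_token, device_token=None):
    """Two credentials, two headers: the Azure AD access token says which user
    is calling; the device token (issued at device activation) says which
    activated device the call comes from. Without the second one Retail Server
    answers 401 even though the bearer token is perfectly valid."""
    headers = {"Authorization": f"Bearer {access_token}",
               "Accept": "application/json"}
    if device_token is not None:
        headers[DEVICE_TOKEN_HEADER] = device_token
    return headers


def build_request(url, access_token, device_token=None):
    """urllib request carrying the same headers Postman would send (GET here;
    pass method='POST' and data for action calls)."""
    return urllib.request.Request(
        url, headers=build_headers(access_token, device_token), method="GET")


def classify_failure(status, body):
    """Map a response to one of: ok, device-token-missing, unauthorized, other.
    The error resource id is searched for anywhere in the body, so the result
    does not depend on the exact JSON layout (which is an assumption here)."""
    if 200 <= status < 300:
        return "ok"
    if status == 401:
        return "device-token-missing" if DEVICE_TOKEN_MISSING in body else "unauthorized"
    return "other"


# Constructed sample of a 401 body; the real layout may differ, which is why
# classify_failure() looks for the resource id rather than a fixed JSON path.
SAMPLE_401_BODY = json.dumps({"error": {
    "code": "",
    "message": "The device token is not present.",
    "innererror": {"message": DEVICE_TOKEN_MISSING,
                   "type": "Microsoft.Dynamics.Commerce.Runtime.CommerceException"}}})


def send(request):
    """Perform the call; returns (status, body) even for HTTP error responses,
    so the caller can hand both to classify_failure()."""
    try:
        with urllib.request.urlopen(request, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode()


if __name__ == "__main__":
    # Offline walkthrough using the constructed 401 body.
    print(classify_failure(401, SAMPLE_401_BODY))  # device-token-missing
    print(classify_failure(200, "{}"))             # ok
    req = build_request("https://retail.example.com/Commerce/Customers",  # hypothetical URL
                        "ACCESS_TOKEN", "DEVICE_TOKEN")
    print(req.full_url, build_headers("ACCESS_TOKEN", "DEVICE_TOKEN"))
```

To make a real call, pass the result of `build_request(...)` to `send(...)` and then to `classify_failure(...)`; a result of `device-token-missing` means the bearer token was accepted but the device header was absent or not recognised.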

Hope I saved your hours. Enjoy troubleshooting!

Monday, June 3, 2019

Creating ASP.NET Core 2.2 Application Step-by-Step

This article will walk you through the creation of an ASP.NET Core application using ASP.NET Core 2.2 from scratch, utilizing the package manager, EF Core, the Identity API, Razor Class Libraries, etc. So, rather than being theoretical, this article focuses mainly on the implementation. Wherever required, I'll throw some light on the concepts too. To know more, you can either go here or here.

Monday, March 18, 2019

Understanding concepts - OpenId, OAuth and SAML

I was going through some of the forums related to security concepts and found one topic that is very common: many people posted questions about their confusion over the terms related to authorization, authentication and security protocols.

So, I thought to write something about these terms in layman's terms, more about the concepts and less about the technical details.

Before we start, let's have a look at the question that really lit the spark in me: What's the difference between OpenID and OAuth? Hope you are with me; let's get started.

Well, one of the major aims of any application is to be secure and easy to use without imposing much work on the end user. In order to fulfil this aim, we have to look into a few of the major security aspects in terms of protocols, usage and scenarios. And that's what this article is about.

What is Authentication and Authorization?
In simple terms, authentication is the process of verifying that the user is the intended user rather than a fake identity: that they are who they claim to be. Authorization, on the other hand, deals with access to resources: it tells which resources a user can access and to what extent. In most applications these two go hand in hand, with authorization decisions made after, and on the basis of, a successful authentication.

SSO (single sign-on) is an authentication mechanism in which a user logs in to one application with some set of credentials and then accesses other applications without re-entering them. In this scenario, the same credentials are accepted by every participating application.

The best real-world example is an internal corporate portal with links to many other applications. Once we are logged in to the portal, we need not authenticate ourselves again and again to use the other applications (apart from a few more sensitive ones that demand a fresh login).

The benefits of going with SSO are quite pleasant:
  • The user needs to remember only one set of credentials, which works across all related applications
  • Maintaining credentials in one place means one store to protect and audit, which saves storage as well as reducing cost
How to implement SSO?
Here come the security protocols, or jargon like SAML, OAuth, OpenID, etc. Confused? Scratching your head? 
No need to worry. Sit back and relax. We do have ready-made APIs to rescue us. 😊

Now before jumping straight into coding, let’s first get the gist of these jargons.

OpenID is used for authentication and allows us to use an existing account to log in to numerous sites. It is an open standard maintained by a non-profit organization, the OpenID Foundation, and is accepted by giants like Microsoft, Google, Facebook, AOL and many more. (Note that the original OpenID 2.0 protocol has since been retired by these providers; what they support today is OpenID Connect, described further down.)

How do you get an OpenID account?
Getting one is very simple, as it can be obtained from any of the OpenID providers listed above. Once the account exists, the user can log in to any web site that supports OpenID authentication.

As an example, imagine a Blogger account accepting a Google email ID for authentication. In this example, Google is the Identity Provider and Blogger is the Relying Party. The figure below will give you a clear idea of what we just discussed.

Please note that all this communication happens because of the common trust factor between the identity provider and the relying party, which is OpenID.

How does authentication take place?
Continuing with the same Blogger example, the user hits the Blogger URL and lands on the login page, where he enters his Google credentials. The request then goes to Google for account verification. On successful verification, Google redirects the user back to Blogger along with a token (we will discuss the token shortly; for now, think of it as a label that tells Blogger that this user was verified by Google and can be relied on). From here on, Blogger trusts this token and starts a session for the user.

OAuth is short for Open Authorization and is mainly used for access delegation via tokens. Using this delegation, an application can access resources on a resource server on behalf of the user without the user re-entering credentials at that application. This is achieved with tokens issued by an authorization server (usually run by the same party as the identity provider), with the user's consent. Note that OAuth by itself is an authorization protocol, not an authentication one: the token says what its bearer may do, not who the bearer is.

Let's understand this with an example. Say you are going out of town and you want your friend Alen to stay and take care of your home. Of course, you have to hand over the keys to Alen.

That means Alen can enter the house and use the resources inside it. In this analogy, the home is the resource server, Alen is the client, the key is the access token, the door lock is the identity provider (the authorization server, in OAuth terms) and I, the house owner, am the user (the resource owner). Makes sense?

Let's change the thought process a bit. While I'm away, Alen is occupying the home, and to anyone who watches him open the door with my key he looks like the owner. Treating the holder of the key (the access token) as if that proved who they are is what is termed pseudo-authentication, and it is exactly why OAuth on its own should not be used as a login mechanism.

OpenID Connect
In order to implement a complete security solution, OpenID and OAuth should go together. This togetherness is OpenID Connect: an identity layer on top of OAuth 2.0, in which OAuth 2.0 supplies the token flows (authorization) and OpenID Connect adds a signed ID token that tells the relying party who the user is (authentication). A relying party must validate that ID token (issuer, audience, expiry, signature and the nonce it sent) before trusting it.
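The full exchange above, as an added example that is not part of the original post: the relying party builds the authorization request with a state and a nonce, checks the callback, and then validates the ID token before treating the user as logged in. The same flow is what the Microsoft Account login in the "Authentication using External Providers" post further down performs for you. To keep it runnable offline the stand-in provider signs with HS256 and a shared secret; real providers such as Google and Microsoft sign ID tokens with RS256 and publish their keys at a JWKS URL, so that one check is what you would swap out. Every endpoint, client id and secret in the block is hypothetical.

```python
# OpenID Connect login as three relying-party steps plus a stand-in provider.
# Added example; HS256 with a shared secret keeps it offline, whereas real
# providers sign ID tokens with RS256 and publish keys at a JWKS URL.
# Every endpoint, client id and secret below is hypothetical.
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "https://idp.example.com/authorize"  # hypothetical
ISSUER = "https://idp.example.com"                         # hypothetical
CLIENT_ID = "blogger-demo-client"                          # hypothetical
REDIRECT_URI = "https://rp.example.com/callback"           # hypothetical
SHARED_SECRET = b"demo-only-shared-secret"                 # hypothetical


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_request():
    """Step 1 (relying party): redirect the browser to the identity provider.
    state ties the callback to this session (CSRF); nonce is echoed inside the
    ID token (replay). Both are stored server-side and checked later."""
    state = secrets.token_urlsafe(16)
    nonce = secrets.token_urlsafe(16)
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": REDIRECT_URI, "scope": "openid profile email",
              "state": state, "nonce": nonce}
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state):
    """Step 2 (relying party): the provider sends the browser back with code
    and state; refuse anything not tied to the session we started."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not tied to this session")
    if "code" not in query:
        raise ValueError(query.get("error", ["no code in callback"])[0])
    return query["code"][0]


def mint_id_token(subject, nonce, now):
    """Stand-in identity provider: the ID token the token endpoint returns
    when the relying party redeems the code (constructed for the demo)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "sub": subject, "aud": CLIENT_ID,
              "iat": int(now), "exp": int(now) + 300, "nonce": nonce}
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(SHARED_SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_id_token(token, expected_nonce, now):
    """Step 3 (relying party): the checks OpenID Connect requires before the
    token counts as proof of who logged in. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    header_b64, claims_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(claims_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if aud != CLIENT_ID and not (isinstance(aud, list) and CLIENT_ID in aud):
        raise ValueError("token not issued for this client")
    if now >= claims.get("exp", 0):
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch (possible replay)")
    return claims


def demo_login(now=1_700_000_000.0):
    """The whole exchange end to end; returns the authenticated subject."""
    _url, state, nonce = build_authorization_request()
    # The provider authenticates the user and redirects back (constructed).
    callback = f"{REDIRECT_URI}?{urlencode({'code': 'abc123', 'state': state})}"
    code = parse_callback(callback, state)
    assert code == "abc123"
    token = mint_id_token("user-42", nonce, now)  # really: POST the code to the token endpoint
    return verify_id_token(token, nonce, now)["sub"]


if __name__ == "__main__":
    print("logged in as", demo_login())
```

The state check is what stops an attacker from logging you in to their account (login CSRF), and the nonce check is what stops a captured ID token from being replayed; pinning the algorithm before verifying the signature is what keeps an "alg":"none" token out.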

SAML is short for Security Assertion Markup Language and is an open standard for both authentication and authorization. It uses XML for all its messages, with the purpose of allowing an identity provider to pass signed statements about a user (assertions) to a service provider. In most real-world scenarios, the identity provider and the service provider are totally separate entities.

Now, for both to work in an SSO mechanism, some sort of centralized user management is required, and this is where SAML assertions come in. An assertion can carry three types of statements:
  • Authentication: tells that the user was authenticated, at what time and by what method
  • Attribute: a piece of data that provides information about the user as specific attributes (name, email, group membership)
  • Authorization decision: tells whether the user is granted or denied access to a given resource

Here is a summarized view, taken from Jaime's blog, of what each one does.

OAuth 2.0
  • Token (or assertion) format: JSON (bearer tokens; often a JWT)
  • Current version: OAuth 2.0
  • Security risks: OAuth 2.0 does not support signature, encryption, channel binding, or client verification. Instead, it relies completely on TLS for confidentiality.
  • Best suited for: API authorization

OpenID Connect
  • Token (or assertion) format: JSON (the ID token is a signed JWT)
  • Current version: OpenID Connect 1.0
  • Security risks: Identity providers have a log of OpenID logins, making a compromised account a bigger privacy breach
  • Best suited for: Single sign-on for consumer apps

SAML
  • Token (or assertion) format: XML (signed assertions)
  • Current version: SAML 2.0
  • Transport: HTTP Redirect (GET) binding, SAML SOAP binding, HTTP POST binding, and others
  • Security risks: XML Signature Wrapping to impersonate any user
  • Best suited for: Single sign-on for enterprise. Note: not well suited for mobile
Hope you enjoyed reading!

Tuesday, July 17, 2018

Authentication using External Providers(Hotmail)

In my previous article, I wrote about how to authenticate by creating new user accounts. Now, what if someone doesn't want to add another user ID and password pair to their memory and wants to use the existing ones they use frequently in day-to-day life? Well, here come the external providers.
In this article, I won't cover the basics of creating a website from scratch, as that is already covered in an earlier article. So, let's jump straight to the login screen; on the right-hand side you will see the text 'Use another service to log in.', as shown in the image below:

The above screenshot also provides a hyperlink, which will guide us on how to set up authentication using external providers.
What are external providers?
There is a huge list of authentication providers. The most common ones are Twitter, Facebook, Google and Microsoft, but the list is not restricted to these; it can be any other custom provider. Throughout this article, I'll walk you through setting up authentication with a Hotmail (Microsoft) account.
Steps to set up authentication with a Hotmail account
Navigate to the Microsoft application registration portal and log in using your existing Hotmail ID, as shown below. (The portal in these screenshots has since been retired in favour of App registrations in the Azure portal, but the three values you need, an application (client) ID, a client secret and a redirect URI, are the same.)

On successful login, you will land on the page below:

Next, click on the 'Add an app' button, shown in the top right corner. This will take you to:

In the above dialog, provide the application name and click on the 'Create' button. Here you can also take the guided path by ticking the checkbox 'Let us help you get started'. Once you click Create, an Application Id will be generated for you, as shown below: 

Next, we have to add the application secret.
Adding Application Secrets
Now click on the 'Generate New Password' button. A password (this is the OAuth client secret) will be generated for you, as shown below:

Copy this newly generated password and save it somewhere temporarily, as you will need it during the application configuration along with the Application Id. Treat it as a credential: it must never be committed to source control, and anyone holding it together with the Application Id can impersonate your application to Microsoft.
Adding Platform
Click on 'Add Platform' on the registration screen. For demo purposes I'm choosing Web; you can choose others too.
Next, construct the redirect URL, which is our application URL followed by the sign-in callback path (for the ASP.NET Core Microsoft Account handler the default path is /signin-microsoft). This is what it looks like:

Click on the Save button and you are done with the portal configuration. Next, we have to associate this configuration with our application. So, let's go ahead and update our application using User Secrets, as shown below: 

and place the following JSON in secrets.json:

{
  "Authentication:Microsoft:ApplicationId": "654e030a-a10b-40ee-82db-1bf0185aebc0",
  "Authentication:Microsoft:Password": "XXXXXXXXXXX"
}
The same values could be written into Startup.cs, but we keep the secrets in a separate file outside the project tree so that they never end up in source control and can be swapped easily when moving to production.
Next, configure Identity and the Microsoft Account handler in Startup.cs:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

    // Client ID and secret are read from User Secrets (Authentication:Microsoft:*),
    // so nothing sensitive lives in the project files.
    services.AddAuthentication().AddMicrosoftAccount(options =>
    {
        options.ClientId = Configuration["Authentication:Microsoft:ApplicationId"];
        options.ClientSecret = Configuration["Authentication:Microsoft:Password"];
    });

    services.AddMvc()
        .AddRazorPagesOptions(options =>
        {
            // Page conventions as generated by the Identity template
            options.Conventions.AuthorizeFolder("/Account/Manage");
            options.Conventions.AuthorizePage("/Account/Logout");
        });

    services.AddSingleton<IEmailSender, EmailSender>();
}
If you want to know more about setting up authentication, the official Microsoft article can also be referred to.  
We are almost there. Save your application, run it and click on the Login button. You will notice that a Microsoft button now appears on the right side. Click it, provide your Hotmail credentials and on successful login you will land on the screen below (the consent prompt, where Microsoft asks whether the application may see your profile):

On clicking Yes, the screen below will be shown:

Click on Register and see the magic. You will notice that you are now logged in with your Hotmail ID, as shown below:

Everything we did can also be done through the guided process we came across during configuration, in the form of a hyperlink. Additionally, you can also follow this link.
Hope you enjoyed learning.