I'd like to add a passwordless authentication to my Web API project so that I can get a bearer token using phone number and one-time code.
With that, I also would like to keep login/password token authentication in place (for example, for web).
Would be great to have a supported and more or less straightforward way to implement that.
Currently, only way to get token is to make a HTTP call to token endpoint and provide login/password parameters
There are several articles how to implement passwordless authentication with Auth0 and PwdLess. I don't want to use 3rd party frameworks for that.
Unless there's a RFC based standard for this it's not something we'd consider implementing, adding a custom authentication scheme (leaving aside cookies) is something we'd avoid.
@blowdart thank you for the feedback. I understand that.
What about other ways to implement that with ASP.NET Identity?
I do not want to implement passwordless by re-implementing whole OAuth bearer support that is in ASP.NET Identity
You could have your password-less flow create a JWT token, then use the standard JWT middleware for it?
@alexsorokoletov in previous version it was easy to do using custom Provider in OAuthAuthorizationServerOptions. In Your custom class (derived from OAuthAuthorizationServerProvider) all You had to do is to override GrantCustomExtension. This way You can for example give different permissions based on login type:
ClaimsIdentity oAuthIdentity = await user.GenerateUserIdentityAsync(userManager, context.Options.AuthenticationType);
oAuthIdentity.AddClaim(new Claim("SMS_CODE", "1", ClaimValueTypes.String));
var ticket = new AuthenticationTicket(oAuthIdentity, null);
context.Validated(ticket);
I'm looking for similar thing, because I'm thinking about moving my existing code to ASP.NET Core. I'd like to know how to create similar thing best way possible.
I'm looking for similar thing, because I'm thinking about moving my existing code to ASP.NET Core. I'd like to know how to create similar thing best way possible.
IdentityServer: https://identityserver.io/
@Misiu your approach looks interesting.
I'm not fond of what I ended up with.
My approach was to establish a trust between controller and custom OAuthAuthorizationServerProvider so that these guys can exchange tickets and basically run bearer tokens.
Having a JWT flow + Bearer token is an overkill when using this from mobile app, so I ended up with a simpler scheme.
I understand that there are no RFCs for passwordless but this is a real thing.
On the other hand, IdentityServer is cool but my API is running on ASP.NET Identity and I don't want to run two similar infrastructures for that simple task.
@alexsorokoletov my custom GrantCustomExtension has about 50 lines of code. In it I have support for two custom grants, first (grant_type="sms_code_request") sends code to user prone number, and second (grant_type="sms_code") validates that code and returns valid JWT token.
@brockallen won't IdentityServer be an overkill? I don't need external auth providers, just single endpoint that would allow me to generate JWT token and way to verify it using simple attribute on methods or controllers. There is OpenIdConnect and OpenIddict. Did You used them?
For example this looks like a simple way to add JWT based security.
I couldn't find any good comparison between IdentityServer and OpenIddict. Any opinions about those two would help me a lot.
@Misiu could you maybe share your HTTP request flow (from the client side)?
@alexsorokoletov I have two flows:
password, his login and passwordsms_code_request and his loginsms_code and pass his login and that one time code he got via SMS.I have this working well in WebAPI 2.2 solution using ASP.NET Identity 2.2.1.
I'm not security expert, so if You see any potential vulnerabilities please let me know.
@alexsorokoletov in previous version it was easy to do using custom Provider in OAuthAuthorizationServerOptions. I'm looking for similar thing, because I'm thinking about moving my existing code to ASP.NET Core. I'd like to know how to create similar thing best way possible.
If you like OAuthAuthorizationServerMiddleware's low-level experience, you might want to give OpenIddict's underlying OIDC framework - ASOS - a try: it was forked from OAuthAuthorizationServerMiddleware and uses the same events model. Implementing custom flows is of course definitely supported.
For more information, you can read this blog posts series I wrote last year: http://kevinchalet.com/2016/07/13/creating-your-own-openid-connect-server-with-asos-introduction/
I'm in the process of doing something like this; the flow I'm using is this:-
registration
NOTE: system doesn't hold any passwords; and a TOTP is generated by an Authenticator APP or generated by the backend system and sent to the phone if requested.
RFC7519
RFC6238
hope this helps you out @alexsorokoletov
BTW, my implementation is for IoT devices so I really don't wish to have the compute/store requirement of the current identity implementation or store passwords, which is nice but a little on the heavy side for IoT devices
@grahamehorner thank you, Grahame!
I would love to see a sample project and dive into how it works. I assume your system is based on ASPNET Identity, right?
@alexsorokoletov Here is phone number authentication with IdentityServer4 might be helpful https://github.com/Jurabek/IdentityServer4.PhoneNumberAuth
I do have similar kind of flows:
User logs in through mobile app providing username and password and then in response WebApi ( implemented using Identity and Odata v3) generates grant_type=password based bearer token and rest of the communications between client and server happen to access the controller are subject to authroze using bearer toekn which is successfully implemented.
Now I would like to add one more option QR code login on mobile app which basically requests to TOTP and when it valids then server should generate bearer token and should allow to access the controller... before I start jumping on implementing psw-less login.. is there any better way to implement QR code login where api needs bearer token to communicate after user logged in?
Most helpful comment
@alexsorokoletov I have two flows:
password, his login and passwordsms_code_requestand his loginsms_codeand pass his login and that one time code he got via SMS.I have this working well in WebAPI 2.2 solution using ASP.NET Identity 2.2.1.
I'm not security expert, so if You see any potential vulnerabilities please let me know.