Support forum for ASP.NET Zero (https://aspnetzero.com/).
By tteoh
#30893
alper wrote: Hi,

How will you implement the 2 factor authentication with OAuth Token based ?


@alper For now, there is no 2-Factor requirement and we do not foresee one in the future either. The work is mainly on "Refresh Token", to further enhance the existing MVC5AJ1 Token-based Authentication so that the Mobile Client is NOT provided with a long-lived Access Token but a short-lived one with a Refresh Token. From my research, this is quite a standard practice; however, it's missing from ASPNet Zero at this moment.

There is still one thing that puzzles me, despite the explanation given so far. What's the difference between the Access Token generated by ASPNet Zero using "OAuthBearerOptions.AccessTokenFormat.Protect(ticket)" and the one generated by OAuth with an Authentication Provider ("OAuthAuthorizationServerProvider") that uses "GrantResourceOwnerCredentials"?

Especially, how do these two tokens affect the Roles and Permissions set in ASPNet Zero?

We successfully implemented the OAuth token. Using Postman, we checked the Roles/Permissions assigned to the same user based on the endpoints:
1) ../api/Account/Authenticate
2) ../token

Both seem to behave the same way based on simple test cases. We would be very grateful if you have anything further to share.

We have to continue with "Refresh Token", which is straining our progress right now.

Thanks.
/Tommy
By alper
#30909 Hi,

If you have replaced AspNet Zero's own token mechanism with standard OAuth then it's OK. The main reason AspNet Zero has its own token system is 2FA. If you don't need it then you can go with OAuth.

By the way,

OAuthBearerOptions.AccessTokenFormat.Protect(ticket)
encrypts the ticket, and it's Microsoft code.
https://github.com/aspnet/AspNetKatana/ ... otector.cs
By tteoh
#30928 @alper Based on the aspnetzero documentation, it only mentions token-based authentication. Could you please elaborate on how 2FA comes into play in this particular use case?

Do you mean that if I enable 2FA for web login, it will also be activated for token-based login?

Thanks for the confirmation that the OAuth token can replace the aspnetzero token.

Thanks,
/tommy
By tteoh
#30965
tteoh wrote: @alper Based on the aspnetzero documentation, it only mentions token-based authentication. Could you please elaborate on how 2FA comes into play in this particular use case?

Do you mean that if I enable 2FA for web login, it will also be activated for token-based login?

Thanks for the confirmation that the OAuth token can replace the aspnetzero token.

Thanks,
/tommy


@alper Could you please clarify the relation between 2FA and token-based authentication in the current aspnetzero behavior?

Thanks.
/tommy
By ismcagdas
#30978 Hi @tteoh,

Authentication terminology is confusing most of the time. I suggest you read about those on the web.

Basically, AspNet Zero's Angular application uses token-based auth. You can also enable 2FA in AspNet Zero.
You can check 2FA in this document: https://aspnetzero.com/Documents/Develo ... ctor-login.

But don't forget that AspNet Zero doesn't use OAuth internally.
By ismcagdas
#31061 Hi,

Actually 2FA is implemented in Token auth as well, see https://github.com/aspnetzero/aspnet-ze ... er.cs#L136.

You can check the Angular app to see how it works. If a 2FA token is required, the API returns RequiresTwoFactorVerification = true.
Then, the user needs to pass TwoFactorVerificationCode (https://github.com/aspnetzero/aspnet-ze ... del.cs#L18) to TokenAuthController's Authenticate action again.
By tteoh
#31430
ismcagdas wrote: Hi,

Actually 2FA is implemented in Token auth as well, see https://github.com/aspnetzero/aspnet-ze ... er.cs#L136.

You can check the Angular app to see how it works. If a 2FA token is required, the API returns RequiresTwoFactorVerification = true.
Then, the user needs to pass TwoFactorVerificationCode (https://github.com/aspnetzero/aspnet-ze ... del.cs#L18) to TokenAuthController's Authenticate action again.


@ismcagdas The link you provided for the implementation is for the aspnetzero core template, but in our case we are using the non-core template.

We ended up having to implement 2FA by leveraging the libraries provided by Identity Framework, taking the 2FA for the web login as a reference and reimplementing UserDeviceManager and MobileSignInManager under the WebApi project.

Thanks.
/tommy
By tteoh
#31492
alper wrote: Hi,

How will you implement the 2 factor authentication with OAuth Token based ?


@alper I need to retract my previous comment that 2FA was not needed. We ended up having to implement 2FA, adopting the approach implemented in ANZ (non-core) under the WebApi project.

Something we discovered is that the 2FA token digits are hard-coded to 6 and the expiry time to 3 mins.

We have to build a custom table to handle expiration.

We also realized the existing code references 2FA cookies. Should we be concerned about this?

Thanks
/tommy