REST API Token-based Authentication

Let me seperate up everything and solve approach each problem in isolation: Authentication For authentication, baseauth has the advantage that it is a mature solution on the protocol level. This means a lot of “might crop up later” problems are already solved for you. For example, with BaseAuth, user agents know the password is a … Read more

OWIN – Authentication.SignOut() doesn’t seem to remove the cookie

I had a similar problem for the past few days. Instead of Request.GetOwinContext().Authentication.authenticationManager.SignOut(); Use ONE(and only one) of these: Request.GetOwinContext().Authentication.SignOut(); Request.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie); HttpContext.Current.GetOwinContext().Authentication.SignOut(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ApplicationCookie); This article explains why your cookies don’t get deleted: I know my answer isn’t the most research-based, but to tell you the truth, I just couldn’t find WHY my provided code examples … Read more

IIS7: Setup Integrated Windows Authentication like in IIS6

To enable the Windows Authentication on IIS7 on Windows 7 machine: Go to Control Panel Click Programs >> Programs and Features Select “Turn Windows Features on or off” from left side. Expand Internet Information Services >> World Wide Web Services >> Security Select Windows Authentication and click OK. Reset the IIS and Check in IIS … Read more

Why are cookies unrecognized when a link is clicked from an external source (i.e. Excel, Word, etc…)

This is because MS Office is using Hlink.dll component to lookup if the link is Office document or something else. MS Office expect to open the document linked within documents without the aid of external browser (using Hlink.dll component of IE6). If session cookie protects website Hlink naturally is being redirected to login page and … Read more

Keycloak retrieve custom attributes to KeycloakPrincipal

To add custom attributes you need to do three things: Add attributes to admin console Add claim mapping Access claims The first one is explained pretty good here: Add claim mapping: Open the admin console of your realm. Go to Clients and open your client This only works for Settings > Access Type confidential … Read more

CSRF Token necessary when using Stateless(= Sessionless) Authentication?

I found some information about CSRF + using no cookies for authentication: “since you are not relying on cookies, you don’t need to protect against cross site requests” “If we go down the cookies way, you really need to do CSRF to avoid cross site requests. That is something we can forget when … Read more