This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 34%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Hello everyone and thanks for the help in advance. I am developing a public facing website that needs to be secured against a nonpublic facing database located on a separate server. I have read articles such as https://learn.microsoft.com/en-us/dotnet/architecture/microservices/secure-net-microservices-web-applications/ which describes using oAuth2 and the like. I am very inexperienced using this technology and feel there are somem missing pieces. My thinking is that the public facing site needs to post the user name and password to an api on the nonpublic server, authenticate the user, then issue a cookie, but I am confused about how to actually implment this. Do I need to authorize the application initally using oAuth? Do I issue the cookie from the public server? Any help would be appreciated.
If you are concerned about authentication, Azure takes care of that.
If you're concerned about authorization then your concern is valid.
My understanding is that you have a website Public Facing
This website is going to authenticate users by using Azure AD or a public form of authentication (Facebook, Twitter etc...)
Is that right?
Thanks for the response. Neither site uses Azure or any type of public authentication. The non-public api uses a SQL Server database fueled by a very large intranet. User data is maintained within the Sql database and not within AD or Azure. The public facing site needs to authenticate against this Sql database and also authorize user roles.
Got it, so you're attempting to perform authentication yourself. There is a way to do this. Way back in the year 2010, we had developed a similar application.
This is going to be unnecessarily complicated in my opinion, but one way to do this is:
1) Create a public-facing web API that can talk to this very private SQL database.
2) Ask the users to first authenticate against this public web API. The way to do this would be to use the user data maintained in the SQL database. The public web API can be accessed anonymously, but it will have to just send back a true or false for correct authentication. If true, you can then allow the user to access the website.
Is this something you can do?
Thanks for the response. Yes, I can definitely do this, but a few questions. First, you mention this is unnecessarily difficult. How would you resolve this given my current data setup? Second, since I need authorization and authenticaion, I would likely need to return more than a true/false. Additionally, I would think I would need some sort of method to actually authenticate the application itself as opposed to any app being able to access the webapi.
Hi
There are a couple of things going on in your requirement:
From fundamentals of security perspective - you should not be relying on a cookie from A in B to authenticate/authorize. So what is recommended is:
Now, in order to develop this - you will need to look for the documentation on following things:
Hope this helps.
I am puzzled by your approach. The approach suggested resolves the issue of authentication.
How does this address the roles (authorization) that the user has if you choose to authenticate the user using OAuth?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
Hi @Abhijit Shrikhande ,
The token will contain the role information, then the B could get it and check it and do something according to that role.
My thinking is that the public facing site needs to post the user name and password to an api on the nonpublic server,
Sounds correct. The community has no idea how the network is configured but usually a public facing server (Internet) is the only service allowed to access application services (web services). This is accomplished with firewall configuration.
then issue a cookie, but I am confused about how to actually implment this.
UI applications like MVC or Razor Pages still use cookie authentication to authorize requests coming from a browser (user-agent). The initial authentication request flows through the application services rather than hitting the database directly.
Use cookie authentication without ASP.NET Core Identity
Typically OAuth secures web services exposed to the public or applications running in the cloud. It's not clear from your decryption if OAuth is overkill or not.
Thanks for the response. I'm pretty much following and, in agreement, but one question. Should I make an initial call to the api without the user name and password to authenticate the app, using oAuth, then send user name and password over to the api? Or is that overkill? The real issue is the user table residing on the non-public server that needs to be validated against.
Should I make an initial call to the api without the user name and password to authenticate the app, using oAuth, then send user name and password over to the api?
What you've described is not an OAuth flow. Have you implemented an OAuth solution or investigating if you need an OAuth service?
The real issue is the user table residing on the non-public server that needs to be validated against.
It sounds like you have a standard on-premise 3-tier application; web application, application service, and database. Security between the web application (Internet) and application services (Intranet) is usually handled by network security. Only the web application can access application services. Application services has access to the database since they are both Internal. No Internet facing application can access the database directly.
Is your API exposed to the public? Can you tell us what type of clients your application supports?