I'm working a .net core API application, the angular frontend sends me only username and password of the user (took from login page). My API application has to request the authentication to an ADFS 4 service based on the customer intranet.
The question is: how to call the ADFS 4 API sending Username and Password to authenticate the user? If you have any samples, could be great!
The purpose of this call to ADFS is just to see if the user is authorized to use the application or not, the web app uses its own jwt token to authorize actions or not.
Thanks to all
First you have to know the fact that accessing ADFS 4 using REST Web API is best implemented using OpenIDConnect on top of OAuth2, because authenticating Web API thru ADFS 4 requires OAuth2 for the authorization.
OAuth2 and OpenIDConnect (often called OIDConnect) are known standards, although these standards don't require JWT as part of authorization token. ADFS since ADFS 3 use and require JWT token for OAuth2, therefore you already correct on using JWT as token.
The ADFS since ADFS 3 has full support of OAuth2/OIDC, this includes grant types of implicit grant, code token, and the one that you want to implement of having username and password.
The grant type of passing username and password as part of the authentication is called "resource owner credential". This is not recommended, because it is inherently less secured that code grant and implicit grant.
If you want to have username and password to authenticate, then you have to understand that this means you cannot use recommended authentication/authorization for web API. It is common and best practice to use code grant type for Web API.
Please consult this official documentation of ADFS for developer: https://learn.microsoft.com/en-us/windows-server/identity/ad-fs/overview/ad-fs-openid-connect-oauth-flows-scenarios
UPDATE 1: You are asking about what to put in your controller. No, you can't put authentication and authorization of OAuth inside the controller. Yes, you should mark the controller with attribute of
[Authorize]but this will only mark your controller class that the web APIs are required to have authorization. The real authorization code for OAuth is always set up in the Startup.cs, inside the ConfigureServices method.For more example, look at this code sample of MS Identity in ASP.NET Core from Microsoft: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2
especially this: https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/blob/master/1-WebApp-OIDC/1-1-MyOrg/Startup.cs#L24-#L47