Add custom claims to identity when using Windows authentication - asp.net-mvc

I am having a difficult time understanding how to add custom claims when using Windows authentication in a .Net MVC app.
The challenge here is to populate the users's identity with custom claims from the database on login, so as to avoid making a db call every time I want to check a custom authorization attribute. But the use of Windows auth complicates things for me, as there's no login method in which to put the code that populates the roles.
Is there a method to override, or some other way to hook into the Windows auth login process?

In .NET Core 2.0 you should use IClaimsTransformation.
For example:
public class CustomClaimsTransformer : IClaimsTransformation
{
public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
{
((ClaimsIdentity)principal.Identity)
.AddClaim(new Claim(claim.Name, claim.Value)); //your values
return Task.FromResult(principal);
}
}
And add this code to Startup.cs
...
services.AddMvc();
services.AddScoped<IClaimsTransformation,CustomClaimsTransformer>(); // Add this
I don't know how to do this in ASP.NET MVC :/.
This is my first answer here :).

Related

Application_PostAuthenticateRequest equivalent in OWIN OAuth

To enable my service layer to access the current User Id anytime it needs, I use Thread.CurrentPrincipal.
The service layer is used by two front-end layers, one MVC App and one MVC Web Api used for a Mobile App.
In the web app, I use Forms Authentication and the Principal is set into Application_PostAuthenticateRequest. It works fine.
In the web Api, I use Owin. But I cannot find a way to set that Principal after each request is authenticated with the access token.
I can do it when the user logs in with its credentials by overriding GrantResourceOwnerCredentials into my OAuthAuthorizationServerProvider or when he logs with its refresh token by overriding GrantRefreshToken in the same class.
But where could I assign it for requests automatically authenticated with the access token ?
NB. I know that in my Api Controllers I can access the current User, and it is correctly set, but I don't want to pass it with each call to my service layer.
Thanks.
I found how to set it.
The bearer validation is not done by the OAuthAuthorizationServerProvider. I had to implement a custom OAuthBearerAuthenticationProvider, and override the ValidateIdentity method:
public class MyBearerAuthenticationProvider : OAuthBearerAuthenticationProvider
{
public override Task ValidateIdentity(OAuthValidateIdentityContext context)
{
Thread.CurrentPrincipal = new Principal(context.Ticket.Identity);
return base.ValidateIdentity(context);
}
}
And plug that provider into my app by using:
OAuthBearerAuthenticationOptions bearerAuthenticationOptions = new OAuthBearerAuthenticationOptions()
{
Provider = new MyBearerAuthenticationProvider()
};
app.UseOAuthBearerAuthentication(bearerAuthenticationOptions);
Unfortunately Thread.CurrentPrincipal is null in my Business Layer. I assume the token validation is done in another thread than the request execution. So I'll have to change my method.

Breeze.WebApi2 Authentication Microsoft.AspNet.Identity

Now that AS.NET WebApi2 has an integrated authorization mechanism using tokens.
How can we integrate this mechanism with Breeze.WebApi2. That is Breeze.WebApi2 and Microsoft.AspNet.Identity.
What I need is how to modify the project created using visual studio 2013 project wizard that is configured to use individual accounts in security into a breeze web api 2 server with the same security setup.
I tried it by creating a web api project with individual accounts security and then added breeze web api 2 server using nuget package but that was s bit confusing to me.
A sample code or application would be more useful for me to get started.
Thanks.
If you use the Authorize attribute you can also access the user data via the "User" variable.
[BreezeController]
[Authorize]
public class NorthwindIBModelController : ApiController {
[HttpGet]
public IQueryable<Customer> CustomerList() {
var userName = User.Identity.Name;
var filter = filter on customers;
var custs = ContextProvider.Context.Customers.Where({ some filter using userName});
}
}

Security approach for WebAPI

I currently have an ASP.NET MVC 4 website where members have an account and can log in using both Facebook and my own login form. I am then using FormsAuthentication.
I would next like to build an API, using WebAPI and expose some of my functionality to a mobile client I am planning on building.
I do not have any plans on having others consume my API, so this would just be for the client I build.
How would I go about implementing security on the WebAPI? Should I be using a token system where I can have a login form on the client, receive the credentials, log them in, and return a token which would be send back to the server on each call?
Should I implement oAuth on the server?
Try to be completely RESTful: use HTTP's built-in authentication system where authentication information is provided by the client in each request. You can also use HTTP Basic Authentication without any security concerns provided that you use SSL, otherwise HTTP Digest is also secure enough for this purpose.
You will need to implement your own HTTP Basic Authentication provider for ASP.NET, fortunately it's easy (and fun!).
It also beats other systems which require a signed URI using a querystring parameter, which is ugly and messes up lovely REStfulness, or carrying a token around (usually passed as a cookie).
Holy wars about how to do authentication in rest aside, you can just use forms authentication. If you are also using a web interface from the same site/domain and you have your authentication stuff well factored this is really convenient and easy.
you need a base class for your api controllers
public class MyApiControllerBase : ApiController
{
public MySecurityContextType SecurityContext { get; set; }
}
an ActionFilterAttribute
public class AuthenticationContextAttribute : System.Web.Http.Filters.ActionFilterAttribute
{
public override void OnActionExecuting(HttpActionContext actionContext)
{
MyApiControllerBase controller = actionContext.ControllerContext.Controller as MyApiControllerBase ;
if (controller != null)
{
var context = ((HttpContextBase)controller.Request.Properties["MS_HttpContext"]);
HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
controller.SecurityContext= ParseFormsAuthenticationTicket(ticket);
}
}
}
and code to create the ticket in the first place.
LogIn(HttpRequestBase httpRequest, string userName, string password)
{
var context = DoLoginLogic(userName,password);
FormsAuthentication.SetAuthCookie(context, usePersistentCookies);
}
Authorization will obviously need to be done in the controller methods.

What is Webform's "UrlAuthorizationModule.CheckUrlAccessForPrincipal" equivalent for MVC?

I got a problem as i am writing a custom SSO solution for my company. To mkae it simple, i've made a custom authentication httpmodule that intercepts all requests so as to check user authentication state. If not authenticated, user is redirected to my custom sso login page.
The thing is, when user is not authenticated, i'd like to check if he can access the requested page/resource... With Webforms, no problem, i add an authorization block in web.config, and i use UrlAuthorizationModule.CheckUrlAccessForPrincipal with an anonymous user. Everything works fine...
But when i apply my module to an MVC (3) web site, this does not work anymore (for obvious reasons, like the possibility to access the same controller and/or action from differents urls when using routing, and because authorizations are made through controller attributes).
How can I achieve this ?? I've been searching all day long, didn't find anything about that :/
ASP.NET MVC 3 Internet Application template includes a basic AccountController which implements the following actions (along with the associated models and views):
LogOn
Register
ChangePassword / ChangePasswordSuccess
You simply need the [Authorize] attribute on the Actions or classes you wish to secure. But if you need something really custom you can do something like I've done.
I created a custom class to override security in my application.
public class AuthorizeActivityAttribute : AuthorizeAttribute
{
protected override bool AuthorizeCore(HttpContextBase httpContext)
{
HttpContext currentContext = HttpContext.Current;
//Do your custom authentication stuff here and return true or false depending on results
Return true;
}
}
And now in my Controller I have the following:
[AuthorizeActivity]
public ActionResult Index()
{
ViewBag.Message = "Welcome";
return View();
}
I had the same problem.
See solution here: MVC equivalent of Webforms "UrlAuthorizationModule.CheckUrlAccessForPrincipal"
You would have to read the information from the other controller. This
can be done by instantiating its context and the Descriptor, then
instantiating the AuthorizationContext for that controller and read
the filter info.

OData - Data Service Simple Authentication

I would like to add simple authentication to Data Services, for now only to restrict access for particular applications by simple token.
I don't need Domain Authentication or Forms authentication.
I read a lot about authentication here:
http://franssenden.wordpress.com/2010/06/14/custom-security-odata-service-wcf-data-services/
http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2008/06/03/10482.aspx
http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2008/01/15/10119.aspx
http://mtaulty.com/CommunityServer/blogs/mike_taultys_blog/archive/2008/01/10/10100.aspx
Unfortunately it all demands a loooot of work.
Most of all creating custom IHttpModule.
There should be more simple solution.
I know that when I create object context on the client (WPF) I can add Credentials.
Uri uri = new Uri("http://localhost/myapp/odata.svc");
MyEntities ent= new MyEntities (uri);
ent.Credentials = new NetworkCredential("token", "zx5as9vxc5sa9h0vb6523cv56");
But where can I read them (without implementation of custom IHttpModule)?
I thought that I can use something in class that is implementation of Data Service for example:
protected override void OnStartProcessingRequest(ProcessRequestArgs args)
{
string cred = args.OperationContext.AbsoluteRequestUri.UserInfo;
}
I'm not familiar with UserInfo but description for it stands "Gets the user name, password, ...)
So I have two main questions:
Where can I read Credentials included by typing ent.Credentials = new NetworkCredential("token", "zx5as9vxc5sa9h0vb6523cv56");
Where can I (if I can) set UserInfo on the client app and use it in OnStartProcessingRequest method.
Regards,
Daniel SkowroĊ„ski
There's a series of post about authentication and WCF Data Services (which is the .NET implementation of the OData protocol): http://blogs.msdn.com/b/astoriateam/archive/tags/authentication/
You should be able to find lot more information there (including code samples).

Resources