Can we integrate to IdServer3 without using an OWIN client? - wif

I have an existing MVC .NET application that uses its own forms-based authentication. Currently we only have forms authentication enabled:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" />
</authentication>
We are extending this application to a new subset of users. They are already on my IdServer3 and they are using a few other applications through IdServer3.
Now I also have to support both forms authentication and authentication using IdServer3. At application start-up, it could be determined whether that installation requires Forms or IdServer authentication.
Is it possible to add OpenID Connect authentication with IdServer3 without using the OWIN pipeline in my .NET MVC client applications?

Are you using WIF? You've tagged it with WIF. WIF doesn't implement OIDC.
idsrv3 uses OWIN on its side, but OIDC / OAuth is all based on REST, so you can implement the calls natively on your side if you want.
However, it makes life a lot easier if you use the OWIN stack.
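What the answer's "implement the calls natively" can look like against IdentityServer3's /connect/authorize and /connect/token endpoints, as an added sketch that is not code from the question or the answer: it assumes an MVC 4+ app on .NET 4.5, a confidential client registered in idsrv3 (the authority URL, client id and secret are placeholders), and the Newtonsoft.Json and System.IdentityModel.Tokens.Jwt 4.x packages. The validated subject is handed to FormsAuthentication.SetAuthCookie, so the existing forms pipeline and the idsrv3 path coexist, with the choice between them left to the start-up switch the question describes.

```csharp
// Added illustration, not the page's code. Assumes Newtonsoft.Json and System.IdentityModel.Tokens.Jwt 4.x; URLs and secrets are placeholders.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Linq;
using System.Net.Http;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web.Mvc;
using System.Web.Security;
using Newtonsoft.Json.Linq;
public class OidcAccountController : Controller
{
    const string Authority = "https://idsrv.example.com/identity";     // placeholder: the idsrv3 issuer URI
    const string ClientId = "mvc-client", ClientSecret = "CHANGE-ME";  // placeholders: a confidential client
    static readonly HttpClient Http = new HttpClient();
    static string RandomToken()   // 256-bit CSPRNG value, base64url, used for state and nonce
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }
    string RedirectUri { get { return Url.Action("Callback", "OidcAccount", null, Request.Url.Scheme); } }
    // Step 1: redirect to /connect/authorize. state ties the callback to this session (CSRF); nonce ties the id_token to it.
    public ActionResult Login()
    {
        string state = RandomToken(), nonce = RandomToken();
        Session["oidc:state"] = state; Session["oidc:nonce"] = nonce;
        return Redirect(Authority + "/connect/authorize?response_type=code&scope=openid%20profile&client_id=" + Uri.EscapeDataString(ClientId)
            + "&redirect_uri=" + Uri.EscapeDataString(RedirectUri) + "&state=" + state + "&nonce=" + nonce);
    }
    // Step 2: back-channel code exchange with the client secret, id_token claim checks, then the app's own Forms cookie.
    public async Task<ActionResult> Callback(string code, string state)
    {
        string expectedState = (string)Session["oidc:state"], expectedNonce = (string)Session["oidc:nonce"];
        Session.Remove("oidc:state"); Session.Remove("oidc:nonce");   // both values are single-use
        if (code == null || expectedState == null || state != expectedState) return new HttpUnauthorizedResult();
        var resp = await Http.PostAsync(Authority + "/connect/token", new FormUrlEncodedContent(
            new Dictionary<string, string> { { "grant_type", "authorization_code" }, { "code", code },
                { "redirect_uri", RedirectUri }, { "client_id", ClientId }, { "client_secret", ClientSecret } }));
        var idToken = !resp.IsSuccessStatusCode ? null : (string)JObject.Parse(await resp.Content.ReadAsStringAsync())["id_token"];
        // The token came straight from the token endpoint over TLS, so claim checks suffice here (OIDC Core 3.1.3.7); a token that ever travels through the browser must also have its signature verified against the JWKS.
        var jwt = idToken == null ? null : (JwtSecurityToken)new JwtSecurityTokenHandler().ReadToken(idToken);
        if (jwt == null || jwt.Issuer != Authority || jwt.ValidTo < DateTime.UtcNow
            || !jwt.Claims.Any(c => c.Type == "aud" && c.Value == ClientId)
            || !jwt.Claims.Any(c => c.Type == "nonce" && c.Value == expectedNonce)) return new HttpUnauthorizedResult();
        FormsAuthentication.SetAuthCookie(jwt.Subject, false);   // from here on the existing Forms pipeline applies
        return RedirectToAction("Index", "Home");
    }
}
```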

The Identity Server client interface is based on OWIN, so I don't think you can have both. I recently had to convert an MVC app with Forms Authentication to Identity Server and I had to remove the forms authentication to do so.

Related

Using .NET MVC/WebAPI, Is it possible to share an auth cookie between two projects of the same solution? If so, how?

My solution is structured like this:
Web Project (Default, ASP.NET MVC)
API Project (ASP.NET MVC using WebAPI controllers)
When deployed to a server, the web project will be the root and the api project will live in root\api.
I am authenticating users in the web app using FormsAuthentication.SetAuthCookie("foo",false); and so of course within a controller of the web project I have no problem reading the cookie back (HttpContext.User.Identity.Name).
I would like to be able to do the same in my API project when an ajax request is made from a page in the web project so that I can check that the user is authenticated before remitting a service.
Is this possible?
Update
I followed this MSDN article for creating authentication across applications, and I still cannot read my auth cookie in the API context. I am wondering if it is because I am running on localhost while the forms node in the web configs expects a domain name:
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
I tried setting the domain to localhost:XXXX but that didn't work either. The machine keys in both applications match.

Windows Active Directory authentication for intranet users and Forms authentication for Internet users

How do I implement Windows Active Directory authentication for intranet users and Forms authentication for Internet users? I found many examples online explaining each of them individually, but can't find one that explains both implemented together.
I have my ASP.NET MVC 4 project working with Forms Authentication but was requested to add Windows Active Directory authentication for intranet users. How do I do it?
My existing Forms Authentication:
<authentication mode="Forms">
<forms loginUrl="~/Account/Login" timeout="2880" name=".ASPXFORMSAUTH"/>
</authentication>
I am only just beginning to explore this type of situation myself, so I am not going to try to give a definitive answer, but I think that you will want to start looking at Claims-Based Authentication and Secure Token Services (STS).
Have a look at:
Least Privilege by Dominick Baier, as well as some of his Pluralsight courses, to get a better understanding of what you're trying to achieve.

ASP.NET Web API Forms Authentication Sub Application

I have 2 ASP.NET MVC web applications setup under the same domain. One is just a standard MVC website. The other is a Web API project. For now I am just setup locally.
* http://localhost/myapp
* http://localhost/api
I am using forms authentication to log in to the web application and then accessing the API application via a jQuery $.get request. Is there a way to share the forms authentication from the web app with the API app? Again, these are 2 separate applications but they share the same root domain.
I found the answer. I just needed to add a matching machineKey element to the web.config file for both of my applications.
<machineKey validationKey="..."
decryptionKey="..."
validation="SHA1"
decryption="AES"
/>

WCF Service security suggestions

I have an ASP.NET MVC 2 application in development that uses a web service to access security information (Roles, Permissions, etc). The users of these applications will be internal Company users. This web service security mode is currently set to "None".
What kind of web service security do you recommend for my situation? Should I use certificates?
For internal use I suggest using Windows Authentication:
<system.web>
<authentication mode="Windows" />
</system.web>

How can I share .net (C#) based authenticated session between web forms and MVC2 applications?

We have a small application we built in our spare time using the latest MVC 3 and Entity Framework .NET libraries available at the time, and deployed it. The management liked it, and they want it integrated into a heavy legacy .NET 3.5 Web Forms application.
I need to somehow use the same authentication sessions across the two applications. I am using the same DB and application for authentication, using the .NET membership and profile providers. This works fine, but users have to log in separately to the MVC app even when they are already signed in to the main application. I am open to any suggestions: enabling session state at a different level, shared cookies, etc.
What is the best way to bypass this login requirement, and should I integrate the MVC application into the Web Forms application or keep it as an independent application? My main concerns affecting the decision are the time taken for complete integration and the later maintenance of the applications.
First, the fact that one application is ASP.NET MVC makes no difference here :)
Second, here is one example of what to do, from MSDN:
http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
Small snippet from that page:
<configuration>
<system.web>
<authentication mode="Forms" >
<!-- The name, protection, and path attributes must match
exactly in each Web.config file. -->
<forms loginUrl="login.aspx"
name=".ASPXFORMSAUTH"
protection="All"
path="/"
domain="contoso.com"
timeout="30" />
</authentication>
<!-- Validation and decryption keys must exactly match and cannot
be set to "AutoGenerate". The validation and decryption
algorithms must also be the same. -->
<machineKey
validationKey="C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
decryptionKey="8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
validation="SHA1" />
</system.web>
</configuration>
P.S.
StriplingWarrior's advice of merging both applications, although not really required, may be very useful for future integrations. You may later end up doing it anyway.
Forms authentication uses cookies to track users. Cookies can only be shared within the same domain. So, for example, if you had app1.foo.com and app2.foo.com, simply configure those two applications to share the same domain cookie. For example, both web.config files should share the same forms authentication configuration:
<authentication mode="Forms">
<forms
loginUrl="~/Account/LogOn"
timeout="2880"
domain="foo.com"
/>
</authentication>
You also must ensure that both applications share the same machine keys, because an authentication cookie emitted by app1 needs to be decrypted by app2 with the same keys.
You may want to consider simply integrating this application into your Web Forms application directly. The two can coexist in the same application.
Store the session state in a database. Store the session key in each session's cookie. At the AcquireSessionState event in the life cycle of both applications, get the session id from the cookie, load the session data from the database and update your HttpContext.User. You will then have the same authentication data in both applications.
