We have a multiple applications under one domain, and every application is built in asp.net mvc. Currently single sign on is facilitated using forms authentication, shared machine key. All applications are on same server for now.
For one our new application we considering asp.net core with framework option. We have an Accounts application which handles authentication(login/logout) for existing application. And we have build STS, using Identity Server3 into the same application.
www.mydomain/Accounts
www.mydomain/app1
www.mydomain/app2
www.mydomain/asp.netcoreApp1
The new test asp.net core application(client) using openIdConnect communicates with STS, Identity Server3 and is working fine.
Challenge: Have to facilitate single sign on between existing applications, which uses Forms Authentication, and new Asp.Net Core.
Operational/Environment Facts:
All applications are on same machine.
Access to machine key.
On navigation from app1 to asp.net core cookies are available in Request header.
Problem Scenarios:
If user successfully logins to app1 and navigates to asp.net core the user has to logon again for authorized access. No issue with anonymous access.
Similar to #1 vice versa case.
If user logout in any one of the application then user should be log out from all the applications.
Since test application built using Asp.net core with framework option, will FormsAuthentication be compatible? direct me to documentation or code snippet?
Please share your ideas.
Related
On IIS I have a login website which is used to get credentials from user and authenticate him. Authentication is done through:
FormsAuthentication.SetAuthCookie
Login application is written in asp.net webapplication.
Now there is another .NET CORE mvc web application which will sit as a child web application to this login website and needs to authenticate through login application.
By default child web application does not comes under login page.
How I can put this web application to use login from parent website?
HttpContext.User.Identity.IsAuthenticated in mvc core child application returns false and can't read logged in user.
You cannot. Traditional web-based auth and specifically FormsAuth utilizes cookies to persist the login state. Cookies are domain-bound, and auth cookies are also encrypted. You can only access the cookie in the first place if both apps are on the same domain, and even then, one can only read it if they can both encrypt and decrypt in the same way. The method of encryption has changed between ASP.NET and ASP.NET Core, so that's out of the window off the bat. ASP.NET used machine keys whereas ASP.NET Core utilizes the Data Protection API.
There's one minor exception, in an ASP.NET MVC 5 site, you can utilize the Data Protection API, through its support of OWIN. The two apps, then, can be made to encrypt/decrypt in the same way. However, by the very fact that you're using FormsAuth means that you cannot achieve this. FormsAuth can only use machine keys, so you'd have to migrate the legacy app to using ASP.NET Identity at the very least, first.
I am going to create an web app using Dot Net Core. In future, i will also create mobile application for the same application. Now, i am in thinking the architecture of the project. I want to use WEB API core using Asp.net Identity Core. Also, i will consume WEB API in MVC Core application. But the question i have in mind that how i can handle ASP.net identity with MVC and WEB API? Do i need to include in MVC as well or only in WEB API?
I tried to think hard but still confuse. Need suggestions.
You can use token based authentication .
In a resource owner flow scenario , your client app( mvc application/native application) will consume your web api by providing user's credential , web api will validate the credential(using ASP.NET Core Identity) in database , If the username and password are correct then a JWT authentication token and the user details are returned. Your client app could validate the token and sign in user :
ASP.NET Core 2.2 - JWT Authentication Tutorial with Example API
Tutorial built with
Token Authentication in ASP.NET Core 2.0 - A Complete Guide
In addition, IdentityServer4 is a good choice when you want to roll your own full-fledged OpenID Connect authorization server that can handle complex use cases like federation and single sign-on.
So your question is maybe a bit open-ended for Stackoverflow and you don't really show what you have tried so far.
I will try to answer though. First you just need to start out with a template for your project. Start an MVC project in which you can easily have API endpoints as well. I would suggest splitting those in two projects for clarity - but if it is just a small personal project then you probably are fine having them in the same project. Microsoft have a pretty good resource on MVC:
Microsoft MVC walkthrough
For the Identity part. You would need some kind of authority for it to work. I suggest you take a look at IdentityServer4. Which offers an excellent walk-through of how to set it up and how to integrate it with Asp.NET Core Identity:
IdentityServer4
I have read all the stack overflow posts and other blogs regarding mixed-mode authentication. I could not find a step by step implementation anywhere.
So here is my scenario. I have developed asp.net MVC 4.5 and asp.net identity 2.0 for individual user accounts. Some of our clients use active directory to authenticate their users whereas others use individual user accounts. Also, those that use active Directory can also remotely access the web portal and in that case authentication would be from database(Form Authentication/individual user account authentication).
My findings so far
create another web application. If this client does not use "active Directory", then redirect to login screen, else, authenticate from active directory (but how?)
Some of the links show that there is no need to create another web application like
Mixed mode authentication with OWIN
ASP.NET Identity + Windows Authentication (Mix mode - Forms + Windows)
ASP.NET MVC and mixed mode authentication
Truly confused as to what to do and how to do..most solutions seem vague and general
There's no need to create a second web application.
Owin is designed to let you use all available providers (such as, Windows authentication and form-based authentication) given that you enable them in IIS.
Briefly, you have to
Enable Anonymous and Windows authentication on IIS - Authentication
(with server or site scope as it best fits to you)
Anonymous authentication - Edit - Use Application Pool Identity
I recently implemented just this kind of authentication on an MVC project and it works like a charm. I suggest you to read this post https://github.com/MohammadYounes/MVC5-MixedAuth it's been really helpful to me.
I have one ASP.NET MVC 5 application wherein I have implemented ASP.NET Identity. That is, all stuff related to Login, Registration, Edit User, Manage Users, etcs has been implemented there.
Now there is another MVC 5 application where I want to consume the User account related activities from the above MVC 5 application. (Similar to single signon).
How can I implement this kind of architecture?
Configure both applications to point to the same database for the membership information used by ASP.NET Identity and then configure both applications to share cookies as described in this article.
Scenario:
I have an ASP.NET MVC 2 site using ASP.NET Forms Authentication.
The site includes a Silverlight 4 application that needs to securely call internal web services.
The web services also need to be publically exposed for third party authenticated access.
Challenges:
Securely accessing webservices from Silverlight using the current users identity without requiring the user to re-login in in the Silverlight application.
Providing a secure way for third party applications to access the same webservices the same users credentials, ideally with out using ASP.NET Forms Authentication.
Additional details and limitations:
This application is hosted in Azure.
We would rather NOT use RIA Services if at all possible.
Solutions Under Consideration:
I think that if the webservices are part of the same MVC site that hosts the Silverlight application then forms authentication should probably "just work" from Silverlight based on the users forms auth cookies. But this seems to rule out the possibility of hosting the webservices seperately (which is desirable in our scenario).
For third-party access to the web services I'm guessing that seperate endpoints with a different authenication solution is probably the right answer, but I would rather only support one version of the services if possible...
Questions:
Can anybody point me towards any sample applications that implements something like this?
How would you recommend implementing this solution?
You can extend WCF to use Membership as authencation store and reuse the FormsAuth Cookie (send by the MVC site) to the browser by the Silverlight app.
I would recommend using an STS with Windows Identity Foundation so you can have your app use claims identity and then change authentication outside the app. For third party you can use Windows Azure Access Control Service (ACS). We are updating our guidance on this and you can look at the new code to show you how to do this at our codeplex site. The original book is available at Amazon. I would focus on the updated guide because it has ACS has websites and an active client talking to WCF. The client is WPF but it would similar for Silverlight.