I have a requirement where I have a Client application i.e (MVC Application) and Identity Server 4 application where I need to authenticate the users from MVC application.
Now I am able to authenticate the In Memory static users as well as AspNetIdentity users with Identity Server 4.
But how can I use my custom database with Identity Server 4 to authenticate users.
e.g I have a table with following columns:
UserName, Password, Role, IsActive
I want to authenticate the users from this table with Identity Server 4.
Please help me out with this.
Thanks,
Naveen
It is pretty much up to you how you do it. Your controllers responsible for handling the login interactions need to have the required dependencies injected into their instances. So you can imagine injecting your own IUserService, or IUserRepository, or IUserStore to do this. And then you can implement an IProfileService based off those interfaces as well.
Related
I have an intranet application with Windows Authentication. And I want to have a database table that contains the allowed users that can access the application.
I want to get the username after someone try to log into (successfully, thinking about the user existence into domain), to check if it is present into database to allow the access, besides that, redirect to a static HTML saying he can't access the application.
How can I achieve something like that?
And about the [Authorize], User Roles that ASP.NET Identity provides can be used in Windows Authentication mode to solve this problem?
I have an application consisting of (simplified) 3 parts:
an Security-Token-Service (handling OAuth2 and OpendId-Connect) with its own seperated database (actually it's Identity Server 4 with ASP.NET Core Identity)
an API (with a seperated database)
and a SPA communicating with the API
Now the problem is that the database of the STS holds the user data and in the API-DB there is also a table user-accounts with the work-load-data for each user.
Currently I create the API-DB user-account on the first login of the user. Which works.
I am just wondering if there is a protocol (extension) defining a way to sync created/deleted users between an STS and other server applications.
Might be worth having a read of this and evaluating whether it fits your use-case:
https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management
Looking for a bit of advice regarding best practice regarding multiple user stores.
Currently I have Identity Server 3 set up using a factory method to connect to an Asp.Net Identity V2 user store.
I have two MVC Relying Party applications, both using OWIN to pass un-authenticated requests to the Identity Server.
Within Identity Server, both RP client applications are set up using Hybrid flow.
Now my question:
I want to have the Identity Server use mutiple user stores (in my case, we have users authenticating via our Identity V2 Store and also via ADFS)
I'm not sure how to detect or tell the which kind of user is connecting to the RP client application, and I'm not sure how to pass this information to Identity Server so that it can make a decision on which user store to use.
Any help greatly appreciated.
I have an app that uses my own membership system. It uses ASP.NET MVC 3 which I'm updating to ASP.NET MVC 5. It's not possible to change the membership to use a new one like ASP.NET Identity. But, for the authentication side, do you think it is a good idea to replace my auth-ticket system with OWIN.Security? Are there any traps that I should know about?
The Katana security middleware is independent from ASP.NET Identity. You can use them both or just one.
There are some cases where it makes very good sense to use just the Owin/Katana middleware, but not involve aspnet identity.
I just rolled up a prototype webforms application using OpenID Connect against an Azure Domain. My domain is Federated with an on-prem ADFS. By the time I got OpenID Connect and the GraphAPI working, I realized that I didn't really need much from aspnet identity.
I use the GraphAPI to grab extra info about the user and their group memberships, and I am adding that info as claims on the user principal... my site's code can operate against just the information in the claims.
Of course, if you want to do any custom profile or role stuff in your application, it probably makes sense to link it to aspnet identity too.. create an aspnet identity user when a new user authenticates, map that user's AD groups to roles, etc. Then you can manage application specific data for the user directly in the application via aspnet identity, while relying on Azure AD for the core authentication, basic profile, and group/role assignments.
I'm working on an MVC4 site using SimpleMembership to handle user accounts and role based authentication. We have another site and we'd like to implement a single sign on system allowing users from the existing site to log in to the one I am building. What would be the best way to achieve this and hopefully leverage to the existing roles based authorization I'm using on the MVC4 site. Is it possible to have multiple membership providers (i.e. use the built in one and if the user is not found, attempt to authenticate via a custom provider that I'll write (once I work out how!). Or would it be better to abandon the built in membership/roles and roll my own?
I also thought of letting WebSecurity check the local database and if the user is not found, query the 2nd database and if the users credentials are valid, create a local account for them. One issue with this approach is if a user called Fred registers on the MVC site, and then a user from the other site called Fred logs in, we couldn't create them a local account with the same username. We could prefix/suffix the username with some text to indicate that they are from the other site but then we lose the single sign on feature.
We will also want to integrate AD authentication for staff in the future.
So essentially I'm looking for the best way to authenticate users from multiple databases and keep using roles based authentication?
I've also done a little digging was wondering if ADFS might be useful for this.
Any help or advice would be greatly appreciated!
I recommend the use of an Identity server to handle all your login request and switching to a claim based authentication instead of a role based authentication if you can.
I personally went with Thinktecture IdentityServer
pluralsight.com have a good course on it.
Thinktecture IdentityServer is build on top of simple Membership and it supports multiple protocol such as
WS-Federation
WS-Trust
OpenID Connect
OAuth2
ADFS Integration
Simple HTTP
I recommend checking it
Good Luck