Authenticating MVC 5 application using third party other than social networks - asp.net-mvc

I have an MVC 5 application using ASP.NET Identity for authentication, which works fine.
I want my MVC 5 application to use authentication from an already existing application with traditional ASP.NET authentication.
I want the existing traditional ASP.NET authentication application to be used as single sign-on, and the MVC application to use the auth cookie.

Sure you can.
You can create your own custom ApplicationUser (IdentityUser) and also create your own UserStore that implements the IUserStore interface.
Just check out the default ApplicationUserManager: in the first line of the Create function you will see that the ApplicationManager gets constructed with a new UserStore. There you can plug in your custom User & UserStore.
Here is some good info.
http://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity

I believe you should be able to use the old FormsAuthentication module in MVC5 application.
http://joeylicc.wordpress.com/2013/07/15/forms-authentication-in-asp-net-mvc/
Just make sure to redirect unauthorized requests to your original login page.

Related

Additional custom logic after cookie authentication - aspnet identity, MVC5

I'm implementing ASP.NET Identity in my MVC5 project. I have configured my project to use cookie authentication, form authentication and external authentication (Facebook and Google). Everything works fine.
Now I have a requirement to log whenever a user logs in to the system, and I need to do some further logic. For the form authentication and external authentication I have a controller action where I can add my logic. However, for the case where the user just comes back to the system via cookie, how do I handle it?
I'm sure there's a better way to handle this, but a basic method would be to track all activity by the user, and then use timestamps to determine when a user was last active on your site.
Discussed here: Track user activity/actions for an asp.net mvc website?
OnExecuting filters here: https://msdn.microsoft.com/en-us/library/gg416513%28VS.98%29.aspx
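One way to apply the timestamp approach from the answer above with an MVC action filter, as an added example that is not code from the original thread. The class name `ReturningUserAuditFilter`, the `MarkInteractiveLogin` helper, the 30-minute idle gap and the in-memory store are all assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Diagnostics;
using System.Web.Mvc;

public class ReturningUserAuditFilter : ActionFilterAttribute
{
    // Assumption: in-memory store for illustration; use a database or shared
    // cache when more than one web server handles requests.
    private static readonly ConcurrentDictionary<string, DateTime> LastSeen =
        new ConcurrentDictionary<string, DateTime>(StringComparer.OrdinalIgnoreCase);
    // Assumption: 30 minutes without a request counts as a new visit.
    public static readonly TimeSpan IdleGap = TimeSpan.FromMinutes(30);

    // Call from the form and external login actions so that an interactive
    // login is not also reported as a cookie return on the next request.
    public static void MarkInteractiveLogin(string userName)
    {
        LastSeen[userName] = DateTime.UtcNow;
    }

    // Decision logic kept free of HttpContext so it can be unit tested.
    public static bool IsNewVisit(DateTime? lastSeenUtc, DateTime nowUtc)
    {
        return lastSeenUtc == null || nowUtc - lastSeenUtc.Value > IdleGap;
    }

    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        var http = filterContext.HttpContext;
        var name = http.User == null ? null : http.User.Identity.Name;
        if (!string.IsNullOrEmpty(name) && http.User.Identity.IsAuthenticated)
        {
            var now = DateTime.UtcNow;
            DateTime seen;
            var last = LastSeen.TryGetValue(name, out seen) ? seen : (DateTime?)null;
            if (IsNewVisit(last, now))
            {
                // Never log the cookie value; strip CR/LF so a name cannot forge log lines.
                Trace.TraceInformation("cookie-return user={0} ip={1} utc={2:o}",
                    name.Replace("\r", "").Replace("\n", ""),
                    http.Request.UserHostAddress, now);
                // Further per-visit logic goes here.
            }
            LastSeen[name] = now;
        }
        base.OnActionExecuting(filterContext);
    }
}
```

Registering the filter globally (for instance in `FilterConfig.RegisterGlobalFilters`) makes it run for every controller action, including requests authenticated only by an existing cookie.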

Single Page app using Controller - how to secure with ASP.NET Identity?

I have a single page app that uses a standard Controller (not ApiController) for retrieving all HTML views, which is done via ajax. However, WebApi is utilized using breezejs for the client to talk to the backend database. I am implementing ASP.NET identity security - should I use MVC cookie authentication or bearer token? I need the solution to illustrate a separate login page, and need a clean server side redirect.
Disclaimer
This is a relatively trivial question because it is very specific, and by understanding the difference in authentication between Web API and MVC Controllers this should be fairly straightforward.
Assumptions
Your Web API Project has its own authentication and does not talk to the MVC project to get a session user or anything.
Your ASP.NET MVC Controllers are in a project using forms authentication and storing the user in a session cookie.
When I reference MVC below, you understand these are referencing ASP.NET MVC.
Recommendation
What I would do is have your MVC project use OAuth for authentication and store the user in a cookie in the session that you can set and get. Then your controller actions that serve views can be decorated with the Authorize attribute. This will redirect users to the login page when they try to access a view they are not allowed to (as long as that is set up in your web.config).
For the Web API Project you can't rely on Session because it sounds like you are decoupling the two projects. This is my recommendation -
When your user is successfully authenticated in your MVC Project make a request to the Web API to an open log in method. This would do some logical test and then either store the user in the DB with a session token of some sort or automatically write the user to the DB.
Now your user that is stored in session in your MVC project you can pass that down to the client and append it to the Breeze calls to your Web API and use that for authentication. You will need to explicitly set up how long that token is for and such but it is pretty easy to append this to the Breeze.js call like such -
var query = breeze.EntityQuery.from('myService').withParameters({'tokenId': thisTokenId});
Now your queries will hit the API with a tokenId parameter that it can use for authentication.
Edit
If you want to set up your ASP.NET MVC Project to use OAuth you can follow along with this link -
http://www.asp.net/mvc/tutorials/security/using-oauth-providers-with-mvc
Remember that forms based authentication just means (in a nutshell) that you will provide the user some way of logging in with a form of some sort.
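A sketch of the server side of the session token described in the answer above: issuing it, giving it an explicit lifetime, and checking the `tokenId` the Breeze call sends. This is an added example, not code from the original answer; `ApiTokenStore` and its members are hypothetical names, and the in-memory dictionary stands in for the database the answer mentions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class ApiTokenStore
{
    private sealed class Entry { public string UserName; public DateTime ExpiresUtc; }
    // Assumption: in-memory map for illustration; the answer stores this in the DB.
    // Only a hash of each token is kept, so a leaked table holds no usable tokens.
    private readonly ConcurrentDictionary<string, Entry> _tokens =
        new ConcurrentDictionary<string, Entry>(StringComparer.Ordinal);
    private readonly TimeSpan _lifetime;
    public ApiTokenStore(TimeSpan lifetime) { _lifetime = lifetime; }

    // Called by the Web API login method once the MVC project has authenticated the user.
    public string Issue(string userName, DateTime nowUtc)
    {
        var bytes = new byte[32]; // 256 bits from the OS CSPRNG, not Guid or Random
        using (var rng = RandomNumberGenerator.Create()) { rng.GetBytes(bytes); }
        // URL-safe Base64 so the value survives being sent as a query parameter.
        var token = Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
        _tokens[Hash(token)] = new Entry { UserName = userName, ExpiresUtc = nowUtc + _lifetime };
        return token;
    }

    // Returns the user name for a live token, or null if unknown or expired.
    public string Validate(string token, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(token)) return null;
        var key = Hash(token);
        Entry entry;
        if (!_tokens.TryGetValue(key, out entry)) return null;
        if (nowUtc < entry.ExpiresUtc) return entry.UserName;
        _tokens.TryRemove(key, out entry); // expired: remove the stale entry
        return null;
    }

    // Call on logout so the token stops working before its expiry.
    public void Revoke(string token)
    {
        Entry removed;
        if (!string.IsNullOrEmpty(token)) _tokens.TryRemove(Hash(token), out removed);
    }

    private static string Hash(string token)
    {
        using (var sha = SHA256.Create())
            return Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(token)));
    }
}
```

A token sent as a query parameter is written to web server and proxy logs, so keep the lifetime short, require HTTPS, and call `Revoke` on logout.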

OAuth security for calling Controllers using Attributes?

Is there any way that you can, let's say, use OAuth in MVC and enable access to a controller using attributes, like in the validation process?
Let's say I have
public class myownController : Controller
{
    [LoginRequired]
    public ActionResult Index()
    {
        // This can be accessed only if the user is logged in.
        return View();
    }
}
If you're using ASP.Net MVC 4 this should be built in using the default AuthorizeAttribute. If not I'd recommend manually integrating the standard Forms Authentication mechanisms with your chosen OAuth provider. Take a look at ASP.NET MVC Authentication - Customizing Authentication and Authorization The Right Way
Since you are using ASP.Net MVC 4, I'd highly recommend reading SimpleMembership, Membership Providers, Universal Providers and the new ASP.NET 4.5 Web Forms and ASP.NET MVC 4 templates. There are significant changes available in MVC 4 that make the entire Membership and OAuth really easy.

MVC authentication and authorization

I am using MVC 4 and am using Forms authentication. I have heard that MVC has its own implementation of authentication and authorization but am not sure what it is and how to use it. What is MVC's implementation called and is it easy to migrate from forms to use it instead?
The answer is. Sort of.
MVC (versions 1-3) used standard Membership databases and Forms Authentication. MVC 4 uses standard Forms Authentication as well, but uses a system called WebSecurity to access its membership system. WebSecurity was created for the WebMatrix project and MVC 4 has adopted its use in the default templates.
You can still use the standard Membership system if you want, however WebSecurity (and in particular SimpleMembership) allows greater customization of the data.
MVC also can be configured in several ways for authorization. You can use the older web.config method, or you can use AuthorizationFilters such as the [Authorize] attribute. This still uses FormsAuthentication, however under the covers, it's just a way to configure the use of it.

ASP.NET MVC + LiveID --> should I use the Membership provider & Account controller?

I'd like to use LiveID on an ASP.NET MVC site. Should I still use the ASP.NET Membership provider? How about the default MVC Account controller? I have things working without either, but:
Using the Membership controller lets me see when a user last logged in.
Using the Account controller makes setting authentication cookies a bit easier.
Thoughts?
Answered here before, Peter Bromberg has a nice sample. You would still use the Membership provider albeit as a custom provider.
