I want to seed some user profile data in an ASP.NET MVC 4 application so that I can run some (browser) automated UI tests (for secured areas of the application).
I don't want to store any passwords so I'm only using external OAuth/OpenID authentication providers, e.g. Google.
Is there any reason not to include my Google OpenID URL in a data seed method (which will be committed to a public GitHub repository)? Should the ProviderUserId field (in the webpages_OAuthMembership table by default) be kept private/secret?
Are there any better approaches to UI testing a public MVC 4 internet application that only uses external authentication providers?
Related
Basically, I have 2 sets of projects, 1 contains the Web API Services and the other is the Web Portal which extracts data from the database through the API. However, following the set-up of ASP.Net Identity, the login process is all client-side. Is there any way where I can shift the Identity login to be performed through the API rather than having it directly connecting to my database?
I've tried installing Identity onto the API itself, but I'm also unclear how it is able to authenticate the user even if I pass the data to it.
On IIS I have a login website which is used to get credentials from user and authenticate him. Authentication is done through:
FormsAuthentication.SetAuthCookie
Login application is written in asp.net webapplication.
Now there is another .NET CORE mvc web application which will sit as a child web application to this login website and needs to authenticate through login application.
By default child web application does not comes under login page.
How I can put this web application to use login from parent website?
HttpContext.User.Identity.IsAuthenticated in mvc core child application returns false and can't read logged in user.
You cannot. Traditional web-based auth and specifically FormsAuth utilizes cookies to persist the login state. Cookies are domain-bound, and auth cookies are also encrypted. You can only access the cookie in the first place if both apps are on the same domain, and even then, one can only read it if they can both encrypt and decrypt in the same way. The method of encryption has changed between ASP.NET and ASP.NET Core, so that's out of the window off the bat. ASP.NET used machine keys whereas ASP.NET Core utilizes the Data Protection API.
There's one minor exception, in an ASP.NET MVC 5 site, you can utilize the Data Protection API, through its support of OWIN. The two apps, then, can be made to encrypt/decrypt in the same way. However, by the very fact that you're using FormsAuth means that you cannot achieve this. FormsAuth can only use machine keys, so you'd have to migrate the legacy app to using ASP.NET Identity at the very least, first.
I have a C# MVC 5 website that will be called from a legacy 3.5 asp.net application that has performed all the pre-authentication of users. The idea is that the legacy app will generate a "token" (guid) with a matching database entry containing all relevant user information. The token will be passed to the MVC site via the url.
The MVC application needs to authenticate the user via the token received in the querystring and validate via the same database entry (the token will only remain valid for a very short period - say 60 seconds) with that expiry being stipulated and controlled at the database. Once the user is authenticated the user access should be maintained for a given time. I am open to using readonly session state and having access for life of the session or alternatively open to suggestions for handling expiry some other way.
I'm not particularly well versed in aspects of security for .NET having only really used "standard" forms authentication in .NET ASP and even less familiar with MVC.
The closest thing I've found to this concept is the below thread however there is simply not enough detail in the solution for someone with my lack of knowledge / experience to implement, also it's fairly old so may be outdated?
Authenticating users with auth token in query string with ASP.NET MVC
I have an application consisting of (simplified) 3 parts:
an Security-Token-Service (handling OAuth2 and OpendId-Connect) with its own seperated database (actually it's Identity Server 4 with ASP.NET Core Identity)
an API (with a seperated database)
and a SPA communicating with the API
Now the problem is that the database of the STS holds the user data and in the API-DB there is also a table user-accounts with the work-load-data for each user.
Currently I create the API-DB user-account on the first login of the user. Which works.
I am just wondering if there is a protocol (extension) defining a way to sync created/deleted users between an STS and other server applications.
Might be worth having a read of this and evaluating whether it fits your use-case:
https://en.wikipedia.org/wiki/System_for_Cross-domain_Identity_Management
We have a multiple applications under one domain, and every application is built in asp.net mvc. Currently single sign on is facilitated using forms authentication, shared machine key. All applications are on same server for now.
For one our new application we considering asp.net core with framework option. We have an Accounts application which handles authentication(login/logout) for existing application. And we have build STS, using Identity Server3 into the same application.
www.mydomain/Accounts
www.mydomain/app1
www.mydomain/app2
www.mydomain/asp.netcoreApp1
The new test asp.net core application(client) using openIdConnect communicates with STS, Identity Server3 and is working fine.
Challenge: Have to facilitate single sign on between existing applications, which uses Forms Authentication, and new Asp.Net Core.
Operational/Environment Facts:
All applications are on same machine.
Access to machine key.
On navigation from app1 to asp.net core cookies are available in Request header.
Problem Scenarios:
If user successfully logins to app1 and navigates to asp.net core the user has to logon again for authorized access. No issue with anonymous access.
Similar to #1 vice versa case.
If user logout in any one of the application then user should be log out from all the applications.
Since test application built using Asp.net core with framework option, will FormsAuthentication be compatible? direct me to documentation or code snippet?
Please share your ideas.