I'm working through the example AccountController and trying to implement my own. I'm trying to do OAuth (via GMail) and so I've got it working all the way through ExternalLoginCallback(string). The example does OAuthWebSecurity.Login. When I try to also do that, I get:
You must call the "WebSecurity.InitializeDatabaseConnection" method before you call any other method of the "WebSecurity" class.
After digging in, it appears that InitializeDatabaseConnection uses Entity Framework to configure a database on SQL Server. I'm not using SQL Server (Mongo DB), so I can't use this method. How do I use ServiceStack auth with MVC and no SQL Server?
Related
I am currently developing an ASP.Net MVC web application that requires username and password authentication. I started looking into using ASP.Net Identity for this however I have a very important requirement, the requirement is that the web application itself has no direct access to any databases, all DB Access is to be exposed to the application via an internal REST service. This is due to certain security polices we follow.
I realise that ASP.Net identity is capable of supporting external authentication methods but my question is split into 2 parts.
1) How would I configure ASP.Net Identity to use my custom REST service for authentication?
2) How would I go about developing a service that can be used by Identity for authentication ? (what would need to be returned from the service to ASP.Net Identity)
Any help on this would be most appreciated.
I just did what you are asking about. First, as FPar suggested, you need to implement an IUserStore and pass that to your UserManager. Your custom IUserStore will implement the interface, I used Resharper to generate stubs, but instead of using entity framework, you will use HttpClient to make calls to your REST service.
The REST service will have one action on a controller, I called my identityController, for each of the interface methods you actually need. I implemented the userstore, userloginstore and the rolestore, with code for about 10 calls I actually used. The identitycontroller then is what actually accesses the database.
I also retained the fully async pattern, using async REST calls and Database looks, both with and without entity framework. A shortened version of my data access code is in another question here, regarding IUserLoginStore::AddLoginAsync. In that class I actually used the original entityframework implementation of the user store for part of work, and eventually settled on plain (except for async) ado.net for the parts I couldn't make work that way. The tables are simple enough, using your ORM of choice would not take a lot of time.
Good luck!
You want to implement your own IUserStore and then pass a reference to the UserManager. Look into the Startup and the IdentityConfig files in the standarad ASP.NET MVC with individual user account authentication, to see, how to use them.
You can look here for an IUserStore implementation with entity framework. This is a template, you could start from and change it to your needs. However, you don't have to implement all interfaces, just implement the interfaces, you really need. The UserManager is able to handle that (it throws an exception, if you call a method, that requires an interface, that you don't implement.)
These are two excellent articles on this subject:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
http://www.codeproject.com/Articles/762428/ASP-NET-MVC-and-Identity-Understanding-the-Basics
I have a single page app that uses a standard Controller (not ApiController) for retrieving all HTML views, which is done via ajax. However, WebApi is utilized using breezejs for the client to talk to the backend database. I am implementing ASP.NET identity security - should I use MVC cookie authentication or bearer token? I need the solution to illustrate a separate login page, and need a clean server side redirect.
Disclaimer
This is a relatively trivial question because it is very specific and by understanding the difference in authentication between Web API and MVC Controllers this should be fairly straight forward.
Assumptions
Your Web API Project has it's own authentication and does not talk to the MVC project to get a session user or anything
Your ASP.NET MVC Controllers are in a project using forms authentication and storing the user in a session cookie.
When I reference MVC below you undertand these are referencing ASP.NET MVC
Recommendation
What I would do is have your MVC project use OAuth for authentication and store the user in a cookie in the session that you can set and get. Then your controller actions that serve views can be decorated with the Authorize attribute. This will redirect users to the login page when they try to access a view they are not allowed to (as long as that is set up in your web.config
For the Web API Project you can't rely on Session because it sounds like you are decoupling the two projects. This is my recommendation -
When your user is successfully authenticated in your MVC Project make a request to the Web API to an open log in method. This would do some logical test and then either store the user in the DB with a session token of some sort or automatically write the user to the DB.
Now your user that is stored in session in your MVC project you can pass that down to the client and append it to the Breeze calls to your Web API and use that for authentication. You will need to explicitly set up how long that token is for and such but it is pretty easy to append this to the Breeze.js call like such -
var query = breeze.EntityQuery.from('myService').withParameters({'tokenId': thisTokenId});
Now your queries will hit the API with a tokenId parameter that it can use for authentication.
Edit
If you want to set up your ASP.NET MVC Project to use OAuth you can following along with this link -
http://www.asp.net/mvc/tutorials/security/using-oauth-providers-with-mvc
Remember that forms based authentication just means (in a nutshell) that you will provide the user some way of logging in with a form of some sort.
My web database server is being moved from the DMZ to the company LAN (don't ask why!). The downside of this is that my MVC 4 website is now gonna have to talk to an app server with web services (or web api) to get to the database. This isn't a major headache for most of my stuff, but I'm using the SimpleMembershipProvider for user authentication and that seems to need direct access to the database.
Is there any way to get SimpleMembership to talk to a web service or do I have to use a custom membership provider instead ?
I'm faced with the same situation, and while I haven't written or tested the code yet, I'll be writing a class to inherit from SimpleMembershipProvider and overriding the methods to call methods from the service (web api).
Is this the approach you ended up using?
I have recently started implementing OAuth in an ASP.Net MVC 4 project.
I have written a custom membership provider. All methods are complete in this ExtendedMembershipProvider.
When trying to use the default MVC 4 Account Controller login callback all works fine. The problem I do have is the line that calls:
OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
The above throws a NotImplementedException. This seems weird seeing I know that all my membership methods are complete.
The stack trace shows anything before this code as "external" so i am wondering where the issue lies?
I have a feeling that this is caused by not using a user profile provider. The OAuthWebSecurity methods all seem to attempt to talk to the Profile provider as this is where OAuth information is stored.
I've written my own repository methods to avoid using the OAuthWebSecurity classes, and instead just used the 'result' to pull the info back from DotNetOAuth manually.
All,
I have a ASP.NET Web API project that is making a REST call to my service layer in another project. The service project's data access is via Entity Framework 4.3. The connection string in the web.config files is set to use Integrated Security.
What is happening is, the name of the server, "server A", is being passed to the service layer, and failing authentication against SQL Server. There isn't a user account named "server A."
More specifically this is what the architecture looks like
jquery file making an api controller via POST to a method within the API controller
API controller method references the service layer DLL, and calls a method within the service class
The service class is calling a method in a repository class that uses DbContext to connect to SQl Server 2008 table.
Is there something specific I need to be doing when using the Web API framework in order to pass the correct user name down to EF?
Any help would be appreciated.
Derek
The problem is double hop impersonation. You can read about it by this link.
But i'm not sure that such impersonation is possible via REST. I recommend you use database via special account, not integrated security.