MVC authentication and authorization - asp.net-mvc

I am using MVC 4 and am using Forms authentication. I have heard that MVC has it's own implementation of authentication and authorization but am not sure what it is and how to use it. What is MVC's implementation called and is it easy to migrate from forms to use it instead?

The answer is. Sort of.
MVC (versions 1-3) used standard Membership databsaes and Forms Authentication. MVC 4 uses standard Forms Authentication as well, but uses a system called WebSecurity to access it's membership system. WebSecurity was created for the WebMatrix project and MVC 4 has adopted it's use in the default templates.
You can still use the standard Membership system if you want, however WebSecurity (and in particular SimpleMembership) allows greater customization of the data.
MVC also can be configured in several ways for authorization. You can use the older web.config method, or you can use AuthorizationFilters such as the [Authorize] attribute. This still uses FormsAuthentication, however under the covers, it's just a way to configure the use of it.

Related

Create and set the same structure and vales Cookie as the one created by FormsAuthentication.SetAuthCookie

I have an application ASP.NET Core 2.1 and I want to create a cookie like a cookie created by FormsAuthentication.SetAuthCookie of ASP.NET MVC 4.5. Is It possible?
In the MVC I have this:
// some data put into Session like this, Session("FirstName") = objUser.FirstName
FormsAuthentication.SetAuthCookie(objUser.UserName, False)
What you're asking isn't strictly possible. Even if you could get the two cookies to look the same, they'd be encrypted differently, such that one site wouldn't be able to read the cookie set by another.
That said, the ability does technically exist to share cookies between ASP.NET Core and ASP.NET MVC. However, it requires the ASP.NET MVC project to switch to using the Data Protection API, versus the old-school machineKey encryption. The ASP.NET Core docs have more information.
Even with that, though, it's not going to work with FormsAuth (which uses ASP.NET Membership). You'd need to also update your MVC project to utilize ASP.NET Identity. Again, consult the documentation.

Kentico 11 MFA in MVC

We are looking to utilize Multi Factor Authentication in a custom MVC App which connects to Kentico. I want to ensure i'm getting the right direction, is this the starting point: https://docs.kentico.com/k11/managing-users/user-registration-and-authentication/configuring-multi-factor-authentication#Configuringmulti-factorauthentication-Customizingmulti-factorauthentication
can we leverage the Kentico API to utilize the MFA functionality or do we have to write our own?
Given, the fact that Kentico MVC memebership is built on a good part on ASP.NET Identity it seems easier, to actually implement this with NET Identity.
Kentico MVC package is available on github for review. Package implements a user store in which Kentico (application) users are loaded per request and this store manages their authentication.
Store implements IUserTwoFactorStore which means store can be used with above idenity for multi factor authentication. It also has a retrieval method:
GetTwoFactorEnabledAsync
while SetTwoFactorEnabledAsync throws NotImplemented exception. Meaning you can have users stored and managed within Kentico backend and you can enable MF authentication for them via administration interface, while you can use .NET methods to have MF authentication on MVC site.
It seems easier than to actually reference Kentico DLLs for MF authentication in MVC project.

authenticating MVC 5 application using Third part other then Social networks

I got MVC 5 application Using asp.net identity for authentication works fine.
I want my MVC 5 application to use authentication from an already existing application with Traditional Asp.net authentication
I want Existing Traditional Asp.net authentication application to be used as single Sign-on and mvc application to use auth cookie
Sure you can.
You can create your own custom ApplicationUser (IdentityUser) and also create your own UserStore that implements the IUserStore interface.
Just check out the default ApplicationUserManager in the first line of the Create function you will see that ApplicationManager get constructed with a new UserStore. There you can plug in your custom User & UserStore.
Here is some good info.
http://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity
I believe you should be able to use the old FormsAuthentication module in MVC5 application.
http://joeylicc.wordpress.com/2013/07/15/forms-authentication-in-asp-net-mvc/
Just make sure to redirect unauthorized requirest to your original login page.

OAuth security for calling Controllers using Attrubutes?

Is there anyway, that you can lets say use OAuth in MVC and enable acces to a controller using Attributes like in validation process.
Lets say i have
public class myownController
{
[LoginRequired]
public ActionResult Index(){
//this can be accesed only of the user is logged in.
}
}
If you're using ASP.Net MVC 4 this should be built in using the default AuthorizeAttribute. If not I'd recommend manually integrating the standard Forms Authentication mechanisms with your chosen OAuth provider. Take a look at ASP.NET MVC Authentication - Customizing Authentication and Authorization The Right Way
Since you are using ASP.Net MVC 4, I'd highly recommend reading SimpleMembership, Membership Providers, Universal Providers and the new ASP.NET 4.5 Web Forms and ASP.NET MVC 4 templates. There are significant changes available in MVC 4 that make the entire Membership and OAuth really easy.

Asp.net mvc4 authentication through WCF

I have a requirement for project to build a ASP.NET MVC4 (razor engine) "Front-end" and a WCF service as "backend" (with a sql server 2012 database).
A requirement is to login, register etc. I want to put this logic in the backend, but in the front-end I would like to make use of the [AllowAnonymous] and the logic to authenticate a user with roles (for example use of formauthentication, webmatrix.WebSecurity, Membership provider?).
Is it possible to realize? Do I have to create a login and register (and roles etc.) features by myself? Or can I use a built-in features/libraries of the ASP.NET MVC or WCF? Or both?
Could you give some examples/suggestions/tutorials to realize this?
Thanks in advance
I think this should work for you:
http://msdn.microsoft.com/en-us/library/bb386582.aspx
Edit: To elaborate you can use custom logic for WCF authentication including calling the ASP.NET membership providers which should work fine with MVC and the security attributes you mentioned.
Or is the WCF service on another server and you want to call from your ASP.NET controller to your WCF service for authentication? This is a bit more complex, but you should be able to do it by implementing your own Membership provider.
Depending on the scenario you can reuse some or all of the login and register views that come with MVC.
Edit: In the second scenario here are some pointers that might help:
http://singlesignon.codeplex.com/ - Seems to be what you need, but I didn't check out the code.
Custom membership that uses web service for authentication - No code, but it confirms that it should work.

Resources