I have recently started implementing OAuth in an ASP.Net MVC 4 project.
I have written a custom membership provider. All methods are complete in this ExtendedMembershipProvider.
When trying to use the default MVC 4 Account Controller login callback all works fine. The problem I do have is the line that calls:
OAuthWebSecurity.Login(result.Provider, result.ProviderUserId, createPersistentCookie: false))
The above throws a NotImplementedException. This seems weird seeing I know that all my membership methods are complete.
The stack trace shows anything before this code as "external" so i am wondering where the issue lies?
I have a feeling that this is caused by not using a user profile provider. The OAuthWebSecurity methods all seem to attempt to talk to the Profile provider as this is where OAuth information is stored.
I've written my own repository methods to avoid using the OAuthWebSecurity classes, and instead just used the 'result' to pull the info back from DotNetOAuth manually.
Related
This is not like other questions you might find similar. My issue is way bigger.
Scenario:
I have 3 websites. All of them have a common database for authentication and stuff.
Problem is that i will need to expand to 2 more sites, which means more maintenance in login screens and so on. So i will dedicate time to make a "central website" to manage users, access, etc.
Also, Need to implement OpenId for Microsoft Works accounts (ie, Azure tenants).
DDBB User Model: (Simplified)
All users are in the same central database. Which does not contains
anything non-user related.
User is personal on all applications.
Users can have different Roles
Each "User-Role" is mapped to an application, a server and a
database.
Problem:
Created a site in AspNet Core, without any authentication done so I can do it myself since I found that mapping Aspnet Identity tables was no-go because of incopatibilities and overriding is way to complicated, specially when dealing with Managers.
So, Tried and got working a simple Authentication page using HttpContext.Authentication.SignInAsync and CookieAuthentication. Which works well and there is no need to use any of the Identity's implementation (which is not compatible with my backend).
But then I added UseOpenIdConnectAuthentication to have the OpenId auth, but I have no idea how to use it since its suposed to work out of the box when using Identity and when checked documentation they use this code in an controller action: signInManager.ConfigureExternalAuthenticationProperties and I do not have any SignInManager since Im not using Aspnet Identity.
Questions:
Is coping the source of ConfigureExternalAuthenticationProperties to make it work in my site an aceptable solution?
Should I continue to override all SignInManager methods and also probably implement other classes to make Aspnet Identity work with my model?
Tried Mapping the properties to my columns just to test it out and it gave me non debuggable errors, which i dont like to even think about the problems this can give me in the future. For example one error was that it coudnt parse byte[] to string.
How can I implement Microsoft Work Accounts authentication and Database authentication in the same AspNet Site?
Bonus topic
Recently I feel like programming is becoming Configuring instead of coding. Is it just me? Are we now Professional Configurers?
Thanks
I’m using ASP.NET Identity with Forms auth in an MVC6 application, and trying to implement Basic auth for the API endpoints.
I would have thought there’d be a pre-built middleware that does it, but haven’t been able to find it. I’ve had a look at the Filters test website https://github.com/aspnet/Mvc/tree/dev/test/WebSites/FiltersWebSite and I can’t seem to work out what it’s doing/which parts are important.
I’ve tried using the pre-5 approach of manually doing basic auth in an authorizationfilter, but SuppressFormsAuthenticationRedirect seems to be gone, and the CookieAuthenticationHandler keeps redirecting to the login page.
Basic auth is not there by design. Security team is against it. They will probably make a sample later.
you can read a discussion on the issue here : https://github.com/aspnet/Security/issues/209
Since you are targeting IIS, I suggest leveraging IIS for basic authentication. You can drop a web.config file into your wwwroot folder with a section to configure your basic authentication options.
If you want to remain host agnostic, you will need middleware. Here is someones implementation: https://github.com/Kukkimonsuta/Odachi/tree/master/src/Odachi.Security.BasicAuthentication
I am currently developing an ASP.Net MVC web application that requires username and password authentication. I started looking into using ASP.Net Identity for this however I have a very important requirement, the requirement is that the web application itself has no direct access to any databases, all DB Access is to be exposed to the application via an internal REST service. This is due to certain security polices we follow.
I realise that ASP.Net identity is capable of supporting external authentication methods but my question is split into 2 parts.
1) How would I configure ASP.Net Identity to use my custom REST service for authentication?
2) How would I go about developing a service that can be used by Identity for authentication ? (what would need to be returned from the service to ASP.Net Identity)
Any help on this would be most appreciated.
I just did what you are asking about. First, as FPar suggested, you need to implement an IUserStore and pass that to your UserManager. Your custom IUserStore will implement the interface, I used Resharper to generate stubs, but instead of using entity framework, you will use HttpClient to make calls to your REST service.
The REST service will have one action on a controller, I called my identityController, for each of the interface methods you actually need. I implemented the userstore, userloginstore and the rolestore, with code for about 10 calls I actually used. The identitycontroller then is what actually accesses the database.
I also retained the fully async pattern, using async REST calls and Database looks, both with and without entity framework. A shortened version of my data access code is in another question here, regarding IUserLoginStore::AddLoginAsync. In that class I actually used the original entityframework implementation of the user store for part of work, and eventually settled on plain (except for async) ado.net for the parts I couldn't make work that way. The tables are simple enough, using your ORM of choice would not take a lot of time.
Good luck!
You want to implement your own IUserStore and then pass a reference to the UserManager. Look into the Startup and the IdentityConfig files in the standarad ASP.NET MVC with individual user account authentication, to see, how to use them.
You can look here for an IUserStore implementation with entity framework. This is a template, you could start from and change it to your needs. However, you don't have to implement all interfaces, just implement the interfaces, you really need. The UserManager is able to handle that (it throws an exception, if you call a method, that requires an interface, that you don't implement.)
These are two excellent articles on this subject:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
http://www.codeproject.com/Articles/762428/ASP-NET-MVC-and-Identity-Understanding-the-Basics
I got MVC 5 application Using asp.net identity for authentication works fine.
I want my MVC 5 application to use authentication from an already existing application with Traditional Asp.net authentication
I want Existing Traditional Asp.net authentication application to be used as single Sign-on and mvc application to use auth cookie
Sure you can.
You can create your own custom ApplicationUser (IdentityUser) and also create your own UserStore that implements the IUserStore interface.
Just check out the default ApplicationUserManager in the first line of the Create function you will see that ApplicationManager get constructed with a new UserStore. There you can plug in your custom User & UserStore.
Here is some good info.
http://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity
I believe you should be able to use the old FormsAuthentication module in MVC5 application.
http://joeylicc.wordpress.com/2013/07/15/forms-authentication-in-asp-net-mvc/
Just make sure to redirect unauthorized requirest to your original login page.
I have an existing WebForms application and we're now creating a new MVC application. They both authenticate using our own custom provider, using the same database.
I can successfully log in in each application separately using the same credentials, but what I now want is to implement a single-sign on (ie: if the user is already logged in in app1, app2 would automatically detect the user's settings and identify him as being logged in).
I have done my homework and read the references here, here and here, amongst others.
So far I have done the following:
Set the same machineKey on both sites:
Set the same forms auth on both sites:
Despite all of this, I haven't managed to get SSO working. I have managed 'Single-sign off', whereby when the user signs off one site, he's signed off from the other.
Is there anything I'm missing?
I would like a configuration-only solution, that does not require me to do any coding.
I am answering my own question just for closure's sake.
The reason why my my SSO was not working is because the main, existing website has its own cookie and session manager, and does not play by the rules of Forms authentication. It calls
FormsAuthentication.SignOut();
Shortly after login has completed.
I tried the configurations mentioned above with 3 different websites, a mixture of MVC and WebForms, different pipelines (integrated vs classic), with our custom membership provider, and it all worked marvellously.
So the steps defined above should work as long as your application does not do funny things with forms authentication.