Custom Profile Provider new MVC 4 template with Dotnetopenauth - asp.net-mvc

How do you now configure the membership, profile and role manager using the new MVC template with DotNetOpenAuth enabled? I don't see the configurations in the web.config so how do you now implement a custom profile provider?

With the new MVC4 template, it is very relevant. Instead of using a specified ProfileProvider:Profilebase, all authentication is handled by OAuth and Webmatrix.Security. Out of the box, it doesn't look like there is any support for extending Profilebase. Instead it looks like you will have to create your own table to hold any custom profile attributes. Take a look at this: http://www.asp.net/web-pages/tutorials/security/16-adding-security-and-membership.

See the solution for MVC 4 and built in oauth support/discussion:
See for plugging custom OAuth/OpenID providers.

MSDN has a detailed article explaining how to implement a profile provider. All that you would need to do differently is plug in DotNetOpenAuth.

Profile and role managers are independent of the mechanism used to authenticate the user and are therefore irrelevant to DotNetOpenAuth. Only the Membership provider would be impacted by your use of DotNetOpenAuth, and this question has been asked and answered.

Related

Asp.NET Core Authorization from database

We are starting a new ASP.NET Core web site and the customer would like to handle the authorization using the database. So they want to configure custom roles and the actions to be configured in the database.
I have been trying to find an example or something to help me implement this, but could not find one. Can this be achieved using the Authorize attribute from the framework, or does a custom filter need to be implemented?
EDIT:
I should probably mention that the application is an intranet, so Windows Authentication is used for authentication.
Short answer: Yes.
Long answer...
This can all be achieved from the database. You can configure it using existing methods with Identity, and from there create all the custom roles and even policies that you want to have and be able to assign, to each user individually or via roles. The Authorize attribute will work just fine with cookies. My only recommendation is that you try not to handle security yourself but let the framework handle this for you.
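An added example, not part of the original answer: because the question's edit says Windows Authentication is in use, this sketch uses ASP.NET Core's `IClaimsTransformation` (rather than the Identity stores the answer mentions) to attach database-defined roles to the authenticated principal. `IRoleLookup` and the marker claim type are hypothetical names introduced for illustration.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

// Hypothetical abstraction over the customer's role tables (not a framework type).
public interface IRoleLookup
{
    Task<IReadOnlyCollection<string>> GetRolesAsync(string accountName);
}

// Adds database-defined roles to the Windows-authenticated principal so that
// [Authorize(Roles = "...")] and RequireRole policies work without a custom filter.
// Register with: services.AddTransient<IClaimsTransformation, DbRoleClaimsTransformation>();
public sealed class DbRoleClaimsTransformation : IClaimsTransformation
{
    // Constructed marker claim type used to make the transformation idempotent.
    private const string Marker = "urn:example:db-roles-loaded";
    private readonly IRoleLookup _roles;

    public DbRoleClaimsTransformation(IRoleLookup roles) => _roles = roles;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Fail closed: an unauthenticated or unnamed caller gets no database roles.
        var name = principal.Identity?.Name;
        if (principal.Identity?.IsAuthenticated != true || string.IsNullOrEmpty(name))
            return principal;

        // The framework may call TransformAsync more than once; add roles only once.
        if (principal.HasClaim(c => c.Type == Marker))
            return principal;

        // Roles go into a separate identity, leaving the Windows identity untouched.
        var dbIdentity = new ClaimsIdentity("Database", ClaimTypes.Name, ClaimTypes.Role);
        dbIdentity.AddClaim(new Claim(Marker, "true"));
        foreach (var role in await _roles.GetRolesAsync(name))
            dbIdentity.AddClaim(new Claim(ClaimTypes.Role, role));

        principal.AddIdentity(dbIdentity);
        return principal;
    }
}
```

The lookup runs on each authenticated request, so a role removed in the database stops applying immediately; any caching added inside `IRoleLookup` trades that for a revocation delay.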

Kentico 9 - separate MVC application - authentication

What is the recommended approach to using Kentico user roles and authentication/authorization using Kentico 9, MVC stand alone application?
Is it possible to use the Kentico role attributes for controller methods?
What part of the API is used to authenticate and check authentication in this scenario?
It looks to me like this is not yet possible, and I am about to roll my own solution.
It's not officially supported (yet). You can see list of supported and unsupported features (for new Kentico9 MVC) here.
Of course you can still use Kentico API (Membership library) to make your own auth logic which fits your needs.
Not sure if it will work (I don't know how much MVC supports the old providers), but you may try to use the same membership and role provider configuration in your web.config as for the admin application.
Kentico 10 will provide validated membership features through a brand new identity provider.
Try this:
    [Authorize(Roles="somerole")]
    public ActionResult Index()
    {
        return View(viewModel);
    }
This works perfectly in my tests... I'm using forms authentication.

Create Custom STS service

I'm looking at the capabilities of WIF in terms of SSO. Actually we have a "legacy" users & rights management database under SQL Server and we'd like to build a brand new SSO system on top of this existing database.
In many tutorials I found, they talk about using an existing STS like ADFSv2 for Active Directory authorization, but it did not fit my needs because my users/rights are not exposed through AD but in a custom, specific business-oriented SQL Server database.
So, I think I need a custom Security Token Service in order to be able to emit my own custom tokens, but I don't know how to do this.
I need some little help or an example about how to achieve this.
Thank you
You can find an STS example in the WIF SDK. It contains an example with a custom token. Look here
I have seen more detailed information about SSO in the book 'Programming Windows Identity Foundation'
You can build your own Custom Security Token Service leveraging the underlying SQL Server database. You will have to define your scopes and Claims that need to be shared after the user does a Single Sign On. Here are some links to articles below that have helped me build mine. I am pretty sure by following the below links you will be able to build a custom STS catering to your needs.
WIF : http://chris.59north.com/post/Building-a-simple-custom-STS-using-VS2012-ASPNET-MVC
http://www.primaryobjects.com/2013/08/08/using-single-sign-on-with-windows-identity-foundation-in-mvc-net/
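An added sketch of the two overrides such a custom STS needs, assuming WIF as shipped in .NET 4.5 (`System.IdentityModel`); it is not code from the linked articles. The relying-party allowlist, the `LegacyRights` connection string name and the `UserRights` table and columns are hypothetical.

```csharp
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.IdentityModel;
using System.IdentityModel.Configuration;
using System.IdentityModel.Protocols.WSTrust;
using System.Security.Claims;

public class SqlBackedTokenService : SecurityTokenService
{
    // Constructed allowlist of relying parties: realm -> fixed reply URL.
    private static readonly Dictionary<string, string> RelyingParties =
        new Dictionary<string, string> { { "https://rp.example.test/", "https://rp.example.test/signin" } };

    public SqlBackedTokenService(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(ClaimsPrincipal principal, RequestSecurityToken request)
    {
        // Issue tokens only to known relying parties, and send them to the configured
        // reply URL rather than to an address taken from the request.
        string realm = request.AppliesTo?.Uri?.AbsoluteUri;
        if (realm == null || !RelyingParties.TryGetValue(realm, out string replyTo))
            throw new InvalidRequestException("Unknown relying party.");
        return new Scope(realm, SecurityTokenServiceConfiguration.SigningCredentials)
        {
            ReplyToAddress = replyTo,
            TokenEncryptionRequired = false // assumption: the token travels over TLS only
        };
    }

    protected override ClaimsIdentity GetOutputClaimsIdentity(
        ClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        string user = principal.Identity.Name;
        var identity = new ClaimsIdentity();
        identity.AddClaim(new Claim(ClaimTypes.Name, user));
        // Hypothetical connection string name, table and columns for the legacy rights database.
        string cs = ConfigurationManager.ConnectionStrings["LegacyRights"].ConnectionString;
        using (var conn = new SqlConnection(cs))
        using (var cmd = new SqlCommand("SELECT RightName FROM UserRights WHERE UserName = @user", conn))
        {
            cmd.Parameters.AddWithValue("@user", user); // parameterized, never concatenated
            conn.Open();
            using (var reader = cmd.ExecuteReader())
                while (reader.Read())
                    identity.AddClaim(new Claim(ClaimTypes.Role, reader.GetString(0)));
        }
        return identity;
    }
}
```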
Care to explain why #paullem's answer was deleted?
It is in fact the correct answer!
The question is about an STS that authenticates using a SQL DB. That is EXACTLY what IdentityServer does.
Since it's open source, you can customize it any way you want or else use it as a guide.
So to repeat the answer - "Take a look at Thinktecture.IdentityServer........".
Update
You want a custom STS that supports SAML protocol and authenticates against a SQL DB?
WIF won't do this for you.
You need to look at something like Shibboleth or simpleSAMLphp but they are not .NET based.
Or take IdentityServer and add a SAML stack to it.
Refer: SAML : SAML connectivity / toolkit.
Be warned: This is not a trivial exercise!

How to build an MVC site that has both OpenID and local users?

We've got an MVC website that is going to use DotNetOpenAuth for signing in users via OpenID and I've found this really helpful template and other more simple examples that will help me get started on that end. However, what I don't have fully figured out is how to provide my users with a way to create an account with us if they don't want to use OpenID.
I can see two options here, write some custom code that allows OpenID to piggy back on the standard membership provider. Or, have the end site only use OpenID via DotNetOpenAuth and build an Identity Provider for my users to sign up on. That way the site would only see OpenID users and wouldn't know a difference.
Are these my only options? I haven't been able to find anything on standing up my own Identity Provider, just the relying party templates. I think I can get by with just putting OpenID on top of the default membership provider, but that feels like I'm doing it wrong, since I should be able to just stand up an identity provider.
So, in my situation, what would be the best way to support membership via local account creation and OpenID via DotNetOpenAuth?
Setting up your own identity provider so that your site only speaks OAuth is certainly an option, but a non-trivial one. I wouldn't recommend setting up an identity provider unless you intend your customers to use it for logging into other sites.
Also keep in mind that most web sites don't use OAuth to authenticate (since it's not an authentication protocol anyway). OpenID is more popular.
The project template you linked to in your question demonstrates allowing users to log in via several OpenID Providers and includes support for linking user accounts.
As for supporting local user accounts as well, I suggest you take a look at the source code behind nerddinner.com. I would advise against using the ASP.NET Membership provider for the OpenID/OAuth accounts as the interface doesn't fit very well, but folks have made it work so you can too if you want.

ASP.NET MVC + LiveID --> should I use the Membership provider & Account controller?

I'd like to use LiveID on an ASP.NET MVC site. Should I still use the ASP.NET Membership provider? How about the default MVC Account controller? I have things working without either, but:
Using the Membership controller lets me see when a user last logged in.
Using the Account controller makes setting authentication cookies a bit easier.
Thoughts?
Answered here before, Peter Bromberg has a nice sample. You would still use the Membership provider albeit as a custom provider.
