Instead of using windows/forms authentication can I just use authorize attributes on the control actions that I want to restrict?
It seems to me that authorization is strictly better than authentication and is a replacement in most situations. I understand that authentication is at the web.config level and thus lets you switch pages in and out without a recompile, but if we didn't need that functionality then authorization is the way to go?
To protect a system you need both authentication and authorization.
http://www.duke.edu/~rob/kerberos/authvauth.html
Authentication is how you determine who a user is, a.k.a. logging in.
Authorize is an annotation for ASP.NET that says to use this part of the site you need to be authenticated.
I am developing an SPA and would like to have SSO.
As I understood so far, OAuth2 with OIDC is the best solution for SPA SSO.
Better than, for example, SAML.
What I didn't understand so far is how to use the authorization token in the SPA's JS code to handle authorization on various resources of the SPA. For example, I would like users with the role 'buyer' to have access to the shopping history tab, which other users won't have access to.
Should I parse the access token obtained from the Authorization server in JS code and check whether a user has an appropriate role to see the tab, or should this decision be made on the server (API) side, in which case the SPA's code would just read the answer from the API and customize the UI based on that?
In case of the first approach, is there any standard way of doing the checking (in form of some JS library)?
When it comes to authentication, what is the better approach (more secure, etc):
to let the SPA (at that point already loaded in the browser) do the authentication flow and, based on the result, let the user use its protected functionalities. This is pseudo authentication actually, since the code is in the user's browser and means the user is authenticating himself to the code in his hands, i.e. to himself. Does this authentication make sense at all?
require the user to authenticate himself in order to be able to even load the SPA in his browser. This is probably not SPA architecture then, since the backend which serves the SPA should be able to create a backchannel with the Authentication server.
According to your description, your application must vary depending on user type. If this is the case I would suggest you use a backend for authentication and decide the application content to be served from the backend. Otherwise, as you have figured out, running authentication in the browser and altering the user view is not secure.
IMO this does not necessarily break SPA architecture. What you are doing is altering what you serve based on the tokens presented to you. Also, maintaining a session will be required with this approach, and the SPA's calls to the backend will need to carry this session to obtain contents.
As soon as the user is logged in, you would request authentication and, based on his UserId and the role he belongs to, you should receive all the permissions that user is entitled to.
You convert these permissions into claims and can send them back to the UI and use them appropriately to show the features accordingly.
You also enforce the same on the server-side API to prevent any unauthorized access apart from your UI.
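An added example (not code from any answer above, and not tied to the asker's project) showing the server-side half of this answer, which also illustrates the authentication-versus-authorization distinction from the first answer on this page: `[Authorize]` alone only demands a signed-in user, while `[Authorize(Roles = ...)]` demands a specific role. It assumes ASP.NET Web API 2 with a bearer-token middleware that has already turned the access token into the request's `ClaimsPrincipal`; the route names and the "buyer" role are assumptions.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Http;

// Added example, not code from any answer above. Assumes ASP.NET Web API 2
// with a bearer-token middleware that has already turned the access token
// into the request's ClaimsPrincipal.
[Authorize]                               // authentication: any signed-in user
[RoutePrefix("api/account")]
public class AccountController : ApiController
{
    // GET api/account/me: the SPA reads this and shapes its UI from it,
    // instead of parsing the access token itself.
    [HttpGet, Route("me")]
    public IHttpActionResult Me()
    {
        var user = (ClaimsPrincipal)User;
        return Ok(new
        {
            name = user.Identity.Name,
            roles = user.FindAll(ClaimTypes.Role).Select(c => c.Value).ToArray(),
            // feature flag decided server-side, not by the SPA
            canViewHistory = user.IsInRole("buyer")
        });
    }
}

[Authorize(Roles = "buyer")]              // authorization: this role required
[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    // Even if a modified SPA shows the tab to everyone, a non-buyer calling
    // this endpoint is rejected before the action runs.
    [HttpGet, Route("history")]
    public IHttpActionResult History()
    {
        // constructed sample data
        return Ok(new[] { new { id = 1, item = "sample order" } });
    }
}
```

The SPA can hide the tab when `canViewHistory` is false, but the protection that matters is the attribute on `OrdersController`, which holds regardless of what the client-side code does.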
I am building a web app in MVC 5 - but don't yet have a way to authenticate or authorize users.
I am using dapper.net for the repository layer.
I do not want to use ASP.NET Identity because it is too complex and tightly coupled to Entity Framework.
I want to use Cookies so users can remain logged in between visits - for months.
Basic Authentication doesn't support cookies and, although I will be using SSL, seems insecure.
Forms Authentication appears to be being deprecated.
I would like to use Authentication Filters / Attributes.
I just want a simple solution that lets me control how things work.
Is this possible? How can I go about this?
You can use a Custom Authentication Filter in MVC.
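An added example of such a filter (not the answerer's code): an MVC 5 `IAuthenticationFilter` that accepts a long-lived cookie only when its HMAC tag verifies and its signed expiry has not passed, which is what "cookies for months" needs to be safe. The cookie name, its `userName|expiresUtcTicks|base64(tag)` layout, the login URL and the key are assumptions; the key shown is a placeholder.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Principal;
using System.Text;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

// Added example, not from the answer. Cookie layout (assumed):
//   userName|expiresUtcTicks|base64(HMAC-SHA256(userName|expiresUtcTicks))
// The key below is a placeholder; a real key is loaded from configuration.
public class HmacCookieAuthenticationFilter : FilterAttribute, IAuthenticationFilter
{
    private const string CookieName = "app_auth";
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("PLACEHOLDER-32-BYTE-RANDOM-KEY!!");
    public void OnAuthentication(AuthenticationContext ctx)
    {
        var cookie = ctx.HttpContext.Request.Cookies[CookieName];
        if (cookie == null) return;                      // anonymous; [Authorize] decides later
        var parts = cookie.Value.Split('|');
        if (parts.Length != 3) return;
        byte[] given;
        try { given = Convert.FromBase64String(parts[2]); } catch (FormatException) { return; }
        byte[] expected;
        using (var hmac = new HMACSHA256(Key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "|" + parts[1]));
        if (!FixedTimeEquals(expected, given)) return;   // forged or edited: stay anonymous
        long expiresTicks;                               // expiry is inside the signed payload,
        if (!long.TryParse(parts[1], out expiresTicks)) return; // so the client cannot extend it
        if (expiresTicks < DateTime.UtcNow.Ticks) return;
        ctx.Principal = new GenericPrincipal(new GenericIdentity(parts[0], "HmacCookie"), new string[0]);
    }
    public void OnAuthenticationChallenge(AuthenticationChallengeContext ctx)
    {
        // Turn the 401 that [Authorize] produces into a redirect to the login page
        if (ctx.Result is HttpUnauthorizedResult)
            ctx.Result = new RedirectResult("~/Account/Login?returnUrl=" + Uri.EscapeDataString(ctx.HttpContext.Request.RawUrl));
    }
    // Constant-time compare so tag mismatches leak no timing information
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

Register it as a global filter in FilterConfig and keep `[Authorize]` on the actions to protect; the login action that issues the cookie should set the HttpOnly and Secure flags.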
I'm implementing ASP.NET Identity in my MVC5 project. I have configured my project to use cookie authentication, forms authentication and external authentication (Facebook and Google). Everything works fine.
Now I have a requirement to log whenever a user logs in to the system, and I need to do some further logic. For forms authentication and external authentication I have a controller action where I can add my logic. However, for the case where a user just comes back to the system via cookie, how do I handle it?
I'm sure there's a better way to handle this, but a basic method would be to track all activity by the user, and then use timestamps to determine when a user was last active on your site.
Discussed here: Track user activity/actions for an asp.net mvc website?
OnExecuting filters here: https://msdn.microsoft.com/en-us/library/gg416513%28VS.98%29.aspx
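An added example of the approach this answer describes (not the answerer's code): a global action filter that records a last-seen timestamp per user and reports a login event when an authenticated request arrives after a gap, which is how a user returning on a cookie shows up. The gap length, the `OnLogin` hook and the in-memory dictionary standing in for a repository table are assumptions.

```csharp
using System;
using System.Collections.Concurrent;
using System.Web.Mvc;

// Added example, not from the answer. Records when each user was last seen and
// raises OnLogin when an authenticated request arrives after SessionGap, i.e.
// the cookie, not a login action, signed the user in. The dictionary stands in
// for a table in your repository (it is emptied on every app restart).
public class LastActivityFilter : ActionFilterAttribute
{
    public static readonly TimeSpan SessionGap = TimeSpan.FromMinutes(30);
    public static readonly ConcurrentDictionary<string, DateTime> LastSeen =
        new ConcurrentDictionary<string, DateTime>();

    // Hook for your own logic (audit log etc.); assumed, replace as needed.
    public static Action<string, string> OnLogin = (user, source) => { };

    // Call this from the forms/external login action after signing in, so the
    // next request is not mistaken for a cookie login.
    public static void Touch(string user) { LastSeen[user] = DateTime.UtcNow; }

    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        var identity = ctx.HttpContext.User == null ? null : ctx.HttpContext.User.Identity;
        if (identity == null || !identity.IsAuthenticated) return;

        var now = DateTime.UtcNow;
        DateTime previous;
        bool seenBefore = LastSeen.TryGetValue(identity.Name, out previous);
        LastSeen[identity.Name] = now;

        if (!seenBefore || now - previous > SessionGap)
            OnLogin(identity.Name, identity.AuthenticationType);
    }
}
```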
I've implemented a token based authentication on a website. Now I need to add some legacy code, probably in some other area of the site, which is not token aware at the client side.
How can I limit the effect of UseOAuthBearerTokens method to a specific area of the site?
Thanks
Well, it seems that the answer is that we can have Web API controllers use token-based auth, while MVC controllers still use cookie-based auth, as instructed here.
I'll give it a try.
You may create an AuthenticateHandler and set the logic there.
I have an ASP.NET MVC application that has authentication set to None in the web.config but would like to secure one view with Windows authentication. Is there any easy/good way to do this without changing the authentication configuration?
I think you'll need to use the Authorize attribute.
Any reason you can't set Authentication mode to Windows for the project?
Can you write your own authorize attribute which, when applied to your method, checks a few things, routes you to a challenge page or performs some other action that will satisfy your credentials?
Unsure what you'll use to authorise the user. Maybe check IP, Active Directory user name, etc.
If you do it like this then you can re-use the attribute on other pages which would be nice.
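An added example of the custom attribute this answer suggests (not the answerer's code), checking the Active Directory account IIS negotiated for the request while the application's own web.config keeps mode="None". It assumes Windows Authentication is enabled for the application in IIS, so the 401 the base attribute returns is answered with a Negotiate/NTLM challenge; the group name and controller are placeholders.

```csharp
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Added example, not from the answer. Assumes Windows Authentication is enabled
// for the application in IIS (web.config keeps mode="None"), so IIS answers the
// 401 that AuthorizeAttribute returns with a Negotiate/NTLM challenge.
public class WindowsGroupAuthorizeAttribute : AuthorizeAttribute
{
    public string Group { get; set; }   // required, e.g. "DOMAIN\\Report-Readers" (placeholder)

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        // HttpContext.User is anonymous under mode="None"; the account IIS
        // negotiated is still exposed on the request.
        WindowsIdentity id = httpContext.Request.LogonUserIdentity;
        if (id == null || !id.IsAuthenticated || id.IsAnonymous) return false;
        // Group membership decides, not the mere presence of an identity,
        // because with anonymous access enabled the IIS anonymous account
        // can also surface here.
        return !string.IsNullOrEmpty(Group) && new WindowsPrincipal(id).IsInRole(Group);
    }
    // The base class already answers a failed check with HttpUnauthorizedResult
    // (401), which applies to this request only; other views stay unauthenticated.
}

public class ReportsController : Controller
{
    [WindowsGroupAuthorize(Group = "DOMAIN\\Report-Readers")]  // the one protected view
    public ActionResult Secret() { return View(); }

    public ActionResult Index() { return View(); }             // unaffected
}
```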