ASP.NET Membership vs SQL Authentication - asp.net-mvc

For ASP.NET MVC extranet applications, what are the pros and cons of using SQL Authentication instead of the ASP.NET Membership API to handle security?

Gern, you are describing aspects of the same framework.
The asp.net provider stack is an abstract service layer that 'provides' common services to your applications.
The built in Sql providers are simply implementations that use Sql server as a backing store. The MVC framework and scaffolding provide all of the necessary adapters for using the default Sql providers.
If the built-in asp.net sql providers provide the functionality you require then the pro is that all the work is done.
Not sure what a con would be.
In regards to the possibility that you want to compare using Sql providers vs AD providers:
The AD/Token based providers use Active Directory for authentication and access control, and the implication is that a user must have a valid account set up in the AD in order to access protected resources.
The Sql providers allow you to define arbitrary users that do not require AD accounts.
The infamous grey zone appears when you have a large AD user base that you must support but must also allow for non-AD accounts to be established. At that point you will start to explore the exquisite joy that building composite provider stacks will bring to your life while it steals your sleep. But that is a topic for another book.
HTH

Related

Correct method of authorizing scopes against Web Api and Mvc .NET 4 Applications

I'm using identity server 4 as an authentication server, and have successfully demonstrated authenticating clients for access to my MVC web application and my Web API application, both running on IIS under .NET 4.7.
The problem I'm having is finding the correct approach for ensuring clients are only able to access the endpoints they should after the authentication process. E.g., I have two clients, one with a write scope, and one without. How do I ensure the one without is only able to access endpoints that will read my data and not amend it?
The best method I've found so far is to use an authorization attribute like this:
https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/master/source/WebApi/ScopeAuthorizeAttribute.cs
However, this is marked as obsolete and I'm unaware of the version based on OWIN middleware it mentions. Considering my MVC and Web Api applications are unable to be updated to .NET Core applications, what would be the best approach?
Since the scope claims are available within the ASP.Net pipeline you can implement your own access control filter quite easily. It may be that that particular library is obsolete but the practice of enforcing scope in an MVC/WebAPI filter is certainly entirely valid.
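One way to write such a filter for ASP.NET Web API 2 on .NET 4.x, as an added example that is not the Thinktecture attribute linked in the question; it assumes the token validation middleware has already placed the token's "scope" claims on the request principal (either one claim per scope value or a single space-delimited claim; both forms are handled):

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Http;
using System.Web.Http.Controllers;

// Added example, not the library's code. Enforces that every scope named on the
// attribute is present in the principal's "scope" claims before the action runs.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public class RequireScopeAttribute : AuthorizeAttribute
{
    private readonly string[] _requiredScopes;

    public RequireScopeAttribute(params string[] requiredScopes)
    {
        _requiredScopes = requiredScopes;
    }

    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var principal = actionContext.RequestContext.Principal as ClaimsPrincipal;
        if (principal?.Identity?.IsAuthenticated != true)
            return false;

        // Accept both "scope":["a","b"] (one claim per value) and "scope":"a b" (one claim).
        var granted = principal.FindAll("scope")
            .SelectMany(c => c.Value.Split(new[] { ' ' }, StringSplitOptions.RemoveEmptyEntries))
            .ToList();

        // Every required scope must be present; "api.read" alone never unlocks "api.write".
        return _requiredScopes.All(granted.Contains);
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        // Authenticated but lacking scope is 403, not 401, so the client is not sent back to sign in.
        var identity = actionContext.RequestContext.Principal?.Identity;
        var code = identity != null && identity.IsAuthenticated
            ? HttpStatusCode.Forbidden
            : HttpStatusCode.Unauthorized;
        actionContext.Response = actionContext.Request.CreateResponse(code);
    }
}
```

Apply it at class level for the scope every action needs (e.g. `[RequireScope("api.read")]`) and again on individual actions that need more (e.g. `[RequireScope("api.write")]` on the POST); both attributes are evaluated, so the write client must hold both scopes.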

Kentico 11 MFA in MVC

We are looking to utilize Multi Factor Authentication in a custom MVC App which connects to Kentico. I want to ensure I'm going in the right direction; is this the starting point: https://docs.kentico.com/k11/managing-users/user-registration-and-authentication/configuring-multi-factor-authentication#Configuringmulti-factorauthentication-Customizingmulti-factorauthentication
Can we leverage the Kentico API to utilize the MFA functionality or do we have to write our own?
Given the fact that Kentico MVC membership is built in good part on ASP.NET Identity, it seems easier to actually implement this with .NET Identity.
The Kentico MVC package is available on GitHub for review. The package implements a user store in which Kentico (application) users are loaded per request, and this store manages their authentication.
The store implements IUserTwoFactorStore, which means the store can be used with the above identity for multi-factor authentication. It also has a retrieval method, GetTwoFactorEnabledAsync, while SetTwoFactorEnabledAsync throws a NotImplemented exception. This means you can have users stored and managed within the Kentico backend and enable MF authentication for them via the administration interface, while using .NET methods to have MF authentication on the MVC site.
It seems easier than actually referencing Kentico DLLs for MF authentication in the MVC project.

Is this a good idea to use owin.security without identity?

I have an app that uses my own membership system. It uses ASP.NET MVC 3 which I'm updating to ASP.NET MVC 5. It's not possible to change the membership to use a new one like ASP.NET Identity. But, for the authentication side, do you think it is a good idea to replace my auth-ticket system with OWIN.Security? Are there any traps that I should know about?
The Katana security middleware is independent from ASP.NET Identity. You can use them both or just one.
There are some cases where it makes very good sense to use just the Owin/Katana middleware, but not involve aspnet identity.
I just rolled up a prototype webforms application using OpenID Connect against an Azure Domain. My domain is Federated with an on-prem ADFS. By the time I got OpenID Connect and the GraphAPI working, I realized that I didn't really need much from aspnet identity.
I use the GraphAPI to grab extra info about the user and their group memberships, and I am adding that info as claims on the user principal... my site's code can operate against just the information in the claims.
Of course, if you want to do any custom profile or role stuff in your application, it probably makes sense to link it to aspnet identity too: create an aspnet identity user when a new user authenticates, map that user's AD groups to roles, etc. Then you can manage application specific data for the user directly in the application via aspnet identity, while relying on Azure AD for the core authentication, basic profile, and group/role assignments.

Using SimpleMembership With WPF Applications

I started my project using ASP.NET SIMPLE MEMBERSHIP. Now I have the necessity to create a WPF application which can add users to SIMPLE MEMBERSHIP tables.
In the ASP.NET, I've identified that this is the function to create new accounts:
WebSecurity.CreateUserAndAccount(model.UserName, model.Password);
What would you suggest to implement this feature in a desktop application? I was thinking of creating a WCF Web Service, but I don't know how difficult creating it could be.
You could use WCF but probably the simplest solution is to include the Asp.net Simple Membership Tables as part of an Entity Framework Model and use the model from within your WPF app. Check out this post for more details.
That would, of course, require direct access to your SQL Server and either a SQL Server account with access to the tables referenced from the EF model would have to be used or the app users would have to have access to the SQL Server through integrated security (if using mixed mode authentication with your SQL Server).
Why bother?
I would simply have your users go to a link and register for an account online through an asp.net page. Once registered, offer the WPF/windows client as a download. This stuff is already pretty much all built-in.
That link might help: http://weblogs.asp.net/jgalloway/archive/2012/08/29/simplemembership-membership-providers-universal-providers-and-the-new-asp-net-4-5-web-forms-and-asp-net-mvc-4-templates.aspx

Dependency Injection on Multitenant Applications

I've been doing some research on DI (Unity and Ninject) for a multi-tenant ASP.Net MVC 4 application. Most articles I've read seem to refer to DI as a good tool to help provide customizations to the tenants in a multi-tenant web application. Other than that, what else is it useful for within the multi-tenant world?
Can it help with data isolation in a shared db schema scenario? I'm trying to find a clean way to isolate data between customers. (I'm using tenantId in all tables where needed)
(ASP.Net MVC4, Entity Framework 5, SQL Server 2012)
IMHO, as far as the data isolation is concerned in a multi-tenant application using a shared schema, I don't foresee any use of a DI Container as it just helps resolve object dependencies. It is up to you to have the security control mechanisms and tenant isolation practices in your application that filter the data based on the operating tenant or the contextual tenant.
You have to carry forward the tenant identifier from the presentation tier throughout the other layers until the database access. It is in the access logic where you will be filtering the data based on the tenant; this can be done using the tenant identifier in the tables.
Also, in a single code base approach there will be no requirement for injecting dependencies to identify the tenant. The tenant identification and validation of the operating user and his tenant context will be done by your application during the authentication and authorization phase itself.
Hope this addresses your query
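One way to make that filtering hard to forget, as an added example that is not from the question or answer: a tenant-scoped repository over Entity Framework for a shared schema where every tenant-owned table carries a TenantId column. It assumes the tenant id has been resolved once per request (e.g. from a claim set during authentication; ITenantContext, ITenantEntity and an integer Id column on each entity are assumptions of the example):

```csharp
using System;
using System.Data.Entity;
using System.Linq;
using System.Linq.Expressions;

// Added example, not code from the question or answer: every read is pre-filtered by
// the current tenant and every insert is stamped with it, so a controller can neither
// forget the filter nor trust a TenantId supplied by the client. The tenant id is
// resolved once per request (how is an assumption, e.g. from a claim set at login).
public interface ITenantEntity { int TenantId { get; set; } }

public interface ITenantContext { int TenantId { get; } }

public class TenantRepository<T> where T : class, ITenantEntity
{
    private readonly DbContext _db;
    private readonly ITenantContext _tenant;

    public TenantRepository(DbContext db, ITenantContext tenant)
    {
        _db = db;
        _tenant = tenant;
    }

    // Builds e => e.<property> == value against the concrete entity type, so the
    // predicate translates to SQL rather than being evaluated client-side.
    private static Expression<Func<T, bool>> PropertyEquals(string property, int value)
    {
        var e = Expression.Parameter(typeof(T), "e");
        var body = Expression.Equal(Expression.Property(e, property), Expression.Constant(value));
        return Expression.Lambda<Func<T, bool>>(body, e);
    }

    // Every read is pre-filtered by tenant; callers compose further Where/OrderBy on top.
    public IQueryable<T> Query() =>
        _db.Set<T>().Where(PropertyEquals("TenantId", _tenant.TenantId));

    // Key lookups go through the filtered query, so guessing another tenant's Id yields null.
    public T FindById(int id) =>
        Query().Where(PropertyEquals("Id", id)).SingleOrDefault();

    // Inserts are stamped with the caller's tenant; any incoming TenantId is overwritten.
    public void Add(T entity)
    {
        entity.TenantId = _tenant.TenantId;
        _db.Set<T>().Add(entity);
    }
}
```

Register TenantRepository<T> and a per-request ITenantContext with the DI container and have controllers depend only on the repository; the container then does the plumbing while the isolation rule lives in one place.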
