I am new to ASP.NET MVC 5 and OWIN.
I have upgraded my project to MVC 5 to implement the authentication and authorization of my project. Problem is that my project does not store the user data. When user logins in I ask a different system via a WCF service to tell me if the user is authenticated. So I do not have a database nor tables that the user is stored in.
But I want to add the ability to login via social providers using OWIN. For this I will add a local database table to store the social provider Id/Token
Looking around other have asked similar question but only when they want to change database type store... Whilst I actually don't store the data... Is it still possible to customize this with ASP.NET Identity and how would I do this?
I would recommend creating a custom IUserStore that connects to the wcf service.
http://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity
If you don't want to implement your own IUserStore, you can still use the built in default EF based UserStore and just only use the external login apis. The database schema will have a bunch of columns that will always be null like PasswordHash etc, but the operations you care about would still work fine:
CreateAsync(TUser) - Create a user
AddLoginAsync(userId, UserLoginInfo) - Associate an external login
FindAsync(UserLoginInfo) - Return the user with the associated external login
I looked into the solutions suggested. I found that the method names of the interfaces to implement did not really fit and there where way too many methods as well.
I ended up only using the OWIN Context in AccountController to extract the LoginInfo with all the details I wanted. This way I did not have to implement any custom versions of IUserLoginStore etc...
I wanted the simplest solution to implement and therefore I ended up with:
1. Added StartupAuth class from template mvc project and configured different providers there
1. In AccountController: Extracted the claims from LoginInfo,
2. Stored OpenId in a table for lookup and then continued on as before.
You have to provide a UserStore and pass it to the UserManager, if you are already using entityframework in the default mvc5 project, you can write your CustomUserStore which inherits from Microsoft.AspNet.Identity.EntityFramework.UserStore and override the methods defined in Microsoft.AspNet.Identity.EntityFramework.IUserLoginStore:
public interface IUserLoginStore<TUser, in TKey> : IUserStore<TUser, TKey>, IDisposable where TUser : class, Microsoft.AspNet.Identity.IUser<TKey>
{
Task AddLoginAsync(TUser user, UserLoginInfo login);
Task<TUser> FindAsync(UserLoginInfo login);
Task<Collections.Generic.IList<UserLoginInfo>> GetLoginsAsync(TUser user);
Task RemoveLoginAsync(TUser user, UserLoginInfo login);
}
if you don't use entityframework, you have to provide your own way of accessing your database,by writing a UserStore which implements IUserStore, IUserLoginStore, IUserClaimStore, IUserRoleStore,IUserPasswordStore,IUserSecurityStampStore (depends on your need but at least IUserStore and IUserLoginStore as IUserStore is mandatory and IUserLoginStore is what you want to add)
all these interfaces are in Microsoft.AspNet.Identity namespace.
here how to implement a Custom MySQL ASP.NET Identity Storage Provider and
here how to use Dapper ORM instead of EntityFramwework.
Related
Trying to enable the ServiceStack Studio User Management utility to more easily manage the various users that access our APIs. It appears that to populate the roles dropdown, the User Management utility queries the following property:
[API_URL]/metadata/app.json -
{
...
"allRoles":["Admin","Employee","Manager"]
...
}
But I don't see how ServiceStack determines the list of allRoles for a given IAuthRepository.
The only way I've been able to add a role to the allRoles collection is by adding a decoration to one of my database operations:
[ValidateHasRole("ZZZ")]
Are there other ways to inform an IAuthRepository of what roles to expect?
For the purposes of determining the pre-populated list of Roles in ServiceStack Studio, ServiceStack shows all Roles defined within your Application, e.g. via the [ValidateHasRole] Declarative Type Validator or the [RequiredRole*] Authentication attributes.
What Cross-Domain Single Sign-On implementation best solves my problem?
I have two domains (xy.com & yz.com) which already have their own database of users and are already implementing their user authentications separately. Recently there has been the need to implement CDSSO so that users dont have to log in each time they try to access resources from both domains.
Ideally the CDSSO implementation I hope to use should allow custom implementation of authentication, as I hope to call API's provided by both domains during authentication to confirm a user exists in at least one of the domains user database.
I've been looking at Sun's OpenSSO which seems to provide a means to extend its AMLoginModule class yet this seems to be a long thing and more annoyingly they seem to stick to GlassFish.
I've also considered developing a custom CDSSO to solve our needs. Is this advisable?
Is this achievable using Suns OpenSSO considering the disparate user database as I there will be no need to make use of the User db that OpenSSO requires?
Are there any simpler means of achieving what I intend to achieve?
In addition both applications which exist on the two domains were developed using PHP. How does this have an effect considering Suns OpenSSO is based on Java EE?
Are there any clearly specified steps on implementing OpenSSO and or any other SSO implementations from start to finish?
I suggest you to use simpleSAMLphp in order to deploy an Identity Provider and 2 Service Provider (for each app).
SimpleSAMLphp allows you to select multiple authentication source and is not hard to build your own authsource that consults the 2 databases.
My experience in SAML says that the fact of not consolidating the Identity of the user in 1 unique authsource is a bad idea due several reasons:
* identity conflicts: what happen if you have the same user registered with different mail (if that is the field yoy use to identify the user) and you try to access? You could be logged in different account each time.
* what happen if you add a 3rd service, do you gonna add a 3rd database
* what happen if user change its data in one app, the other gonna be no synched?
* what happen if user uses different passwords?
I recommend you to execute a migration process before adding the SAML support and build a unique database for all your identities and unify the registration/edit profile/password recovery process of both sites in one.
SimpleSAMLphp has good documentation, but I can provide to you any documentation related to the process that I suggested.
The system
I have and MVC5 web application using windows authentication.
There is an old database where I already have users, groups and roles.
Aim
Use the standard [Authorize(Roles = "myExistingRole")] without creating a custom attribute, reusing the existing roles and users in the DB.
Current state
I use EF6, .net 4.5.1.
I'm able to use the [Authorize] attribute. (OK)
I'm able to login and User.Identity is properly populated. (OK)
I properly extended IUser, IUserStore, IRole, IRoleStore and so on. (OK)
I can successfully use the UserManager to get all the data I need. (OK)
I can user the UserManager to verify if a user is in role. (OK)
User.IsInRole("myExistingRole") return false, but should return true. (BAD)
The problem
The [Authorize(Roles = "myExistingRole")] never authorize me.
User.IsInRole("myExistingRole") always reply false.
My point
I don't know what I should do to instruct the system to use my implementation.
The only option I know I have is to create a custom attribute and register it as filter, but I'd prefer to use the standard one and maybe extend it in the future using Claims.
Can you help me understanding what I'm doing wrong?
What are the basic functionality which it provides?
Specifically for the person who has never used asp.net built in stuff.
The MSDN tutorial is confusing me a lot. Claims, OWIN,etc are going above my head.
What I can make out of all this is - The Identity framework helps me to manage my application plus social logins. It handles my cookie,etc.
What if I have just one role in my application - just the plain user?
Should I go for the Identity then or I should implement my own custom thing?
Any help is appreciated.
If you are starting from scratch, build a sample MVC project with individual membership option, which will create the following components for you:
Login module that creates and manages authentication cookies
Simple database to store basic user data (credentials, name)
EF code to interact with the database
This will most likely meet your use case for a user without roles and attributes.
OWIN really has nothing to do with authentication, it is a new spec for building web apps. The login module happens to be implemented according to this spec and it sounds cool, so Microsoft likes to throw this term around a lot.
If you are not planning to have authorization logic in the app, then you don't need to worry about Claims. Claims is another term for user attributes (login, name, roles, permissions). The Claims collection will be populated by the framework, but you most likely won't use it. If you need just the user id/name, the old ASP.NET interfaces are still there to get this data.
As far as implementing your own, I've seen people here ditching the database and EF code, especially if they already have an existing user store. You just need to implement a credential verification logic against your store. You don't want to build your own cookie management, though. Use the login module provided by Microsoft or well established third party systems (SiteMinder, Tivoli, etc.)
Looks at this open source project for a good alternative to ASP.NET Identity.
This is a very well put together tutorial that explains many of these concepts, you can get a free trial to the site to see it.
I am developing a web application consisting of different domains. I have tried to implement hierarchical RBAC for authorization. Each domain has some predefined operations in their bo implementations. The following is my bo package hierarchy.
com.mycompany.bo
...domain1
...domain2
.
...domainN
...rbac
I predefine the following role hierachy at first deployment, i don't want to maintain the rbac operations after the first deployment, i mean the domain rbac operations should be self maintainable by the domain admins.
Root
Domain1Admin Domain2Admin .. DomainNAdmin
The root role can authorize on all operations under bo implementations and also each domain admin can authorize on its all own operations and some rbac operations like create user, edit user, create role etc also.
Finally, I have developed the ui part of the project abiding by the facelet facilities, like include tag so that i can distinguish the ui fragments of a page. As a result, I can render a ui fragment with respect to whether the the user authorized to view the fragment or not. Any suggestion for the authorization design of the system will greatly be helpful.
Now, I came to authentication part of the project. In this system a user does not only authenticate over internally but also should authenticate over an external system via a web service or ldap, since the user may have been already created in there.
Spring framework provides some facilities authentication via ldap(statically configurable in xml). In my case, I want to add remove edit new LDAP definitions in runtime and can change a user authentication method(may be selecting the new LDAP from a combobox). How can I dynamically add new LDAP definitions in Spring, shall I continue with spring security or implement this feature own my own?