So I have written quite a few ASP.NET web applications, and there I often used forms authentication. Now I need to do the same, but in a client application. What would be the best way to create something like this?
I have been searching for this for some time now, but I haven't found anything I could implement in my project. I just need a login screen, and only when the login is valid against the user logins I created should the complete application be usable.
Can someone please help me?
There are probably several approaches that you could take. If the application is internally distributed, you could use a database connection to something like SQL Server, where you would have accounts set up to validate against. If the distribution is external, you may want to consider setting up a server and using socket connections in your application to make calls to your server (again storing account information in a back-end database) to validate users.
I remember using ASP.NET Identity for that purpose. It was very easy and everything is pretty much ready.
ASP.NET Core Identity is a membership system that adds login functionality to ASP.NET Core apps. Users can create an account with the login information stored in Identity or they can use an external login provider.
learn.microsoft.com/en-us/aspnet/core/security/authentication/identity
We need to make a central auth server for multiple applications that we build, while still having roles and claims which are specific to that particular application. Let me explain with an analogy using various services by Microsoft.
I sign up for a Microsoft account and hence my authentication info is stored in a central server. Now I log in using the account and, assuming a fresh start, I land at account.microsoft.com. Now I go to MSDN and click on sign in; it takes me to the login page on the auth server, then to the consent screen and back to MSDN logged in. Now I go to Xbox and do the same thing. MSDN and Xbox are two completely different applications, each having its own API, web apps and mobile apps, but using the same auth server.
Until now I have been making independent applications using Identity Framework, and am reasonably comfortable with it, but this is comparatively much more complex than what I have done so far. I was looking through IdentityServer4 to have a central auth server and have completed all the tutorials present on the official doc site, so I have a basic idea of the concepts.
What I need is to have each application be able to specify its own set of roles and claims without having any kind of knowledge about other applications, and also the central server will have external authentications enabled, hence ASP.NET Core Identity in the central server.
Current Architecture
Central Identity Server (using IdentityServer4, ASP.NET Core Identity, Entity Framework)
One Central DB for Central Server
Multiple Applications Sets (API, MVC App, Xamarin Mobile Apps)
One or more DB for each application as per need
Things I am able to achieve so far
Customize an identity resource to get user claims stored in the DB, but if I add a role, it returns me the role repeatedly, as many times as the count of API resources and clients
Alternate solutions that I came up with
Store the claims and roles in application specific DB, but i guess that i will be facing these issues
too much effort wiring up the auth logic, as it will have to first get the identity from the central server and then get claims from the application-specific DB
not sure how I can do it using ASP.NET Identity on the client side
unused table on central auth server
duplication of auth logic across applications
These Stack Overflow questions get the closest but are not the exact solution
ASP.NET Core Identity and Identity Server 4 - [Roles, Claims and IdentityResources]
IdentityServer, Claims and Roles
How to add additional claims to be included in the access_token using ASP.Net Identity with IdentityServer4
Any guidance that takes me in the right direction will help
EDIT #1 : It seems like someone has flagged this question as off-topic, so I just want to clarify that I am looking for a specific code/solution using IdentityServer4 and ASP.NET Core Identity and not some recommendation, though any guidance apart from the answer is welcome for better clarification and understanding, but just the code would suffice, and I feel that it's in line with the guidelines of the community.
EDIT #2
I tried doing authorization on the client side as suggested by #travis.js, but I am unable to understand how I implement the claims on the client side, something like [Authorize(Roles="Admin")]
I think your alternative solution is the "right" one.
Addressing your concerns:
too much effort wiring up the auth logic, as it will have to first get the identity from central server and then get claims from the application specific DB
Sounds like exactly the right amount of effort to me. The Central Server does authentication and each app does its own authorization.
not sure how i can do it using asp.net identity on client side
You don't really need ASP.NET Identity on the client/app side. Identity is handled by your central server.
unused table on central auth server
Non-issue. But you could still use that table for its intended purpose just at a more macro level.
duplication of auth logic across applications
This does not sound like a duplication of logic. The Central Server does identity/authentication and each app is responsible for determining its own authorization logic.
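The split this answer recommends, written out as an added example (it is not code from the question, the answer or IdentityServer4): the application accepts tokens from the central server for authentication only, and an IClaimsTransformation adds roles read from the application's own database, so [Authorize(Roles = "Admin")] works without the central server ever knowing that role exists. The authority URL, the audience name and the IAppRoleStore interface are assumptions standing in for the app's own configuration and data access.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical lookup against the application's own database (not the central server).
public interface IAppRoleStore
{
    Task<string[]> GetRolesForSubjectAsync(string subjectId);
}

// Runs after the bearer token has been validated and adds this application's
// roles to the principal. Each application registers its own implementation,
// so no application needs to know about another application's roles.
public class AppRoleClaimsTransformation : IClaimsTransformation
{
    private readonly IAppRoleStore _roles;
    public AppRoleClaimsTransformation(IAppRoleStore roles) => _roles = roles;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return principal;

        // "sub" issued by the central server is the only link between the central
        // user store and the app-side role table (older handlers remap it to NameIdentifier).
        var sub = principal.FindFirst("sub")?.Value
                  ?? principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (sub == null) return principal;

        // Work on a clone so the original principal is not mutated, and skip roles
        // already present in case the transformation runs more than once per request.
        var clone = principal.Clone();
        var cloneIdentity = (ClaimsIdentity)clone.Identity;
        foreach (var role in await _roles.GetRolesForSubjectAsync(sub))
        {
            if (!cloneIdentity.HasClaim(cloneIdentity.RoleClaimType, role))
                cloneIdentity.AddClaim(new Claim(cloneIdentity.RoleClaimType, role));
        }
        return clone;
    }
}

public static class AuthSetup
{
    public static void ConfigureServices(IServiceCollection services)
    {
        // Authentication: only tokens issued by the central IdentityServer4 instance
        // (assumed URL) for this API's resource name (assumed) are accepted.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(o =>
            {
                o.Authority = "https://auth.example.internal"; // assumption
                o.Audience = "msdn-api";                       // assumption
            });

        // Authorization: roles come from this app's database via the transformation above.
        services.AddTransient<IClaimsTransformation, AppRoleClaimsTransformation>();
        services.AddAuthorization();
    }
}
```

With app.UseAuthentication() and app.UseAuthorization() in the pipeline, a controller decorated with [Authorize(Roles = "Admin")] passes only when the app-side store returned "Admin" for the token's subject; the central server's identity resources can stay limited to profile claims, which also removes the duplicated role claim the question describes.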
Okay, so I basically want to use a single sign-on... I read about it, but I can't seem to find good documentation or tutorials on how to implement it for ASP.NET MVC 4.5. I have an application which allows users to register... I want to be able to allow users from that application to be logged into the second application if they have access. Also, both of these applications would be in different databases... Any suggestions? Btw this is not using WebForms...
Is it possible to apply the roles manager from that first application into the second? Or would I just need to create new roles in the second application?
What I have tried:
I have to implement a number of solutions that were on Google, but most seem to be using WebForms... which I don't know how to use...
You need to configure an API which will act as an Authorization Server.
The "Auth" server will issue JSON Web Tokens for authenticated users and those users will present this JWT to the protected end points (Resource Servers) in order to access them.
Your MVC web applications will act as Resource Servers.
Read Implement JSON Web Tokens Authentication in ASP.NET Web API and Identity 2.1
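The two halves the answer describes, as an added example that is not from the answer or the linked article: the Authorization Server issues a JWT only after the password has been validated against Identity, and each Resource Server validates issuer, audience, lifetime and signature before trusting a single claim. It uses the System.IdentityModel.Tokens.Jwt and Microsoft.IdentityModel.Tokens packages (5.x API); the issuer, audience and key values are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtAuth
{
    // Shared HMAC secret: at least 256 bits, loaded from protected configuration in real use
    // (placeholder value here, assumption).
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("REPLACE-WITH-32+-BYTE-RANDOM-SECRET-FROM-CONFIG"));
    private const string Issuer = "https://auth.example.internal"; // assumption
    private const string Audience = "app2";                         // the second MVC app (assumption)

    // Authorization Server side. Call this only after the credentials were validated,
    // e.g. by UserManager.Find(userName, password) from ASP.NET Identity.
    public static string Issue(string userId, IEnumerable<string> roles, TimeSpan lifetime)
    {
        var claims = new List<Claim> { new Claim(JwtRegisteredClaimNames.Sub, userId) };
        foreach (var r in roles) claims.Add(new Claim(ClaimTypes.Role, r));

        var handler = new JwtSecurityTokenHandler();
        var token = handler.CreateJwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            subject: new ClaimsIdentity(claims),
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.Add(lifetime),
            issuedAt: DateTime.UtcNow,
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return handler.WriteToken(token);
    }

    // Resource Server side. Every check is explicit: a token from another issuer, for another
    // audience, expired, or unsigned is rejected (ValidateToken throws) before claims are used.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            RequireSignedTokens = true,
            RequireExpirationTime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
            RoleClaimType = ClaimTypes.Role
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }
}
```

The principal returned by Validate carries the roles the first application assigned, so the second application can use them directly in its own [Authorize(Roles = ...)] checks even though its database never saw the user; a failed validation surfaces as a SecurityTokenException, which the Resource Server should turn into a 401 rather than letting it propagate.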
I want to make a simple web service for internal company use which will use standard authentication but without open registration. All users will be added manually from an external application.
I connected my ASP.NET application to a SQL database, and in the AspNetUsers table I can see users, but as far as I understand I can't add users directly, since the password is hashed and salted(?) I guess, so I need to somehow generate this hash. Plus there is something called SecurityStamp, which I guess I need to generate somehow as well.
So is there a way to add users of an ASP.NET MVC 5 app directly to the database, or some other way from an external tool?
Why don't you try Thinktecture's IdentityManager project? It's created for this purpose. Creator Brock Allen also shot some videos on how to use it with different authorization systems. Have a look at these videos.
Setting up ASP.NET Identity
Security and IdentityManager
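The PasswordHash and SecurityStamp the question asks about can be produced by Identity itself when the external tool goes through UserManager against the same database, so nothing has to be reverse-engineered. This is an added example, not code from the answer or from IdentityManager; it assumes ASP.NET Identity 2.x (Microsoft.AspNet.Identity.EntityFramework) and a connection string named DefaultConnection in the tool's App.config.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Same DbContext shape the MVC 5 template uses, pointed at the web app's database
// (connection string name "DefaultConnection" is an assumption).
public class ProvisioningDbContext : IdentityDbContext<IdentityUser>
{
    public ProvisioningDbContext() : base("DefaultConnection") { }
}

public static class UserProvisioner
{
    // Creates the AspNetUsers row with a properly hashed and salted PasswordHash and a
    // fresh SecurityStamp, exactly as the web app's own registration page would.
    public static IdentityResult AddUser(string userName, string email, string password, string role = null)
    {
        using (var db = new ProvisioningDbContext())
        {
            var users = new UserManager<IdentityUser>(new UserStore<IdentityUser>(db));
            // Mirror the web app's password policy so externally added users are not weaker.
            users.PasswordValidator = new PasswordValidator { RequiredLength = 8, RequireDigit = true };
            users.UserValidator = new UserValidator<IdentityUser>(users) { RequireUniqueEmail = true };

            var user = new IdentityUser { UserName = userName, Email = email };
            // Create() runs PasswordHasher (PBKDF2 with a random salt) and sets SecurityStamp;
            // writing a plaintext or home-made hash into the table directly would not work.
            IdentityResult result = users.Create(user, password);

            if (result.Succeeded && role != null)
            {
                var roles = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));
                if (!roles.RoleExists(role)) roles.Create(new IdentityRole(role));
                result = users.AddToRole(user.Id, role);
            }
            return result;
        }
    }

    public static void Main(string[] args)
    {
        // Usage: provision.exe <userName> <email>; the password is read from stdin so it
        // does not end up in shell history or the process list.
        Console.Write("Password: ");
        var password = Console.ReadLine();
        var result = AddUser(args[0], args[1], password, "Employee");
        Console.WriteLine(result.Succeeded ? "created" : string.Join("; ", result.Errors));
    }
}
```

Because the tool and the web app share the same UserManager pipeline, a user created this way logs in through the normal login page, and changing the password later from the web app updates the SecurityStamp exactly as it would for a self-registered user.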
I am writing a small addon mobile app to an existing applications database, the application stores login details through SQL Server logins:
I want to be able to use these existing logins (and permissions if possible) in my mobile web app but I can't find if there is an easy way to do this.
I was hoping there would be an existing provider that would allow me to do this via the web.config.
Is there any way to do this without having to code all the login/authentication manually?
eg:
<providers>
<add name="SQLProfileProvider" type="System.Web... />
</providers>
Alternatively does anyone know of any resources that could help me do it manually?
Please don't judge too harshly if I'm being an idiot, this is my first foray into ASP.NET!
Update:
Maybe it wasn't clear what I am trying to do so I will try and expand.
I have an existing desktop application (not under my control).
It uses SQL Server 2008 to store its data and it authenticates users using SQL Server logins.
I am writing a web app to connect to this database.
I want to allow users to log in to the web app with their existing login details from the desktop application.
eg. I have a database with the user 'abc123':
I want to be able to use this login within asp:
I know this is possible using my own membership provider within MVC but if this has already been written I would love to be able to use an existing membership provider.
Does anyone know if this membership provider exists?
The question is interesting, in fact. I've never heard of an out-of-the-box membership provider that directly uses SQL logins. So, my answer is "no, that doesn't exist".
I can't imagine it would be terribly difficult to write, however. Just implement the MembershipProvider (http://msdn.microsoft.com/en-us/library/System.Web.Security.MembershipProvider(v=vs.110).aspx) and run SQL scripts for all of the 'CreateUser' stuff. It should work in a very straightforward manner.
I would just note that this is a very non-traditional use of the db logins. But I see how you would instantly get the benefits of any permissions applied to the users/roles setup in the database. This is not very scalable, but you would have very granular permissions in place.
Maybe a more scalable solution would be to have a users table mapped to generic logins that represent certain types (e.g. ReadOnlyLogin, WriteableLogin, etc.) That way you may have 100 users, with usernames and passwords in a table, and then have them assigned to a particular dblogin (mentioned above). When a user logs in, you would then use the given login whenever they accessed the db, enforcing any permissions set on the login. So, Bob, Frank, and Harry would use ReadOnlyLogin, and Sally, Jane and Samantha would use WriteableLogin. Just a thought.
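The core of the custom provider both answers point at, as an added example (not code from either answer): the ValidateUser override of a MembershipProvider subclass can delegate to a helper that simply tries to open a connection as the SQL login, and the GetRolesForUser override can read the database roles that login belongs to. The server and database names are assumptions. The credentials go through SqlConnectionStringBuilder rather than string concatenation, which keeps a user name such as "x;Integrated Security=true" a literal value instead of letting it rewrite the connection string.

```csharp
using System;
using System.Collections.Generic;
using System.Data.SqlClient;

// Hypothetical helper for a custom MembershipProvider that authenticates against SQL Server logins.
public static class SqlLoginValidator
{
    private const string Server = "sqlhost";       // assumption
    private const string Database = "LegacyAppDb"; // assumption

    private static string BuildConnectionString(string userName, string password)
    {
        // The builder escapes every value, so the supplied credentials cannot add or
        // override connection-string keywords.
        var csb = new SqlConnectionStringBuilder
        {
            DataSource = Server,
            InitialCatalog = Database,
            UserID = userName,
            Password = password,
            IntegratedSecurity = false,
            Encrypt = true,
            ConnectTimeout = 5,
            Pooling = false // one pool per distinct login would otherwise accumulate
        };
        return csb.ConnectionString;
    }

    // What MembershipProvider.ValidateUser would return: true only if SQL Server accepts the login.
    public static bool ValidateSqlLogin(string userName, string password)
    {
        if (string.IsNullOrEmpty(userName) || password == null) return false;
        try
        {
            using (var conn = new SqlConnection(BuildConnectionString(userName, password)))
            {
                conn.Open();
                return true;
            }
        }
        catch (SqlException ex) when (ex.Number == 18456) // "Login failed for user": bad name or password
        {
            return false;
        }
        // Any other SqlException (server unreachable, database offline) propagates:
        // that is an outage, not a wrong password, and should not look like one.
    }

    // What MembershipProvider.GetRolesForUser would return: the database roles the login's
    // user is a member of, read with the caller's own credentials so nothing elevated is needed.
    public static string[] GetDatabaseRoles(string userName, string password)
    {
        const string sql = @"
            SELECT r.name
            FROM sys.database_role_members rm
            JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
            JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
            WHERE u.name = USER_NAME()";
        var roles = new List<string>();
        using (var conn = new SqlConnection(BuildConnectionString(userName, password)))
        using (var cmd = new SqlCommand(sql, conn))
        {
            conn.Open();
            using (var reader = cmd.ExecuteReader())
            {
                while (reader.Read()) roles.Add(reader.GetString(0));
            }
        }
        return roles.ToArray();
    }
}
```

Only the login check itself should use the user's own credentials; the rest of the web app's data access is better done through a single application login, which is also what the second answer's ReadOnlyLogin/WriteableLogin mapping amounts to.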
I am currently working on a project that will have a website and apps for mobile devices. I am going to need a way to let users log in to my site to view certain areas. I know I will need to build a WCF RESTful service, but I am stuck on how to proceed with creating the users. I was originally going to use the built-in .NET Membership, but the more I read about it, the worse it sounded if I had a lot of users. I then was thinking of building a new provider which would give me all the functionality of the built-in .NET Membership, but I would have more control over everything. The last idea was to build a whole membership system, but I was worried I would lose the functionality of the built-in .NET Membership system. I am basically just looking for someone to point me in the right direction and explain why.
Right now I am thinking the best way to handle this is going to be to build a whole membership system. I am thinking I am going to have all my data access through a WCF service in the back end that my website would call and the RESTful service would call. I am not aware of a way right now that I can authenticate a user's username and password through WCF.
Thanks for all your input.
We do this very thing in several of our projects, here is a summary of how we accomplish it. Keep in mind it's only one method, and we have also had success writing our own membership provider.
We have 3 main projects:
Data.project - class library
WebApp.project - MVC Application
API.project - WCF service
We use the built in .NET membership provider as it exists out of the box. This gives us the basic registration, password changes, role management, and the easy controller based role permission and access control in our MVC and API projects.
The default membership provider will use its own tables to store the user data.
We then create our own User and Profile tables and data structure with a foreign key back to the .NET membershipId of the user. This gives us the flexibility to do all of the application specific things we need to do with a user profile while still giving us access to the default provider.
Authentication is straightforward in the MVC project; you can now use the .NET Membership methods to authenticate by username and password:
if (Membership.ValidateUser(username, password))
{
    // the second argument is createPersistentCookie, not the password
    FormsAuthentication.SetAuthCookie(username, false);
}
For the WCF project you do not have the luxury of FormsAuthentication, but you can still use the default membership provider to validate the user's credentials.
How you handle authentication after that is up to you and your project, but for basic needs we generally go with an authentication token that is returned by the WCF service after validation. This token is then included with each WCF request to prove they have been validated, usually in the request headers.
For WCF we base64-encode the username and password when submitting the credentials to the server, then if successful we pass back the auth token:
// Authmodel is the base64 text taken from the request; base64 only encodes, it does not encrypt
string decoded = System.Text.Encoding.UTF8.GetString(System.Convert.FromBase64String(Authmodel));
// convert your string into your authentication model here, then
if (Membership.ValidateUser(model.user, model.pass))
{
    // return new authentication token
}
We also include additional logic during registration that builds out our proprietary user and profile tables at that time; this is handled in the data project so that both the WCF and MVC projects may access it.
Additionally, the data project handles the linking between our user and profile tables and that of the .NET Membership provider tables so the information can be accessed by both applications.
I realize that is all quite vague, but maybe it can help you think of one option for handling authentication in a unified way. If you have questions about a specific portion let me know and I hope this information is useful for you.