1

We are currently starting to use MVC and are now looking at authentication. .net Authentication isn't necessarily our strongest point, so looking for some advise or pointers.

Our current set up:-

  • Basic Windows authentication
    • system uses the authenticated user to query a 3rd party system to get their current roles
    • these roles are then stored in session variables and used when ever authorisation is required
    • Any additional user details are called upon as and when needed from various tables

What we'd like to achieve :-

  • Basic Windows authentication (perhaps create a forms authentication cookie on the back of it)
    • System users the authenticated user to query 3rd party system to get their current role/s,
    • These roles are stored within the cookie, and can be accessed via User.Roles etc
    • Any additional user details (i.e. user favourite colour) will be called on authentication and store against the user profile. The additional user details will be stored in a single table as key value pairs.

Is this the correct way to go about this? we're struggling to find any samples etc to match the scenario we are after.

unfortunately, we need to use this 3rd party system to access the roles, this is achieved via a web service call.

Are there any new advances with MVC 4 which could greater handle authentication with additional user details? any help, or advise would be greatly appreciated. :)

Improve this question
1
  • in addition, to the above, we would like to use the attributes [Authorize(Roles = "Managers")] etc within our controllers Commented Dec 30, 2013 at 15:19

2 Answers 2

Reset to default
2

Sounds like a perfect candidate for federated authentication. You could even use WIF (Windows Identity Foundation) which is now part of the Base Class Library.

In general, federated authentication consist of following parts: delegating the authentication to an external identity provider, consuming identity provider's response, persisting the identity locally (in a cookie perhaps).

WIF has solutions for all these concerns, it is built around the WS-Federation protocol. The really, really great benefit of this is that you can switch between different identity providers easily. This is something that you could consider useless, until you see it in action and immediately you start to create complicated business scenarios in your head.

Using WIF requires some knowledge and specific questions can be answered easily. However, until you get at least some basic knowledge, this sounds like a mumbo-jumbo. You should definitely start by reading a free ebook, Claims-Based Identity and Access Control from here

http://msdn.microsoft.com/en-us/library/ff423674.aspx

Just download it and start reading. I promise you'll immediately find answers to many of your questions and page by page you'll feel this constant "wow, so that's how it should be done!".

Just to provide a specific answer to one of your questions: user data can be persisted in the authentication cookie. If you stick with WIF's model of Claims, expressing arbitrary data is natural: a claim is a pair (claim type, claim value). This requires however to switch to SessionAuthenticationModule as forms authentication module could possibly produce cookies that are too large:

http://www.wiktorzychla.com/2012/09/forms-authentication-revisited.html

(the session authentication module has a special "session" mode where the large part of the identity is stored locally at the server in the session container so that the cookie is really small)

And yes, the federated identity model works with MVC authorization tags. Claims of type role are interpreted as user roles. The remote identity provider can then even set user roles and you can guard your MVC controllers in the usual way.

Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

Thank you for the in-depth answer, I've downloaded the book, so i'll give that read. I'll also take a look federation authentication ( not heard of it before) but I'm keen for the challenge!
When you read the book and will try to build your own identity provider or identity consumer, and you should have questions, come back and ask. Although the book seems to focus on Azure, you can have your custom providers and consumers without Azure. Also, WS-Federation protocol is interoperable which means that soon you will federate applications written in java, php and other techonogies, thus forming your large ecosystem of federated applications.
thats brilliant, thanks, I've made a start on it now, and I'm sure ill be back with further questions, thank you for your assistance.
back again, after a little more googling, I'm coming up with ASP.NET Identity, which seems to be a new membership system. how is this different to the federated authentication? which would be the recommend option?
I haven't really spend much time trying to bake a custom identity provider for ASP.NET Identity. The framework itself focuses on maintaining local sessions and regarding external identity providers - the docs only mention OAuth2 providers (Google/Facebook/Live/Twitter). The problem with OAuth2 is that although the part of the protocol is standarized (the part where you obtain the authenticaiton token), exchanging the token for user information (username, email, roles) is not. This means that each provider requires specific code to be consumed.
|
0

If you are lucky your 3rd party component might bring a Claims provider with it so you could use Claims based authentication and let the Claims provider supply the additional user data in form of Claims that you can use in your application. For a tutorial see this link.
If you cannot access a Claims provider, the known security building blocks still work for MVC. So for your additional roles, you could create a RoleProvider that requests the roles and configure it in your application. You can then secure your controllers or actions with the Authorize-attribute.
In order to optimize the request for roles so that you do not have to request it from the 3rd party system over and over again, there are some alternatives:

  • As you propose in your question, you can store them in the cookie. But be aware that cookies are stored on the client computer and could be tampered with. So if you have a Forms authentication cookie that you can use, you could store it in the UserData of this cookie. This cookie is already encrypted so that users cannot change it easily. As you want to use Windows authentication at least in the first step, you do not have a Forms authentication cookie that you could use. In the context of security, it is always advisable to set up upon a widely used and well tested framework, so I'd not recommend to create a cookie of your own and store the roles there (though it wouldn't be a too daunting task in this specific case to encrypt/sign the cookie data).
  • You could also store the roles in a Session variable. Downside is that the session times out after a while and you'd have to be prepared for this case. On the other hand, session memory is located on the server so that it is not that easy for users to tamper with (and if they could, you'd have lots of other problems).
  • Another component you could use is the Cache on the server; though you'd have to be careful not to mix data for various users as it is shared among users, it is also located on the server and provides a more fine grained control on when the data are invalidated. So you could configure a time frame after that any user would be authorized with a new role set in case it was changed.

Your RoleProvider would need to implement the caching technology (Cookie, Session or Cache).
As for your last point regarding the user profiles, I can imagine that the User Profiles of ASP.NET 2.0 still work. I don't have any experience with it, so I can't give you a recommendation on whether to use it or not. On the other hand, these data don't seem to be too security critical so you can also store them in a cookie or session memory once the user has been authenticated.

Improve this answer

2 Comments

Thanks Markus, makes sense, and glad to see that we are "kind of" on the right path.. don't know too much about the "claims" based authentication, however, just had a quick google. Would this be the recommended solution if possible? i forgot to mention in the question, that it would be a nice to have to be able to authenticate against a smart card also? do you have any links advice that would assist with that? thank you again
@user2009091: Claims is at least the more modern approach (a lot of Azure builds upon it). But I'd not implement a provider on my own if the 3rd party solution does not bring one. Building a RoleProvider is much faster. Sorry, but I don't know too much about smartcard authentication.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.