
We are building a framework for multiple MVC apps that are supposed to handle authentication for these apps. Our requirement is like this:

  1. We have an authentication web service (this is old soap based service). Framework should use this service to authenticate the Users and with Configurable service URL.
  2. In future, my organization is planning to implement a Single Sign On (we have multiple sources of users - AD, Database etc) and this framework should be configurable to use SSO.

How can I implement this in MVC 5? Should I use AuthenticationFilters? What kind of a role will ASP.NET Identity play in these kinds of situations for authentication?

  • Why can't you use the default authentication framework built into IIS? Commented Nov 24, 2014 at 21:39
  • I am not sure if I correctly understand your comment, but I have different source for user details like we have three different Active Directories with no Federation and couple of databases. If I can configure all these with the built in framework, I am happy to do that. Please help. Commented Nov 24, 2014 at 21:44
  • We did this in our current project. Create a class and inherit it from aspnet RoleProvider class. Then override the isinrole method and utilise your soap service call to find roles and permissions. You can also create method in your extended class to authenticate a user. Then you can use this extended provider in your MVC projects. Commented Nov 24, 2014 at 22:11
  • @AzharKhorasany But how do I couple the Authentication method to my application? I am guessing I need to use an Authentication filter or a kind of external handler. Not sure what is the best way. Am I wrong? Commented Nov 25, 2014 at 18:25
  • 1
    Just use Authorize attribute and update the configuration file to use your extended role provider class. Commented Nov 25, 2014 at 19:06

1 Answer

Authentication/Authorization is extremely complex and many user-written schemes can be easily hacked. I would suggest using a framework that is tried and trusted (e.g. IdentityServer or OAuth). Even Google got it wrong with the authentication scheme in Google+ and has decided to pull it completely.

Since solutions may need to migrate to the cloud, it would be best to ensure the functionality below works with Microsoft Identity tables without modification. They can be changed later, though the Identity system is not built to easily cope with table changes in tables other than AspNetUsers, and you would need to be painstakingly accurate in constructing a working context for Entity Framework to behave correctly.

  • Authenticate: gets the user's information if any exists (e.g. decoding the user's cookie, if one exists)
  • Challenge: requests authentication by the user (e.g. showing a login page)
  • SignIn: persists the user's information somewhere (e.g. writes a cookie)
  • SignOut: removes the user's persisted information (e.g. deletes the cookie)
  • Forbid: denies access to a resource for unauthenticated users or authenticated but unauthorized users (e.g. displaying a "not authorized" page)

One place to start is Visual Studio 2017 with a new project and authentication set to Individual User Accounts. Use NuGet to install Microsoft.AspNetCore.Identity.UI and then scaffold the Razor pages that implement the above functionality (right-click the project and select Add => New Scaffolded Item => Identity). Remember that classes and methods are protected by adding [Authorize] in controllers. Compare this project with one without Identity, using just cookies. The important thing is to make your implementation as pluggable as possible, perhaps using Microsoft Identity (since you will be accessing tables produced specifically for Identity), so it will work with ASP.NET and ASP.NET Core.

As a minimum you need 2 unprotected endpoints to give access to an Authenticate() method in both the Sign On component and the Applications that are going to be signed in and out. When signed in, the protected components could be accessed by a shared cookie, or a token passed in the Authorization header or URL. The Application can extract information from the cookie/token and check whether the user is in the AspNetUsers table and allow access, or redirect to a Login page or Access Denied page. The Authenticate() method in the sign-on needs to create a cookie or token (or both). The Authenticate() method in the application needs to read and verify this information. The following schemes are supported by Microsoft Identity, so take your pick.

  • Cookies
  • Facebook
  • Google
  • Internal
  • JwtBearer
  • MicrosoftAccount
  • OAuth
  • OpenIdConnect
  • Twitter
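The answer above separates the Authenticate, Challenge and Forbid steps and says the application side must read and verify a cookie or token issued by the sign-on component. The following is an added example (not code from the question, the answer or any Microsoft sample) of how those steps map onto an MVC 5 IAuthenticationFilter. The ITokenVerifier interface, the HmacTokenVerifier class, the "sso_token" cookie name and the /Account/Login path are all assumptions chosen for illustration; the point of the interface is that the SOAP-backed verifier the question describes can be swapped for an SSO/OIDC validator later without changing the filter.

```csharp
// Added example for ASP.NET MVC 5 (System.Web.Mvc); not the original post's code.
// Assumes the sign-on component issues tokens of the form "user|expiryUnixSeconds|base64(HMAC-SHA256)".
using System;
using System.Net;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

// Hypothetical pluggable back end: implement against the SOAP service today,
// against an SSO token validator later, without touching the filter below.
public interface ITokenVerifier
{
    // Returns the authenticated principal, or null if the token is missing or invalid.
    ClaimsPrincipal Verify(string token);
}

// Constructed sample back end: verifies HMAC-signed tokens with a key shared with the sign-on component.
public sealed class HmacTokenVerifier : ITokenVerifier
{
    private static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    private readonly byte[] _key;

    public HmacTokenVerifier(byte[] key) { _key = key; }

    public ClaimsPrincipal Verify(string token)
    {
        if (string.IsNullOrEmpty(token)) return null;
        var parts = token.Split('|');
        if (parts.Length != 3) return null;

        byte[] expected;
        using (var hmac = new HMACSHA256(_key))
            expected = hmac.ComputeHash(Encoding.UTF8.GetBytes(parts[0] + "|" + parts[1]));

        byte[] actual;
        try { actual = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return null; }

        // Constant-time comparison so a timing side channel does not reveal which byte mismatched.
        if (!FixedTimeEquals(expected, actual)) return null;

        // Reject expired tokens only after the signature is known to be genuine.
        long expiryUnix;
        if (!long.TryParse(parts[1], out expiryUnix)) return null;
        if (Epoch.AddSeconds(expiryUnix) <= DateTime.UtcNow) return null;

        var identity = new ClaimsIdentity("SsoToken");           // non-empty type => IsAuthenticated == true
        identity.AddClaim(new Claim(ClaimTypes.Name, parts[0]));
        return new ClaimsPrincipal(identity);
    }

    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// MVC 5 authentication filter. OnAuthentication is the "Authenticate" step;
// OnAuthenticationChallenge is the "Challenge" / "Forbid" step.
public sealed class TokenAuthenticationAttribute : FilterAttribute, IAuthenticationFilter
{
    // In a real application resolve this from your DI container; static here to keep the example short.
    public static ITokenVerifier Verifier;

    public void OnAuthentication(AuthenticationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string token = null;

        // Accept the token either as a bearer token or as the shared cookie the answer mentions.
        string header = request.Headers["Authorization"];
        if (header != null && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            token = header.Substring("Bearer ".Length);
        else if (request.Cookies["sso_token"] != null)
            token = request.Cookies["sso_token"].Value;

        var principal = Verifier.Verify(token);
        if (principal != null)
            filterContext.Principal = principal;   // [Authorize] and HttpContext.User now see this identity
        // On failure leave Principal unset so [Authorize] produces HttpUnauthorizedResult and we get a challenge.
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        if (!(filterContext.Result is HttpUnauthorizedResult)) return;

        var user = filterContext.HttpContext.User;
        if (user != null && user.Identity != null && user.Identity.IsAuthenticated)
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);          // Forbid
        else
            filterContext.Result = new RedirectResult("/Account/Login?returnUrl="
                + HttpUtility.UrlEncode(filterContext.HttpContext.Request.RawUrl));             // Challenge
    }
}
```

Register the filter globally in FilterConfig (`filters.Add(new TokenAuthenticationAttribute())`) and set `TokenAuthenticationAttribute.Verifier` at startup from configuration; the login and token-issuing actions stay unprotected, as the answer requires, while everything marked [Authorize] is gated by the verifier. Note that the HMAC scheme here is only a stand-in for whatever the sign-on component actually issues; with a real SSO deployment you would replace HmacTokenVerifier with a validator for the chosen scheme (for example JwtBearer or OpenIdConnect from the list above) and leave the filter unchanged.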
