Extend AD users in ASP.NET Core - asp.net-core

I developed a SPA app(React and .NET Core) that runs only on our corporate intranet(It's hosted locally). Currently, we are authenticating the users against AD using LDAP.
These are my objectives:
Users do not need to register as every employee should be able to access the app.
We prefer to use SSO authentication method
I need to be able to get a list of the users that are in a specific role
I need to create some tables that stores additional information about users. For example, their roles, paths they're allowed to browse, etc. I am not sure how to do this without duplicating the users in ASP.NET Core Identity. I know If I use Identity, I can extend the users and customize them. But I do not want to register users/manage their passwords through Identity. Is there an alternative? Can I eliminate passwords if I used Identity?
I am not familiar with AD or Azure AD as a different team handles our IT needs. But I did a test in Visual Studio, I created a new web project with Authentication Type set to Microsoft Identity Platform. It was amazing that Visual Studio did all the work on my behalf to create an tenant on Azure. When I ran the app it used SSO and I was logged in. Can I use Microsoft Identity Platform with a customized user table? I just need to have a unique identifier for each user to link it with my other tables. I also do not want to manage the users if that's possible.

Related

How to add AzureAd authentication to .net core web app using identity framework

I have an asp .net core 3.1 web application that uses the MS Identity (for users) and Entity (codefirst) framework to authenticate users stored in database.
All user rights/groups etc. are stored locally and used to allow/deny access to different areas of the application.
So what I think I need is a way to allow users in my web-app to choose to authenticate using AzureAD account, and when the authentication is done, the wep-app will sign-in the local-user somehow linked to the Azure user
Is this how to do this, or can you guide me to how to do this the correct way
To achieve the above requirements, You can use Azure AD authentication & external login in your asp.net application by implementing the code in your appsettings and controller as mentioned here .
As you wanted to implement the application ,
Consider other options before storing users of your Web applications in a local database. Instead of managing users in a local database, it's best practice to store and manage user information outside of the application, such as with Azure Active Directory or Azure Active Directory B2C. Consider Identity Server if the authentication service must run on-premises. Identity Server is a member of the.NET Foundation and is OpenID certified.
To implement from scratch you can refer this blog.
Please refer the below links for the similar discussion & Documentation to get started with :-
MICROSOFT DOCUMENTATION|Secure a hosted ASP.NET Core Blazor WebAssembly app with Identity Server
SO THREAD|Implement both Individual User Accounts and Azure AD Authentication & .NET Core Identity Server 4 Authentication VS Identity Authentication
BLOG| Integrating with External identity Providers

Authorizing by updating Claim with data from database (Blazor WebAssembly ASP.NET Core hosted)

I have a question regarding authentication in my web-app using Blazor WebAssembly ASP.NET Core hosted. The database used is Azure SQL.
I want to avoid storing passwords in the database and the users are therefore restricted to having a Microsoft-account (relevant to the project).
As of now, the user logs in with Azure AD as the third-party authentication provider. When redirected back to the web-app, a user is created with a claim which only consists of the Email from Azure. The user is directed to a registration page where the Email-input is set to the current user-claim email. When the user clicks the register button, the information provided is now stored in the database.
The problem is that I now have a user in the db, but the claim is still just the Email. I want to be able to use the AuthorizeView role tag on the different pages, and therefore wondered if its possible to update the claim with a role that the user specified in the registration-page? This data is at this point only stored in the database.
If this is a bad practice, is there any other similar way I could make this work?
To use the AuthorizeView role, roles claims should be return by your Identity provider (Azure AD in your case). Your application should ask those claims by asking the corresponding scope.
According to the doc : Permissions and consent in the Microsoft identity platform endpoint, the profile scope should return roles claims.
The doc Secure an ASP.NET Core Blazor WebAssembly standalone app with Azure Active Directory explains how to request scopes from Azure AD

azure mobile services and asp.net website - need to support user roles

I am working on an application which has an azure asp.net mvc website and an azure mobile service. Both will be using the same azure sql database.
I understand that I can use custom or Microsoft, Facebook based authentication using my mobile service. The website and the mobile app that I will be building though will have different features in the website and on the mobile app based on the role of the user.
How should I go about implementing user roles? If this was just an asp.net application, I would have just used ASP.NET Identity but not sure how to do this with Mobile Services.
I found a similar question asked a year ago with no resolution - Using ASP.NET 4.0 membership provider with Azure Mobile Services
If there is an existing implementation or guidance out there, please point me in that direction. Thanks.
As of today, there isn't a super easy way to handle this no matter how you slice it. You can take a look at this post (there is another dealing with the JavaScript backend that is linked from this) http://www.acupofcode.com/2014/04/general-roles-based-access-control-in-the-net-backend/ that talks about role based access control using Azure Active Directory. AAD may not be the option you want to go with. In which case, you'd need to implement the roles and checks in your Mobile Service yourself. If you only have two levels such as "normal user" and "admin" you COULD dictate everything based off of the user.level property and if they are "authenticated" they only have basic user access but if they're "admin" they have admin functionality. You'd still need to do the role based logic in your backend but I think you'll need to handle that no matter what.
Alternatively, what I think you could look at doing, is using the ASP.NET Identity system. Then from your Mobile Service, you can use the same type of custom auth I've documented here (http://chrisrisner.com/Custom-Authentication-with-Azure-Mobile-Services-and-LensRocket) but instead of checking against and storing a username/password in your Mobile Service like that sample is doing, when the user goes to register / login, you could check against the user backend created by the ASP.NET identity system. I don't have a sample off hand of that working but it sounds doable in my head.

Use multiple authentication mechanisms in Azure

I am new to windows azure development.
I am developing an application for hosting online tests.
This application needs to have multiple authentication options like Windows live ID, Facebook etc.
It also needs to have default form based authentication fed by the database in back end (simple User name and Password match).
Based on the authentication mechanism different permissions will be available to the user.
Can anyone please suggest how i should proceed on this?
Thanks
Do you really need forms authentication, or do you just need an application specific store where people can use a credential specific to your app?
I'd suggest researching Windows Azure Active Directory and Windows Azure Access Control Services together. You may create either an AD tenant for your application store and use it as an Identity Provider for ACS or you could host your own Secure Token Service and Identity Provider which uses your backend database as the user store also registered with ACS. This means that all of your authentication goes through the same process and allows for you to have your own user store, plus the social Identity Provider capability.
The key here is that you want try to avoid having forms authentication AND Social, but rather a mechanism where multiple Identity Providers can be used, including one of your own.
As Gaurav stated there are a ton of resources out there for this:
Understand the difference between WAAD and ACS.
Provisioning an Azure AD Tenant as a Identity Provider in ACS
Windows Azure Identity
There are also many blogs and MSDN documents talking about how to set these up.
If you start with the default "ASP.net MVC4 Web Application" template in Visual Studio you get a web application mini-sample with an AccountController that supports local and 'social' accounts out of the box. See documentation here. It is based on DotNetOpenAuth (a fantastic lib with terrible documentation) and a Microsoft implementation of an special MembershipProvider which lives in WebMatrix.WebData.
Regarding the Azure Access Control Service 2.0: I have no idea what the status of this service is but it looks to me as if MS itself tries to discourage developers form using this service since it was to deeply hidden somewhere under Windows Azure Active Directory in the documentation.

Can I use SQL CE to provide Membership functionality in WPF desktop application?

I am writing a desktop WPF application that uses SQL CE as its data store and syncs to a remote SQL Server database via a web service. The desktop application provides the same functionality as an ASP.NET web application I wrote but, provides the functionality for the user when no connectivity is available.
The SQL Server database also provides membership functionality for the Web version of the application.
My question is this...how can I provide the user login functionality for the WPF application when it is in "disconnected" mode? I want the user to have the same login functionality that they would have if they were logging in through the web application. I know how to sync the necesarry aspnet_Membership tables (users, roles, etc) but, how do I create the membership provider for WPF? I haven't been able to find examples.
(The WPF app won't need to create or delete users but, edit functionality would be nice...It is essential that application allows the user login and have their password checked against the one synced from the main database so, I am not sure how that encryption/decryption would work).
Thanks for whatever advice you can give
Membership was built as an ASP.NET feature. The risk I see with a local Membership approach is now those tables with passwords are on the local machine and open to being hacked. The user has to logon at the local machine so the Windows principal is validated. You might be better off mapping the Windows logon to roles and groups to provide Membership type features without MembershipService. You can iterate through the users, roles, and groups in .NET but it is slow. It is not very hard to decipher the Membership SQL tables directly and build a query to get that information and it is much faster. You can even map your MembershipProvider to the domain at IIS but then you cannot use TSQL to get the users, roles, and groups.