Changing ASP.NET Identity service to use WS-Federation - asp.net-core

I am working on a new ASP.NET Core Blazor application that I am basing on the BlazorHero clean architecture template.
The major modification that I need to make is the switch from its ASP.NET Core Identity based system to relying on WS-Federation SSO authentication.
My initial goal is to get the app to stop using the login screen (which is caused by App.razor in the Blazor Client sending unauthorized users to login). What do I need to modify for the app to go to the home page rather than the login screen?
My second goal is to get the user service to return the current user information from our WS-Federation server. I can write the code that will populate the current user from WS-Federation. How/where do I tell the Identity service what I want it to return for the current user?
My assumption is that I will need to re-write (at minimum) the IdentityService.cs, the UserService.cs and the RoleService.cs files.

Related

ASP.NET Core Identity, SSO with WSFederation

I need to make my new ASP.NET Core Blazor WASM application authenticate with our on-prem ADFS/WSFederation servers. Specifically, it needs to automatically log-in users that are already logged into our AD domain, without making them go to a login page. Basic single sign on behavior. (This is how ASP.NET worked by default with ADFS/WSFederation)
I can get SSO to work without using Identity, and I can get Identity to use a log-in screen that will allow you to choose a WSFederation server as an external log-in provider, but that still begins at a log-in screen.
Can ASP.NET Core Identity work in an SSO configuration (no login screens appear for domain users), or is Identity built on the assumption that log-in screens will be used? If it can be done, how is that set up? If I can't use Identity, can I still use other middleware like Authorization?
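The server-side setup that the two WS-Federation questions above ask about, as an added example that is not code from either post or from the BlazorHero template. It assumes the Microsoft.AspNetCore.Authentication.WsFederation package, a .NET 6+ minimal-hosting Program.cs, and placeholder values for the ADFS metadata address and the relying-party realm.

```csharp
// Program.cs of the ASP.NET Core server (added example, not the asker's code).
// Placeholders: the ADFS metadata URL and the realm registered in the relying party trust.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.WsFederation;
using Microsoft.AspNetCore.Authorization;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        // The cookie carries the session once ADFS has issued a token.
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        // Unauthenticated requests are challenged at ADFS directly, so no app login page is shown;
        // a domain-joined browser completes the WS-Federation redirect without prompting.
        options.DefaultChallengeScheme = WsFederationDefaults.AuthenticationScheme;
    })
    .AddWsFederation(options =>
    {
        options.MetadataAddress = "https://adfs.example.com/FederationMetadata/2007-06/FederationMetadata.xml"; // placeholder
        options.Wtrealm = "https://app.example.com/"; // placeholder; must match the relying party trust in ADFS
        // The token is posted back to the default CallbackPath "/signin-wsfed"; no controller is needed for it.
    })
    .AddCookie(options =>
    {
        // Session cookie hardening: not readable from script, only sent over HTTPS.
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });

// Require an authenticated user on every endpoint unless it opts out with [AllowAnonymous].
// This is what replaces Identity's "redirect to /Account/Login" behaviour.
builder.Services.AddAuthorization(options =>
{
    options.FallbackPolicy = new AuthorizationPolicyBuilder()
        .RequireAuthenticatedUser()
        .Build();
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Returns the name claim ADFS issued, which is what a user service can read from HttpContext.User.
app.MapGet("/me", (HttpContext ctx) => ctx.User.Identity?.Name ?? "anonymous");

app.Run();
```

This covers only the server, where the challenge is issued and the claims arrive; the Blazor WebAssembly client's App.razor redirect is a separate client-side concern.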

How to edit login page in WebAssembly project with Individual User Accounts?

I have selected Individual User Accounts while creating a Blazor application. I have no idea where I can modify the Login page that was created; the file with the source code is not available anywhere.
How to modify Login page in that scenario?
When choosing your configuration, the created template gets delivered with IdentityServer and ASP.NET Core Identity. IdentityServer makes the endpoint OpenID/OAuth compatible. This is needed for the Blazor WebAssembly app to streamline the process of getting a token, validating it, etc. ASP.NET Core Identity is used to save and retrieve the users from the database, logging them in by setting a cookie and checking the correctness of provided passwords, hashing them, etc. This link answers how you can modify the default Razor Pages delivered when an app with ASP.NET Core Identity is created.
Where are the Login and Register pages in an AspNet Core scaffolded app?

ASP.NET Core Authentication for Server side Blazor app

I am currently learning ASP.NET Core. As a first step I want to port an older project from ASP.NET WebForms to ASP.NET Core Blazor. Unfortunately, I have some difficulties with setting up authentication.
As far as I've read, there are many ways to do authentication:
Cookie Based
Identity Based
etc.
But I am not sure which one I should use. Also what is the key point of an Identity based authentication?
I want to compare username and password with an existing Firebird database. If the entered credentials match an entry in the database, the user should be logged in. Authentication should be required for the entire app, except the login page. The authentication should last for around 8 hours.
Which authentication method should I use? And how can I use my own checking method to verify a user? I don't want to use the built-in database from the app that comes with this AppDbContext stuff.
Thanks!
-Marvin

Refresh Signin & Reload claims

I am storing the user-selected culture in the user claims, and I have a custom RequestCultureProvider that reads this value and sets the request culture accordingly.
The application will have a profile page where the user can change his preferences (culture included). After saving the data to the database I need to silently re-sign-in the user in order to update his claims.
Additional info:
I'm using IdentityServer4 with ASP.NET Core 2.0 and ASP.NET Identity.
I'm loading the culture to the claims in the OnTokenValidated event (client apps). It can also be done in the GetProfileDataAsync (IProfileService) or UserClaimsPrincipalFactory (ASP.NET Core Identity)
The system is composed of 3 web apps (Idsv4 + app1 + app2). The profile pages are implemented in the app applications.
With a single web app configured with ASP.NET Identity you can use the method RefreshSignInAsync from the SignInManager to regenerate the user's application cookie; however, I need to trigger this process from the client apps (app1 & app2), so there is no access to SignInManager.
I tried to use HttpContext.Authentication.ChallengeAsync("oidc") and HttpContext.Authentication.SignInAsync, and apparently the authenticate endpoint is invoked; however, I cannot handle the response and it generates an infinite loop in the MVC action where I'm invoking this code.
So, how can I achieve the silent re-sign-in with Idsrv4?
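One way to re-sign-in from app1/app2 without SignInManager, as an added example that is not the asker's code: it rewrites the local application cookie with HttpContext.SignInAsync instead of challenging the oidc scheme, so there is no round-trip to IdentityServer and no loop. It assumes the cookie scheme is CookieAuthenticationDefaults.AuthenticationScheme, a hypothetical claim type "culture", a hypothetical ProfileController, and that the new value is validated against the cultures the app supports.

```csharp
// Added example for an ASP.NET Core 2.0 MVC client app (app1/app2); not the asker's code.
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

public class ProfileController : Controller   // hypothetical controller
{
    private const string CultureClaimType = "culture";                 // placeholder claim type
    private static readonly string[] SupportedCultures = { "en-US", "fr-FR", "es-ES" }; // constructed list

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> SaveCulture(string culture)
    {
        // Only a known culture may become a claim value; reject anything else.
        if (!SupportedCultures.Contains(culture))
            return BadRequest();

        // ... persist the preference to the database here (omitted) ...

        // Read the current local session, including its AuthenticationProperties (expiry,
        // any tokens the OIDC handler stored), so the re-sign-in preserves them.
        var result = await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        if (!result.Succeeded)
            return Challenge();   // no local session: let the normal oidc challenge run

        var identity = (ClaimsIdentity)result.Principal.Identity;

        // Replace the culture claim in the existing identity.
        foreach (var old in identity.FindAll(CultureClaimType).ToList())
            identity.RemoveClaim(old);
        identity.AddClaim(new Claim(CultureClaimType, culture));

        // Re-sign into the cookie scheme only. This rewrites the app cookie in place;
        // calling ChallengeAsync("oidc") here is what causes the redirect loop.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      result.Principal, result.Properties);

        return RedirectToAction("Index");
    }
}
```

Because the claim is only rewritten locally, the OnTokenValidated handler that loads the culture from the database still has to read the saved value on the user's next full sign-in.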

Understanding asp.net core identity template login

In Visual Studio 2017, create a new ASP.NET Core Web Application (.NET Core) project, changing authentication to Individual User Accounts (so using ASP.NET Core Identity).
In the created project, there is an AccountController. In the [HttpGet] Login method, there is the following:
// Clear the existing external cookie to ensure a clean login process
await HttpContext.Authentication.SignOutAsync(_externalCookieScheme);
I'm just trying to understand the authentication process a bit better. So my questions are:
What does this code do?
Why is it included in this method?
If I do not include this in my own login method, under what circumstances will I encounter a problem, and what will the problem be?
In Identity you can use external logins like Microsoft, Google or Facebook, and this method ensures that you are not logged in with these services before authenticating the user.
Only if you use external login, include this line in your Login action; otherwise you don't need it.