I did find similar questions but none of the provided answers helped me.
I did follow a tutorial to add Identity to my ASP.net Core 2.2 project (https://retifrav.github.io/blog/2018/03/20/csharp-dotnet-core-identity-mysql/)
Even though SignInManager.PasswordSignInAsync() succeeds, both User.Identity.IsAuthenticated and SignInManager.IsSignedIn(User) are false in the _Layout view.
_Layout.cshtml:
#using Microsoft.AspNetCore.Identity
#inject SignInManager<MySiteUser> SignInManager
#inject UserManager<MysiteUser> UserManager
......................
<div>
#if (SignInManager.IsSignedIn(User))
{
<div>Hello #UserManager.GetUserName(User)!</div>
}
#if (User.Identity.IsAuthenticated)
{
<div>User is authenticated </div>
}
</div>
In Startup.CS, in ConfigureServices I have:
services.AddIdentity<MySiteUSer, MySiteRole>().AddEntityFrameworkStores<IdentityContext>().AddDefaultTokenProviders();
services.Configure<IdentityOptions>(options =>
{
options.Password.RequireDigit = true;
options.Password.RequiredLength = 8;
options.Password.RequireNonAlphanumeric = true;
options.Password.RequireUppercase = true;
options.Password.RequireLowercase = true;
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
options.Lockout.MaxFailedAccessAttempts = 10;
options.User.RequireUniqueEmail = true;
});
services.ConfigureApplicationCookie(options => options.LoginPath = "/Account/Login");
services.AddMvc();
In Startup.CS, in Configure() I have:
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IServiceProvider services)
{
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseAuthentication(); ;
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller=Home}/{action=Index}/{id?}");
});
}
In AccountController I have:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
{
returnUrl = returnUrl ?? Url.Content("~/");
if (ModelState.IsValid)
{
var result = await _signInManager.PasswordSignInAsync(model.Username, model.Password, model.RememberMe, lockoutOnFailure: false);
if (result.Succeeded)
{
_logger.LogInformation("User logged in.");
var user = await _signInManager.UserManager.FindByNameAsync(model.Username);
var userPrincipal = await _signInManager.CreateUserPrincipalAsync(user);
var identity = userPrincipal.Identity;
if(identity.IsAuthenticated)
return RedirectToAction("Index", "Home");
}
else
{
ModelState.AddModelError(string.Empty, "Invalid login attempt.");
return View(model);
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
MySiteUser and MySiteRole just override default Identity classes
public class MySiteUser : IdentityUser<int>
{
}
public class MySiteRole : IdentityRole<int>
{
}
Edit:
Because all replies are about the Controller, before this one I used the following code in AccountController
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
{
returnUrl = returnUrl ?? Url.Content("~/");
if (ModelState.IsValid)
{
var result = await _signInManager.PasswordSignInAsync(model.Username, model.Password, model.RememberMe, lockoutOnFailure: false);
if (result.Succeeded)
{
return RedirectToAction("Index", "Home");
}
else
{
ModelState.AddModelError(string.Empty, "Invalid login attempt.");
return View(model);
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
The result was the same.
I've just find a solution, although I don't understand why it works. I've checked Chrome Developer Tools to see if the authentication cookie is set, and it wasn't.
After I deleted all cookies for the site, the app set the cookie and all works well.
I also tested the simpler AccountController and that works fine, too:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl = null)
{
returnUrl = returnUrl ?? Url.Content("~/");
if (ModelState.IsValid)
{
var result = await _signInManager
.PasswordSignInAsync(model.Username, model.Password,
Model.RememberMe, lockoutOnFailure: false);
if (result.Succeeded)
{
return RedirectToAction("Index", "Home");
}
else
{
ModelState.AddModelError(string.Empty, "Invalid login attempt.");
return View(model);
}
}
// If we got this far, something failed, redisplay form
return View(model);
}
You don't need to check if(identity.IsAuthenticated) before redirecting user to home page. If the code reaches the (result.Succeeded) block, it means user is authenticated. if(identity.IsAuthenticated) will be true only at the end of the request, meaning you have returned an HttpResponse (or something) that will create a cookie on client side.
So the solution is to remove the condition inside the Login action.
/*if(identity.IsAuthenticated) <===== remove this */
return RedirectToAction("Index", "Home");
EDITS: Don't forget that when you use RedirectToAction, it's still a same request so the cookie will not be created yet. Instead, create and use a temporary success view as I usually do.
/*if(identity.IsAuthenticated) <===== remove this */
return RedirectToAction("Index", "Home"); <===== remove this */
/*put url in viewbag or use returnUrl variable*/
#ViewBag.ReturnUrl = Url.Action("index","home"/*,null,Request.Url.Scheme*/);
return View("LoginSuccess");
and here is what to put in your LoginSuccess.cshtml view
<h2>Authenticated. Wait 2 seconds or click continue</h2>
<p><a href="#ViewBag.ReturnUrl">
Continue</a></p>
<script>
setTimeout(function () {
window.location = "#ViewBag.ReturnUrl";
}, 2000)
</script>
PS: You may need to use partial view to avoid conflict with your layout page headers... return PartialView("LoginSuccess");
I believe I have stumbled on this answer to this. First try this in IE, it may work there. Apparently Chrome is quite fussy regarding the cookie that is used for the Authentication unless you are talking to it in HTTPS. If you are in development and using HTTP and using Chrome the IsSignedIn(User) may fail. This is unbelievably annoying and quite a productivity sink. HTH
Related
I have been trying to use the authorization method to limit access to specific actions and pages to users that are not logged in. In this case, I am trying to prevent users who are not logged in from purchasing books on my website. Here is how I used the authorize method.
// GET: Books/Purchase/5
[Authorize]
public async Task<IActionResult> Purchase(Guid id)
{
if (id == null)
{
return NotFound();
}
var book = await _context.Book.FindAsync(id);
if (book == null)
{
return NotFound();
}
OrderViewModel model = new OrderViewModel();
model.BookOrder = book;
model.Quantity = 1;
return View(model);
}
When I try to purchase a book the browser takes me back to the login page even though I am already logged in as an admin. What could be the reason for this? Here is my login action:
[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login(LoginViewModel model, string returnUrl)
{
if (ModelState.IsValid)
{
var result = await signInManager.PasswordSignInAsync(model.Email, model.Password, model.RememberMe, false);
if (result.Succeeded)
{
if (!string.IsNullOrEmpty(returnUrl))
{
return LocalRedirect(returnUrl);
}
return RedirectToAction("index", "home");
}
}
ModelState.AddModelError("", "Invalid Login Attempt");
return View(model);
}
Any help/guidance with this?
One reason is that the order of app.UseAuthentication(); and app.UseAuthorization(); is reversed.
You need to make sure app.UseAuthorization(); is after app.UseAuthentication();.
More details you can refer to Asp.Net Core identity.
Even after a successful sign-in it does not redirect to action but stays on the login page.
I have put breakpoints but have not been able to know what exactly is wrong with my code.
Even if the condition is true the code is not executed.
Here is my code:
[HttpPost]
public async Task<ActionResult> Login(LoginViewModel model)
{
if (ModelState.IsValid)
{
var user = await _context.Users.SingleOrDefaultAsync(u => u.UserName == model.UserName);
if (user != null)
{
var result = await _signInManager.PasswordSignInAsync(user, model.Password, true, false);
if (result.Succeeded)
{
var role = await _userManager.GetRolesAsync(user);
if (role.Contains("Client"))
{
return RedirectToAction("Index", "MyDashboard");
}
if (role.Contains("Admin"))
{
return RedirectToAction("Index", "Admin");
}
}
}
else
{
ModelState.AddModelError("", "Invalid login attempt");
return View(model);
}
}
return View();
}
I got the solution myself. Actually, I was missing Authentication middleware in the startup class. After adding app.UseAuthentication() ,it works fine. Thanks.
I have three actions that open in stages... The actions are as follows?
https://localhost:44336/Login
https://localhost:44336/Register
https://localhost:44336/Active
First the login page opens, then the active page, then the registration page.
I used viewbag to prevent these URLs from being opened directly
public IActionResult Activate()
{
if (ViewBag.Mobile == null)
{
return RedirectToAction("Index", "Home");
}
return View();
}
This has a problem when I refresh the page out of action!
Is there a way to do this without a viewbag? If the user enters the address in the browser, the page will not open, but if it is refreshed, it will not leave the page?
I think your requirement can be solved by Autentication.I wrote a demo about cookie Authenticantion in asp.net core .you could also try other methods like jwt.
Codes in your startup class:
public void ConfigureServices(IServiceCollection services)
{
.......
services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, m =>
{
m.LoginPath = new Microsoft.AspNetCore.Http.PathString("/Users/Login");
m.AccessDeniedPath = new Microsoft.AspNetCore.Http.PathString("/Home/Privacy");
m.SlidingExpiration = true;
});
.......
}
........
public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
........
app.UseAuthentication();
app.UseAuthorization();
.......
}
Codes in your controller:
public async Task<IActionResult> Login(User user)
{
........
var claims = new List<Claim> { new Claim(ClaimTypes.Name,user.Name),new Claim("Mobile",user.Mobile)};
var userPricipal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Customer"));
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, userPricipal, new AuthenticationProperties
{
ExpiresUtc = DateTime.UtcNow.AddMinutes(10),//you could set the time of cookie here
IsPersistent = false,
AllowRefresh = false
});
var mobile = _context.User.FirstOrDefault(m => m.Name == user.Name && m.Mobile == user.Mobile).Mobile;
if (user.Mobile != null)
{
return RedirectToAction(nameof(Index));
}
..........
return View();
}
Add the [Authorize] Attribute on the Action that needs Authentication:
[Authorize]
public async Task<IActionResult> Index()
{
return View();
}
you could read the offical document for more details:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-6.0
I am trying to configure the 2FA when users log in for the first time in .net core. So I added an if condition for checking if 2FA is not enabled then redirecting to creating MFA, however, a major flaw here is that the users can change the URL link on the browser to skip 2FA creation, how can I avoid this? Below are my Account Controller Codes:
Login Controller Methods
[HttpGet]
[AllowAnonymous]
public IActionResult Login(string? returnurl = null)
{
ViewData["ReturnUrl"] = returnurl;
return View();
}
[HttpPost]
[AllowAnonymous]
public async Task<IActionResult> Login(LoginViewModel model, string? returnurl = null)
{
ViewData["ReturnUrl"] = returnurl;
returnurl ??= Url.Content("~/");
if (ModelState.IsValid)
{
var user = await _userManager.FindByNameAsync(model.UserName);
var result = await _signInManager.PasswordSignInAsync(model.UserName, model.Password, model.RememberMe, lockoutOnFailure: true);
if (result.Succeeded)
{
if (user.TwoFactorEnabled==false)
{
return RedirectToAction(nameof(EnableAuthenticator), new { returnurl, model.RememberMe });
}
return LocalRedirect(returnurl);
}
if (result.RequiresTwoFactor)
{
return RedirectToAction(nameof(VerifyAuthenticatorCode), new { returnurl, model.RememberMe });
}
if (result.IsLockedOut)
{
return View("Lockout");
}
else
{
ModelState.AddModelError(string.Empty, "Invalid login attempt.");
return View(model);
}
}
return View(model);
}
Enable 2FA Controller Methods
[HttpGet]
public async Task<IActionResult> EnableAuthenticator()
{
string AuthenticatorUriFormat = "MY-OTP-SECRET-HERE";
var user = await _userManager.GetUserAsync(User);
await _userManager.ResetAuthenticatorKeyAsync(user);
var token = await _userManager.GetAuthenticatorKeyAsync(user);
string AuthenticatorUri = string.Format(AuthenticatorUriFormat, _urlEncoder.Encode("My-App-Name-Here"),
_urlEncoder.Encode(user.Email), token);
var model = new MFAViewModel() { Token = token, QRCodeUrl = AuthenticatorUri };
return View(model);
}
[HttpPost]
public async Task<IActionResult> EnableAuthenticator(MFAViewModel model)
{
if (ModelState.IsValid)
{
var user = await _userManager.GetUserAsync(User);
var succeeded = await _userManager.VerifyTwoFactorTokenAsync(user, _userManager.Options.Tokens.AuthenticatorTokenProvider, model.Code);
if (succeeded)
{
await _userManager.SetTwoFactorEnabledAsync(user, true);
}
else
{
ModelState.AddModelError("Verify", "Your two factor auth code could not be validated.");
return View(model);
}
}
return RedirectToAction(nameof(AuthenticatorConfirmation));
}
As mentioned in my comment, you could consider configuring the application use Claims-based authorization, after user login with 2FA successfully, you could add a claim store the 2FA login result and add it to the login user. After that, in your application, create a policy which requires the claim, and add the Authorize attribute on each controller.
Besides, you could also add the user's claims after 2FA , then create a custom middleware/Authorize attribute to validate each request and check whether the current user contains the claims or not. You can refer to the following links: Custom Authorization attributes and How To Override Attribute Class To Do Custom Authorization In .NET Core.
I'm making a site with external authorization through VK, I've looked through a lot of examples, but I ran into one problem, in all examples redirection to ExternalLoginCallback happens through Challange method with provider parameters and url, but redirection happens not to specified url, but to signin-vkontakte-token, which is specified in ConfigureServices. What can this be related to?(It doesn't matter if you give me an answer with the specified provider or another one, such as Facebook)
[AllowAnonymous]
public IActionResult ExternalLogin(string provider, string returnUrl)
{
var redirectUrl = Url.Action(nameof(ExternalLoginCallback), "Home", new { returnUrl });
var properties = _signInManager.ConfigureExternalAuthenticationProperties(provider, redirectUrl);
return Challenge(properties, provider);
}
[AllowAnonymous]
public async Task<IActionResult> ExternalLoginCallback(string returnUrl)
{
var info = await _signInManager.GetExternalLoginInfoAsync();
if (info == null)
{
return RedirectToAction("Index");
}
var result = await _signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, false, false);
if (result.Succeeded)
{
return RedirectToAction("Index");
}
return RedirectToAction("Index");
}