ASP.Net Core Windows Auth - Cache Claims in Cookies - asp.net-core

I'm porting a web application from ASP.Net to ASP.Net Core and need to support both Windows Integrated Authentication and Cookie Authentication with users stored in the apps database (the app is self-hosted by customers and different customers use different authentication methods and sometime migrate from one to the other).
In order to share as much code as possible between the authentication methods I'm using a ClaimsTranformer to add claims to the Windows Auth Users that match those that Cookie Auth (using ASP.Net Core Identity) gives me. However, I would like these claims to be stored in a cookie (in a secure way, like Identity does for the cookie auth) so that I don't have to be hitting the database on every request. Is there a way to do this?
In ASP.Net, I used to look up the user details for the Windows user on the first request and then SignIn with ASP.Net Identity cookie auth; The app would then just use cookie auth the same as if the user had been authenticated with user/password. Unfortunately in Core, it seems that as soon as I call services.AddIdentity in Startup.ConfigureServices, it disables Windows Integrated Authentication.
I'm using ASP.Net Core 2.1 on .Net Framework 4.7 (although we have plans to migrate to .Net Core in a future version, when we can remove some dependencies).

Related

Set Single Sign on cookie

I'm currently working on an ASP.NET Core 5 MVC web project, I used default created Single User Account generated template for user management. I have applied the migration and it's working fine as expected. I need to set SSO cookie so other web applications can use that and work without sign in. In .NET 5 AccountController is not visible. What is the best way to set SSO cookie?
It is "Share authentication cookies with ASP.NET Core Identity". You can see guide at reference document at https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-5.0#share-authentication-cookies-with-aspnet-core-identity
You persistence it to web-browser by
services.AddDataProtection().PersistKeysToFileSystem("{PATH TO COMMON KEY RING FOLDER}").SetApplicationName("SharedCookieApp");
services.ConfigureApplicationCookie(options => {options.Cookie.Name = ".AspNet.SharedCookie";});
Depend on your second web-application what received your cookie sharing, you can see case with ASP.NET Core Identity or with-out ASP.NET Core Identity.
https://learn.microsoft.com/en-us/aspnet/core/security/cookie-sharing?view=aspnetcore-5.0#share-authentication-cookies-without-aspnet-core-identity

SignalR failing to authenticate via cookies

I have a couple of projects:
Chat - SignalR backend (ChatHub)
Web - MVC project that hosts clientside scripts, including those that make calls to the Chat project
I'm in the process of migrating from .NET Framework to .NET Core and am moving to SignalR for Core as part of this work. Cookie authentication is working correctly on the old version, but upon migrating to SignalR for Core, I appear to be having problems.
Cookie authentication is enabled in both projects. The Web project works fine and the Auth cookie is correctly recognised and used for authentication. The Chat project, however, is not correctly authenticated against the cookie, despite the cookie being included at least in the negotiate request:
When I make a call to the ChatHub, Context.User.Identity.Name is empty. The same call returns a populated name when run on the Web project. If I decorate the ChatHub with [Authorize], the call fails with a 401.
Here's a minimalistic repro project showing the issue.
I assume the problem is related to the Authentication I have configured, or perhaps the cross-domain nature of the call?
This documentation is pretty unhelpful, and only says the following:
In a browser-based app, cookie authentication allows your existing user credentials to automatically flow to SignalR connections. When using the browser client, no additional configuration is needed. If the user is logged in to your app, the SignalR connection automatically inherits this authentication.
This appears under some very basic configuration, which basically only calls app.UseAuthentication(). Alas, that configuration does not work for me.
How do I set Cookies authentication in SignalR for Core so it works across two projects?
The issue is that by default, the Data Protection system that ASP.NET Core uses to encrypt the auth ticket isolates apps from one another.
You need to configure data protection on each project you wish to share protected payloads to use the same key ring and app identifier:
services.AddDataProtection()
.SetApplicationName("<appName>")
// as well as the following calls if your projects are to be deployed on different machines
.PersistKeysToAzureBlobStorage(new Uri("<blobUriWithSasToken>"))
.ProtectKeysWithAzureKeyVault(new Uri("<keyIdentifier>"), new DefaultAzureCredential());

Integrate Membership Provider with AspNet Core Identity

I have two ASP.NET web applications.
A legacy web forms application built using .Net Framework 4.6.1 with a Membership Provider
An AspNet Core application that uses Core Identity 2.1
The two web applications comprise the overall web application.
The plan is to have both applications hosted in IIS and allow the Core web application to manage authentication/authorization for both web apps.
I have already implemented cookie sharing between the two applications using an OWIN startup class in the web forms app and corresponding middle-ware in the Core app.
The flow is as follows:
The requests coming into the webforms application will be intercepted by a Http moudule which will redirect to the AspNet Core login form if the user is not authenticated.
Once the user enters their credentials in the Core Login form, they are redirected back to the Web forms application Home page or whatever other page as if they had logged into the app directly.
The issue I am currently having is that I haven't been able to find a programmatic way of authenticating the user as though they had submitted the Login form in the web forms app.
Is there a way to programmatically authenticate a user by using the Membership Provider via Core Identity?

Using Asp.Net Core Identity in Web Api application that uses JWT authentication

What is the proper way to configure and use Asp.Net Core Identity in Web Api application?
I've looked at the documentation, but looks like it demonstrates cookie based authentication in View-based MVC Web apps, not Web Apis. I know in Asp.Net Core the MVC Web Apps and the Web Api applications follow the same middleware pipeline, but what if I don't want cookie based authentication?
Does it make sense to use Identity at all if I want to use JWT bearer token for authentication? I've walked through a few tutorials which use JWT bearer token for authentication and also uses Identity. I've explored the sample codes, and looks like they are using Identity solely to take advantage of the built-in UserManager and RoleManager classes for the ease they provide with data access.
Do you use Asp.Net Core Identity in your Web Api application when you are using bearer token for authentication? If yes, what purposes does it serve in your application?

Asp.net core Identity and Token Based Authetication

I have following scenario. I write asp.net core web api which will be used by mobile and web (asp.net core mvc web app) apps.
I authenticate user using asp.net core identity framework class SignInManager (add account controller and related classes manually) and then generate oauth token which will be used by client applications. By doing so I have 2 identities associated with the user. one is created by after I login using SignInManager.PasswordSignInAsync and second is created by generating oauth JWT token.
Is this correct approach or not?
Thanks
https://blogs.msdn.microsoft.com/webdev/2016/10/27/bearer-token-authentication-in-asp-net-core/
that might shed some light on what direction to go. there is also another blog post about using IdentityServer4 (3rd party) works well.
https://blogs.msdn.microsoft.com/webdev/2017/01/23/asp-net-core-authentication-with-identityserver4/