I am working on an ASP.NET Core MVC application and I need to authenticate users against Active Directory/Windows Authentication, but also using Forms Authentication.
In Forms Authentication, I need to provide a mechanism for a Super Admin user credential which has a specific user name and password. The purpose is that the super admin account can do everything in the app but is not bound to any specific user.
How can I achieve this?
Related
I have a form to be completed by the user in the ASP.NET Core MVC project. All the user needs to do is complete the form; the admin, looking at the users' table with admin access, decides whether to contact the user.
I know how to implement Identity or cookie/token authentication, but I was wondering how to implement authorization in this case with just one page and without authentication.
I am using Keycloak 11.0.0 to secure my ASP.NET Core 3.1 application.
I am looking for a way to allow users to access certain resources without needing their own account.
Which resources can be accessed without an account should be configured in Keycloak. Currently we are using a simple role based system.
My idea was to add a "Login with Anonymous User" button next to the login form in Keycloak. This anonymous user is a normal Keycloak user to which I can assign roles.
How can this be done in Keycloak? I think I might need to write an extension, but I do not know which interface I need to implement for this functionality.
Or is there even a better way to accomplish my goal?
I want to create a self-hosted ASP.NET Core application that authenticates a single user for access and allows the user to change their password. Once authenticated, the user can access the application content. This mechanism is quite similar to how you would log in to your home router: when you open a browser to the router IP, you are taken to the login screen. Once authenticated, you can change router settings and change the administrative password.
There is no need for:
New user registration
Two factor authentication
Forgotten password recovery
Personal data management
Email verification
Etc...
I have a proof-of-concept working using ASP.NET Core Identity, but the default UIs provide way too much functionality. I understand you can disable/customize the default UIs via scaffolding which works, but creates a ton of project clutter.
Is there an alternative I should consider? Or am I stuck with all the scaffolding boilerplate code?
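An added example, not code from either question above, showing one way to get the single-administrator, change-your-own-password model without ASP.NET Core Identity: plain cookie authentication with one account whose password is kept only as a PBKDF2 hash. It also covers the "super admin account not bound to any specific user" part of the first question. It assumes .NET 6 or later and the minimal hosting model; `AdminCredentialStore`, `LoginRequest`, `ChangePasswordRequest` and the seeded account name and password are hypothetical names and constructed sample values.

```csharp
// Added example (not from the questions above): a self-hosted ASP.NET Core app with
// exactly one administrator account, using cookie authentication instead of Identity.
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/login";
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.ExpireTimeSpan = TimeSpan.FromHours(1);
        options.SlidingExpiration = true;
    });
builder.Services.AddAuthorization(options =>
{
    // Every endpoint requires a signed-in user unless it explicitly opts out.
    options.FallbackPolicy = options.DefaultPolicy;
});
builder.Services.AddSingleton<AdminCredentialStore>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapPost("/login", async (HttpContext ctx, AdminCredentialStore store, LoginRequest req) =>
{
    if (!store.Verify(req.Username, req.Password))
        return Results.Unauthorized();   // same response for unknown user and wrong password

    var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
    identity.AddClaim(new Claim(ClaimTypes.Name, req.Username));
    identity.AddClaim(new Claim(ClaimTypes.Role, "Administrator"));
    await ctx.SignInAsync(new ClaimsPrincipal(identity));
    return Results.Ok();
}).AllowAnonymous();

app.MapPost("/change-password", async (HttpContext ctx, AdminCredentialStore store, ChangePasswordRequest req) =>
{
    var user = ctx.User.Identity!.Name!;
    if (!store.Verify(user, req.Current)) return Results.Unauthorized(); // re-prove the old password
    store.Change(req.Next);
    await ctx.SignOutAsync();              // existing session ends; sign in again with the new password
    return Results.Ok();
});

app.MapGet("/", (ClaimsPrincipal user) => $"Hello {user.Identity!.Name}, you are signed in.");

app.Run();

public record LoginRequest(string Username, string Password);          // hypothetical DTOs
public record ChangePasswordRequest(string Current, string Next);

// Hypothetical credential store: one account, password stored only as salt + PBKDF2 hash.
// A real deployment would persist the record (small DB or protected file) and seed the
// initial hash from configuration; here it is seeded in memory with constructed values.
public sealed class AdminCredentialStore
{
    private const int Iterations = 210_000;
    private const int SaltSize = 16, HashSize = 32;
    private readonly object _gate = new();
    private const string Username = "admin";                    // constructed sample account
    private byte[] _salt, _hash;

    public AdminCredentialStore()
    {
        (_salt, _hash) = HashPassword("change-me-on-first-login"); // constructed sample
    }

    public bool Verify(string username, string password)
    {
        lock (_gate)
        {
            // Always derive the hash, even for a wrong user name, so timing does not
            // reveal whether the account name was right.
            var candidate = Rfc2898DeriveBytes.Pbkdf2(password, _salt, Iterations, HashAlgorithmName.SHA256, HashSize);
            bool nameOk = string.Equals(username, Username, StringComparison.Ordinal);
            bool passOk = CryptographicOperations.FixedTimeEquals(candidate, _hash);
            return nameOk & passOk;   // non-short-circuiting on purpose
        }
    }

    public void Change(string newPassword)
    {
        lock (_gate) (_salt, _hash) = HashPassword(newPassword);   // fresh salt on every change
    }

    private static (byte[] salt, byte[] hash) HashPassword(string password)
    {
        var salt = RandomNumberGenerator.GetBytes(SaltSize);
        var hash = Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, HashSize);
        return (salt, hash);
    }
}
```

The design choice worth noting is that there is no user table, registration or recovery flow at all: the cookie handler does the session work, the store does the one password check, and a successful password change signs the current session out so a stolen cookie does not outlive the credential it was issued against.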
I am writing an internal app where all the users are part of AD. I have the following steps to implement this. Is this correct?
1. Create an action filter to intercept all HTTP requests to the website and check if the user is in the specific AD role needed (var isUserInRole = User.IsInRole("M2-ITU-PWApplicationDevelopers"))
2. If the user is not in any of the application roles, send the user to an error page
3. If the user is in an application role, add the user to the SQL DB and link to the Role table in the DB, so that I have the user/role data ready to use in the DB along with other data
4. When the user revisits, check the database first before LDAP?
How do I set a cookie or something so that every request does not need to go through this process once authenticated?
Trying to understand the basics... Maybe I am going about this all wrong?
Use Windows Authentication. Your application needs to be behind IIS to do it in ASP.NET Core 2.2 and lower, but starting with ASP.NET Core 3.0 you can do it with Kestrel alone.
If you do that, you can skip steps 3 and 4. When a person is authenticated via Windows Authentication, the application gets a login token that contains all the security groups that the account is a member of. So User.IsInRole is pretty quick. There is no need to store that information in your own database.
You also don't need to worry about cookies.
The added benefit of Windows Authentication is that it can support seamless login: if your site is in the Trusted Sites in Internet Options, then IE and Chrome will automatically send the credentials of the user currently logged into Windows. The user doesn't have to type in their credentials.
Firefox uses its own network.negotiate-auth.delegation-uris setting for the same purpose.
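An added example, not code from the question or the answer, of what the answer describes: Windows Authentication on Kestrel (ASP.NET Core 3.0+) through the Microsoft.AspNetCore.Authentication.Negotiate package, with the AD group check expressed as authorization policies instead of a custom action filter and a local role table. It also sketches the two-scheme setup the first question on this page asks for, by registering a cookie scheme alongside Negotiate and writing one policy that accepts either. It assumes a domain-joined Windows host, where the Negotiate handler produces a WindowsPrincipal whose group memberships answer `IsInRole` (on Linux the handler needs LDAP configuration for that); `DOMAIN` is a placeholder for the AD domain, the group name is the one from the question, and `AppRoles`, `HomeController` and the policy name `AppAdmin` are hypothetical names.

```csharp
// Added example (not from the question or the answer): Windows Authentication on Kestrel
// with AD group membership enforced by authorization policies.
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Negotiate;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(NegotiateDefaults.AuthenticationScheme)
    .AddNegotiate()
    // Second scheme so a non-AD admin account (cookie login) can coexist with Windows
    // authentication, as asked in the first question on this page. Issuing that cookie
    // is a separate login endpoint and is not shown here.
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme);

builder.Services.AddAuthorization(options =>
{
    // Replaces steps 1 and 2 of the question: every request must carry a Windows identity
    // that is a member of the application group; anything else is rejected before the action runs.
    options.FallbackPolicy = new AuthorizationPolicyBuilder(NegotiateDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .RequireRole(AppRoles.DevelopersGroup)
        .Build();

    // Either an AD member of the group or a cookie-signed-in "Administrator" is accepted here.
    options.AddPolicy("AppAdmin", policy => policy
        .AddAuthenticationSchemes(NegotiateDefaults.AuthenticationScheme,
                                  CookieAuthenticationDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx =>
            ctx.User.IsInRole(AppRoles.DevelopersGroup) || ctx.User.IsInRole("Administrator")));
});

builder.Services.AddControllersWithViews();

var app = builder.Build();
// Turns the 403 produced by the fallback policy into the "error page" of step 2.
app.UseStatusCodePagesWithReExecute("/error/{0}");
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public static class AppRoles
{
    // Group name from the question; DOMAIN is a placeholder for the real AD domain.
    public const string DevelopersGroup = @"DOMAIN\M2-ITU-PWApplicationDevelopers";
}

public class HomeController : Controller
{
    // Covered by the fallback policy: no attribute needed, and no database lookup.
    // The group list comes from the Windows token, so IsInRole is a local check.
    [Route("/")]
    public IActionResult Index() =>
        Content($"Hello {User.Identity?.Name}; in group: {User.IsInRole(AppRoles.DevelopersGroup)}");

    [Route("/admin")]
    [Authorize(Policy = "AppAdmin")]
    public IActionResult Admin() => Content("admin area");

    [AllowAnonymous]
    [Route("/error/{code:int}")]
    public IActionResult Error(int code) =>
        StatusCode(code, code == 403 ? "You are not in an application role." : $"Error {code}");
}
```

Steps 3 and 4 of the question disappear, as the answer says: group membership is read from the token on every request rather than cached in SQL, so a user removed from the AD group loses access as soon as their next request is negotiated, with no cookie or local role table to invalidate.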
I am developing an ASP.NET application in 3.5 where authentication is done using cookies. On the default page I am authenticating the user and setting some value in a cookie.
Whenever I need to authenticate the user, I just verify it from the cookie. If the user is not authorized, then I redirect him to the default page for authentication.
Is this the correct way to do?
If you want to authenticate users using Usernames & Passwords with roles and the like, I suggest using .NET's Forms Authentication: http://www.asp.net/Learn/Security/.
This is a great question on practice. I have done authentication using session variables before without any major issues. I do recommend using Forms Authentication and the Membership class.
MSDN Forms Authentication