Thinktecture IdentityServer self-service user creation - thinktecture-ident-server

We currently have several web systems that are using the old Membership provider in silos. I am looking at implementing a new server for identity management and discovered IdentityServer. Is it possible for a user to self-create an identity out of the box? Otherwise, are there add-ons or code samples that would assist in doing something like this?

Identity Server can work with any user store, however only ASP.NET Identity and MembershipReboot is supported out-of-the-box.
If you want to implement your own user store to work with Identity Server, you can implement Identity Server's IUserService interface to abstract it out.
Identity Server itself is not an identity manager but instead an OpenID Connect provider that handles Authentication and Authorization using the OpenID Connect 1.0 and OAuth 2.0 protocols. See my blog post for a brief overview or the big picture section of the official documentation.
I started off in the same situation as you and ended up implementing Identity Server and migrating our user data from ASP.NET Membership to ASP.NET Identity. I would recommend the same for you.

Related

Two factor authentication (MFA) in ASP.NET Core application with Identity Server 4

I have already created login flow with Identity Server 4 in my .NET Core application, but it is customized. I mean, flow is not following the classes like UserManager / SignInManager as Identity Server default implementation for user management, even tables for user are also customized in the database.
Please note, my project does not have Microsoft.AspNetCore.Identity.IdentityUser as default identity.
Now I want to implement two factor authentication via Google Authenticator app in my application.
I have tried https://deblokt.com/2019/10/09/07-identityserver4-mfa-totp/ document, but did not have much success as login flow is not following legacy flow of Identity Server 4.
My questions are:
Can I still add Google Authenticator to achieve multi-factor authentication?
If yes, then how? Any suggestion or tutorial which I can refer to?
Please correct me if I misunderstood the concept
Thanks in advance.

How to add AzureAd authentication to .net core web app using identity framework

I have an asp .net core 3.1 web application that uses the MS Identity (for users) and Entity (codefirst) framework to authenticate users stored in database.
All user rights/groups etc. are stored locally and used to allow/deny access to different areas of the application.
So what I think I need is a way to allow users in my web-app to choose to authenticate using AzureAD account, and when the authentication is done, the wep-app will sign-in the local-user somehow linked to the Azure user
Is this how to do this, or can you guide me to how to do this the correct way
To achieve the above requirements, You can use Azure AD authentication & external login in your asp.net application by implementing the code in your appsettings and controller as mentioned here .
As you wanted to implement the application ,
Consider other options before storing users of your Web applications in a local database. Instead of managing users in a local database, it's best practice to store and manage user information outside of the application, such as with Azure Active Directory or Azure Active Directory B2C. Consider Identity Server if the authentication service must run on-premises. Identity Server is a member of the.NET Foundation and is OpenID certified.
To implement from scratch you can refer this blog.
Please refer the below links for the similar discussion & Documentation to get started with :-
MICROSOFT DOCUMENTATION|Secure a hosted ASP.NET Core Blazor WebAssembly app with Identity Server
SO THREAD|Implement both Individual User Accounts and Azure AD Authentication & .NET Core Identity Server 4 Authentication VS Identity Authentication
BLOG| Integrating with External identity Providers

Example of External Identity Provider with openiddict

Hi I'm new to web security, so please be gentle :)
I've been reading a huge amount about OAuth2/OIDC, JWT, openiddict, ASP.NET Core Identity, etc, but I keep going around in circles trying to understand how multiple-external id providers is supposed to work.
I'm looking to create an SPA application (React) with ASP.NET Core web api (I am primarlily a C# developer.)
Any examples on how to do the google/social login with openiddict issuing the auth&id tokens to my client would be great. (I know I'm supposed to use auth code+PKCE for SPA security - no client secret involved, etc.)
I'd like to offer signup/sign-in via user/pwd or any of the major social external provider (Gooble, Facebook, Twitter.)
Does opennidd even support this? i.e. multipe identity providers? If so, I can't see how to get it to return the required token, once the google oidc process has returned the tokens to me.
Many thanks.

Use multiple authentication mechanisms in Azure

I am new to windows azure development.
I am developing an application for hosting online tests.
This application needs to have multiple authentication options like Windows live ID, Facebook etc.
It also needs to have default form based authentication fed by the database in back end (simple User name and Password match).
Based on the authentication mechanism different permissions will be available to the user.
Can anyone please suggest how i should proceed on this?
Thanks
Do you really need forms authentication, or do you just need an application specific store where people can use a credential specific to your app?
I'd suggest researching Windows Azure Active Directory and Windows Azure Access Control Services together. You may create either an AD tenant for your application store and use it as an Identity Provider for ACS or you could host your own Secure Token Service and Identity Provider which uses your backend database as the user store also registered with ACS. This means that all of your authentication goes through the same process and allows for you to have your own user store, plus the social Identity Provider capability.
The key here is that you want try to avoid having forms authentication AND Social, but rather a mechanism where multiple Identity Providers can be used, including one of your own.
As Gaurav stated there are a ton of resources out there for this:
Understand the difference between WAAD and ACS.
Provisioning an Azure AD Tenant as a Identity Provider in ACS
Windows Azure Identity
There are also many blogs and MSDN documents talking about how to set these up.
If you start with the default "ASP.net MVC4 Web Application" template in Visual Studio you get a web application mini-sample with an AccountController that supports local and 'social' accounts out of the box. See documentation here. It is based on DotNetOpenAuth (a fantastic lib with terrible documentation) and a Microsoft implementation of an special MembershipProvider which lives in WebMatrix.WebData.
Regarding the Azure Access Control Service 2.0: I have no idea what the status of this service is but it looks to me as if MS itself tries to discourage developers form using this service since it was to deeply hidden somewhere under Windows Azure Active Directory in the documentation.

Using ACS as a service with custom identity provider

We are working in an iOS application and we use back-end in azure. We have 2 types of login, one is Facebook login (using Fb as identity provider) and the other will be login directly to our system.
We decided to use ACS but we had a bunch of technical problems. My question is is it possible to create custom identity provider, which will be a service (for example WCF or WEB API) to generate a token that we pass the ACS to get the claim token. Does ACS support that kind of service interface? If so what what is the practice of generating tokens in our custom identity provider?
Thanks in advance,
Deuce
ACS can support any identity provider that speaks a protocol it understands. Depending on the backend behind your identity provider, you can use something like ADFS or write your own identity provider using WIF. ACS doesn't support mixing and matching web-based identity providers with WCF-based ones, which means that you'll need to expose a website that ACS can redirect a browser to using the WS-Federation protocol. The only external contract you have is that ACS will redirect users to you and you need to log them in (what that means for your IdP is up to you) and issue a token back to ACS.
There are literally whole books on how to write your own STS using WIF, to get started there are a number of resources that can help, including the WIF SDK (which provides a template for the STS), this whitepaper (see the section "Using Windows Identity Foundation to Build a Security Token Service"), or this blog post.