I have recently upgraded my MVC3 application to MVC4 successfully. In my old MVC3 application, I had a custom membership provider written to read/write user details into custom tables within a SQL Server database. The upgraded MVC4 application works perfectly well with the custom membership provider.
I now want to allow my users to log in through Active Directory and/or social media (including Facebook and Google). My question is: What would be the best way to accomplish this? Should I scrap my old custom membership provider and write a new one that implements SimpleMembershipProvider instead? Or is there another more efficient, better way to accomplish this?
I still need to keep my custom tables, since they hold required user/role information and are also referenced by other tables in my application for user-specific data.
Thank You
I think you will find it difficult to mold SimpleMembership to fit your existing membership database, and it is being deprecated for ASP.NET Identity. If you are going through the upgrade process now, keep going to MVC 5 and use ASP.NET Identity. It is much more extensible in its architecture and supports OAuth with plugins for the major social media sites.
Related
I have been working on authentication methods for my Blazor app for some time now. I am currently developing as a standalone protected WebApi + Blazor Server, but will ultimately migrate to standalone protected WebApi + Hosted Blazor WASM so I need to be mindful of both server and client side authentication. The WebAPI will also serve an external OData feed and API for end users that also needs to be protected using the central authentication mechanism.
I would like to be able to sign on with Microsoft (i.e. Microsoft.Identity.Web / MSAL), but want to configure some fairly complex roles and behaviours at the database level (i.e. ASP.NET Core Identity). To hopefully help someone else understand the different documentation sets, following are links to MS docs for the 2 options.
Introduction to Identity on ASP.NET Core
Microsoft Identity Platform Documentation
Don’t know about anyone else, but I have found it very difficult to navigate through the different documentation sets and tutorials to firstly understand how they work and secondly determine if it is best for me.
My question is, does anyone have any documentation on how they have integrated Microsoft.Identity.Web with the individual user accounts available in ASP.NET Core Identity for Blazor Server and/or WASM apps?
The following link shows how to do it all within ASP.NET Core Identity.
Integrate ASP.NET Core Identity with Microsoft account | BinaryIntellect Knowledge Base
If I was building an MVC web app, that’s what I would do. However, I really like the token handling capabilities of Microsoft.Identity.Web / MSAL (i.e. ITokenAcquisition etc.) for Blazor. It seems to be a real kludge to have to use the Razor pages for ASP.NET Core Identity and handling tokens securely becomes an issue – especially for Blazor WASM.
Chris Sainty has done some good work in porting some of the ASP.NET Razor pages to Blazor Components in the following link. However, he does a lot of (very clever) manual processing of the token and I’m not sure I like the idea of storing the token in unprotected Local Storage of the Blazor app. I haven’t gone into it in full detail yet, but I don’t think this method will be directly transferable to Blazor WASM.
Authentication with client-side Blazor using WebAPI and ASP.NET Core Identity (chrissainty.com)
This SO post indicates that it is not possible to integrate Individual user accounts with Microsoft.Identity.Web.
c# - Microsoft Identity Plataform with asp.net Core Identity - Stack Overflow
I got a working solution going where I had both ASP.NET Core Identity and Microsoft.Identity.Web working side by side. However, I found this to be very difficult to implement and debug. Once you start mixing the various builder.Services.AddAuthentication() options (e.g. .AddMicrosoftIdentityWebApp, .AddMicrosoftIdentityWebApi, .AddIdentityCore, .AddIdentity, .AddDefaultIdentity, .AddJwtBearer etc.) I have found that you enter a world of pain and unpredictable behaviour. I basically had to go back to the source for each of them to work out what they were actually doing under the covers and work out how to blend them. I ended up going back to the raw OAuth / OpenId specifications and implementing everything manually – which is very unsatisfactory and I was unhappy with the risk I was taking in potentially introducing a security flaw – even though I got it to “work”.
EDIT: This SO post is similar to what I implemented. Microsoft Identity Local User Accounts and MSAL
I can’t believe how hard it has been to just get to this level of understanding, and still not have a solid working concept that does what I want it to do that is supported by documented acceptable techniques and not just my kludge at implementing everything manually.
Right now it appears to me that if I want to use as much out of the box / documented functionality as possible, I suspect that I should use ASP.NET Core Identity and work out how to integrate the ASP.NET Razor pages into my Web Api, Blazor Server and Blazor WASM apps. However, this appears to be a backward step since Microsoft.Identity.Web / MSAL seems to be so much better suited to Blazor and seems to be the direction that MS is going.
If anyone can point me to some current examples of how this can be done, I would be very thankful.
I think I have found at least a partial answer to my question. The key problem I faced was how to capture the callback event from Microsoft.Identity.Web so that I can persist / retrieve info to/from the database during the authentication event. I was hung up on the ASP.NET Core Identity method of doing that.
I found the following SO post that provides information on how to respond to the OnTokenValidated event using Microsoft.Identity.Web. Microsoft.Identity.Web: OnTokenValidated event not triggered
Having access to this event means that I will be able to implement what I need to do at the database level and move on.
I'm building a system with 3 projects and I'm struggling with how to implement user management. I have 3 projects, an asp.net core MVC, an asp.net core Web API and an identityserver4. I want to use asp.net core identity for user management because the framework provides a lot, but I don't know where to place it. The system itself is not a big system yet, but I want it to be scalable in the future. I've read that the only thing identityserver is supposed to do is the authentication and authorization and not deal with the user management part (create users, change permission, etc.)
In the system itself, I need to have an admin that has access to the users (through the frontend MVC) and can create new or delete users, etc.
So the question is: should I implement all the user management functions that asp.net core identity provides in the identityserver4 project, or should I build it in the web API and have the two projects access the same database? I don't want the 4th project only for user management, though I know that is the ideal solution.
Currently, the mvc app only connects with the web API with the bearer token that identityserver provided.
Or, should I go in a new direction and use jwt token and asp.net core identity and only have two projects?
I'm very confused about this part, and I want to know what is the best practice.
Only the Identity Server project (and any projects that are related to it) should have access to the user database. All user info a client or an API resource needs, it needs to get from the IS itself. Now, setting up Identity Server properly depends on your needs. If you want a simple one for a few apps to use, go with a single project that can sign in users and register them, and set up your clients and API resources in the config.cs files. This is not a great way to do it though. Generally, you should have an IS project for user sign in and registration, and one more project that manages those users, as well as clients and API resources. You can see a great example of it here, it also uses ASP.NET Identity, and has an STS project (Identity Server), Admin project (User, Client, API manager) and an API project (for all related db access). Hope this helps.
I currently have an MVC 4 app with SimpleMembership, which works well. I feel though that I might as well update now to MVC 5, while I am still developing rather than later.
I am wondering if it would be more practical to stay with SimpleMembership or move to ASP Identity. I have read that it is possible to get SimpleMembership to work. Link
I would have no problem moving to ASP Identity if I hadn't read that it forced the developer to implement most of the features older versions had themselves. Such as Login Attempts and Confirming Email. Here is one place this is stated
There may have been changes to ASP Identity since these posts, but I have a hard time finding documentation on it.
Any advice or personal experiences would be highly appreciated.
The open-source SimpleSecurity Project provides good examples on implementing features such as email confirmation using ASP.NET Identity. This project also provides an example of using SimpleMembership in MVC 5 and helps you through some of the hurdles I hit when trying to upgrade to MVC 5. The implementation of ASP.NET Identity in the SimpleSecurity project decouples it from the web application and provides an API similar to the WebSecurity class you are familiar with from using SimpleMembership. SimpleSecurity gives you both options with MVC 5, but since you are making the effort to upgrade to MVC 5 and you are still in development I would also make the effort to upgrade to ASP.NET Identity as this is the future of identity and access control in ASP.NET.
I'm building a website from scratch using ASP.NET MVC 4.
The application is hosted on Windows Azure.
It's a rather basic website application.
Next, I would like to authenticate my users.
The authentication requirements are, again, rather basic and straight forward.
I did some reading, and it seems that the best two options for me to achieve users authentication are:
1. ASP.NET SimpleMembership
2. Windows Azure Active Directory Access Control
Now, my questions are: which one should I choose? Which one is more secure?
It is dependent on what you want. WAAD-ACS gives you the option to integrate various identity providers like Google, Yahoo etc. or federate with Active Directory services.
But if you do not want such options and simply want to use your existing asp.net membership, you can do that as well.
Here's a funny one - I suspect because I am using VS 2010 with MVC4.
Created an MVC4 App using the internet template. I get AccountController.cs and the basic pages allow me to register and add users. So far so good. However, the ASP.NET configuration tool (from Project menu) seems to be using a different database.
Web.config has this:
but my MVC project also has a ASPNETDB.MDF inside app_data. ASP.NET configuration tool seems to be using ASPNETDB.MDF, but run time seems to be using the one referenced by DefaultConnection.
Also, after doing some research on here and elsewhere, other people's Web.Config seem to have lots of entries for providers etc. which I don't have. Am I missing some update / NuGet package?
All I want to do is use MVC4 with users and roles, and was planning to use the configuration tool to set up the predefined roles and some basic users.
Thanks in advance,
Ray