I have recently been playing around with ASP.NET MVC5 and the new OWIN authentication middleware.
I want my users to login with their Steam account and password. After a user logs in successfully, I just need the Steam Account Id for further processing. Steam can act as an OpenId Provider as stated in the documentation.
In MVC4 one would implement a custom OpenIdClient. It seems to me that in MVC5 the OpenIdClient class has been removed and authentication is configured using the IAppBuilder class which offers methods to login with Facebook, Google and other predefined providers.
Unfortunately, I haven't been able to find any documentation about plugging a custom provider to the new authentication system. Can you give me any instructions or references?
This is an answer to the bounty that was placed by #Buzinas.
This solution is going to use the NuGet package Owin Security Providers which is available here.
Go to the Package Manager Console (Tools -> Library Package Manager -> Package Manager Console) and install the above package:
Install-Package Owin.Security.Providers
In your App_Start\Startup.Auth.cs add the proper using statement. For Steam, you want
using Owin.Security.Providers.Steam;
Side note, there are several options available, so this package isn't just for Steam.
In the ConfigureAuth method, add app.UseSteamAuthentication("<<API KEY>>");
<<API_KEY>> should be replaced with the API key you received from Valve
Docs are still a bit sparse. One option is to copy-paste a similar existing provider and adapt as needed.
Recommended way to implement custom authentication provider for owin authentication
https://katanaproject.codeplex.com/SourceControl/latest
Related
I am just wondering if anyone has some experience with this. I am trying out OpenIddict 4.0.0 to put together a real-life solution with the new Identity UI and razor pages approach. However when I register an external auth provider using the suggested unified OpenIddict.Client.WebIntegration package, I cannot see the providers on the default login page external section.
I also tried to use the openiddict-core sandbox aspnet.core server app but that as well does not show the configured GitHub external login option.
I could explicitly create links for the providers, however I do not see that as a convenient solution. The default code segment that calls SignInManager.GetExternalAuthenticationSchemesAsync() does not seem to collect the external providers registered using
options.UseWebProviders().UseGitHub() ...
What am I missing here? Thanks
It's a deliberate design choice, explained in this post comparing the aspnet-contrib providers with the OpenIddict providers:
The aspnet-contrib providers use an authentication scheme per
provider, which means you can do [Authorize(AuthenticationSchemes = "Facebook")] to trigger an authentication dance. In contrast, the
OpenIddict client uses a single authentication scheme and requires
setting the issuer as an AuthenticationProperties item if multiple
providers are registered.
For the same reason, the providers registered via the OpenIddict
client are not listed by Identity's
SignInManager.GetExternalAuthenticationSchemesAsync() and so don't
appear in the "external providers" list returned by the default
Identity UI. In practice, many users will prefer customizing this part
to be more user-friendly, for instance by using localized provider
names or logos, which is not something you can natively do with
SignInManager.GetExternalAuthenticationSchemesAsync() anyway.
I'm working on a blazor web assembly, core hosted project.
The users must have a local account to use the website. For that I use default blazor authentication provider with IdentityServer.
I have a calendar page, where users can add and watch some events.
I would like to offer them the possibility to log in their google or microsoft account in order to see their personnal events in the same place.
But the google or microsoft authentication can't replace the local authentication. It must be a secondary option.
I can't find out how to manage this. All exemples I see use the RemoteAuthenticatorView.
You need to add external provider authentication to your server project by following steps described in Facebook, Google, and external provider authentication in ASP.NET Core
What is the recommended approach for user management with IdentityServer4 and Active Directory?
I have started with the IdentityServer4 ASP.NET Core interactive quick start and all is working well. However, the sample code uses the TestUserStore, TestUserProfileService etc., and it seems prudent to replace usage of these.
The 'real-world' alternative seems to be using ASP.NET Core Identity, however this persists user details to the IdentityServer database. Given that IdentityServer isn't the source of truth for this data, this is an odd fit.
Apart from the "test" nature of the quick start classes, these are serving our needs well. Our IdentityServer instance is for internal staff in a small organisation, so the in-memory nature of these stores isn't a problem.
This seems to be a fairly common use-case, so I must be missing something. Can one just delegate all user profile calls to Active Directory? Is there any out of the box code for this?
Identity Server is an implementation of OAuth 2.0 and OpenIDConnect(Built upon OAuth2.0). The key point of OAuth 2.0 is to pretect resource such as WebApi based on Access Token. So what does OAuth 2.0 provided is Authorization.
Identity Server can provide Authenticate service provided by ASP.NET Core Identity, as specified in This Document
In your case, you'd like to delegate the authenticate part to AD, and authorization part to Identity Server. You can refer to This document to enable windows authenticate in your asp.net core application
I resolved this by implementing and registering an IProfileService for Active Directory. It still seems oddly hand-rolled, but seems to do the trick.
I have an existing Web API project that currently has no authentication built in.
I want to add bearer-token based authentication, but I want to use a custom membership provider that I have used for other projects, although this has been with basic authentication.
There are some examples online that almost do what I need, but these have other technologies built-in that I don't want to use (e.g. Angular) or are not based on using a custom membership provider.
I could obviously do this using basic authentication, but I really don't want to.
How do I implement this?
I'm writing an application, and I've only had experience using a custom login module with Glassfish fo handling user login. If deploying in the Cloudbees cloud, I'm assuming that providing a custom login module is not a possibility, correct? And even if it is, I don't think I really want to use that method. What mechanisms do you use to secure you application, having user accounts, etc? If you use an OAuth provider, did you write one yourself? If so, can you point me to an example so I can do the same?
Thanks.
John - I have used openid in several places - that seems to work well. I expect a similar solution exists for oauth using servlet filters or similar.
The cloudbees "grandcentral" service is an openid and oauth (I think) provider - for cloudbees accounts.
In theory you should be able to do the same - even if you have to run an embedded glassfish as a zip of jar files with a main launch class.