SimpleMembership with FederatedAuthetication using ClaimsPrincipal - claims-based-identity

An Application using SimpleMembership (as the MVC template internet application of VS 2012) and another application that uses ClaimsPrincipal with FederatedAuthetication.
Some One has experience on the authentication an authorization process using SimpleMembership and use FederatedAuthetication since the step:
a) When Login use websecuroty.Login (from SimpleMembership)
or
b) use FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie
where is the place to join this both two SimpleMembership with System.Security.Claims
Thanks

You can use this approach to bridge both worlds
http://brockallen.com/2012/09/05/integrating-claims-and-oauthwebsecurity/

Also, FWIW, I put together a stand-alone sample of using OAuth2 and then collecting the returned profile information and using that for claims. It's separate from the prior example #woloski linked, but both are trying to do the same thing:
http://brockallen.com/2012/10/26/integrating-claims-and-oauth2/

Related

Authentication and Authorization in Blazor WebAssembly with Database First Approach

Summary of my problem
My project is more complex but here is my problem at very basic level. I have a Blazor WebAssembly project where I do just basic CRUD operations.
I also have a small database and lets say I have two tables Users and Roles. What I do is to create their classes in Database-First fashion, by using Scaffold-DbContext and I run this command on the Shared project because I also want to reach to these classes from both Server and Client projects.
When I try to used Individual User Accounts on Authentication tab when creating a Blazor WebAssembly project, it creates the data models in the server. Which means I cannot access to my tables from Client Project. They need to be in Shared. Also it is Code-First based. I don't want to use migrations.
What I tried
What I tried to do is to create an identical -almost- project with Individual User Accounts projects but my Users class inherits IdentityUser and my DbContext inherits ApiAuthorizationDbContext but problem starts here.
I cannot add ApiAuthorization package from NuGet because it says Shared project does not compatible with .NetStandard 2.1.
Also changing Shared project's standard didn't work.
Some Questions
Can't I just add my users table on the Shared and use Identity from that table? (Since it's just a single table of rather larger database)
Do I need two databases for this? One for Identity, one for rest of the application?
Do I need to use Identity for Authentication & Authorization? What else can I use? Or Can I use a custom one where I can use it as I described earlier (Having models in Shared project)
My Goal
I want to authorize users with [Authorize] property. Since I cannot accomplish the registration, I cannot proceed.
Use 2 DbContexts. The Identity tables (yours or ASP.NET) should not be part of the Shared or Client projects.
I want to authorize users with [Authorize] property
The real authorization happens on the server, nothing in the client is safe. Have you looked at the complete (JWT based) implementation in the template?
Can't I just add my users table on the Shared and use Identity from that table? (Since it's just a single table of rather larger database)
No, Identity needs the base class. And your client app doesn't need (and shouldn't see) most of its properties.
Do I need two databases for this? One for Identity, one for rest of the application?
That is the best way. Note that you can have 2 DbContexts for 1 physical Db.
Link to the User wit a simple UserId (no Nav property) when needed.

Blazor server side role or claim based authorization when using windows login

I am new to working with Blazor and Authorization. Background is desktop apps in Vb.Net, so I have been reading everything I can on it, but it still is very confusing when I only want a specific subset of the options out there.
I have a very simple intranet Razor Server based app that is getting the windows user name correctly with default authentication. (I use the name in calls to stored procedures for logging, so I know that is working correctly.)
What I need is to implement authorization (role based would be fine) based on information I have already in the database tied to the user name).
Where and how does one add roles to an existing authstatetask or other object instantiated by the default processes?
Everything I have seen deals with the EF version of Identity or wants to override the authorization task.
I have Simple DB calls being made in Dapper which will return an identifier from which I can set roles.
I just need pointers to the proper method and where in the app I should put it. I have just a single .razor page being loaded, Navbar is disabled.
You can either :
Implement Identity stores for Dapper following instruction in this blog : ASP.NET CORE IDENTITY WITHOUT ENTITY FRAMEWORK
Use Policy-based authorization and create authorization handlers meeting your requirements

Scopes and claims in IdentityServer4

I have implemented IdentityServer4 in ASP.NET core with one application as Identity server and second one as client. I have couple of queries
1. I want to add roles to the profile information returned.
2. What are scopes there for ?
can someone provide a fair idea ?
To add roles, check out the IdentityServer4.AspNetIdentity nuget package. See Using ASP.NET Core Identity.
Scopes are used to create a relationship between ApiResources and Clients. Rather than say, associated the name of a client api (e.g. AccountingApi) to an ApiResource, we associated the client api to a scope (e.g. internalApis) and then associated the same scope to the ApiResource.

Looking to implement user management into my .net core api

I'm looking at implementing user management into my .net core api that use cqrs+eventstore.
My thought:
Since i'll be using mongo for most of my domain models i thought why not use to store my users as well.
i.e. have a CreateUser command and query service that subscribe to UserCreated event and store user in mongo.
I was hoping to use ASP.NET Core Identity for my user management but everywhere i see identity, e.g. https://learn.microsoft.com/en-us/aspnet/core/security/authentication/identity, it goes with asp.net mvc app. Which makes me think if do i even need Identity. I'll be exposing my api to various clients, mobile, web, etc.
Reading along there is also an IdentityServer4 which i don't quite get how it fits in.
Anyone to point me in the right direction?
You don't need MVC in order to use Identity. I would recommend Identity Server (there is a good tutorial by its creator on Pluralsight).
You can very well have a Web API in .Net Core and use Identity Server to create tokens, etc. which is the recommended authentication mechanism when you want to expose to different clients (platforms).
Does it make sense?

Migrating from ASP.NET WebForms to ASP.NET MVC 4

I'm a student intern and I've been assigned a project where I have to redesign their customer support webpage. I am new to ASP so they asked me to migrate the code to MVC 4 so I'll learn it for future projects.
The webpage has form authentication using custom classes, extending MembershipProvider and RoleProvider and the data is displayed with asp:SqlDataSource queries, defined directly inside .aspx files.
As I've learned, the point of MVC is to separate the front-end (view), controller and back-end (models, db access). I've done some progress towards that, but I have problems at authentication. I've managed to enable login using explicit MembershipProvider and RoleProvider initialization (which should be done automatically as configured in Web.config). With calling the MembershipProvider.ValidateUser() and FormsAuthentication.RedirectFromLoginPage() I verify user details and store their username to preserve it upon navigation.
This works, but removes all the functionality of WebSecurity methods, also the specific authorization, e.g. [Authorize(Roles = "...")], doesn't work as expected, it doesn't authorize any role. The MVC sample project in Visual studio uses SimpleMembershipProvider for user authentication, but I haven't found any projects or tutorials on how to implement custom authentication same way as I did with extending MembershipProvider class and overriding its methods.
The problem is that there is already a T-SQL database with a lot of users, who are linked to other services, so obviously I can't alter it in any way nor can I create new database / tables. The projects I've looked at create databases from scratch, I haven't found any project using custom authentication / authorization using WebSecurity and existing database.
I'd like to ask you for any advices, examples or links to projects or tutorials where I could see how to implement WebSecurity instead of FormsAuthentication. As I've mentioned, I already have a fully functional MembershipProvider and RoleProvider and I belive that SimpleMembershipProvider and SimpleRoleProvider have similar methods, so it shouldn't be that hard on this part. Also, I don't want to mix Webforms and MVC, I want pure MVC application.
I'm using ASP.NET MVC 4 with C# and Razor engine, T-SQL and LINQ to SQL for database access.
It's been my experience, when migrating old pages from webforms to mvc, that you kind of have to 'forget' that it was ever a webform page to begin with.
to more directly answer your request for help resources, maybe this will be useful: http://kylehodgson.com/2013/01/08/asp-netmvc-web-security-basics-csrf/