The server I'm working with only supports .NET 2.0. I have an application which works with user accounts and I want to hash the passwords for obvious reasons. Unfortunately, System.Security.Cryptography seems only to be supported on .NET 4.0.
What are my options?
You should use System.Security.Cryptography, which has existed since .Net 1.0.
Specifically, you should use an iterated salted SHA512 hash.
I'm not sure why you think it's only been around since 4.0... here's the link to the .NET 2.0 MSDN System.Security.Cryptography Namespace page.
The difference is that there are classes in that namespace that did not exist in 2.0 (such as Aes)
Related
We are trying to implement single sign on, across multiple domains from MVC 4 application to .Net Core application.
MVC 4 to MVC 4 it's working fine with MachinKey, but not with .Net core.
How can we implement SSO to share the same authentication with all other application in MVC4 and .Net core application.
Identity Server can do this. Identity Server version 4 will be supported and free for as long as .NET Core 3.1 is supported. After that, you'll need Duende Identity Server, which is the next version, available on a commercial licence.
You can also do it with OpenID Connect (AKA OpenIddict) which is free for the foreseeable future, but that will probably need you to write a bit more code.
I have used both.
Both of them are agnostic to the type of client applications, so your clients can be MVC4, .NET Core, Xamarin, React, anything at all. Both of them have good templates that you can download and get started quite quickly with a simple scenario.
Unfortunately, in my experience, making meaningful extensions or changes to the templates (such as what you're proposing) was difficult and required in-depth knowledge of internet security concepts, studying the documentation and source code of whichever library that you choose.
I have tried really hard to learn but I still find it difficult, so I wish you good luck!
Here are the sample projects for IdentityServer4:
https://github.com/IdentityServer/IdentityServer4.Templates
And here is the documentation on how to get started:
http://docs.identityserver.io/en/latest/
Here are the sample projects for Open Id Connect:
https://github.com/openiddict/openiddict-samples
And here is the documentation:
https://openid.net/connect/
I'm planning to use identityserver4 with an LDAP scenario.
Is it a possible and reasonable attempt ? :)
I thought I should implement a LoginService like QuickStart.UI's InMemoryUserLoginService.
And When IS4 will be released officially? Any info about that?
Thanks and regards.
I know it's an old question, but I worked recently on the Ldap (Active Directory or OpenLdap) + IdentityServer4. I created a nuget package and on the github repository you can find an implementation sample.
Here's the Nuget: https://www.nuget.org/packages/IdentityServer.LdapExtension/
I hope it can helps
It's possible and reasonable, it's something you will have to implement on your own which follows the same principle as many other things related to IdentityServer.
We have successfully connected our IdSrv4 to Active Directory using the System.DirectoryServices and System.DirectoryServices.AccountManagement namespaces. Sadly this requires us to run IdSrv4 using full .NET framework since these namespaces haven't been implemented in .NET Core yet.
Reminder: Lookup the area "LDAP injections" before launching your solution, to be on the safe side.
IdentityServer4 1.0.0 was released to NuGet on December 22, 2016: https://www.nuget.org/packages/IdentityServer4/1.0.0
Windows Identity Foundation (WIF) is around for a while, may be 5 to 7 years or more!, now Microsoft made WIF part of .net framework (4.5) itself. As we know WIF is a middleware for building identity aware applications.
As the trend on the web technology is changing, we have now need to incorporate multiple other identity providers (Google, Facebook etc.), in our application.
Now the industry got other Middleware technologies like OWIN, ASP.NET Identity etc.,
My Question,
Is still the WIF relevant and do we need to consider using it for new projects?
Or
Do we need to implement OWIN as alternative middleware? (As I understand Microsoft is betting on OWIN / KATANA moving forward).
Please share your thoughts.
For new projects I highly recommend considering Katana and ASP.NET 5 OWIN middleware.
WIF remains supported as part of the .NET framework, however we stopped adding new features long ago - all the innovation has been poured in Katana and OWIN middleware in general. Also, we like to think that the OWIN middleware is significantly easier to use :) Again, if your project has legacy aspects that impose the use of WIF, you can go ahead knowing we'll support you: but if you have any chance of choosing, the OWIN middleware is the best path moving forward.
Totally agree with #vibronet but to answer the question - yes - still relevant.
There's a ton of WIF out there - I support lots of customers who still use it.
OWIN is easier to use but the nice thing about WIF is that everything is in the web.config so the details are more explicit and easier to change. However, that comes at the cost of a fairly steep learning curve.
Refer: OWIN : Differences with WIF and WIF : Wrappers around protocols.
As per the links:
"You can think of OWIN as MVC and WIF as Forms. Forms are still supported but all the new whizzy features and all the code samples relate to MVC.
It's important to note the neither OWIN nor WIF are protocols - they are the wrappers around the protocols. The protocols underneath both are identical."
Also consider we have moved some of the functionality of WIF into an open source project we refer to as Wilson. You can check it out here: https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet
Since I'm new to WIF.
I want to create a custom STS on WIF, but these document only for .net 3.5:
http://msdn.microsoft.com/en-us/library/ee748498.aspx
and I can't find these template in vs 2012.
So what should I do? Can anybody provide some information to me ?
Thanks !
Writing a custom STS service is still available under WIF in .NET 4.5 or WIF 4.5 for short.
"To create an STS you must derive from the SecurityTokenService class. In your custom class you must, at a minimum, override the GetScope and GetOutputClaimsIdentity methods...", Microsoft 1
You start by deriving a new type from System.IdentityModel.SecurityTokenService.
Note that we now use the SecurityTokenService which is apart of .NET 4.5's System.IdentityModel and not the pre .NET 4.5 Microsoft.IdentityModel.
Please refer to the link below to see an example of a passive STS.
Microsoft's Federation Metadata example is a reasonably complete example of custom STS.
MSDN:
This sample will show you how to dynamically consume WS-Federation metadata at run time in an ASP.NET Web Application. You will also see how to create a basic STS that produces WS-Federation metadata and issues tokens.
In addition this sample shows the basics of how claims have been integrated into the .NET framework. You will learn how a web application is enabled to use WIF. You will see how they are useful from within existing properties and functions, and how you can take the next step to using them directly using the ClaimsPrincipal class in System.Security.Claims. You also will also learn how to work with the local STS that is part of the Identity and Access tool for Visual Studio 2012. Tell me more
[1] System.IdentityModel.SecurityTokenService
The templates have been replaced with the Identity and Access Tool.
Refer Windows Identity Foundation in the .NET Framework 4.5 Beta: Tools, Samples, Claims Everywhere
There is no custom STS facility option anymore in the sense of a wizard as per FedUtil. As other posts allude to, you can still roll your own.
Refer: What's New in Windows Identity Foundation 4.5.
Have a look at Identity Server which is a very good custom STS and alter as required.
If you're completely new then writing a custom STS might not be such a good idea :-) I would suggest having a look at the implementation given in ThinkTecture STS (https://github.com/thinktecture/Thinktecture.IdentityServer.v2) This is a sample STS that handles different tokens types (SAML, SWT and JWT) as well as different procotols (WSFederation, OAuth, ...) There is too much in here for many simple cases but at least the code works.
Looking over the web, I am finding no answer to this question. I see it being asked and a lot of people being referred to .Net 3.5; however, I am not seeing anything resembling an answer with in the restricted environment of WCF 3.0 (VS2005).
Is it possible for me to do an AJAX/JSON call to a WCF 3.0 Web Service or is the only option to use ASMX if you aren't able to use .Net 3.5?
Microsoft's ASP.NET 2.0 AJAX Extensions 1.0 contains classes to serialize and deserialize JSON for .NET 2.0 and newer.
The class that does it is System.Web.Script.Serialization.JavaScriptSerializer.
Note that even though the documentation linked above is for the 3.5 version, the 3.5 version is identical to the 2.0 version, because it was deprecated and replaced in 3.5 by the classes in System.Runtime.Serialization.Json.
I'm not really sure how to use this with WCF, though... the only time I used it was as an ashx handler.
There are no out of the box bindings in .NET 3.0 that will allow you to send JSON responses. You will need to implement it yourself. There's an article showing how to do REST with POX. It could be easily adapted to JSON but as you will see there's not negligible amount of work.