I believe that .NET Identity 3 cannot run on an existing (v4.5) ASP.NET solution, but requires .NET Core. I cannot update to .NET Core. Is there a workaround for this? If not then how are people supposed to migrate from ASP.NET Membership to ASP.Net Identity?
First of all, I need to note that ASP.NET Core (which works with Identity 3) does not require .NET Core. It can be used either over .NET Core or .NET Framework 4.6.1 (or higher).
I guess you use the default approach in both cases (Membership and Identity) when all information about users, roles, passwords, etc, is stored in some database.
So, the best way to migrate from Membership to Identity is the following:
create a new ASP.NET Core project using the default template and with "Authentication" turned on
then write a small console program which will move all user-related information from your old membership tables to the new ones (created automatically by ASP.NET Identity)
then move all other your controllers and views one by one.
The only problem here - is that Identity will not recognize the passwords' hashes created with Membership. To resolve it you will need to define your own implementation of IPasswordHasher interface and register it in DI container as it's described in this article.
Related
I have an existing .NET Framework Web API currently in production which is in the process of being upgraded to .NET 6.
The application uses the built-in .NET Framework OWIN solution for generating tokens and handles the authorisation for the client_credential flow.
We have a couple of custom MySql tables that hold the ClientId, ClientSecret info and another for granted token requests, e.g. storing the OWIN ticket, scope details etc.
One limitation we have is that we are using EF Core 3.1.x which we cannot upgrade.
I want to build a solution so that:
existing active OWIN tokens in the database can still be used for
authorisation into the new .NET Core API using OpenIddict, once it goes live. (so
that the end users are not impacted)
I also want to be able to generate new tokens using OpenIddict and
store those tokens in the same existing MySql tables.
I don't know if this is possible and if so how to tackle it.
Has anyone here achieved a similar migration?
I have two applications, one in asp.net and the other in asp.net core. I want to share a common database, as well as the same login. Ie, a user can register via asp.net application, and then their identity will be shared with asp.net core application.
Is this possible? I notice that each have their own identity models, and I am looking for a way of sharing this, ie. some documentation to resolve this.
Looking for:
- Is this possible?
- Documentation and more information on implementation (how to)
I am resolving by use of Identity Server, which both applications will hook into. Will just take a bit of re-jigging.
We have ASP.NET ( Silverlight) LOB Web application which was developed using .Net 4. Now we have to get rid of the current authentication mechanism and implement new one. I think we have two options here:
1> Forms Authentication using Membership provider ( This is available in .Net 4)
2> ASP.NET Identity ( This is not available in .Net 4. So we have to update the target framework to 4.5 or latter)
I have gone through the article here that describes the difference between these two and based on my understanding the 2 major differences are:
1> You can configured identity framework to use social credentials.
2> Identity framework code can be unit tested.
We have LOB application. So likelihood of allowing users to use their social credential to login into our application is very very less. So i am looking for suggestion whether it is really worthwhile to spend time and implement identity framework for authentication. (Note that for identity framework I will have to convert target framework of all projects to 4.5). The only advantage I see here is unit testing.
Updating to later framework is not a problem. Going back the way usually causes problem, but you won't have to do any code changes if you go from 4 to 4.5. Or rather 4.5.1 which is latest in 4.5.x.
If architecture advantage is not an advantage to you, then security must be. Identity uses PBKDF2 with HMAC-SHA256 password hashing. This is not available in MembershipProvider which comes with SHA1 as default hashing which is not considered secure at all in 2016
Otherwise I enjoy working with Identity framework - it is a lot easier to do things with rather than monstrous MembershipProvider. Some things took me few hours to implement in Identity that took weeks with MembershiProvider. So speed of development is another consideration.
Also MembershipProvider is not getting any new versions, why do you want to use old framework when a new shiny supported framework is available?
I am writing a new web site and am looking at Asp.Net Identity 2.0. Out of the box, it uses Entity Framework for all of its data access. For the rest of the site, we were creating middleware web services for data access. Our original plan for security sake was that the web servers would talk to middleware and middleware would talk to the database via Entity Framework. We had planned on blocking via firewall database access from the web server.
I see that I can create a custom provider for Identity 2.0 and it in turn could use middleware for it's data access.
Here are my questions:
Is it more secure to not allow the web servers to have direct database access?
If it is more secure, why would Microsoft not build it that way out of the box
If you were starting from scratch like we are, would you recommend using entity framework or writing a custom provider that goes through our middleware layer?
Thanks.
1.) It can be secure. I don't see it as a security issue but coupling issue. What if you want to upgrade or change from Entity Framework in the future? What if you want to change from Identity 2.0? What if you want to upgrade one but you can't because the other doesn't support it yet.
2.) Microsoft wanted to promote it products first and foremost. For simplicity sake if your ok with Entity Framework and Identity 2.0 and don't mind how coupled they are it could be perfectly fine solution.
3.) How much time/effort can you afford to spend on the custom provider? It might not be worth the effort to create your own provider.
Asp.NET Identity out-of-the-box is actually Asp.Net Identity on Entity Framework. It generates a database, connection string, the model files, the controllers and a context class for you, which you can redirect to your own database for it to generate the Identity tables within. Everything is very secure, and they've taken care of a lot of the authentication/password hashing for you. I wouldn't say it is worth it to create your own provider, but you can also create your own provider within Identity if you want. Identity 2.0 is great. Very easy to add custom table properties, etc.
I'm somewhat confused by membership providers for .NET. I have built a MVC 3 web application, but obviously login pages don't work out-of-the-box because I need to wire up a membership provider. I would have expected this process to be easy, but when I search for help I find numerous articles on writing custom providers. Can't I just set up a table or two, wire up a few details in web.config and have things work based on some default MVC membership provider?
I have no desire to re-invent the wheel!
TIA.
The MSDN membership installation documentation is still applicable through to .NET 4, although note that the default Membership provider changes in 4.5 - totally different table structures.
TL;DR
Create the aspnet membership database OR add the tables to your existing database (aspnet_regsql.exe, which is in the .net 2 framework folder)
Add the necessary membership and role provider configuration sections to your web.config.
Use the site admin tool to add users (or at least an initial Admin User)