I try to create authentication and authorization for my single page web-api project.
For this purpose I red this cool article from Taiseer Joudeh.
But the problem is that in my project I have database with tables and I want to adopt OWIN to work with my existing tables.
Maybe someone knows useful article or post on which I can rely for this subject?
You need to be looking at creating a custom Identity storage provider. Read the following as a starting point: https://www.asp.net/identity/overview/extensibility/overview-of-custom-storage-providers-for-aspnet-identity.
Related
There is no LinkedIn-specific library from Microsoft like Microsoft.AspNet.Authentication.Facebook. The third party libraries I tried are designed for ASP.NET4.5.
I also waiting for middleware for LinkedIn authentication from aspnet team, but look like they have no plans to create it - read LinkedIn Authentication and Will we have a Authentication.LinkedIn.
#Tratcher wrote:
No, but there's a comunity implementation available here: aspnet-contrib/AspNet.Security.OAuth.Providers
You can try this one above and please let me know if it's working well, please.
Also You can create middleware yourself based on generic OAuth middleware...
Check aspnet/Security repo on GitHub, and read LinkedIn Authenticating with OAuth 2.0 article.
As Lukasz pointed out, you can use the LinkedIn provider in the https://github.com/aspnet-contrib/AspNet.Security.OAuth.Providers project. I wrote that provider and it is just a thin layer on top of the built-in generic OAuth2 provider.
It you want to use the generic OAuth2 provider directly, you can also look at this blog post which takes you step-by-step through the entire process:
https://auth0.com/blog/2016/06/13/authenticating-a-user-with-linkedin-in-aspnet-core/
I have existing User tables in my project, and existing code that I want to maintain for persisting users to my database. This is a new ASP.NET site, but it just needs to play nice with existing tables and objects.
In most of my previous developing efforts, I would simply use FormsAuthentication to handle the HTTP Authentication, use its static methods to set the cookies and redirect the browser, and customer prepare the roles on the Principle. While this has worked well for me in the past, I am worried that FormsAuthentication is headed for the same fate as Dodos, Newspapers, and Record Stores, and I am also trying to challenge myself to not avoid new technologies simply because they are new (-er.)
Also, my project is utilizing ADO.NET and not the Entity Framework, and I am hoping to not have to use EF just for the users.
Can anyone point to a tutorial or walkthrough that would help in my getting up to speed on the Identity process and customizing it to fit my needs?
Thanks
I am hoping to not have to use EF just for the users.
Identity uses Entity Framework Code First. You cannot get away with EF if you want to use Identity's auto-generated tables.
Adam Freeman (author of Pro ASP.NET MVC 4 & 5) offers free 3 Chapters just for Identity.
Please take a look at a project I have created for this topic on github https://github.com/giorgos07/AspNet.Identity.AdoNetProvider Hope you like it.
I really like the concepts behind Hot Towel, and have viewed the course on Pluralsight a few times now to really get a good idea of what's going on.
One aspect of Hot Towel really eludes me - how can it be used for an application that demands different user roles? The topics of authentication and personalization aren't dealt with in the course, and don't seem to have any easy way to accomplish this with modifying the framework itself.
I had the same question when I first watched the Pluralsight courses and started working on my application which needs to perform Authentication and Authorization.
It seems the problem is not specific to Hot Towel Template but in general a problem when using Web API. A quick look at the ASP.NET overview for Web API provided much information (http://www.asp.net/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api). If you plug in your custom RoleProvider and ProfileProvider, that should allow you to re-use the Authorize() attribute.
Note that when working with REST & Web API, the API has to be stateless and hence no Session is present. I found articles providing workarounds for getting the Session[] variable active but decided against using it. You can use an object cache to achieve the same results.
If the Authorize() attribute doesn't cut it for you, you can write your own Authorization Filter. This SO question can provide more information (though it focuses on preventing Cross Site Request Forgery, the basic structure and how to use the filter is same when doing custom AuthZ).
Since Javascript code can be altered by the attacker on the browser end, relying on any protections provided in the application's JS is not sufficient and providing the protection on the Web API layer is mandatory. The authentication and authorization boils down to protecting the Web API and there are tons of information available for protecting external facing web services that can be adapted for your scenario.
I am developing a web application using Spring MVC. Since I am kind of done with the the basic functionality, I was going to add user management. By this I mean that I have to extend the logic of the application to support several users. However being new to Spring MVC I am lost... How and where to add session management? How to change my controllers? Could anyone please suggest a good resourse? Tutorials which I find on the Internet mainly deal with page access by using Spring Security. I need more than that. Thanks in advance!
This tutorial http://www.mkyong.com/spring-security/spring-security-form-login-using-database/ gives a good step by step direction on how to use spring security with a database based on user roles. I am not sure exactly what more you want that needs to be directly addressed in your question. The good thing with spring security is that you don't need to change your controllers. It uses a simple xml configuration and is independent of the platform you use.
What solutions have people come up with to develop their web applications offline when they made the decision to use OpenId for site membership?
Couple of ideas:
Create two login pages one for OpenId and one for ASP.NET Membership
Create local OpenId provider with test accounts
Any thoughts?
You could use an inversion of control container to contain your OpenID implementation and for a quick implementation you could use Moq to provide preconfigured responses.
Just mock it!
I hardwire my login.aspx page to always do:
FormsAuthentication.RedirectFromLoginPage("http://blog.nerdbank.net/")
or something like that based on some variable. That way, I don't actually log in using OpenId but it looks to the rest of the web site like I did.
Just be sure to either revert the change, or make it based on some condition that is only true in development. :)