I'm working on writing a simple login page + SignalR chat room for my website with vNext beta8. Unfortunately, I'm having a very difficult time understanding how claims and authentication work.
All I am trying to do is authenticate a user and set Context.User to their identity, so it can be accessed in SignalR. With the way I have it now, though, Context.User is null everywhere, so SignalR isn't even the meat of this question.
Here's the relevant bits of code for this issue:
Startup.cs
public void ConfigureServices(IServiceCollection services)
{
services.AddMvc();
services.AddSession();
services.AddCaching();
services.AddSignalR();
}
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
app.UseStaticFiles();
app.UseSession();
app.UseMvc(routes =>
{
routes.MapRoute(
name: "default",
template: "{controller}/{action}/{id?}",
defaults: new { controller = "Home", action = "Index" });
});
app.UseSignalR();
}
Login Web API controller method with default values provided, skipping password/authentication checks, and setting the session, which works. LoginUserInfo is just a small class to receive a username/password for logging in.
[HttpPost]
public string Login(LoginUserInfo info)
{
kUser user = new kUser();
user.Name = "Test user";
//This is where I am completely missing the point of something
Context.User = new ClaimsPrincipal(user);
}
kUser - this class is incomplete, I'm assuming that AuthenticationType and IsAuthenticated don't come into affect here, since the exception is never thrown.
[Serializable]
public class kUser : IIdentity
{
public ObjectId Id { get; set; }
public string Name { get; set; }
public string AuthenticationType
{
get { return "MongoDB"; }
}
public bool IsAuthenticated
{
get
{
//If ID exists in database
throw new NotImplementedException();
}
}
}
Research leads me to many different ways to accomplish setting Context.User and having it available across the entire application. Some guides point to FormsAuthentication, which doesn't seem to exist in ASP.NET 5, some talk about setting user IDs to each thread, and some detail how to write an entire service provider for authentication.
All I want is an extremely basic login procedure - no Remember Me style cookies, nothing fancy. Just type in username/password, and the server remembers you for your session. Where am I going wrong, and what am I missing?
You need to do something like this
var claims = new[] { new Claim("name", authUser.Username), new Claim(ClaimTypes.Role, "Admin") };
var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
Context.Authentication.SignIn(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
More details - https://github.com/anuraj/CookieAuthMVCSample
I didn't verified the code with latest runtime.
Related
I working on an ASP MVC login form.
I have pretty simple codes. A Startup class and an action trying to set the cookie. Below is my code :
Startup
which is located in App_Start (there is also a reference to it in <appSetting> with key="owin:AppStartup")
public class Startup
{
public void Configuration(IAppBuilder app)
{
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = "ApplicationCookie",
LoginPath = new PathString("/auth/login"),
});
}
}
The action method that is suppose to authenticate the user is :
[HttpPost]
public ActionResult Login(user model)
{
if(ModelState.IsValid)
{
var identity = new ClaimsIdentity(new[]
{
new Claim(ClaimTypes.Email, "admin#admin.com"),
new Claim(ClaimTypes.Name, "tom"),
new Claim(ClaimTypes.Role, "admin")
});
var ctx = Request.GetOwinContext();
var authManager = ctx.Authentication;
authManager.SignIn(identity);
return RedirectToAction("Index", "Home");
}
return View(model);
}
But this does not get the identity authenticated as #User.Authenticated is false in my _Layout.cshtml when return RedirectToAction("Index", "Home"); and also the debbuger shows that IsAuthenticated property is false (in the controller Login action and in the _Layout.cshtml.
I have checked that IIS is enabled for Anonymous authentication using my windows administrative tools and also I have checked that Startup is set when the application starts...
I seems that authManager.SignIn(identity) is not doing its job.
How can we solve this ?
debugger screenshot
ps : I do not even see the browser popup asking if I want to save the password (I popped only once during my tests even though the user was still not authenticated)
SignIn persists the user for future requests (via cookies), it does not alter the current request. You can directly set HttpContext.User for the current request if you want.
I also recall that you need to set the ClaimsIdentity AuthenticationType to CookieAuthenticationDefaults.AuthenticationType (or whatever auth type you're using to identify your middleware). Otherwise the cookie auth middleware won't activate.
I have an ASP.NET Core app that uses Identity. It works, but when I am trying to add custom roles to the database I run into problems.
In Startup ConfigureServices I have added Identity and the role manager as a scoped service like this:
services.AddIdentity<Entities.DB.User, IdentityRole<int>>()
.AddEntityFrameworkStores<MyDBContext, int>();
services.AddScoped<RoleManager<IdentityRole>>();
and in Startup Configure I inject RoleManager and pass it to my custom class RolesData:
public void Configure(
IApplicationBuilder app,
IHostingEnvironment env,
ILoggerFactory loggerFactory,
RoleManager<IdentityRole> roleManager
)
{
app.UseIdentity();
RolesData.SeedRoles(roleManager).Wait();
app.UseMvc();
This is the RolesData class:
public static class RolesData
{
private static readonly string[] roles = new[] {
"role1",
"role2",
"role3"
};
public static async Task SeedRoles(RoleManager<IdentityRole> roleManager)
{
foreach (var role in roles)
{
if (!await roleManager.RoleExistsAsync(role))
{
var create = await roleManager.CreateAsync(new IdentityRole(role));
if (!create.Succeeded)
{
throw new Exception("Failed to create role");
}
}
}
}
}
The app builds without errors, but when trying to access it I get the following error:
Unable to resolve service for type 'Microsoft.AspNetCore.Identity.IRoleStore`1[Microsoft.AspNetCore.Identity.EntityFrameworkCore.IdentityRole]' while attempting to activate 'Microsoft.AspNetCore.Identity.RoleManager
What am I doing wrong? My gut says there's something wrong with how I add the RoleManager as a service.
PS: I have used "No authentication" when creating the project to learn Identity from scratch.
I was having this issue
No service for type 'Microsoft.AspNetCore.Identity.RoleManager`
And this page was the first result on Google. It did not answer my question, so I thought I would put my solution here, for anyone else that may be having this problem.
ASP.NET Core 2.2
The missing line for me was .AddRoles() in the Startup.cs file.
services.AddDefaultIdentity<IdentityUser>()
.AddRoles<IdentityRole>()
.AddDefaultUI(UIFramework.Bootstrap4)
.AddEntityFrameworkStores<ApplicationDbContext>();
Hope this helps someone
Source: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-2.2 (at the bottom)
What am I doing wrong? My gut says there's something wrong with how I add the RoleManager as a service.
The registration part is actually fine, tho' you should remove services.AddScoped<RoleManager<IdentityRole>>(), as the role manager is already added for you by services.AddIdentity().
Your issue is most likely caused by a generic type mismatch: while you call services.AddIdentity() with IdentityRole<int>, you try to resolve RoleManager with IdentityRole, which is an equivalent of IdentityRole<string> (string being the default key type in ASP.NET Core Identity).
Update your Configure method to take a RoleManager<IdentityRole<int>> parameter and it should work.
This my solution seed User and Role ASP.NET Core 2.2
Startup.cs
services.AddDefaultIdentity<ApplicationUser>()
.AddRoles<IdentityRole<Guid>>()
.AddDefaultUI(UIFramework.Bootstrap4)
.AddEntityFrameworkStores<ApplicationDbContext>();
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
...
...
SeedData.Initialize(app.ApplicationServices);
)
SeedData.cs
public static void Initialize(IServiceProvider serviceProvider)
{
using (var scope = serviceProvider.CreateScope())
{
var provider = scope.ServiceProvider;
var context = provider.GetRequiredService<ApplicationDbContext>();
var userManager = provider.GetRequiredService<UserManager<ApplicationUser>>();
var roleManager = provider.GetRequiredService<RoleManager<IdentityRole<Guid>>>();
// automigration
context.Database.Migrate();
InstallUsers(userManager, roleManager);
}
}
private static void InstallUsers(UserManager<ApplicationUser> userManager, RoleManager<IdentityRole<Guid>> roleManager)
{
const string USERNAME = "admin#mysite.com";
const string PASSWORD = "123456ABCD";
const string ROLENAME = "Admin";
var roleExist = roleManager.RoleExistsAsync(ROLENAME).Result;
if (!roleExist)
{
//create the roles and seed them to the database
roleManager.CreateAsync(new IdentityRole<Guid>(ROLENAME)).GetAwaiter().GetResult();
}
var user = userManager.FindByNameAsync(USERNAME).Result;
if (user == null)
{
var serviceUser = new ApplicationUser
{
UserName = USERNAME,
Email = USERNAME
};
var createPowerUser = userManager.CreateAsync(serviceUser, PASSWORD).Result;
if (createPowerUser.Succeeded)
{
var confirmationToken = userManager.GenerateEmailConfirmationTokenAsync(serviceUser).Result;
var result = userManager.ConfirmEmailAsync(serviceUser, confirmationToken).Result;
//here we tie the new user to the role
userManager.AddToRoleAsync(serviceUser, ROLENAME).GetAwaiter().GetResult();
}
}
}
My goal is:
To use custom headers with my own token to authenticate a user or machine against my signalr service.
We've been using this methodology succesfully under ASP.net WEB API to perform our own custom claims based authentication and authorization.
Our Web Api was as follows:
protected void Application_Start()
{
GlobalConfiguration.Configuration.MessageHandlers.Add(new AuthorizationHeaderHandler());
}
Then we would have a AuthorizationHandler that would overwrite the Thread.CurrentPrincipal = principal; and we would be done.
Within SignalR I have tried to implement:
1. Mark our hub using Authorize
2. Implemented custom authorize atributes
3. Tried A Custom Module. But besides returning true if the correct headers we're send I still do not get the Context.User to change to the claims based principal that we generate.
But never can we get the Context.User to show the actual user that's being used to connect to the hub.
Any suggestions are Welcome.
Main reason why we want to achieve this is because we have a couple of different user/machine types that connect to our system.
Anybody any suggestions.
Finally found the solution.
I added my own owin security middleware allowing me to handle customer header based authentication.
This could be easily expanded allowing you to combine multiple authenitication scheme's within on service.
First Create Custom Authentication Middleware:
public class AuthenticationMiddleware : OwinMiddleware
{
public AuthenticationMiddleware(OwinMiddleware next) :
base(next) { }
public override async Task Invoke(IOwinContext context)
{
var request = context.Request;
var value = request.Headers["Phocabby-MachineKey"];
var username = value;
var usernameClaim = new Claim(ClaimTypes.Name, username);
var identity = new ClaimsIdentity(new[] { usernameClaim }, "ApiKey");
var principal = new ClaimsPrincipal(identity);
principal.Identities.First().AddClaim(new Claim("CanGetApiKey", "False"));
principal.Identities.First().AddClaim(new Claim("Cabinet", "True"));
request.User = principal;
await Next.Invoke(context);
}
}
Then register it in the startup class
public void Configuration(IAppBuilder app)
{
app.Use(typeof(AuthenticationMiddleware));
app.MapSignalR();
}
I created two projects from templates.
The first contains Membership and MVC4. And the second uses MVC5 and Asp.Net Identity.
Then I added signalR to both projects using same code.
In Membership project I can access HttpContext.User both in controllers and SignalR connection class(OnConnected method). But in Identity project I have proper value of HttpContext.User only in controllers. In OnConnected method HttpContext.User returns null.
Code of signalR is same in both projects:
1) SynchronizationConnection.cs
public class SynchronizationConnection : PersistentConnection
{
public SynchronizationConnection()
{
}
protected override Task OnReceived(IRequest request, string connectionId, string data)
{
Debugger.Break();
return base.OnReceived(request, connectionId, data);
}
protected override Task OnConnected(IRequest request, string connectionId)
{
Debugger.Break(); //HttpContext.Current.User == null
return base.OnConnected(request, connectionId);
}
protected override Task OnDisconnected(IRequest request, string connectionId)
{
Debugger.Break();
return base.OnDisconnected(request, connectionId);
}
}
2) Startup.cs
public partial class Startup
{
public void Configuration(IAppBuilder app)
{
app.MapSignalR();
ConfigureAuth(app);
}
}
3) Startup.Auth.cs
public partial class Startup
{
public void ConfigureAuth(IAppBuilder app)
{
app.MapSignalR<Services.Realtime.SynchronizationConnection>("/test");
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login")
});
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
}
}
4) Client javascript
var connection = $.connection('/test');
connection.logging = true;
console.log('Receiving connection');
connection.received(function (data) {
console.log('received');
});
connection.disconnected(function () {
console.log('disconnected');
});
connection.error(function (data) {
console.log('error');
});
connection.start().done(function () {
console.log('Connection started');
});
I've seen questions about null User.Identity.Name because of missing [Authorize] attribute. In my case I cannot access even User.Identity. Also I have [Authorize] attribute on my action, that contains client javascript.
Inside of the OnConnected method, you can use:
request.User
That will carry the IPrincipal that was in the HttpContext.Current.User at the time of connection, and it is the one you should mind.
If you need to alter that IPrincipal (like removing the default one generated by Forms authentication and set your own), I recommend you to use an IHttpModule. All the transports in SignalR at least start as an HTTP (even WebSockets), so all transports are going to hit the module at least during connection.
Cheers.
I had the same problem: request.User was null in the PersistentConnection's OnConnected() method. Changing the order in which I initialized SignalR and my authentication provider fixed it. I changed it so that my SignalR endpoints were mapped after my authentication was configured:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
ExpireTimeSpan = new TimeSpan(999, 0, 0, 0),
SlidingExpiration = true
});
GlobalConfiguration.Configuration.UseSqlServerStorage("MyDatabase", new SqlServerStorageOptions() { PrepareSchemaIfNecessary = false });
app.MapSignalR<MyConnection>("/MyConnection");
I've started a new MVC 5 site, using the new Asp.Net Identity with Owin. In my "account" controller which has the attribute [Authorize], I have fairly standard actions;
// GET: /User/Login
[AllowAnonymous]
public ActionResult Login(string returnUrl)
{
ViewBag.ReturnUrl = returnUrl;
return View();
}
// POST: /User/Login
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
{
try
{
if (ModelState.IsValid)
{
var userApi = new UserService();
var apiUser = await userApi.LogIn(UserManager, model.CardNumber, model.Pin, model.RememberMe);
if (apiUser != null)
{
await SignInAsync(apiUser, model.RememberMe);
if (string.IsNullOrEmpty(returnUrl))
{
return RedirectToAction("UserLoggedIn", "User");
}
}
else
{
ModelState.AddModelError("", "Invalid username or password.");
}
}
}
catch (Exception ex)
{
Trace.TraceError("Cannot login {0}", ex.ToString());
Response.AppendToLog(ex.ToString());
ModelState.AddModelError("", ex.ToString());
}
// If we got this far, something failed, redisplay form
return View(model);
}
My question is in regards to the returnUrl behavior, the code above works in the sense that, if a user is not logged in and calls a action in a controller that has the attribute [Authorize], it gets sent to the login actions above and then returned to the controller/action that was requested. Which is great, BUT how?? And is it safe?
In this article about "Preventing open redirect attacks"(for earlier versions of Asp.Net MVC) the recommendation is to do a check on the returnUrl that it's a local url before doing the redirect, is that something I should still do or is it now handled by the framework?
Cheers,
Ola
You need to check if the url is local indeed using this method (it is not handled by the framework automatically): http://msdn.microsoft.com/en-us/library/system.web.mvc.urlhelper.islocalurl%28v=vs.118%29.aspx
if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
As Sandeep Phadke told, the returnUrl Parameter is filled, because of configuration in startup.Auth.cs.
The CookieAuthenticationOptions has a property ReturnUrlParameter which is by Default set to "returnUrl". That is the reason, why it looks like magic. You can Change it to whatever you want:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
ReturnUrlParameter = "returnTo"
});
Then you can Change the AccountController Login-Action to:
[AllowAnonymous]
public ActionResult Login(string returnTo)
{
ViewBag.ReturnUrl = returnTo;
return View();
}
if (Url.IsLocalUrl(returnUrl))
{
return Redirect(returnUrl);
}
else
{
return RedirectToAction("Index", "Controller");
}
To answer your first question on how the redirect Url is setup, it configured in Startup.Auth.cs which is called from Startup.cs and is marked with an attribute which is probably looked for by the OWIN framework on app startup and both files partial extend a Startup class.
In Startup.Auth.cs there's a class to configure authentication options and usually has the following code
public partial class Startup
{
// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
// Enable the application to use a cookie to store information for the signed in user
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
CookieSecure = CookieSecureOption.Always
});
// Use a cookie to temporarily store information about a user logging in with a third party login provider
app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
// ....
// I deleted code which is commented out if you selected "Individual accounts"
// if you created the site project using the VS 2013 wizard
// ...
}
}
I added the CookieSecure option to ensure cookies were signed and that is recommended as a good security practice, other than that its boiler plate code.
More documentation on CookieAuthenticationOptions if you want it.