I'm currently investigating an elegant solution to this problem, but I wanted to get this question out here in order to get any advice/suggestions/answers to this problem.
I am working with an authentication system (forms authentication) that the client uses for authentication.
Current Steps:
Redirect to URL for forms authentication.
Enter Username/Password
Get back form data. Specifically: Context.Request.Form["Token"]
I am able to perform all of these steps. I am trying to think of the right path to get the middleware to take care of this problem. I'm currently wondering if I could simply use the Microsoft.AspNet.Authentication.Cookies to solve this problem. With this approach, I would implement my own ICookieManager to look at the Form data.
Advice/Suggestions/Answers?
Thank you in advance!
I came up with my own answer to this question, so I wanted to share.
As I said, I am working with a forms authentication system. Part of the forms data is a 'Token' value. My solution involved two parts:
I created a middleware component to intercept form data, look for a 'Token' value in the forms data, and write that to a cookie.
I used Microsoft's Cookie authentication middleware implementation, but I had to override one of the options, TicketDataFormat. Their implementation expects a serialized/encrypted ClaimsIdentity. My token was not that, so I had to implement my own thing to create a ClaimsIdentity based off the token.
I'll be happy to share more detail if anyone is interested, but that is the jist of my solution.
I don't have a specific advice for you.
However now it's available quite good official documentation:
ASP.NET 5 Security
There you can find more information, including Authentication in ASP.NET 5
I hope it will help you.
Related
I'm working on a legacy application using ASP.NET Web Forms, and I need to implement the "Remember Me" functionality when the user logs in (as in, does not require the user to log in unless their username/password has changed). What is the best approach to doing this? I've found posts like this one or this one but these are incredibly old and was wondering if there is an updated practice to doing this. TIA!
I believe the standard generally speaking is to create some kind of unique/random token and store it in the customer's cookies. On the back end, you save that token associated to the username, so when the customer is browsing you can check the token in their cookies and compare it to what you have on file in the database. I'm sure there are a variety of opinions on how exactly to implement all that, as you can see in that first link you mentioned, but using some kind of token in a cookie is what I've seen in many places.
I'm trying to implement "single sign-on" so that users of my ASP.NET site can jump to a WordPress site and automatically have their account created. There is a plug-in for WordPress called JWT Authenticator that will send unknown users to a URL you provide and then you can POST back a JWT with enough information for the plug-in to do it's thing and automatically login the user over there.
I can see how one might accomplish this just by generating a JWT using something like JOSE and then in javascript posting the token over, but I was hoping to capitalize on any existing code in the ASP.NET Identity/OAuth/JWT packages to manage the heavy lifting (especially the posting of the JWT).
Is that a standard "flow" for OAuth? I suppose in that case the ASP.NET site is sort of an Identity Server but the documentation for that sort of thing seems to suggest a structure way out of proportion for "make a JWT & post it back there".
Any ideas what subset of functions exist in the Identity & OAuth libraries for doing this?
Thanks!
James
We are facing a situation where any help will be much appreciated.
We use ASP.NET 2.0 Technology
We have some webpages that are role-protected. So you need to authenticate with different credentials available( certificates, forms, etc) before entering on the app.
The problem comes that we need a second authentication factor like the one used on Banks( for example a SMS code or similar).
As a first approach we would like to protect only some fragments of code, but if that´s not possible a possible solution would be to protect some complete webpages (to require this second authentication before executing).
Any suggestion of how this can be performed?
It´s possible to protect only fragments of code?
Thanks to all of you!
I've been looking around for information on this for a little while and keep seeing what appears to be how to set up a OAuth2 server in ASP.NET.
What I want is like the "app.UseMicrosoftAccountAuthentication" where I can use an external login service but that service is standard OAuth2 and not one of the built in providers. I'm not finding a lot of documentation on that subject and would like it if someone could point me in the right direction!
There isn't really such a thing as a standard oauth2 provider when you are looking for authentication. See http://www.cloudidentity.com/blog/2013/01/02/oauth-2-0-and-sign-in-4/ for a discussion about it.
Which providers were you looking to support?
Im just wondering how to go about using FormAuthentication in asp.net
In our project we are basing it on webservices, which returns an XML document on successful login with all the credentials we require. Whats the best way to store and access the information returned?
Thanks
EDIT: thanks for the response. I cant use the default provider because the provider is already given to us.
Basically, what I want to know is whats the most effecient way to store a Guid and an Integer on successful login so that it can be easily accessed by my asp.net application.
When you create your FormsAuthenticationTicket, you can set the UserData property to anything you like, including the data from the web service. That data will all be encrypted when placed into the Forms Authentication cookie, and will be decrypted on each subsequent request. The information will be available in the Ticket property of the FormsIdentity object that you can reach via HttpContext.Current.User.Identity.
How to go about it? Its a complex subject which no one can answer fully here.
I can tell you that the easiest way to implement it is to use the standard SQL Server-backed forms authentication provider. This is a step-by-step on how to set it up.
It can get a little confusing when there are database issues, however. These are usually caused by common issues and some googling often straightens it out quickly.
Keep in mind, also, that forms authentication usually entails sending cleartext passwords across the network. So protecting your login URL with SSL is a must in a production environment.
Session["GUID"] = value;
Session["INT"] = value;
Shoving the XML Dom object or xml in the Session object is not advisable for performance reasons when you only need 2 tiny values.