Here is my Scenario:
I need to capture at least 3 security questions & Answers as a part of user registration for an Website (Built in MVC 5 using Individual User Accounts as means of Authentication). Which I can do by extending ApplicationUser object.
So far so good.
I would like to ask these questions in the password recovery process.
I didn't find any support for security questions in ASP.NET Identity framework.
My Question:
Do I need to implement security questions out side of built in UserStore library or is there existing support similar to Secret questions in ASP.NET Membership functionality in .NET 2.0?
Note: Let me know if you need more information.
To do this in ASP.Net Identity, you treat the answers as custom passwords.
Use userManager.PasswordHasher.HashPassword(Answer1); to generate a hash for each answer to store in custom class properties/fields in the database. (Where userManager is the instance of the Identity UserManager)
On recovery, use
var verification = userManager.PasswordHasher.VerifyHashedPassword(dbHash, Answer1);
to verify the challenge.
You can then check if verification.Success is true for each answer.
ref: MSDN
Related
As the question states I would like to check what type of user is logged in by using data annotation
[Authorize(Roles="Admin")]
I have seen multiple questions and tutorial but none of them explain it clearly or use older mvc.
Is there a simple way to achieve that without using the stock authentication system provided with individual account authorization?
I simply do have a table for users with usernames passwords etc.
You have to deal with two things Authentication and Authorization.
Authentication
You can authenticate users using Owin forms Authentication or the old fashioned Forms Authentication if you prefer.
Authorization
For authorization you can create a custom Role Provider if you want to use Roles (as your did in your sample code) or you can use Claims Authorization.
This article is from 2013 but I successfully followed it to implement a custom role provider in my MVC5 application.
I'm building a MVC website (with EPiServer) that I initially set up with a custom membership and role provider that call a REST service for user validation and permissions.
However, it seems we could benefit by changing to Microsoft's Asp.net Identity v2 for claims based auth. But I'm having trouble figuring out how to arrange Asp.net Identity 2 to use the same REST service for user validation and generating the claims. Most examples on the web are specific to using OWIN and Entity Framework which don't seem relevant for what I need.
Could someone point me in the right direction to figure out how to utilise Asp.net Identity v2 but with integrating our REST service for the user validation and permissions/claims? I feel that I should only need https://www.nuget.org/packages/Microsoft.AspNet.Identity.Core and to make a custom UserStore that talks to the REST service, but I'm not confident due to lack of clear examples or documents (or maybe it's just me) to implement it.
Hope this is a clear question - let me know if there's anything other info that could help improve the discussion.
I'm starting a new ASP.NET project (WebAPI and WebUI) using the Identity 2. What I am struggling to understand is when and if to use claims at all.
My app will require users to login and previously with the old Membership system, I would have added them to a role when they register. Should I continue doing this or is there a better way to handle all of this nowadays?
Wouldnt using Roles and Claims just overcomplicate things?
Thanks
Always use claims. All .NET identities are claims-based by default. BTW, a role is also a claim - a claim of type ClaimTypes.Role.
Is it possible to override the logic IsInRole in asp.net? I use my own tables of roles in the database and I would like to know how to use own logic.
Something like inheriting from PrincipialBase. Do you know some ways?
I would only use RoleProvider if you are using other aspects of ASP.NET authentication and authorization management. However, if you have your own database for storing role information and already have a UI for managing user roles, you can get away with just creating a GenericPrincipal with your roles and replacing HttpContext.Current.User with it during PostAuthenticateRequest (for ASP.NET).
MVC is slightly different, depending on how you are managing authorization. Here is a related question.
application role management in asp.net mvc (How)?
It is better to load all the roles for a user once per request then to check roles against the database multiple times during the request.
Then you need to implement a custom RoleProvider. Here is a guide to implement a RoleProvider.
Microsoft released the source code for the default providers (membership, role, etc...).
That is also a great reference when implementing your own provider. The one time I implemented a custom role provider, it served me very well.
I have an existing production application that uses vanilla ASP.Net Membership for authentication.
However, I'd like to provide other means of authentication as well as the current ASP.net membership system, such as Facebook.
The Windows Azure Access Control Service makes this extremely easy and straight forward. Provided, that is, you're starting a new web application from scratch.
So, in this case, how do I
Integrate the Access Control Service authentication into my app without affecting the current login system and its users?
Migrate users over or Link logins? ( not sure if this is even possible)
Thanks all
Roberto
You need to create a custom identity provider based on your membership database. See this article on custom WS-Federation Identity Providers that can be integrated to access control: http://msdn.microsoft.com/en-us/library/windowsazure/gg185933.aspx
Also see this article on one that was written on top of the membership database: http://blogs.msdn.com/b/vbertocci/archive/2009/04/23/enhance-your-asp-net-membership-based-website-by-adding-identity-provider-capabilities.aspx
Approach of creating an identity provider (IP) based on your ASP.NET membership database which Paul Tyng suggested is valid.
However, it means that if you just create an IP you'll allow log in to all people who are authorised with other IPs (e.g. Google or Facebook). I'm guessing it's not what you want - you'd still want people to first register (either plainly with username-password or with their external identity). If that's the case then your task is the following:
Add a data store for users' external identities which is related to your existing Users table.
Modify the ACS login handling within your application to check that the identity returned from ACS actually exists in your members database.
Perform member log in (instead of federated log in) if you found the returned identity in your db.
Add external identity tie in during the registration process so your Identities table can be actually populated.
(optional) Re-use the bulk of the #4 mechanism to provide an ability to attach external identity to existing user accounts (i.e. I already have a normal membership with you and now want to add an ability to log in with Google as well, for example).
There is no one single tutorial/walk-through to achieve this (or I have not found one) so I had to pull bits from a variety of sources to make it work. Please let me know in the comment if I understood your requirement correctly and I'll add a guide on how to set this up. Cheers!
Might be a bit late, but check out the following blog posts by fellow Windows Azure MVP - Dominik Bayer:
Mixing Forms and Token Authentication in a single ASP.NET Application
Mixing Forms and Token Authentication in a single ASP.NET Application (the Details)
Replacing ASP.NET Forms Authentication with WIF Session Authentication (for the better)
Invaluable readings which will help you in any way!