I am trying to learn ASP.net MVC -
I have successfully implemented the basic authentication and authorisation.
My application is multi tenant (One DB one Schema) and multi Users.
Each user can be added to any tenant by admin.
A user will be given a list of tenants he can use upon logging in.
Then the user clicks on one tenant and enter in to the tenant's application data and can update, create etc. (invoices for example).
I am using cookie authentication, should I be adding each tenant the user is authorized to use as a claim or check on server side for authorisation when user switch between tenants.
Using cookie claim will save DB queries if I have tenant list for user as claim. But Cookie has 4k limit what if a user can access thousands of tenants such as admin.
You can save user-tanent relation in a table , and put row id in cookie , so you can check that row when user logged in.
Related
I have a website on ASP.NET consisting of web app and web API. In my website sign in used to be done with username and password, and then after few encryption database checks the user and start the session.
Now, after adding Aure AD single sign-in, how to make sure specific user enters into webiste. Like I have read in Azure documentation that in Token from Azure AD we can get claim (sub + tid) which are unique and immutable. Should I add a column in my database to store the value of these two (sub+tid) in order to select the specific user?
Is there any better way to do it?
The tid claim will identify the Azure AD tenant used to authenticate the user. If you allow users to sign in from any tenant, this is a good one to store.
If you only allow one tenant, then it might not be necessary to store.
There are two claims that can be used to identify a user. You can choose which one you use.
sub will uniquely identify the user in the context of that application and is immutable.
It is the standard OpenID Connect identifier for a user.
If the user signs in to another application, the value will be different there.
This value cannot be known before the user signs in to your application, they are not available through any UI or API.
oid uniquely identifies the user and is the user's objectId.
This is also immutable.
If you want to make queries to e.g. Microsoft Graph API to get user info, you will need this value as it is what is used in APIs to identify the user.
The objectId can be known in advance before the user logs in to your application (someone in their tenant can look at user list and see the ids there) and that can be an advantage in certain situations.
I am using ASPNETZERO multi-tenancy solution and I want to achieve following solution in that.
My need is like One user share all details among all Tenants.
Let's say there is user1 registered in Tenant1 with email id, password and all fields.
Now what I want is this User1 can logged in any tenant using the same login details, I mean to say user1 can login in tenant2, tenant3 etc.. But without registering again and also with same login details.
Also user can edit details in any tenant and that need to updated in all tenants.
Here is what I have planned :
I am planning to put multiple entries of same user with different
tenant id in default Usertables. I mean to say, when user1 registere
in tenant1 then I will copy all details of that user to all tenants.
So I will create same user entry with tenant2 id, tenant3 id and so
on..
I got it working by editing user-service file.
Thanks
In case of allowing a user to login to multiple tenants, the following approach can be used
The user details should be generic and not under a tenant
After adding user, you will assign the user roles for every tenant
When the user logs-in, the data will be validated and then the user will be given a page to choose tenant for which he can work
(OR), the user can provide the tenant name during login so that you can directly validate the user and allow to use the application
Tenant level access will be based on the tenant and roles, if I have access to Tenant1, it means that i have a role for Tenant1 and if I pass Tenant2 to access, the system does not find any roles associated with my user for the Tenant2, denying access (401).
I am building a booking system and I am using firebase as the backend. The system has two parts:
the customer end which is an app.
the business end which is a website.
I am using the same firestore database for both and also using the same Firebase Authentication project.
So I need two sets of authentication sets one for the customer end and another for the business end.
I have added two apps in a firebase project for sharing the database. My issue is the users shouldn't be able to sign in at the business web app with their credentials and vise versa.
How can I create two sets of authentication details one for each app?
Authenticating a user with Firebase does not determine whether the user has access to anything app-specific. Authentication is merely a method where the user proves who they are.
You then use this information about the user to determine what they can do in your app(s), a process that is known as authorization. Authentication and authorization go hand in hand, but are still separate steps. And Firebase Authentication only takes care of the authentication part. Authorization is up to your app.
The typical approach to your scenario is to actually have only one set of credentials for each user. If the same user needs access to both the app, and the web site, they can sign in with the same credentials. Based on your knowledge of the user, you then grant or deny them access.
Most apps have a users collection with a user profile document for each user (using their UID as the key). Then after the user is authenticated your app could read the user's profile document and read for example two fields named isCustomer and isBusiness, to determine if the user has access to the app/site. You'd also use those fields in the security rules of your database to grant/deny access.
An alternative is to give each user profile in Firebase Authentication a custom claim to determine whether they are a customer and/or a business. In that case you'd need server-side code to set the custom isCustomer and/or isBusiness claims and use this in your code (and database) to grant or deny access.
Also see:
How to create firebase admin user for authentication in java
How to use the same Firebase Auth for Two different Flutter apps?
role based authorization and role based access control flutter
I'm developing an ASP.NET MVC application. I need to support multiple authentication mechanisms (this app is used by multiple customers, each with their own preferred authn provider). One auth provider will be Active Directory. The AD integration for authentication is straightforward and I have no problems with that.
For authorization, roles will be stored in a local database (NOTE: we cannot use Active Directory groups for doing authorization - roles need to be local application roles because we support multiple authn providers and AD admins won't want to create custom groups in AD just for our app). My expectation is that we will need to create "stub" user accounts in our local database in order to do the User-is-assigned-which-Roles mapping. These stub user accounts will also be used to indicate which users are authorized to access the application (not everyone in the AD database should have access).
The anticipated flow of control will be:
User accesses login page > enters credentials > posts credentials to app server.
The app validates the credentials against AD. At this point, we know if the user is authenticated.
The app checks the user's SID to see if a "stub" user account with that SID exists in the local database. If not, the app displays an "not authorized" error message to the user.
The app will look up roles for the user in the local database user-is-assigned-which-roles table.
User identity info including roles will be stored as claims and the app will use typical claims based authorization (i.e. ClaimsAuthorizationManager).
My question is what is the best way to create "stub" user accounts into my local database? My guess is that we should use some sort of AD export script to export AD accounts for those users that should be granted access to the ASP.NET app and then import those users into the local database (NOTE: I expect that the stub account will contain minimal info - perhaps just the user's SID from AD and maybe the username).
A batch export/import is probably OK as an initial deployment process. After the app is up-and-running and new users join the organization, I expect a more user-friendly mechanism will be desired for granting a new user access to our app (other than exporting/importing the new user's account from AD to our local database). My guess is that we'll need some sort of user browser screen so that an admin in our app can browse the AD directory, select a user, click a button and then have that user's "stub" account created automatically in our app.
Has anyone implemented an application with similar requirements? If so, how did you bootstrap the creation of "stub" accounts in your local database? Is there a better way to address these requirements?
Please feel free if this can Help You Custom Annotation Authorization
It's only a workaround, or just an idea, not a solution...
To use it you only need to use Annotation in the controller
e.g.
[ARQAuthorize]
public class BlaBlaController : Controller .....
I am currently implementing a similar solution. Here is how the application works. I'm using ASP.NET MVC 5, ASP.NET Identity 2.2.1.
I am using the Identity framework to manage users and roles within the application. The user goes to a login page, enters their credentials. The application checks against the application DB to see if the user exists. If not it throws an error that the user doesn't exist in the database. If the user exists, it authenticates against AD. If authentication fails they get an error message, if it doesn't fail I create a ClaimIdentity from the user out of the database (not the user in AD) and pass that to my SignIn method.
My user in the application DB has the same username as the AD username and I use that as my stub. I also include the domain of the user in the DB as well in the case that I might have multiple domains I need to support. With Identity, don't forget to also populate the SecurityStamp field with a guid.
The plan is to bulk import the users and permissions from a spreadsheet and I have some standard CRUD actions created to allow creation of individual users and assigning of roles after that.
I am using ASP.NET Forms Authentication (Roles, Users, Membership, etc).
In short, I'm looking for something that will give me a unique UserId for users -before- they are logged in or before they create an account.
I would like the user to be able to personalize the site to a certain extent -before- they go about the work if creating an account. I realize that work would be lost if they clear their cookies.
I store personalized settings in a table with their ASP.NET Auth UserId. I'm hoping that users get assigned a cookie-based UserId even before they log in and create an account, rather than every "guest" having the same "guest id".
If and when they do create an account or log in I'd have to migrate their saved settings to their "permanent" UserId, but that's ok with me.
I could re-invent something, creating a Guid and storing it in a cookie, but I'd like to avoid reinventing the wheel if there's already a mechanism in ASP.NET.
Thanks!
Dave
See Personalization and User Profiles in ASP.NET 2.0 - Handling Anonymous Users.
Note that each anonymous user gets a unique anonymous ID the first time they visit a site. This ID is stored persistently in a cookie. Thus, if a second user opens up a browser on the same computer as the first, the second user will be seen by the site as having the same anonymous ID that was issued to the first user.
The short answer is No. There is no user id assigned to anonymous users that you can store in the Profile table. You will have to create an "AnonymousSettings" table that you store customization information on a per user basis. You would generate your own cookie with a unique ID (a GUID would be a good choice) and the use that to lookup the anonymous user.
Once the user registers, you can transfer their settings from the anonymous table to the profile settings.
Asp.net Automatically generate SessionID per user.
You can use SessionID of active user.
Session.SessionID returns unique key for user. SessionID stored in Cookies.
Asp.Net doesn't remove Session Cookie. After User logged in. So
You can match SessionID and UserId.