I would like to know what's the best way to deal with authentication in Asp.NET MVC 3 from multiple sources like :
custom Form authentication social
networking (Facebook, twitter, etc.)
other ?
I found this link : Looking for a .NET library to do authentication that support multiple sources but would like to be sure if there is some more means to make authentication since that question was asked.
I don't want to be tightly coupled to one specific provider so maybe I should write some wrapper around it, but if you have some guidance, it could be nice to hear from your experience.
Thanks
The popular social networking sites (such as Facebook and Twitter) implement the OpenID functionality; and you can your own authentication to use OpenID. You could implement your own OpenID Membership Provider.
On a side note, it means you could authenticate users on StackOverflow too!
Let me know if I can help.
Matt
You might want to look into using Windows Identity Foundation
Related
Haven't done security in ASP.NET before. Need to secure an MVC site - simple username/password access for admin access to the site's logs and admin areas, not for general users.
Looked into Identity/OWIN, and it is, as of this writing, half-baked. There are multiple ways to do things, the docs are few or non-existent, and blogs dicuss deprecated or alpha versions. The samples don't correspond to anything in the docs or blogs. In short, it's a mess.
Security is hard, so I want to use something that was written by an expert, works and is tried-and-tested. Must be from Microsoft, not some third-party stuff.
So what security API came before Identity/OWIN, which works well and hasn't been compromised? They've released many, so I don't know which to use?
Forms Authentication with custom Membership and Role Providers were used for years and still can be used. The SimpleMembership is something that tries to simplify the original provider model but sacrifices too much, in my opinion plus it us still not that simple.
There are thousands of tutorials on Forms Authentication and you should be able to start immediately. The Membership/Role Provider model is also extremely well documented.
In terms of correspondence
Membership/Role Providers correspond to the Identity api
Forms Authentication corresponds to the owin security api
The predecessor to Identity/OWIN was SimpleMembership.
However, according to my question "What is MVC4 security all about?", SimpleMembership is an oxymoron.
I'm implementing my frist web application on asp.net mvc 4 and I need to differentiate my users according to roles ( show certain menus to some roles and hide them from others) basically what i want is to manage my users and roles. I understand that security is quite an important part of my application so I don't want to risk it by implementing something not secure while there are other options for doing this.
My question is, is there something already built on MVC 4? is it apropiate for my a small site? ( I don't expect more than 50 concurrent users) is it better to implement my own user administrator? if so, where can I start? so far what I've found is the membership provider but it seems quite big for what i need, there will be no user registration instead the new users will be added by system admins.
Thanks for taking the time for reading this, any feedback will be appreciated!
I would have recommended the default membership provider as it makes use of security industry best practices (i.e. salted hash). However, if that seems overkill, there is a simpler membership provider called SimpleMembership Provider
You can use New ASP.NET Universal Providers (updated version of legacy Membership Provider).
It can be used in small application as well as large application (if you application continues to grow).
Password is encrypted with salt, so it cannot be compromise easily.
Follow the Scott Hanselman's link and see the demo. You will see how easy to set up.
I have a website and I wanted to become an open ID publisher. How to do that?
Depending on your exact requirements, you might want to try OpenID delegation instead. You can then use your website as a layer of abstraction over a third party provider.
As you're building for asp.net - take a look at DotNetOpenAuth. It's a free, open-source library that can make your asp.net webrite an OpenID provider (your website can be used to identify you) or a relying party (users can log in on your website using OpenID).
In fact, StackOverflow uses it as well, and so do I. It has a number of examples, and it's pretty reliable and secure.. Definitely recommended! :)
If you just want to run your own identity server, then a good place to start looking is here. I run phpMyID on my site that acts as an openID server for me, it was easy to set up, seems to work, and no-one has stolen my identity ..yet.
I have a silverlight application and i want is that my application should ask for the user name and password and the client should be able to start chat with their facebook friends.Could this be done? and if so then is there sample code available
This is the question of what kind of API Facebook provides. There aren't any inherent issues here if Facebook exposes this sort of functionality to third parties. I'm not an expert in this, but reading the facebook documentation should help you out.
http://developers.facebook.com
Also maybe check out these links:
http://wiki.developers.facebook.com/index.php/LiveMessage.send
http://wiki.developers.facebook.com/index.php/Fb:chat-invite
It looks like some folks developed a framework to more easily interop facebook with .net based technologies:
http://facebooktoolkit.codeplex.com/
Here they are discussing the LiveMessage stuff:
http://facebooktoolkit.codeplex.com/Thread/View.aspx?ThreadId=62384
People did facebook chat clones on the web, and in standalone apps (http://www.faceoffim.com/), so at least in principle it's certainly doable.
What do large websites built in .NET use for their login components?
I will be implementing the login and membership features of a large .NET web application. As I see it, there are 4 options:
Leverage the default Microsoft Membership Provider
Build a custom Membership Provider
Use a different 3rd Party Component
Build an entirely custom login/authentication framework
I am trying to optimize for reliability, so I would like to know if sites like MySpace or PlentyOfFish have already established a best practice in this area. The real motivation for this question is I want to validate that the MS Membership Provider strategy will scale well.
I know StackOverflow uses OpenID, but I don't think that would be a good solution for what I am working on as a lot of my prospective users will be non-technical. Feel free to pitch why OpenID should be considered if you believe strongly in it.
Always rely as much as possible on platform-provided tools for security tasks such as authentication.
In this case, that likely means inheriting from one of the stock MembershipProviders. That will let you re-use all the existing code for the provider, plus any tweaks you need to make it work with your existing system. It's possible you can find a 3rd party component that works well for you that already does this.