Persist custom registration information with Profile API - asp.net

I've seen examples of producing a custom registration control which persists its information with some extra fields (or a table depending on the problem) in the corresponding Sql Server.
It's also said that there is a way to do the same thing with the Profile API (persist custom info in a registration control). Is there a walkthrough for this?
Thanks

Check out this link from MSDN Storing User Information with ASP.NET 2.0 Profiles
You'll also need to know how to Create the Application Services Database for SQL Server

Related

ASP.NET MVC 5 Identity 2.0 & OWIN Two Factor Authentication by using existing DB

I've just started with MVC after working on Web Forms for 4 years. I've watched few videos explaining the architecture/fundamentals and I'm now able to replicate few modules of my old project with MVC5 using EF6.
I've a SQL Server DB containing tables such as Albums/Artists/Titles/Reviews and he User Table. I was able to work with the first set of tables using EF6 just fine including inserts/deletes. The prev project I had implemented custom Web Forms authentication using BCrypt by storing the details in the User table and later doing the validations and setting the auth cookie.
User table has details such as UserId, PWHash, EMail, FirstName, LastName. The UserId is a FK in the Reviews table and few others.
The implementation I'm hoping for is as below:
1. Login screen accepts credentials and validates with existing User table.
2. If valid, move to the 2FA screen(eMail/SMS).
3. If valid, then allow access to application.
Most of the tutorials say how to extend the attributes such as FirstName/LastName but do not say how to use an existing DB. I'm planning to use bcrypt/scrypt to encrypt the sensitive details.
I've gone through MVC 5 & ASP.NET Identity - Implementation Confusion but id doesn't have all the answers to my queries
I just need the starting point on how to plug the existing DB instead of using the dbcontext provided by default
Personally I find the documentation quite frustrating as well when you move away from th conventional, so you may be in for a world of pain.
The easiest way would be to fully take control of the authentication process yourself, utilising FormsAuthentication
However, if you want to leverage a lot of the out the box code, that has been delivered with MVC5 but against a custom database, or schema you will probably have to implement your own UserStore and maybe UserManager among other things.
The problem is, there is a lot to implement, so you are going to have a fun time guaranteed.
Have a read through this article on Custom Storage Prodivers to get a head start.
Good luck
If your app is using EF Code First then you can use your existing schema and plug in your own user. Look at the following example which shows how you can reuse your existing user information and plug it into Identity http://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/CustomMembershipSample/Readme.txt
You do not have to inherit from the IdentityDbContext. You can directly use the DbContext. In this case you will have to override the onModelCreating to create the Users/ Roles tables and all the mappings between the tables.

Custom Membership provider with oAuth

It's my first contact with MVC so please be understanding for me. First of all:
1) If I will implement custom Membership provider with sql database, with my methods to activate user via e-mail, putting user into database etc. (and just one table - tableUsers), this solution about oAuth and Facebook login will works properly? Honestly, it's not clear for me at all.
2) What solution is better. My custom membership provider, or using default?
I want to sending my custom activation e-mail, then activate account. Later, I want to add new columns into userProfile table - "ID type" and "isActivated". I will storage additional info about user in separate table (telephone, webiste, about me, hobby etc) - I will get this data by IDuser from userProfile. What is more, I want to use loggin method via Facebook or Twitter. I found solution on asp.net website, how to do it with Oauth.
What solution I have to choose?
Regards
What solution is better. My custom membership provider, or using default?
As you want to store extra user information in the database, you will need to create your own custom Membership Provider as the default one lacks this flexibility. Also with the default membership Provider , you will not be able to verify your user with an activation email. You will have to customize it.
How to do it with Oauth.?
The default Membership Provider provided with MVC4 in VS 2012 has the ability to do login using Facebook and Twitter and you can add even more like LinkedIn. But, as you will need to create Custom Membership provider for storing additional information, you can use DotNetOpenAuth library for this. It is the same used by the default Membership Provider. You can add it through Nuget.

ASP MVC User Profiles

I've done MVC in the past, but I am new to ASP and ASP MVC. I really love the ease that ASP MVC provides me, so far, but I am having trouble figuring out how to get more control over the Users. By default, the MVC provides a minimal user registration form. I have looked around quite a bit, but I still have two questions:
How do I make the User data base a local database in my project? I think SQLEXPRESS is used to store the user values, in what seems like a magical process. How do I de-magic-ify this? I would like to have more control on the location of this database.
This leads to another question: How do I expand the User? I have been reading up on Profiles, but I am still confused about a few things. How do I prepare a Profile and link it with a User? What serves as the foreign key? And, in my controllers, how can I access various parts of the user like username, email, or even from the profile stuff like firstname, lastname (though I guess once when I have a Profile's database and a User's database locally, I can run sql commands to retrieve data)
I would really appreciate some pointers to the right resources, and/or best practices with ASP.NET
I would start by reading this official Microsoft article on extending the ASP.NET Membership API. It talks about creating extra tables for storing additional information about users.
The membership database
If you have an existing database which holds all your other website information, you can run the aspnet_regsql.exe tool to generate the necessary user tables. You will then need to modify your web.config and add the SqlMembershipProvider along with your connection string.
If you're creating a new project and don't have a database, start with a new MVC project which already has Membership enabled. Your database will be created inside the App_Data folder on first use, and you can take this and attach it to your SQL/SQLEXPRESS server. Then it's just a matter of changing the connection string to use a DB server rather than a local file.
Creating additional tables
This part is actually quite simple and consists of a few short steps:
Create a new table, i.e. UserProfiles
Add a uniqueidentifier column as your primary key, and add a foreign key to the aspnet_Users table
Add any other fields you want to store (Phone, Address, Gender etc.)
If you're using LINQ-to-SQL or the Entity Framework, you can simply drag the tables you need onto the designer, and you'll be ready to query the Membership tables.
Here's a little sample on usage
Add this snippet to your repository responsible for Profile/Account information.
public aspnet_User GetUser()
{
MembershipUser user = Membership.GetUser();
return db.aspnet_Users.SingleOrDefault(u => u.UserId == user.ProviderUserKey);
}
Then inside your models, you can get the user and access the other information stored in your UserProfiles table.
AccountRepo accountRepo = new AccountRepo();
aspnet_User user = accountRepo.GetUser();
string Address = user.UserProfile.Address; // bingo!
And that's pretty much it!
This is obviously a simple example, and you should be checking if the user is null and you could also create a class responsible for returning the necessary information about a user, implement caching, etc..
I would start from here:
Managing Users by Using Membership
Managing Authorization Using Roles
Also a great article series (18 articles!!!) is from Scott Mitchell at 4GuysFromRolla.
The ASP.NET membership model is desgned to have a pluggable architecture. You can write you own MembershipProvider implementation that best suit your needs.
Even if most of the samples you will find on the net regards ASP.NET web forms, there are only very small differences when used with MVC.
If you're still looking for insight into this, I just ran across the fact that in MVC 4 WebPages sites, there's a provider called the SimpleMembership provider. It gives more control to the developer of the Users, Roles and Membership info stored on websites. More here:
http://blog.osbornm.com/archive/2010/07/21/using-simplemembership-with-asp.net-webpages.aspx

Best practice to join nhibernate and ASP.NET membership/role/profile services

I've got a generic ASP.NET (MVC) application, that uses NHibernate as the model persistence layer, and ASP.NET Membership/role/profile services as the user management layer.
The question is what can be considered as the best practice to create linkings between the domain data and the users. (For example is I want to create a forum system I want to link each topics/posts to a specific user, and want to display the user at each request).
These are the posiibilites I've been thinking of:
Store the user ID in NHibernate (like having a Guid column in all your domain classes (Posts, Topics etc.) that needs to reference a User) and use GetUser each time you need the name of the user from the guid (which might result in n+1 queries)
B variant: Alternatively store the user name too.
Use the same database, and create a read-only NHibernate maintaned domain object User, that maps to the same data as the M/R/P services do.
Forget about M/R/P and create a separate user management service based on NHibernate
Forget about both and use J2EE/RoR/merb/DJango/etc. (please don't pick this option :) )
other...
I would go for step 2 (almost, as it does not necessarily needs to be readonly) and create a custom membership provider for NHibernate.
To save time you can use an existing one like the one from Manuel Abadia.
With that you keep the full power of NHibernate (lazy loading, etc.) and enjoy M/R/P services too.
There is also a NHibernate based Membership provider at CodePlex
4 guys from rolla have an excellent post if you want to buil your own provider on top of the asp.net membership API : https://web.archive.org/web/20211020114106/https://www.4guysfromrolla.com/articles/110310-1.aspx

secure way to authenticate administrator in ASP.NET site using OpenID with DotNetOpenID

Encouraged by SO, I'm trying to write an ASP.NET site that uses OpenID for user authentication. It's a regular WinForms site (not MVC.NET), using the DotNetOpenId library for authentication.
Is it safe for me to permit/deny administrative functions on the site by simply comparing the current session's "ClaimedID" (as returned in the OpenIdLogin_LoggedIn event, as member DotNetOpenId.RelyingParty,OpenIdEventArgs.Response.ClaimedIdentifier) to a known administrator's OpenID (i.e. mine)?
If so, is it safe for this ID to be visible (e.g. in open source code), or should it be "hidden" in a configuration file or a database row? (I know it's better design to make it configurable, my question is just about safety.)
My solution is to follow the same idea of the Roles table. After you've authenticated the user, look up that user's roles. If the user has role "Administrator" in the UserRoles table, then they can do whatever the Administrator can do.
I don't broadcast open ID's in my app. They're stored in the table. On every action result, I'm hitting the Users table, since I have also modified mine to store various user state information. With the exception of the home page, there is going to be some user information that I need from that table. I'm using LINQ, so I include the .LoadWith() to load the User with his list of roles when it serializes.
Jarrett makes some good comments about using database tables.
Just to answer another one of your questions, no, it's not a confidentiality thing to put your OpenID in your code generally. If setting up roles seems overkill for your site, a simple equality check against your ClaimedIdentifier is just perfect.

Resources