What solutions have people come up with to develop their web applications offline when they made the decision to use OpenId for site membership?
Couple of ideas:
Create two login pages one for OpenId and one for ASP.NET Membership
Create local OpenId provider with test accounts
Any thoughts?
You could use an inversion of control container to contain your OpenID implementation and for a quick implementation you could use Moq to provide preconfigured responses.
Just mock it!
I hardwire my login.aspx page to always do:
FormsAuthentication.RedirectFromLoginPage("http://blog.nerdbank.net/")
or something like that based on some variable. That way, I don't actually log in using OpenId but it looks to the rest of the web site like I did.
Just be sure to either revert the change, or make it based on some condition that is only true in development. :)
Related
I have a problem with Owin. It's old and not much appreciated anymore. Moreover, it's really not workable in ISS when combined with .NET Remoting.
I really need to know if any other security middle layer exists which can be plugged and can be used to read Claims and tokens sent to the Web server from the client side. ( Probably access_token accessed using adal.net )
For example in Startup, can anything else be used?
I really don't want to use OWIN.
There is no solution other than using OWIN, apart from maybe creating custom middleware.
Why do you not want to use it? Without OWIN you may be able to achieve what you want through System.Web or with the HTTP abstractions that come with ASP.NET 5. But then you'll need to support different runtimes and it will be a lot more complex.
OWIN is supported by all the ASP.NET worlds so it's really the best and only option.
https://learn.microsoft.com/en-us/aspnet/core/fundamentals/middleware/?view=aspnetcore-2.1
I'm developing Asp .Net(MVC3) web application for my company.Some users use this site in internal network and some will use internet site.I've to Authenticate Users using the website.How can i do it?
Whether it is possible to check the Authentication code only after deploying the Solution? How can i check it in my local solution?Can Anyone Explain Step by step Process involved in this?
Its hard to give you a step by step procedure given that I don't know much about your infrastructure, or your dev environment.
With that said, it sounds like you want forms authentication for your external site, and integrated authentication for your internal. In both cases, the back end authentication would be done by Active Directory. A VERY common scenario.
All you need to know is the right terms to use, and you'll quickly find examples online. Google up something like "mix form and windows authentication mvc". But again, given all the different versions of IIS and MVC, there are quite a few scenarios so you may not find a definitive guide and instead you'll have to wind up evaluating each and mashing up a solution for your environment.
I have a website and I wanted to become an open ID publisher. How to do that?
Depending on your exact requirements, you might want to try OpenID delegation instead. You can then use your website as a layer of abstraction over a third party provider.
As you're building for asp.net - take a look at DotNetOpenAuth. It's a free, open-source library that can make your asp.net webrite an OpenID provider (your website can be used to identify you) or a relying party (users can log in on your website using OpenID).
In fact, StackOverflow uses it as well, and so do I. It has a number of examples, and it's pretty reliable and secure.. Definitely recommended! :)
If you just want to run your own identity server, then a good place to start looking is here. I run phpMyID on my site that acts as an openID server for me, it was easy to set up, seems to work, and no-one has stolen my identity ..yet.
Setup:
Multiple web servers with synchronized
forms authentication.
Multiple asp.net Applications running on these severs.
What's working:
SSO across all servers
Authorization using asp.net roles
What's not so good:
All roles are "global" - I have "admin-app1" and "admin-app2" etc.
Question:
I know this can be solved by defining different "ApplicationNames" for each of the different applications but what is the most easy way to compile a list of all the different applications a logged on user has a role in?
I would like to do something similar to: CurrentUser.Applications()
to get a list of "all applications in which the current user has any role".
Up to now I have used Roles.GetRolesForUser() to compile the list not very elegant or scalable.
Using the SqlRoleProvider I can hack inte the DB to get the complete list of Applications and then compile an application list for the user by query the different application's role providers. My best shot so far but it doesn't feel like the best solution...
Any hints or comments?
BR, Jens
I have come to the conclusion that this cannot be done using the framework.
Anyone who tries to do something similar e.g. buiding a dashboard of all asp.net applications hosted has either to maintain the list of applications separately or hack into the sql tables if you are using the SqlRoleProvider .
Happy hacking!
/Jens
I think ApplicationName is for completely separating applications while using the same database. Are you sure you can link users in one application name to roles in another?
Your best bet is probably to keep the same application name and implement a custom role provider.
http://msdn.microsoft.com/en-us/library/8fw7xh74.aspx
In my current project, we need to authenticate users of an ASP.NET application against Active Directory. I think it can be achieved using the membership provider without too much problems. but we need also to manage user roles that will be kept in the ASP roles management tool.
Did anyone implement this configuration? Does it look feasible?
Any tip for one or the other point?
Thanks.
David
Yes! The ASP.NET role provider is designed to work exactly in that case - the particulars of the authentication provider are irrelevant to the role provider, and it will store the bare essential information to make the two work together - basically the user's AD identity (domain\user) is tracked in the role database and matched up when necessary.
There is an ActiveDirectoryMembershipProvider that can be used to use Active Directory for authenticating users.
Alternatively, you could roll your own MembershipProvider by extending the abstract MembershipProvider class and then use System.DirectoryServices to check against Active Directory when validating a user (ValidateUser method of MembershipProvider). This is pretty straightforward to do and you need only implement the methods that you actually need in the custom provider.
You might consider implementing your own RoleProvider too, depending on whether the default fits your needs.
Use it all the time, intranet only of course.
You may be interested in the WindowsTokenCachingRoleProvider. In scenarios where performance is essential, this really shines:
http://lvildosola.blogspot.com/2007/02/improve-performance-when-using.html
Simple and elegant.
Please take a look at this question, seems like you're asking for pretty much the same thing, and my answer there should give you what you need.
ASP.NET Membership and Role providers that can be used from ASP.NET and WinForms/WPF clients as needed.