0

I am trying to share authentication and authorization between different web applications (asp.net application and a MVC4 Application).

I read that you should set the machine key and those values to be the same between the sites. I have done this and the authentication is working properly.

But now in the MVC Application i want to use the Authorize attribute to make sure users can only see what the are supposed to see. This is not working.

I also checked.

When I call User.IsInRole("Admin") from the ASP.Net application(this is where the login is done) the value returned is true, but then when navigating to the MVC application the same call returns false.

It seems that the roles is not being shared across the application, is it possible to get is working or should i Create a custom Authorize Attribute ?

thanks in davance

Captain0
  • 2,583
  • 2
  • 28
  • 44

1 Answers1

1

The more applications you have, the more problematic it is to share the forms cookie. And ultimately, if two applications are on different domains (something.foo.com and somethingelse.bar.com) this won't work as you can't force your browser to submit a cookie to two different domains.

This only works if you have manual control over your forms cookie and issue it for .yourdomain.com top level domain and you have your applications in subdomains (app1.yourdomain.com, app2.yourdomain.com). And this could be a serious restriction.

What you could possibly do is to externalize your authentication, i.e. create a separate web application with the sole goal to authenticate and authorize your users. You pick one of Single Sign-on protocols (WS-Federation, OAuth2, OpenID) and federate your application environment around this authentication provider.

It possibly sounds difficult, especially if this is new to you but if you invest your time, there are only benefits.

Wiktor Zychla
  • 47,367
  • 6
  • 74
  • 106
  • I doubt the application will be on separate domains. Do you now of a way to get the roles through to the second application though ? – Captain0 Aug 16 '12 at 08:01
  • Yes. The trick is that when you create your forms cookie, you store roles in userdata section of the forms cookie in a form "role1|role2|...". Then you provide your own role provider which reads roles from the userdata section of the forms cookie. This way, if your apps share the forms cookie, they also share roles. – Wiktor Zychla Aug 16 '12 at 08:09
  • Do you think WIF is the way to implement a single sign on solution for this ? – Captain0 Aug 16 '12 at 09:30
  • Definitely yes if you want to take the longer but more profitable route. – Wiktor Zychla Aug 16 '12 at 09:34