5

I'd like to use WebSecurity+SimpleMembership, but implement the ability to (optionally) login users via a custom/alternative authentication method.

WebSecurity.Login only has one method signature, which requires both a username and a password. I'd like to skip the password check, e.g.:

if (MyCustomAuthenticationMethod.Authenticate(username, customData)) {
    WebSecurity.Login(username); // Login without password check, method doesn't exist though
}

I assume custom-auth-methods are possible given OAuthWebSecurity exists, but I'm not sure how to go about implementing my own.

Seth
  • 2,712
  • 3
  • 25
  • 41

2 Answers2

8

Well, you could simply go back to root of authentication and call directly 

FormsAuthentication.SetAuthCookie

This will create cookie and authenticate your user. See Asp.net Memebership Authorization without password

Community
  • 1
  • 1
Kek
  • 3,145
  • 2
  • 20
  • 26
1

They didn't make it easy to login without a password. One method could be to make your own custom OAuth plug-in and simply call it with your own token like this:

OAuthWebSecurity.Login("google", "token", true);

You can find here how to create a custom OAuth provider: http://www.codeguru.com/columns/experts/implementing-oauth-features-in-asp.net-mvc-4.htm

And you can browse the code here: https://github.com/ASP-NET-MVC/aspnetwebstack/blob/master/src/Microsoft.Web.WebPages.OAuth/OAuthWebSecurity.cs

Here is a snippet from OAuthWebSecurity.cs file that shows the internals of how to user is authenticated without password:

 internal static bool LoginCore(HttpContextBase context, string providerName, string providerUserId, bool createPersistentCookie)
    {
        var provider = GetOAuthClient(providerName);
        var securityManager = new OpenAuthSecurityManager(context, provider, OAuthDataProvider);
        return securityManager.Login(providerUserId, createPersistentCookie);
    }

Perhaps someone out there already made this plugin.

bluee
  • 997
  • 8
  • 18