
I'm very new to the identity management world, so please spare me. :)

What I would like to do, is to have multiple client (MVC) applications that talk to a single Web API application to authenticate their users against. In that Web API application, I would like to use ASP.NET Identity to talk to a database with users.

That way, I could use SSO for the client applications (I guess).

Does that make sense? Could someone help me on my way to implement this (links are also welcome of course)? I don't know if IdentityServer could help me with what I want?

And as a side question: when I could implement this the way I would like to, how do I deal with the same-origin policy?

DeveTho

3 Answers


Thank you for all the help. :)

I did some research myself during the last few months and I learnt a lot about the identity management stuff. Much of that is also thanks to the guys from IdentityServer (and their other projects).

What I finally did was the following (very briefly):

  • IdentityServer is used as a provider for all client applications. The cookie and OIDC middleware are used.
  • I used the ASP.NET Identity user service to store the users in an SQL Server database. (The IdentityServer configuration is by the way also stored in a database.)
  • I set up a Web API service that uses the ASP.NET Identity user manager for user configuration (change password, create new users, ...). It uses bearer authentication, with IdentityServer as the provider.
  • As a side note, IdentityManager is used as an internal admin tool to manage all the users.

If anyone is looking for some help setting up his / her identity management system (and thinks I can help): please ask. ;)

DeveTho
  • Thanks for the info. How did this go for you? How do you manage roles and permission with this approach? – GutierrezDev May 09 '17 at 01:46
  • @GutierrezDev I still like IdentityServer **a lot**, though, as is usual for security things, it's quite complicated. The roles and permissions (claims) can be managed through their [IdentityManager](https://github.com/IdentityManager/IdentityManager) application (watch out, this is not the newest (.NET Core) version!) and the applications themselves with their (newer) [IdentityAdmin](https://github.com/IdentityServer/IdentityServer3.Admin). Hope it helps! – DeveTho May 11 '17 at 20:25
  • Nice @DeveTho. I'm watching IdentityServer4 too. Thanks for the IdentityAdmin mention. – GutierrezDev May 12 '17 at 04:05
  • @DeveTho, Curious, how do you manage users with different roles on multiple different applications? For example, 1 user will be administrator on 1 app, but not on other. – penleychan Apr 20 '18 at 19:33
  • @penleychan I think you're mixing authentication and authorisation. IdentityServer does the authentication part: it defines which apps can request what data about an end user. Depending on the data given back by the provider, you can allow or deny the user to do a specific thing (authorisation), and this will be different for every type of app. In your case, you could have a specific "role" claim with "App1Admin" a second one with "App2User". If you'd like to go further with your authorization logic: the guys from IdentityServer built this really cool thing recently: https://policyserver.io/ ! – DeveTho Apr 28 '18 at 17:22
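As an added illustration of the setup described in this answer (example code written for this page, not the author's or the IdentityServer project's own), here are the two OWIN pipelines involved: one MVC client that signs users in through IdentityServer with the cookie and OIDC middleware, and the Web API that only validates the bearer tokens IdentityServer issued. It assumes the IdentityServer3-era packages (Microsoft.Owin.Security.OpenIdConnect, IdentityServer3.AccessTokenValidation); the URLs, client id and the "userapi" scope are placeholders.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

namespace ClientMvc
{
    // One MVC client: the cookie middleware holds the local session, the OIDC
    // middleware sends the browser to IdentityServer for the actual login.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Keep claim types as issued ("sub", "role") instead of the long WS-* URIs.
            JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

            app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" });

            app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
            {
                Authority = "https://idsrv.example.test/identity", // placeholder IdentityServer URL
                ClientId = "mvc-app1",                              // placeholder client id
                RedirectUri = "https://app1.example.test/",         // must match the client registration
                ResponseType = "id_token token",                    // implicit flow: id token + access token
                Scope = "openid profile roles userapi",             // "userapi" is the Web API's scope below
                SignInAsAuthenticationType = "Cookies"              // hand the validated identity to the cookie
            });
        }
    }
}

namespace UserApi
{
    // The Web API never sees a password: it only validates bearer tokens issued
    // by the same IdentityServer and requires its own scope on every call.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://idsrv.example.test/identity", // placeholder, same issuer as above
                RequiredScopes = new[] { "userapi" }
            });
        }
    }
}
```

The per-app "role" claims mentioned in the comments above then drive authorisation inside each application (for example `[Authorize(Roles = "App1Admin")]`), while the token's scope and issuer are what the Web API checks before any controller runs.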

Many articles on active profile e.g. Federated Security: How to setup and call a WCF service secured by ADFS 2.0. But that article assumes you want to use AD?

I'm guessing you want to use ASP.NET Identity for the provisioning?

IdentityServer OOTB supports a SQL DB and has basic user provisioning built in. It allows users to authenticate against the DB and supports WIF.

rbrayb
  • Thanks again. :) Sorry if I'm being unclear. I'm just very new to this world, but I've been doing research on it for a couple of days now and I noticed how complex it is (and it should be that way, I guess). :) What I would just like is to use multiple client (MVC) applications (with their own login, registration, user management pages) that, for their authentication (and authorization), talk to a single (Web API) service with all the logic in it. The service then should talk to the data store, whether it is Active Directory or an SQL DB. SSO would be nice, but isn't a requirement. – DeveTho Apr 01 '15 at 20:20
  • I'm not sure that you completely understand what I want to do and that I understand what you mean. :p I don't think I want to use two repositories? The MVC apps shouldn't be in direct contact with the user store. They should, however, be able to access a Web API service that has access to it and contains some logic. I just want to send credentials from the client app to the service and the service should then return a token or something that can then be used for accessing secured pages of the client app and secured methods of the service. But that isn't possible, you say? – DeveTho Apr 02 '15 at 08:07
  • Sorry for my late answer. At the moment, I'm busy implementing IdentityServer for authentication and authorization (and user management using custom services). The IdentityServer would use ASP.NET Identity to talk to the user store (a database). So that would be completely different than what I said in my original question, but I think it would make sense, wouldn't it? I'll post a more extensive answer once I've implemented this further. – DeveTho Apr 18 '15 at 12:53

This scenario is also close to what you need; take a look at the answers:

How to implement an OWIN Authentication server with a MVC Web Api content server and an Android end-user apk

I also recommend reading this article: Decouple OWIN Authorization Server from Resource Server

A-Sharabiani