0

I'd like to implement a "fake" Mixed Authentication using ASP.NET Core Identity and Individual User Accounts as the underlying authorization method.

The process should be like that:

  1. database User table is populated with all employees (i.e. Username is John.Smith or Jane.Smith)
  2. user opens the Intranet app which is deployed on IIS with Windows Authentication enabled
  3. user is authenticated upon AD and its username is DOMAIN\John.Smith
  4. system does another authentication upon database data using John.Smith as a login without password
  5. system issues a new authentication ticket for John.Smith with all its roles and claims fetched from the database

I'm stuck at point 4: where should I do that "fake" authentication?

Alessandro
  • What do you mean with "fake" authentication? The user in the current HTTP context of the HTTP request will already be authenticated against your Active Directory domain. Sounds like you need another custom middleware which will be handled after that authentication to execute your custom database related logic. – Robin Güldenpfennig Jan 08 '20 at 13:17
  • Yes, this is the idea. It is a fake Mixed authentication because the only enabled method would be the Windows one, with the underlying Individual User Account authentication logic transparent to the user. – Alessandro Jan 08 '20 at 13:30
  • I'm not totally sure but I think the `IClaimsTransformer` is the way to go for your requirements: https://benfoster.io/blog/customising-claims-transformation-in-aspnet-core-identity – Robin Güldenpfennig Jan 08 '20 at 16:18

1 Answer

0

You don't need to start a new authentication and issue a new ticket; you can keep using the ticket/principal authenticated by Windows authentication. You can use IClaimsTransformation to associate your current Windows authentication user with a local database user:

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;

public class ClaimsTransformer : IClaimsTransformation
{
    public Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        var id = (ClaimsIdentity)principal.Identity;

        // TransformAsync may be invoked more than once per request (e.g. by
        // several authorization checks); don't stack a second localUserID claim.
        if (principal.HasClaim(c => c.Type == "localUserID"))
        {
            return Task.FromResult(principal);
        }

        // Clone the Windows identity so all of its original claims are kept.
        var ci = new ClaimsIdentity(id.Claims, id.AuthenticationType, id.NameClaimType, id.RoleClaimType);

        // read database and create/check a user in local database, add userID as claim in Principal
        if (....)
        {
            ci.AddClaim(new Claim("localUserID", "XXX"));
        }
        else
        {
            ci.AddClaim(new Claim("localUserID", "XXXX"));
        }

        var cp = new ClaimsPrincipal(ci);

        return Task.FromResult(cp);
    }
}

In IClaimsTransformation, after Windows authentication, you can check/create a local user in your database using the Windows user's id/name, and add an id that identifies the local user in the database to the ClaimsPrincipal, so that next time you can use that claim to identify the local database user when performing user management.

Nan Yu
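The following is an added, complete version of steps 3 to 5 from the question combined with the answer's IClaimsTransformation approach. It is example code written for this page, not the answerer's code and not part of ASP.NET Core itself. It assumes ASP.NET Core Identity with the default `IdentityUser` and `UserManager<IdentityUser>`, IIS Windows Authentication as the only enabled scheme, and the `localUserID` claim name from the answer; `WindowsToIdentityClaimsTransformer`, `StripDomain` and `ClaimsTransformerSetup` are names chosen here. Because no password is ever checked, the only thing that makes the database login trustworthy is the Windows identity IIS established, so the transformer refuses anything that is not an authenticated identity and never reads the user name from a request header or query string.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Server.IISIntegration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;

// Maps the Windows principal (DOMAIN\John.Smith) onto the Identity user
// "John.Smith" and enriches it with that user's database roles and claims.
public class WindowsToIdentityClaimsTransformer : IClaimsTransformation
{
    public const string LocalUserIdClaim = "localUserID";

    private readonly UserManager<IdentityUser> _userManager;
    private readonly ILogger<WindowsToIdentityClaimsTransformer> _logger;

    public WindowsToIdentityClaimsTransformer(
        UserManager<IdentityUser> userManager,
        ILogger<WindowsToIdentityClaimsTransformer> logger)
    {
        _userManager = userManager;
        _logger = logger;
    }

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // Trust only an identity that Windows authentication actually established.
        if (!(principal.Identity is ClaimsIdentity winId) || !winId.IsAuthenticated)
            return principal;

        // TransformAsync can run several times per request; never stack claims.
        if (principal.HasClaim(c => c.Type == LocalUserIdClaim))
            return principal;

        var userName = StripDomain(winId.Name); // "DOMAIN\John.Smith" -> "John.Smith"

        // Step 4 of the question: the "login without password" is just a lookup.
        var user = await _userManager.FindByNameAsync(userName);
        if (user == null)
        {
            // Unknown employee: keep the Windows principal but grant no local roles.
            _logger.LogWarning("Windows user {Name} has no local account", winId.Name);
            return principal;
        }

        // Keep the Windows claims (name, SIDs) but make ClaimTypes.Role the role
        // claim type, so [Authorize(Roles = "...")] is driven by database roles,
        // not by AD group SIDs.
        var ci = new ClaimsIdentity(winId.Claims, winId.AuthenticationType,
                                    winId.NameClaimType, ClaimTypes.Role);

        // Step 5: the local user id plus all roles/claims stored in the database.
        ci.AddClaim(new Claim(LocalUserIdClaim, user.Id));
        foreach (var role in await _userManager.GetRolesAsync(user))
            ci.AddClaim(new Claim(ClaimTypes.Role, role));
        foreach (var claim in await _userManager.GetClaimsAsync(user))
            ci.AddClaim(claim);

        return new ClaimsPrincipal(ci);
    }

    // Accepts "DOMAIN\user" and "user@domain" forms and returns the bare user name.
    public static string StripDomain(string name)
    {
        if (string.IsNullOrEmpty(name)) return string.Empty;
        var backslash = name.LastIndexOf('\\');
        if (backslash >= 0) return name.Substring(backslash + 1);
        var at = name.IndexOf('@');
        return at >= 0 ? name.Substring(0, at) : name;
    }
}

// Registration for Startup.ConfigureServices (call after AddIdentity/AddDefaultIdentity).
public static class ClaimsTransformerSetup
{
    public static void Configure(IServiceCollection services)
    {
        // Windows is the only scheme; for IIS in-process hosting use
        // IISServerDefaults.AuthenticationScheme instead (both are "Windows").
        services.AddAuthentication(IISDefaults.AuthenticationScheme);

        // Scoped is fine: IAuthenticationService itself is scoped and
        // UserManager is scoped too.
        services.AddScoped<IClaimsTransformation, WindowsToIdentityClaimsTransformer>();
    }
}
```

Two design points worth keeping in mind. The transformer deliberately does not auto-create a user for an unknown Windows account: step 1 of the question says the User table is pre-populated, so an unmatched name is a provisioning gap to log, not something to silently fix at request time. And the result of TransformAsync is not persisted anywhere; it is recomputed on every request from the live Windows ticket, so disabling an employee in the database takes effect immediately without any cookie or ticket to revoke.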