Identity & OWIN
Slavomír Moroz
2015

Authorization
• Authorization filter attributes
  • AuthorizeAttribute
  • AllowAnonymousAttribute
  § https://msdn.microsoft.com/en-us/library/system.web.mvc.authorizeattribute(v=vs.118).aspx
  § https://msdn.microsoft.com/en-us/library/system.web.http.allowanonymousattribute(v=vs.118).aspx
• An action can also signal unauthorized access by returning HttpUnauthorizedResult
  § https://msdn.microsoft.com/en-us/library/system.web.mvc.httpunauthorizedresult(v=vs.118).aspx

Owin
• OWIN defines a standard interface between .NET web servers and web applications.
• Katana - OWIN implementations for Microsoft servers and frameworks

IIS + System.Web vs. OWIN

Owin pipeline

• Explain middleware and System.Web
• install-package Microsoft.Owin, Microsoft.Owin.Host.SystemWeb
• Create Startup.cs
• Explain IAppBuilder
• install-package Microsoft.Owin.Diagnostics
• UseWelcomePage
• Register Startup class
• Explain AppFunc
• Create HelloWorld component
• Call next, show environment in debug
• Write to response body
• Create new OwinContext
• Extension method to register HelloWorld component
• IAppBuilder.Use method with OwinContext - log request path and status code

Owin resources
§ http://www.asp.net/aspnet/overview/owin-and-katana/getting-started-with-owin-and-katana
§ http://benfoster.io/blog/how-to-write-owin-middleware-in-5-different-steps
§ http://www.asp.net/mvc/videos/pluralsight-aspnet-mvc-5-fundamentals (video)
  • “OWIN and katana” chapter

ASP.NET 5 (vNext)
§ http://www.asp.net/vnext

Claim
• A claim is a statement that one subject makes about itself or another subject.
• The statement can be about a name, identity, key, group, privilege, or capability,
  § https://msdn.microsoft.com/en-us/library/ff359101.aspx
  § https://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claimtypes(v=vs.110).aspx
• Pre-defined claim types:

Identity
• Microsoft.Owin.Security
  • Common types which are shared by the various authentication middleware components
  • IAuthenticationManager
    • Interacts with authentication middleware that have been chained in the pipeline.
    • HttpContext.GetOwinContext().Authentication
• Microsoft.Owin.Security.Cookies
  • Middleware that enables an application to use cookie based authentication, similar to ASP.NET's forms authentication.
• Microsoft.AspNet.Identity.Core
  • Core interfaces for ASP.NET Identity.
• Microsoft.AspNet.Identity.EntityFramework
  • ASP.NET Identity providers that use Entity Framework.
• Microsoft.AspNet.Identity.Owin
  • Owin extensions for ASP.NET Identity.

• Rewrite the code to use OWIN cookie auth
• Set antiforgery claim type, explain why
• Show that authorize attributes are working
• Show how to access claims from controller

Identity class overview
§ Microsoft.AspNet.Identity.EntityFramework
• IdentityUser – implementation of IUser
• UserManager – APIs to CRUD user, claim and auth info via UserStore
• RoleManager – APIs to CRUD roles via RoleStore
• UserStore – Talks to data layer to store users, login providers (external auth), user claims, user roles
• RoleStore – Talks to data layer to store roles
• SignInManager (Microsoft.AspNet.Identity.Owin)
  • High level API to sign in users
  • Calls UserManager and IAuthenticationManager internally

• Add User, UserManager, IdentityDbContext
• Enable-Migrations, create seed
• CreatePerOwinContext
• Modify login action, use user manager and IAuthenticationManager
• Use SignInManager
• Show template and all its features
• Explain revalidation – User.Identity vs. DB claims vs. DB data (e.g. permissions table)
• One DbContext vs. multiple. String IDs, soft relationships.
• Mention authentication options, external providers, two factor

Identity resources
§ https://channel9.msdn.com/Series/Customizing-ASPNET-Authentication-with-Identity (video)
  • All videos except 05
§ http://www.asp.net/mvc/videos/pluralsight-aspnet-mvc-5-fundamentals (video)
  • “Identity and Security” chapter
§ http://www.asp.net/identity
  • Complete learning documentation
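
The cookie-auth demo steps listed above (OWIN cookie authentication, the antiforgery claim type, authorize attributes, reading claims in a controller), as an added example that is not code from the original slides. ICredentialCheck, the /Account/Login path, the WhoAmI action and the "Editor" role are assumptions made for illustration.

```csharp
using System.Security.Claims;
using System.Web;                        // GetOwinContext() extension method
using System.Web.Helpers;                // AntiForgeryConfig
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
[assembly: OwinStartup(typeof(Startup))]
// Hypothetical credential check, assumed to be injected by the app's DI container.
public interface ICredentialCheck { bool IsValid(string user, string password); }

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Account/Login"),   // 401s are redirected here
            CookieSecure = CookieSecureOption.Always         // ticket never sent over plain HTTP
        });
        // MVC binds antiforgery tokens to the user. For a ClaimsIdentity it expects nameidentifier
        // and identityprovider claims by default; name the one unique claim this app issues instead.
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
    }
}

public class AccountController : Controller
{
    private readonly ICredentialCheck _check;
    public AccountController(ICredentialCheck check) { _check = check; }
    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(string userName, string password)
    {
        // The cookie middleware turns this 401 into a redirect back to LoginPath.
        if (!_check.IsValid(userName, password)) return new HttpUnauthorizedResult();
        var identity = new ClaimsIdentity(new[] {
            new Claim(ClaimTypes.NameIdentifier, userName), new Claim(ClaimTypes.Name, userName),
            new Claim(ClaimTypes.Role, "Editor") },         // constructed sample role
            CookieAuthenticationDefaults.AuthenticationType);
        HttpContext.GetOwinContext().Authentication.SignIn(identity);
        return RedirectToAction("WhoAmI");
    }

    [Authorize(Roles = "Editor")]                            // satisfied by the Role claim above
    public ActionResult WhoAmI()
    {
        var id = ((ClaimsIdentity)User.Identity).FindFirst(ClaimTypes.NameIdentifier);
        return Content("Signed in as " + id.Value);
    }
}
```

The claims placed in the cookie are a snapshot taken at sign-in; a role removed in the database afterwards stays in effect until the ticket expires or is revalidated.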