Identity & stuff
Slavomír Moroz, 2016

Action constraint
• Supports conditional logic to determine whether or not an associated action is valid to be selected for the given request.
• Inherits Attribute, IActionConstraint
• Examples: [HttpGet], [HttpPost]
• https://docs.asp.net/en/latest/mvc/controllers/routing.html#understanding-iactionconstraint

Action filters
• Filters in ASP.NET MVC allow you to run code before or after a particular stage in the execution pipeline. Filters can be configured globally, per-controller, or per-action.
• Filter types: Authorization, Resource, Action, Exception, Result
• Different filter types run at different points within the pipeline.
• https://docs.asp.net/en/latest/mvc/controllers/filters.html
Notes: Show diagrams from the link.

Authorization filters
• Authorization filters are used to determine whether the current user is authorized for the request being made.
• Authorization filter attributes: AuthorizeAttribute, AllowAnonymousAttribute
• https://docs.asp.net/en/latest/mvc/controllers/filters.html#authorization-filters
• https://docs.asp.net/en/latest/security/authorization/simple.html
Notes: Todo: custom auth attribute.

Claim
• A claim is a statement that one subject makes about itself or another subject.
• The statement can be about a name, identity, key, group, privilege, or capability.
• Pre-defined claim types: https://msdn.microsoft.com/en-us/library/system.identitymodel.claims.claimtypes(v=vs.110).aspx
Notes: ClaimsPrincipal -> ClaimsIdentity vs custom Identity.

Identity
• ASP.NET Core Identity is a membership system which allows you to add login functionality to your application. Users can create an account and log in with a user name and password, or they can use external login providers such as Facebook, Google, Microsoft Account, Twitter and more.
• You can configure ASP.NET Core Identity to use a SQL Server database to store user names, passwords, and profile data. Alternatively, you can use your own persistent store to keep the data in another persistent storage, such as Azure Table Storage.
• https://docs.asp.net/en/latest/security/authentication/identity.html
Notes: Requires a database.

Cookie Middleware
• Serializes a user claims principal into an encrypted cookie and then, on subsequent requests, validates the cookie, recreates the principal and assigns it to the User property on HttpContext.
• If you want to provide your own login screens and user databases, you can use the cookie middleware as a standalone feature.
• https://docs.asp.net/en/latest/security/authentication/cookie.html
Notes: Custom backend: AuthRocket example. Show code, remove the Authorize attribute from the Games.Details action.

Authorization
• Declarative
  • Simple or policy based
  • Defined at code level
  • Not suitable for multitenant applications
  • Leverages authorization filters
• Imperative
  • Authorization per resource, handled by our own code
  • Leverages ChallengeResult
• https://docs.asp.net/en/latest/security/authorization/index.html
Notes: Show simple auth attribute and claim policy. Explain custom policy on the doc. Limitations of the cookie if not mentioned before: cookie length, claims validation. Explain resource authorization and why they need it: resources are not loaded with the declarative approach (declarative vs imperative). ChallengeResult: show the example in the doc. Mention scheme (middleware targeting) and the RedirectUri properties of ChallengeResult.

Identity
• Microsoft.AspNetCore.Identity: the core set of interfaces for ASP.NET Core Identity.
• Microsoft.AspNetCore.Authentication.Cookies: middleware that enables an application to use cookie based authentication.
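An added example, not code from the deck or from the ASP.NET docs, of the standalone cookie middleware described on the Cookie Middleware slide: a custom login screen that builds a ClaimsIdentity from pre-defined claim types, signs it into the cookie, and re-validates the principal on every request. It assumes ASP.NET Core 2.x or later; IUserStore, CookieAuthSetup and AccountController are hypothetical names.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user store behind the custom login screen (constructed for this example).
public interface IUserStore
{
    Task<string> ValidateAsync(string userName, string password); // returns user id, or null
    Task<bool> IsActiveAsync(string userId);
}
public static class CookieAuthSetup
{
    // Called from Startup.ConfigureServices; Startup.Configure must add app.UseAuthentication() before app.UseMvc().
    public static void Register(IServiceCollection services) =>
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme).AddCookie(o =>
        {
            o.LoginPath = "/Account/Login";                       // where a ChallengeResult redirects
            o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            // The claims live in the encrypted cookie, not in the store, so a disabled user
            // stays signed in until expiry unless the principal is re-checked on each request.
            o.Events.OnValidatePrincipal = async ctx =>
            {
                var store = ctx.HttpContext.RequestServices.GetRequiredService<IUserStore>();
                var id = ctx.Principal.FindFirst(ClaimTypes.NameIdentifier)?.Value;
                if (id != null && await store.IsActiveAsync(id)) return;
                ctx.RejectPrincipal();                            // request continues as anonymous
                await ctx.HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
            };
        });
}
public class AccountController : Controller
{
    private readonly IUserStore _users;
    public AccountController(IUserStore users) => _users = users;
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, string returnUrl)
    {
        var userId = await _users.ValidateAsync(userName, password);
        if (userId == null) { ModelState.AddModelError("", "Invalid user name or password."); return View(); }
        // Keep the claim set small: every claim is serialized into the cookie, which has a size limit.
        var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, userId));
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
        // Only local return URLs, so a crafted returnUrl cannot turn login into an open redirect.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```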
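An added example, not from the deck or the ASP.NET docs, of the imperative, resource-based authorization the Authorization slide contrasts with declarative [Authorize]: the Games.Details action loads the resource first, asks IAuthorizationService, and answers with ChallengeResult or ForbidResult. It assumes ASP.NET Core 2.x or later; Game, IGameRepository, the "GameOwner" policy and the handler are hypothetical names.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical resource and data access (constructed for this example).
public class Game { public int Id { get; set; } public string OwnerId { get; set; } public string Title { get; set; } }
public interface IGameRepository { Task<Game> FindAsync(int id); }

// The requirement is only a marker; the handler below holds the rule.
public class GameOwnerRequirement : IAuthorizationRequirement { }

// Resource-aware handler: gets the already loaded Game, which an [Authorize] filter never sees.
public class GameOwnerHandler : AuthorizationHandler<GameOwnerRequirement, Game>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, GameOwnerRequirement requirement, Game game)
    {
        var userId = context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value;
        if (userId != null && userId == game.OwnerId)
            context.Succeed(requirement);
        // Not calling Fail() leaves room for another handler (e.g. an admin rule) to succeed.
        return Task.CompletedTask;
    }
}

// Startup.ConfigureServices registration (assumed):
//   services.AddAuthorization(o => o.AddPolicy("GameOwner", p => p.Requirements.Add(new GameOwnerRequirement())));
//   services.AddSingleton<IAuthorizationHandler, GameOwnerHandler>();
public class GamesController : Controller
{
    private readonly IAuthorizationService _authorization;
    private readonly IGameRepository _games;
    public GamesController(IAuthorizationService authorization, IGameRepository games)
    { _authorization = authorization; _games = games; }

    // No [Authorize] on this action: the decision needs the loaded resource.
    public async Task<IActionResult> Details(int id)
    {
        var game = await _games.FindAsync(id);
        if (game == null) return NotFound();

        var result = await _authorization.AuthorizeAsync(User, game, "GameOwner");
        if (result.Succeeded) return View(game);

        // Anonymous: ChallengeResult redirects to the login page; signed in but not the owner: 403.
        return User.Identity.IsAuthenticated ? (IActionResult)Forbid() : Challenge();
    }
}
```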
Notes: Mention the available providers. Explain why they can't use EF6 with Microsoft.AspNetCore.Identity on .NET 4.6 (the compatibility provider requires .NET Standard 1.6, which is available only in Core projects). Show the template with Entity Framework Core.

Identity class overview
• IdentityUser: implementation of IUser
• UserManager: APIs to CRUD users, claims and auth info via UserStore
• RoleManager: APIs to CRUD roles via RoleStore
• UserStore: talks to the data layer to store users, login providers (external auth), user claims, user roles
• RoleStore: talks to the data layer to store roles
• SignInManager: high level API to sign in users

Identity & OWIN

OAuth
Notes: Add the Google middleware, set up a Google app at https://console.developers.google.com/. Do not forget to enable the Social API. Set up the middleware, add a login button, show the claims in debug. Show the middleware side by side, scheme (middleware identification). Show the sample with redirect URIs and Google user activation.

View components
• Similar to partial views
• Intended anywhere you have reusable rendering logic that is too complex for a partial view
• Can have parameters and business logic
• https://docs.asp.net/en/latest/mvc/views/view-components.html
Notes: Show the view component in the Google auth sample project.

Resources
• https://docs.asp.net/en/latest/security/authentication/index.html
• https://docs.asp.net/en/latest/security/authorization/index.html
Notes: New syllabus.