
I have this ASP.NET MVC 5 site which uses ASP.NET Identity (pre-2.0); the site comes with a WebAPI. I have a Windows Phone app which will consume services from this site, for which I want to validate the user account, so from the WP app I will ask for username and password and send them to the server to be validated. Now, I'd like to employ the same hashing technique ASP.NET Identity is already using on the phone, so I can just send the hash and compare it on the other side, but I am not sure what hash it uses. Plus, it seems to be using some sort of salt, because I have a couple of test user accounts with the same password but different hashes; maybe it's the SecurityStamp? I would prefer not to send the plain-text password over the wire; I'm pretty sure that's a huge no-no.

How should I approach this issue?

Thank you

SoManyGoblins

1 Answer


I won't steal the thunder of the excellent existing answer, which explains how ASP.NET Identity performs the hashing under the hood.

That being said, this problem is actually much easier than you think. You can send the "plain text" password over the wire, but you need to be sending it over SSL/TLS! This is actually how most websites send your credentials: the entire HTTP request is encrypted while going over the wire. The easy solution is to get yourself a certificate and stand up a web server that does SSL/TLS.

To actually answer the question (even though I don't believe this is the correct solution): while it looks like you can get the source for how the hashing is performed, I wouldn't recommend implementing it on the client side. The reason is: what if you upgrade to a newer version of ASP.NET Identity? You would need to track down the source code and update the hashing method in your client-side application. How would your users get the new hashing method on their device? They would need to upgrade to the latest version of your application. So now you're stuck with users who can't authenticate until they upgrade the application, because your server-side version has been upgraded.

Justin Helgerson
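An added illustration, written for this page and not code from the question, the answer, or ASP.NET Identity itself: the PasswordHasher shipped with ASP.NET Identity 1.x derives a 32-byte PBKDF2-HMAC-SHA1 subkey from the UTF-8 password with a fresh random 16-byte salt and 1000 iterations, and stores base64(0x00 || salt || subkey). The Python below reproduces that layout so you can see why two accounts with the same password get different stored hashes (the salt is random per hash; it is not the SecurityStamp), and what the server does with the plain-text password it receives over TLS: it pulls the salt out of the stored value, re-derives the subkey and compares in constant time. The user names, passwords and the `login` endpoint are constructed sample data and a hypothetical handler, not anything from the asker's site.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

# Parameters of the PasswordHasher in ASP.NET Identity 1.x (Microsoft.AspNet.Identity.Crypto):
# PBKDF2 with HMAC-SHA1, 1000 iterations, 16-byte random salt, 32-byte subkey,
# stored as base64(0x00 || salt || subkey). .NET's Rfc2898DeriveBytes encodes the password as UTF-8.
ITERATIONS = 1000
SALT_LEN = 16
SUBKEY_LEN = 32
FORMAT_MARKER = b"\x00"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a stored-hash string in the Identity v1 layout.

    A fresh random salt is drawn for every call unless one is supplied (supplying
    one is only useful for deterministic tests). That is why two users with the
    same password end up with different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    subkey = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)
    return base64.b64encode(FORMAT_MARKER + salt + subkey).decode("ascii")


def verify_password(stored: str, password: str) -> bool:
    """Server-side check: recover the salt from the stored value, re-derive, compare.

    The client cannot perform this step without first being told the user's salt,
    which is the practical reason the plain password travels (over TLS) and is
    hashed here rather than on the phone.
    """
    try:
        blob = base64.b64decode(stored, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    if len(blob) != 1 + SALT_LEN + SUBKEY_LEN or blob[:1] != FORMAT_MARKER:
        return False
    salt = blob[1:1 + SALT_LEN]
    stored_subkey = blob[1 + SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, SUBKEY_LEN)
    # Constant-time comparison so a mismatch does not leak how many leading bytes matched.
    return hmac.compare_digest(candidate, stored_subkey)


# Constructed sample user store standing in for what the WebAPI reads from its database.
# Both accounts deliberately share a password, mirroring the asker's test accounts.
SAMPLE_PASSWORD = "correct horse battery staple"
USERS: Dict[str, str] = {
    "alice": hash_password(SAMPLE_PASSWORD),
    "bob": hash_password(SAMPLE_PASSWORD),
}
# Hash checked for unknown user names so response time does not reveal whether a user exists.
DUMMY_HASH = hash_password("dummy")


def login(username: str, password: str, users: Dict[str, str] = USERS) -> bool:
    """Hypothetical login handler: what runs server-side once TLS has delivered the credentials."""
    stored = users.get(username)
    if stored is None:
        verify_password(DUMMY_HASH, password)
        return False
    return verify_password(stored, password)


if __name__ == "__main__":
    print("alice and bob hashes differ:", USERS["alice"] != USERS["bob"])
    print("alice login:", login("alice", SAMPLE_PASSWORD))
    print("bob login:", login("bob", SAMPLE_PASSWORD))
    print("wrong password:", login("alice", "Correct horse battery staple"))
```

Because the salt is embedded in each stored value, the phone would have to fetch the user's salt before it could compute anything comparable, and whatever it then sent would itself become the credential to steal; keeping the derivation on the server behind TLS avoids both problems and leaves the hash parameters free to change with the Identity version.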