0

In my ASP.NET MVC 5 application I need to use custom Authentication. Basically a custom library on which I call a method and which returns an object that contains information about the user.

I've created a new MVC 5 application and selected the "No Authentication" option. Then I've added an Http Module which currently looks like this:

private void Context_AuthenticateRequest(object sender, EventArgs e)
{
    // Make the call to authenticate.
    // This returns an object with user information.
    AuthResult result = new AuthLib().SignOn();

    // Inspect the returned object and create a list claims.
    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.NameIdentifier, result.Username),
        new Claim(ClaimTypes.GivenName, result.Name)
    }
    claims.AddRange(result.Groups.Select(g => new Claim(ClaimType.Role, g));

    // Create principal and attach to context
    var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "Sso");
    HttpContext.Current.User = principal;
    Thread.CurrentPrincipal = principal;
}

private void Context_PostAuthenticateRequest(object sender, EventArgs e)
{
    var principal = ClaimsPrincipal.Current;
    ClaimsAuthenticationManager transformer = FederatedAuthentication.SessionAuthenticationModule.FederationConfiguration.IdentityConfiguration.ClaimsAuthenticationManager;
    transformer.Authenticate(string.Empty, principal);
}

My claimstransformer looks like this:

public override ClaimsPrincipal Authenticate(string resourceName, ClaimsPrincipal incomingPrincipal)
{
    if (!incomingPrincipal.Identity.IsAuthenticated)
    {
        return base.Authenticate(resourceName, incomingPrincipal);
    }

    ClaimsPrincipal newPrincipal = CreateApplicationPrincipal(incomingPrincipal);

    EstablishSession(newPrincipal);

    return newPrincipal;
}

private void EstablishSession(ClaimsPrincipal newPrincipal)
{
    var sessionToken = new SessionSecurityToken(newPrincipal, TimeSpan.FromHours(8));
    FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(sessionToken);
}

private ClaimsPrincipal CreateApplicationPrincipal(ClaimsPrincipal incomingPrincipal)
{
    // Convert AD group to known role in our application.
    string group = incomingPrincipal.FindFirst(ClaimTypes.Role).Value;
    string role = new ADGroupToRoleConverter().ConvertADGroupToRole(group);

    // Add claims for group.
    // These would be loaded from a db.
    List<Claim> claims = new ClaimDb().GetClaimsForRole(role);

    // Just copy the claims for id and given name.
    claims.Add(incomingPrincipal.FindFirst(ClaimTypes.NameIdentifier));
    claims.Add(incomingPrincipal.FindFirst(ClaimTypes.GivenName));

    return new ClaimsPrincipal(new ClaimsIdentity(claims, "MyApp"));
}

The main issue that I'm facing is that the authentication step is called for every request even though a session exists. How can I detect that a session exists and just load the session instead of going through the entire authentication process.

Another issue is that the call to the authentication library might take a while. I guess ideally it should also be moved to the claims transformer?

Any ideas to improve this code further are also very much appreciated.

Please let me know if something is not clear or if I need to provide more detailed information.

Aetherix
  • 2,150
  • 3
  • 24
  • 44
  • 1
    Looks like you need to cache the claims - this looks close to what you are after. http://stackoverflow.com/questions/16904639/simple-claims-transformation-and-caching-w-windows-authentication – Murray Foxcroft May 25 '16 at 11:02

1 Answers1

0

It seems to me that you do not provide authentication information with each request after the authentication. Can you verify that you have some session cookie or authentication header sent with each request after the authentication happens?

Ilya Chernomordik
  • 27,817
  • 27
  • 121
  • 207