I am working on an ASP.NET MVC 5 solution where I now need to implement authentication and authorization. The solution has an external service managing the "heavy work" that will take the username and password on every request and, on successful verification, send back a token with the user's permissions (roles), which should be matched against attributes in the controller.

A request to the external service should be made on every request to my solution. How can I implement this in a simple way in my existing ASP.NET MVC 5 solution? I have looked at Identity and OWIN but they feel overly bloated for what I'm trying to achieve. I've also found some info about Forms auth, but it seems to be deprecated?

The workflow I have tried with is something like this:

A user requests a controller. The controller is marked with an attribute like "Require(Roles="IT")". I implement IAuthenticationFilter and call my service in OnAuthentication to verify the user's request. From the return I will verify that the user is in fact who he says he is and also whether he is permitted to enter the said action on the said controller.

Any input is appreciated as I'm having a hard time finding solid info on how to implement a custom auth-solution. Is there any best practice?

Thanks!

  • Have you tried [IdentityServer4](http://docs.identityserver.io/en/release/)? – rmjoia Oct 13 '17 at 09:55
  • Basically we have a full identity solution rolling as a service which will do the heavy lifting and administration. But now we have a small MVC solution which needs to use this. So what I'm looking for is more of a way to tell MVC to, for each request, ask our identity server for credentials instead of the built-in Identity. –  Oct 13 '17 at 09:58
  • I guess, as you already said, it is a matter of implementing a custom. About best practices, that's mostly an opinion-based question, so you will get a lot of them, or none. [Customizing ASP.NET Authentication with Identity](https://mva.microsoft.com/en-us/training-courses/customizing-asp-net-authentication-with-identity-8647), [Implementing custom authentication (MVC5)](https://stackoverflow.com/questions/39612257/implementing-custom-authentication-mvc5). Usually I go with IdentityServer, sorry, can't help much :( – rmjoia Oct 13 '17 at 10:04

1 Answer

MVC builds upon ASP.NET's interfaces IPrincipal and IIdentity. If you implement these interfaces, you can tap into the existing [Authorize] / [AllowAnonymous] attribute functionality of MVC and only extend it if you need some functionality other than users/roles.

I won't repeat the implementation here - there are several posts about how to properly implement these interfaces (which should be set in the Application_PostAuthenticateRequest event in ASP.NET/MVC).

NightOwl888
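A sketch of the approach the answer describes, added here as an illustration and not taken from the answer or from any linked post: a custom `IPrincipal` built from the external service's response and assigned in `Application_PostAuthenticateRequest`, so the stock `[Authorize(Roles = "IT")]` attribute works unchanged. `IExternalAuthClient`, `VerifiedUser`, `ServicePrincipal` and the static `AuthClient` field are hypothetical names; how credentials reach the service is left to the client implementation.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Threading;
using System.Web;

// Hypothetical result returned by the external identity service.
public sealed class VerifiedUser
{
    public string UserName { get; set; }
    public IEnumerable<string> Roles { get; set; }
}

// Hypothetical client; Verify returns null when the service rejects the request.
public interface IExternalAuthClient { VerifiedUser Verify(HttpRequest request); }

public sealed class ServicePrincipal : IPrincipal
{
    private readonly HashSet<string> _roles;

    public ServicePrincipal(VerifiedUser user)
    {
        Identity = new GenericIdentity(user.UserName, "ExternalService");
        // Roles come only from the service response, never from client input.
        _roles = new HashSet<string>(user.Roles ?? new string[0], StringComparer.OrdinalIgnoreCase);
    }

    public IIdentity Identity { get; private set; }

    // [Authorize(Roles = "...")] calls this once per listed role.
    public bool IsInRole(string role) { return role != null && _roles.Contains(role); }
}

public class MvcApplication : HttpApplication
{
    // Assumption: assigned once at startup, e.g. in Application_Start.
    public static IExternalAuthClient AuthClient;

    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        VerifiedUser user = AuthClient.Verify(Request);
        IPrincipal principal;
        if (user == null || string.IsNullOrEmpty(user.UserName))
            // Fail closed: an empty name gives IsAuthenticated == false, so [Authorize] rejects.
            principal = new GenericPrincipal(new GenericIdentity(string.Empty), new string[0]);
        else
            principal = new ServicePrincipal(user);

        Context.User = principal;            // read by MVC's [Authorize]
        Thread.CurrentPrincipal = principal; // keeps thread-based checks consistent
    }
}
```

An exception thrown by `Verify` surfaces as a server error rather than an authenticated request, so a service outage also fails closed.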