
I am new to ASP.NET Core applications, and I would like your help. Basically, I have designed a new ASP.NET Core 5.0 web (MVC) application.

I need to use a third-party in-house authentication. The instructions on how to implement the third-party authentication are as follows.

Step 1: Check for Cookie

CheckCookie

Step 2: Validate Cookie

ValidateCookie

  1. The third-party application/web service sets the cookie. This application would be on the same domain as the ASP.NET Core application.
  2. Validation of the cookie value/token is done by a WCF call to the third-party service; it also supports REST.
  3. The tokenObj would also contain information on the roles of the logged-in user for the specific ASP.NET Core application. How do I go about implementing this in the Authorization model?

Summary: The ASP.NET Core MVC application does not perform any authentication or take the user's credentials. As per the instructions, it should simply check for a specific cookie; if the cookie is not present, redirect to the 3rd party app for login; if the cookie is present, then validate it against the web service, which would provide details of the user, including roles.

I have read a few articles on cookie validation and claims identity, but I am a bit confused as to how to implement this procedure the correct way in ASP.NET Core.

Any help would be greatly appreciated.

Telson Alva
  • Is this an MVC web application? – John Wu Mar 18 '21 at 07:19
  • Yes, I have amended the description with that detail now. – Telson Alva Mar 18 '21 at 07:35
  • [Custom authentication and ASP.NET MVC](https://stackoverflow.com/a/18594643/2791540) – John Wu Mar 18 '21 at 08:53
  • Not exactly what I was looking for; the post you referred to states to use forms authentication. Here the MVC application does not perform any authentication or take the user's credentials. As per the instructions, it should simply check for the cookie; if the cookie is not present, redirect to the 3rd party app; if the cookie is present, then validate it against the web service, which would provide details of the user, including roles. – Telson Alva Mar 18 '21 at 10:41
  • Sounds to me like your web site is indeed authenticating the user, but instead of displaying a form and collecting a password, it is checking for a cookie; and instead of validating the password against a database, it is validating the cookie against a service. That is not much of a stretch. The alternative would be to treat this third party cookie as a *session* cookie, meaning you'd have to validate it on each and every HTTP request. Is the service performant enough to support that? Are you willing to write your own authorization filter or authentication module? – John Wu Mar 18 '21 at 15:55
  • Yes, looks like that is the way to go, write my own authentication module/middleware. But is that the best option? – Telson Alva Mar 18 '21 at 18:33
  • If your core business is writing frameworks for web sites, that’s a good option. If your core business is selling a product or service, a bespoke authentication module is a code asset you have to maintain that adds no value to your business. I would do it the easier way. – John Wu Mar 18 '21 at 23:38
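
Added example (not part of the question or its comments): the check-cookie / validate / redirect procedure described in the question, written as a custom ASP.NET Core authentication handler. `ITokenValidator`, `TokenInfo`, the cookie name `SsoToken`, the login URL and the `returnUrl` query parameter are assumptions standing in for the third-party service's real contract.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical wrapper around the third party's WCF/REST validation call.
public record TokenInfo(string UserName, IReadOnlyList<string> Roles);
public interface ITokenValidator { Task<TokenInfo> ValidateAsync(string token); } // null = invalid

public class SsoCookieOptions : AuthenticationSchemeOptions
{
    public string CookieName { get; set; } = "SsoToken";                    // assumed name
    public string LoginUrl { get; set; } = "https://sso.example.com/login"; // placeholder
}

public class SsoCookieHandler : AuthenticationHandler<SsoCookieOptions>
{
    private readonly ITokenValidator _validator;
    public SsoCookieHandler(IOptionsMonitor<SsoCookieOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock, ITokenValidator validator)
        : base(options, logger, encoder, clock) => _validator = validator;

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Step 1: no cookie means anonymous; [Authorize] then triggers the challenge below.
        if (!Request.Cookies.TryGetValue(Options.CookieName, out var token) || string.IsNullOrEmpty(token))
            return AuthenticateResult.NoResult();
        // Step 2: the cookie value is untrusted input; only the service's answer counts.
        var info = await _validator.ValidateAsync(token);
        if (info == null) return AuthenticateResult.Fail("Token rejected by validation service");
        // Roles become role claims so [Authorize(Roles = "...")] works unchanged.
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, info.UserName) };
        claims.AddRange(info.Roles.Select(r => new Claim(ClaimTypes.Role, r)));
        var identity = new ClaimsIdentity(claims, Scheme.Name);
        return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name));
    }

    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        // Missing or rejected cookie: send the browser to the third-party login page.
        var returnUrl = System.Uri.EscapeDataString(Request.GetEncodedUrl());
        Response.Redirect($"{Options.LoginUrl}?returnUrl={returnUrl}");
        return Task.CompletedTask;
    }
}
```

Register it in `ConfigureServices` with `services.AddAuthentication("Sso").AddScheme<SsoCookieOptions, SsoCookieHandler>("Sso", null)` plus an `ITokenValidator` implementation, and call `app.UseAuthentication()` before `app.UseAuthorization()`. As written, the handler calls the validation service on every request, which is the per-request cost raised in the comments above.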

1 Answer