
I'm trying to separate an ASP.NET MVC login client from an authentication server that will use bearer tokens and will contain all the authentication business logic. Those two things sit in two different web roles.

I'm pretty much done using the current implementation of Identity 2.0.

The UserManager and UserStore sit in the AuthServer, and the login client knows nothing about the userId, only the UserName.

For now, to generate the claims of a user in the client project, I use this implementation:

public async Task<ClaimsIdentity> GenerateUserIdentityAsync()
{
    // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType
    var claims = new List<Claim>()
    {
        // Same URIs as ClaimTypes.Name and ClaimTypes.NameIdentifier; the client has no userId, so the name is used for both
        new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name", this.UserName),
        new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", this.UserName),
        new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity"),
    };
    var claimsIdentity = new ClaimsIdentity(claims, DefaultAuthenticationTypes.ApplicationCookie);

    // No UserManager in this project, so the "AspNet.Identity.SecurityStamp" claim it would add is missing
    //var userIdentity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);

    // Add custom user claims here

    return claimsIdentity;
}

As you can see, I got rid of the manager here, but I'm afraid I'm missing some security features, like the CookieAuthenticationProvider in Startup.Auth.cs, which makes use of the SecurityStamp of the users.

Provider = new CookieAuthenticationProvider
{
    // Re-checks the user's SecurityStamp against the store every 30 minutes and rebuilds the cookie identity
    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
        validateInterval: TimeSpan.FromMinutes(30),
        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync())
}

I tried to call the GenerateUserIdentityAsync of the AuthServer, which calls the manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie) function, but I need the userID for that, something the client knows nothing about.

Any ideas? The code of CreateIdentityAsync does not seem to be open source.

Thanks and sorry for the long post.


1 Answer


I just called the AuthenticationServer API, authenticated by the bearer token in the Authorization header. AuthServerProxy has been passed the bearer token taken from a cookie.

public async Task<ClaimsIdentity> GenerateUserIdentityAsync()
{
    // Note the authenticationType must match the one defined in CookieAuthenticationOptions.AuthenticationType

    // The proxy sends the bearer token in the Authorization header; the auth server builds the identity from its UserManager
    var userIdentity = await AuthServerProxy.CreateIdentityAsync(DefaultAuthenticationTypes.ApplicationCookie);

    // Add custom user claims here

    return userIdentity;
}

I call the Authentication Server with the Authorization header (bearer token):

[Authorize] // the bearer token middleware must have authenticated the caller, otherwise GetUserId() is null
[Route("CreateIdentity")]
public async Task<IHttpActionResult> CreateIdentity([FromBody] string authenticationType)
{
    // User.Identity here is the identity the bearer token middleware built from the token
    ApplicationUser user = await UserManager.FindByIdAsync(User.Identity.GetUserId());
    ClaimsIdentity userIdentity = await user.GenerateUserIdentityAsync(UserManager, authenticationType);
    // Returned directly here; a ClaimsIdentity does not JSON-serialize cleanly (Claim.Subject refers back to the identity),
    // so a flat list of claim type/value pairs is easier for the client to consume
    return Ok(userIdentity);
}

Therefore, there is no more UserManager in the login client web role. This can be cleaned up more, but at least SoC is respected and EF disappeared from the client.
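The part of the stock setup the question was worried about losing is `SecurityStampValidator.OnValidateIdentity`: the periodic check that the stamp inside the cookie still matches the one in the store, so that a password change or "sign out everywhere" on the auth server actually invalidates cookies held by the login client. Once the cookie identity comes from the auth server's `UserManager.CreateIdentityAsync` (as in the answer) it carries the `AspNet.Identity.SecurityStamp` claim, so the same check can be done from the client by asking the auth server. The following is an added example, not code from the question or the answer: a client-side replacement for the stock validator that delegates both the stamp check and the identity refresh to the auth server over HTTP. `IAuthServerProxy`, `HttpAuthServerProxy`, `ClaimDto`, the two endpoint paths and the cookie name `AuthServerToken` are names assumed for this example; the auth server endpoints are assumed to compare the posted stamp with `UserManager.GetSecurityStampAsync` and to return the identity as a flat list of type/value pairs.

```csharp
// Added example (not the question's or the answer's code): SecurityStampValidator for a login web role
// that has no UserManager. Names marked "assumed" are inventions for this example.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;
using Newtonsoft.Json;

// Wire format for one claim; avoids serializing ClaimsIdentity itself (Claim.Subject would loop).
public class ClaimDto { public string Type { get; set; } public string Value { get; set; } }

public interface IAuthServerProxy
{
    Task<bool> ValidateSecurityStampAsync(string securityStamp, string bearerToken);
    Task<IList<ClaimDto>> GetClaimsAsync(string authenticationType, string bearerToken);
}

// Calls two assumed auth-server endpoints, authenticated by the bearer token of the current user.
public class HttpAuthServerProxy : IAuthServerProxy
{
    private readonly HttpClient _http;
    public HttpAuthServerProxy(HttpClient http) { _http = http; }

    // Returns the response body, or null when the auth server no longer accepts the token (401/403 etc.).
    private async Task<string> PostJsonAsync(string path, object body, string bearerToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Post, path)
        {
            Content = new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json")
        };
        // Per-request header instead of DefaultRequestHeaders, so one HttpClient can serve many users safely.
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", bearerToken);
        HttpResponseMessage response = await _http.SendAsync(request);
        if (!response.IsSuccessStatusCode) return null;
        return await response.Content.ReadAsStringAsync();
    }

    public async Task<bool> ValidateSecurityStampAsync(string securityStamp, string bearerToken)
    {
        // Assumed endpoint: server compares the stamp with UserManager.GetSecurityStampAsync(userId) and returns true/false.
        string json = await PostJsonAsync("api/Account/ValidateSecurityStamp", new { SecurityStamp = securityStamp }, bearerToken);
        return json != null && JsonConvert.DeserializeObject<bool>(json);
    }

    public async Task<IList<ClaimDto>> GetClaimsAsync(string authenticationType, string bearerToken)
    {
        // Assumed endpoint: the answer's CreateIdentity, returning List<ClaimDto> instead of a ClaimsIdentity.
        string json = await PostJsonAsync("api/Account/CreateIdentity", new { AuthenticationType = authenticationType }, bearerToken);
        return json == null ? null : JsonConvert.DeserializeObject<List<ClaimDto>>(json);
    }
}

public static class RemoteSecurityStampValidator
{
    // Claim type under which ASP.NET Identity's ClaimsIdentityFactory stores the stamp in the cookie identity.
    public const string SecurityStampClaimType = "AspNet.Identity.SecurityStamp";
    // Cookie in which the login client keeps the auth-server bearer token (assumed name; mark it HttpOnly + Secure).
    public const string TokenCookieName = "AuthServerToken";

    public static Func<CookieValidateIdentityContext, Task> OnValidateIdentity(IAuthServerProxy proxy, TimeSpan validateInterval)
    {
        return async context =>
        {
            DateTimeOffset now = DateTimeOffset.UtcNow;
            DateTimeOffset? issued = context.Properties.IssuedUtc;
            // Same throttling as the stock validator: round-trip to the auth server at most once per validateInterval.
            if (issued.HasValue && now.Subtract(issued.Value) < validateInterval) return;

            Claim stampClaim = context.Identity.FindFirst(SecurityStampClaimType);
            string token = context.Request.Cookies[TokenCookieName];
            bool valid = stampClaim != null && token != null
                         && await proxy.ValidateSecurityStampAsync(stampClaim.Value, token);
            IList<ClaimDto> claims = valid ? await proxy.GetClaimsAsync(context.Options.AuthenticationType, token) : null;

            if (claims == null)
            {
                // Stamp changed (password reset, login removed, "sign out everywhere") or the token is no longer accepted:
                // reject the identity for this request and clear the application cookie, exactly as the stock validator does.
                context.RejectIdentity();
                context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
                return;
            }

            // Refresh the claims and re-issue the cookie; nulling IssuedUtc/ExpiresUtc makes the middleware restamp them,
            // which is what resets the validateInterval clock.
            var fresh = new ClaimsIdentity(claims.Select(c => new Claim(c.Type, c.Value)), context.Options.AuthenticationType);
            context.ReplaceIdentity(fresh);
            context.Properties.IssuedUtc = null;
            context.Properties.ExpiresUtc = null;
            context.OwinContext.Authentication.SignIn(context.Properties, fresh);
        };
    }
}
```

In Startup.Auth.cs of the login client this replaces the generic `SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(...)` call: `OnValidateIdentity = RemoteSecurityStampValidator.OnValidateIdentity(new HttpAuthServerProxy(httpClient), TimeSpan.FromMinutes(30))`, with `httpClient.BaseAddress` pointing at the auth server. Two things to check before relying on it: the cookie identity must actually contain the `AspNet.Identity.SecurityStamp` claim, which is true for identities built by the auth server's UserManager but not for the hand-rolled claim list in the question; and the validate endpoint must derive the user from the bearer token (as the answer's `CreateIdentity` does with `User.Identity.GetUserId()`), never from a user name supplied in the body, otherwise one client could probe stamps of other accounts.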
