MohammadYounes / OWIN-MixedAuth

Mixed (Windows + Forms) Authentication for OWIN
MIT License
110 stars 46 forks

Custom Authentication Provider #12

Closed Saquibadil closed 9 years ago

Saquibadil commented 9 years ago

I just wanted to ask you a question, not "raise an issue", but it looks like this is the only way I can reach out to you.

My question is:

I have implemented Owin-MixedAuth in my project. But the new requirement is that the intranet users should be able to log in over the internet (from home). We have a service which accepts username and password and returns the user details and confirms the validity of the user. What is the correct way to implement it? Here is how I started to implement it...

```csharp
// Authenticate against the intranet service, then try to sign the user in
// as if they had arrived through an external login provider.
LocalUserObject user = service.AuthenticateIntranetuserOnInternet(model.username, model.password);
if (user.IsAuthenticated)
{
  ExternalLoginInfo loginInfo = new ExternalLoginInfo() {
    DefaultUserName = user.UserName,
    Email = user.Email,
    // Provider key is still unknown at this point (see question above).
    Login = new UserLoginInfo("Windows", "don't know what the provider key should be")
  };

  var result = await SignInManager.ExternalSignInAsync(loginInfo, isPersistent: false);
  switch (result)
  {
    case SignInStatus.Success:
      return RedirectToLocal(returnUrl);
    case SignInStatus.LockedOut:
      return View("Lockout");
    case SignInStatus.RequiresVerification:
      return RedirectToAction("SendCode", new { ReturnUrl = returnUrl });
    case SignInStatus.Failure:
    default:
      ModelState.AddModelError("Error", "Something went wrong. Please try again.");
      return View(model);
  }
}
```

I appreciate your help!

MohammadYounes commented 9 years ago

Not sure why you are trying to simulate this, as your users will still be able to authenticate using the Windows authentication endpoint over the web, given they provide the full domain\username.

Anyway, the missing piece in your code is the provider key, which is the _nameidentifier_ claim. The value OWIN-MixedAuth uses for this claim is the domain user SID.

Thanks.

Saquibadil commented 9 years ago

If I pass the domain user SID, it will only authenticate the user if the user is on the network.

Can you give an example of how I can configure the Windows authentication endpoint and how I can make use of it in code?

Thank you!

MohammadYounes commented 9 years ago

Yes, the external login will be matched against linked logins stored in the database. The local user linked to that login will be authenticated.

The Windows authentication endpoint is part of MixedAuthOptions and the default path is /MixedAuth.

I thought you were trying to simulate the Windows login flow? But now I'm not sure!

Saquibadil commented 9 years ago

Unfortunately, our architecture does not allow linking local logins with external logins, and the local logins are stored in a separate database which is only accessible via a service. Local users will never register as an external user.

With that in mind we are implementing these requirements:

  1. External users can register/login using forms authentication. This is achieved using ASP.NET Identity and works fine.
  2. Internal users should be logged in automatically if the request comes from specific IP addresses. The service that I talked about authenticates the local LoginInfo and works fine as well.
  3. Internal users should also be able to log in over the internet (from home). The same service also authenticates the user based on the domain username and password.

1 and 2 are straightforward for authentication.

For 3, I have found this solution a little while ago... https://stackoverflow.com/questions/22027753/mixed-mode-authentication-with-owin/25128474#25128474

It connects to the domain using PrincipalContext, but it takes only the domain name to connect (is it safe?).

This solution seems to be working for me so far, but I need to also integrate Roles and Claims. Can you suggest a good way of doing that?

Thank you!

MohammadYounes commented 9 years ago

> Is it safe?

If you are not using HTTPS, then your domain users will be sending their AD credentials in plain text over the network.

> I need to also integrate Roles and Claims, can you suggest a good way of doing that?

See issue #9
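The two open points in this thread (what goes into the provider key, and how to turn domain group membership into role claims when validating with PrincipalContext) fit together in one helper. The following is an added example, not code from OWIN-MixedAuth or from either participant. It assumes a domain named `CORP` (placeholder), reuses the `"Windows"` provider name from the snippet above, and uses the SID as the provider key because that is the value OWIN-MixedAuth puts in the nameidentifier claim. Everything else (the class name `DomainLoginHelper`, the method `AuthenticateDomainUser`) is invented for illustration.

```csharp
// Added example: validate a domain user's credentials with PrincipalContext,
// resolve the SID that OWIN-MixedAuth uses as nameidentifier / provider key,
// and build an ExternalLoginInfo that carries role claims from group membership.
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;

public static class DomainLoginHelper
{
    // Same provider name as the snippet in the thread.
    private const string LoginProvider = "Windows";

    // Assumed domain name (placeholder); replace with your own.
    private const string DomainName = "CORP";

    // Returns null on any failure so the caller can fall through to SignInStatus.Failure.
    public static ExternalLoginInfo AuthenticateDomainUser(string userName, string password)
    {
        // Empty credentials are rejected up front: an empty password can turn the
        // bind into an anonymous one, which must never count as a successful login.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
            return null;

        // Accept "DOMAIN\user" as well as the bare sAMAccountName.
        int backslash = userName.LastIndexOf('\\');
        string samAccountName = backslash >= 0 ? userName.Substring(backslash + 1) : userName;

        using (var ctx = new PrincipalContext(ContextType.Domain, DomainName))
        {
            // Negotiate with signing/sealing keeps the credential exchange between
            // the web server and the DC protected; the browser-to-server leg still
            // needs HTTPS, as noted in the thread.
            const ContextOptions opts = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
            if (!ctx.ValidateCredentials(samAccountName, password, opts))
                return null;

            using (UserPrincipal user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null || user.Enabled == false)
                    return null;

                // Provider key: the domain user's SID, matching what OWIN-MixedAuth stores.
                string sid = user.Sid.Value;

                var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ExternalCookie);
                identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, sid));
                identity.AddClaim(new Claim(ClaimTypes.Name, DomainName + "\\" + user.SamAccountName));
                if (!string.IsNullOrEmpty(user.EmailAddress))
                    identity.AddClaim(new Claim(ClaimTypes.Email, user.EmailAddress));

                // Group memberships become role claims. GetAuthorizationGroups
                // includes nested groups, unlike GetGroups.
                foreach (Principal group in user.GetAuthorizationGroups())
                {
                    if (group is GroupPrincipal && !string.IsNullOrEmpty(group.SamAccountName))
                        identity.AddClaim(new Claim(ClaimTypes.Role, group.SamAccountName));
                }

                return new ExternalLoginInfo
                {
                    DefaultUserName = user.SamAccountName,
                    Email = user.EmailAddress,
                    Login = new UserLoginInfo(LoginProvider, sid),
                    ExternalIdentity = identity
                };
            }
        }
    }
}
```

The returned object can be passed to `SignInManager.ExternalSignInAsync` exactly as in the snippet at the top of the thread; that call only succeeds when a local user has a linked login with provider `"Windows"` and key equal to the SID. Where linked logins are not available, as described above, the `ExternalIdentity` still carries the name, nameidentifier and role claims, so it can be issued directly through `AuthenticationManager.SignIn` with the application cookie authentication type instead. The `[Authorize(Roles = "...")]` checks then work off the role claims without any further lookup.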