OrchardCMS / Orchard

Orchard is a free, open source, community-focused Content Management System built on the ASP.NET MVC platform.
https://orchardproject.net
BSD 3-Clause "New" or "Revised" License
2.37k stars, 1.12k forks

Evaluate the usage of ASP.NET Identity #5553

Open Piedone opened 8 years ago

Piedone commented 8 years ago

Although we don't use the old ASP.NET Membership system, just FormsAuthentication in our own way (in FormsAuthenticationService), I think it's worth considering whether we want to do anything about re-writing the default authentication and user management implementation to make use of (or rather, extend) ASP.NET Identity.

I don't know enough about ASP.NET Identity to make suggestions, just wanted to bring up the matter.

sfmskywalker commented 8 years ago

You know nothing, John Snow.

But I want it too.

dcinzona commented 8 years ago

We are working on implementing a custom module that leverages Thinktecture Identity Server 3 so as to make our website a valid identity provider (ala ADFS, Google, Facebook, etc). https://identityserver.github.io/Documentation/

Any changes to the current model is of interest, so I'm going to follow this thread :)

sebastienros commented 8 years ago

I have actually already started to work on that. And will try to make the social identity integration reusable by other modules. There will be a way to customize the author UI. Users will be created in the Users table, and bindings to the social sites. Login/password will be optional.

I have seen too many teams at Microsoft having issues with AAD in Orchard that I want to solve it for good. I will use the OWIN middlewares as much as I can, and already have the Google one working in a two-year-old branch.

CSurieux commented 8 years ago

Could be interesting to support OpenID/OAuth + Bearer Auth and Claims as in the 'new Identity', very interesting for WebAPI calls.

armanforghani commented 8 years ago

Wow! ASP.NET Identity and support for OpenID/OAuth. Perfect! Special thanks to @sebastienros.

jbraun27 commented 8 years ago

@sebastienros Looking forward to seeing progress with ASP.NET Identity and OWIN support. I was looking into Azure Active Directory too, but I think Licensing could be a real cost factor too since the basic (free) version is fairly crippled. Thank you!

dcinzona commented 8 years ago

We currently have IdentityServer 3 middleware working in our QA environment. We have only configured this to work with the Orchard user store as the membership repo for IdSrv. This works with two modules (the server module and the client module).

Our goal was to allow partners to use our SSO solution so our membership can log into partner applications using one username and password (the same credentials that they use to log into our website) via OAuth and OpenID Connect.

The Server module runs the IdSrv interface for the Identity Provider and Token Provider system as well as adding some UI in the Admin portal for adding / editing clients without having to do it via code (using EF to manage the Identity Server client / scopes).

The Client module re-routes the Orchard login interface to Identity Server. Enabling the client module on tenants also reroutes them to the root server module. I'm sure this could be adjusted so tenants can host their own IdSrv, but we don't have any intention of extending the modules in that way. We just needed to allow SSO for our tenants using our root tenant user store.

After we move over to Azure AD for staff, we will integrate that for login as well.

sebastienros commented 8 years ago

@dcinzona Would be nice to see a demo of that during a meeting.

dcinzona commented 8 years ago

Sure - however, this is running on QA. We have a POC that runs on a generic orchard instance... but that hasn't been updated in a while... I will need some time to update that POC so I can demo it.

dcinzona commented 8 years ago

I have this working in 1.9.x now (with a couple of required modifications, like updating JSON to 7.0.x and Microsoft.OWIN to 3.0.1.0).

jersiovic commented 8 years ago

I'm looking for a way to implement a WebAPI 2 with OAuth bearer token authentication within an Orchard 1.9.2 module. But at the moment, for doing that I need to upgrade the OWIN dependencies. It looks like @sebastienros is working on this feature. Is the branch/repo where he is working on it available?

dcinzona commented 8 years ago

What version of OWIN do you need? 3.0.1.0? If so, that's what we are currently using in our QA environment with no adverse effects on Orchard, so updating OWIN to 3.0.1 shouldn't cause a problem. Just update the files in your local lib folder and make sure the binding is correct in web.config.
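The "binding in web.config" referred to above is an assembly binding redirect. As an added illustration (not a fragment from Orchard or from the commenter's environment), this is the shape of the redirects for the Microsoft.Owin 3.0.1.0 and JSON 7.0.x upgrades mentioned in this thread; the public key tokens are the well-known ones for the Katana and Newtonsoft.Json assemblies, and the exact version numbers are assumed from the comments rather than taken from any Orchard release:

```xml
<configuration>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <!-- Every Microsoft.Owin.* assembly that was bumped needs its own entry;
           a missing or stale redirect shows up at runtime as a FileLoadException
           ("could not load file or assembly ... version 2.x"). -->
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Owin.Security" publicKeyToken="31bf3856ad364e35" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-3.0.1.0" newVersion="3.0.1.0" />
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" publicKeyToken="30ad4fe6b2a6aeed" culture="neutral" />
        <bindingRedirect oldVersion="0.0.0.0-7.0.0.0" newVersion="7.0.0.0" />
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
</configuration>
```

Check the assembly versions actually shipped in lib (the file version and the assembly version differ for these packages; the redirect must use the assembly version) before copying these numbers.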

jersiovic commented 8 years ago

Thank you @dcinzona I will give a try with that version.

radrad commented 8 years ago

Is there any source code that can be seen? Any docs about configuring it? Thanks, Rad

douwinga commented 8 years ago

@radrad You could look at https://github.com/RadioSystems/RadioSystems.AzureAuthentication

It is for AzureAD, but it provides a working example of using the OpenIdConnect Owin middleware in Orchard which should be easy to make work for something else. It also shows using bearer auth, but it might need a few tweaks for that to actually work.

mattcowen commented 8 years ago

@radrad I was able to take Identity Server's Hybrid client example and plug this into a fork of RadioSystems.AzureAuthentication very easily. I can send you this as a module if you want although you will need to make sure you have the certificates for localhost installed correctly.
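To make concrete what the client-side module described by dcinzona above and the OpenID Connect OWIN middleware wiring mentioned by douwinga and mattcowen look like, here is an added example. It is not code from Orchard, RadioSystems.AzureAuthentication or any other module linked in this thread; it registers the Katana 3.0.1 OpenID Connect middleware (hybrid flow against an IdentityServer3 authority) plus IdentityServer3 bearer-token validation for Web API calls through Orchard 1.9's IOwinMiddlewareProvider extension point. The authority URL, client id, redirect URI, scope names and the AccessDenied route are placeholders:

```csharp
// Added example, not Orchard's or any linked module's code. Assumes the packages
// Microsoft.Owin.Security.OpenIdConnect 3.0.1, Microsoft.Owin.Security.Cookies 3.0.1
// and IdentityServer3.AccessTokenValidation are in the module's lib folder.
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Threading.Tasks;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Orchard.Owin;
using Owin;

namespace Example.IdSrvClient
{
    public class IdSrvOwinMiddleware : IOwinMiddlewareProvider
    {
        // Placeholder values; a real module would read them from a settings part.
        private const string Authority = "https://idsrv.example.com/identity"; // HTTPS only: discovery document and signing keys are fetched from here
        private const string ClientId = "orchard-site";
        private const string RedirectUri = "https://www.example.com/";
        private const string CookieAuthType = "Cookies";

        public IEnumerable<OwinMiddlewareRegistration> GetOwinMiddlewares()
        {
            yield return new OwinMiddlewareRegistration
            {
                Priority = "10",
                Configure = app =>
                {
                    app.SetDefaultSignInAsAuthenticationType(CookieAuthType);

                    // The session cookie issued after a successful OIDC sign-in.
                    app.UseCookieAuthentication(new CookieAuthenticationOptions
                    {
                        AuthenticationType = CookieAuthType,
                        CookieSecure = CookieSecureOption.Always,
                        CookieHttpOnly = true
                    });

                    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
                    {
                        Authority = Authority,
                        ClientId = ClientId,
                        RedirectUri = RedirectUri,
                        ResponseType = "code id_token",   // hybrid flow, as in the IdentityServer3 sample client
                        Scope = "openid profile roles",
                        SignInAsAuthenticationType = CookieAuthType,
                        // Pin issuer and audience; the middleware also checks signature, expiry and nonce.
                        TokenValidationParameters = new TokenValidationParameters
                        {
                            ValidIssuer = Authority,
                            ValidAudience = ClientId,
                            NameClaimType = "name",
                            RoleClaimType = "role"
                        },
                        Notifications = new OpenIdConnectAuthenticationNotifications
                        {
                            AuthorizationCodeReceived = n =>
                            {
                                // In Katana 3.x the middleware does not redeem the code itself.
                                // Exchange n.Code at the token endpoint over the back channel here
                                // if the site needs an access token; only trust claims that came
                                // from the validated id_token or from the token endpoint response.
                                return Task.FromResult(0);
                            },
                            AuthenticationFailed = n =>
                            {
                                // Fail closed: a failed validation never results in a sign-in.
                                n.HandleResponse();
                                n.Response.Redirect("/Users/Account/AccessDenied"); // placeholder route
                                return Task.FromResult(0);
                            }
                        }
                    });

                    // API requests carry an access token instead of the cookie; it is
                    // validated against the same authority and must contain the API scope.
                    app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
                    {
                        Authority = Authority,
                        RequiredScopes = new[] { "orchard-api" }
                    });
                }
            };
        }
    }
}
```

What this does not do is map the validated claims principal onto an Orchard user and issue Orchard's own FormsAuthentication ticket; a module such as the client module described above still has to perform that step (looking the user up by the subject claim, not by a display name) so that Orchard's existing authorization code keeps working.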

dcinzona commented 8 years ago

@mattcowen Are you using inmemory stores or entity framework? If EF, how are you handling migrations?

mattcowen commented 8 years ago

@dcinzona I'm only using the inmemory stores for IdSrv right now while I get the client use cases sorted. I haven't looked into the migrations side of things but in my experience I run those only once, create a db project by importing the schema and then manage the db "manually" with the project from then on. I have had too much trouble trying to get migrations working properly in production scenarios. If only it worked as nicely as Orchard.

dcinzona commented 8 years ago

@mattcowen When you do get to using EF, I just got automatic migrations working. One of the things that was causing me some problems was that we had initially set up the IdSrv tables under their own Schema (IdentityServer.Clients, etc.) instead of using the default schema. This was a problem because the EF migrations just take a connection string and don't take a custom schema. So, recreating the whole thing from scratch and using the default schema allowed me to enable migrations on app startup. This worked with migrating from 2.1 to 2.2

radrad commented 8 years ago

@mattcowen I would appreciate it if you either share your GitHub fork or send me a zip with RadioSystems.AzureAuthentication and Identity Server's Hybrid client integration at radoslav AT everestkc Dot net. Is there a way to run the RadioSystems.AzureAuthentication integration with Orchard locally in a simulated Azure local environment, or must it be run in Azure? I want to know how you developed and debugged this module locally. Can you also explain in a few sentences how Identity Server's Hybrid client integration works? It would be best if you could create a separate branch for this so others can see it. Thanks.

radrad commented 8 years ago

@dcinzona you can change the default schema for your tables in EF 6+ this way:

using System.Data.Entity;

public class User
{
    public int Id { get; set; }
    public string UserName { get; set; }
}

public class IdSrvContext : DbContext
{
    public DbSet<User> Users { get; set; }

    protected override void OnModelCreating(DbModelBuilder modelBuilder)
    {
        // Every table mapped by this context is created under this schema instead of dbo.
        modelBuilder.HasDefaultSchema("MyDefaultDbSchema");
    }
}

I guess you will need to run migrations manually: http://stackoverflow.com/questions/32420886/code-first-migration-breaks-after-changing-default-schema-name

radrad commented 8 years ago

@mattcowen can you share your source code? You can use my email in the above comment. Thanks

mattcowen commented 8 years ago

@radrad sorry for the tardy reply. I will upload a module you can use to my GitHub. It is really only a prototype but should be good for you to get started. Just be aware that I need to sort things out like sliding expiration.

radrad commented 8 years ago

@mattcowen Thanks for your email. Will your hybrid scenario be a modification of the RadioSystems.AzureAuthentication example or an extension (meaning will it require Azure AD)? If it is the latter, can I run it in a simulated Azure local environment?

I would also like to incorporate this kind of integration into DNN. See my question: http://stackoverflow.com/questions/34079976/integrating-identity-server-3-openid-connect-with-cms-applications-like-dotnetnu Matt/Gustavo, if you can comment on this on Stack Overflow I would appreciate it, but I would like to have a word with you privately. You can use my email for further communication.

Thanks.

SzymonSel commented 8 years ago

Any update on this matter?

radrad commented 8 years ago

@SzymonSel I think @mattcowen came up with this: https://github.com/mattcowen/MC.Auth and maybe he forgot to let us know.

smartmeter commented 8 years ago

Can you please update to ASP.NET Identity 2.2.1/latest for 4.6.1?

SzymonSel commented 8 years ago

Thanks