@rustd
Last active August 29, 2015 13:57
Information about ASP.NET Identity & Security

In Visual Studio 2013 we revamped the membership and authentication system for ASP.NET web developers.

We added ASP.NET Identity, which is a modern membership system for ASP.NET applications. It includes features such as Two-Factor Authentication, which is becoming a common practice for securing web applications. For more information on why we created ASP.NET Identity, please read http://www.asp.net/identity/overview/getting-started/introduction-to-aspnet-identity

As part of the Microsoft OWIN Components (Katana), we also added support for OWIN, along with OWIN middleware such as the OWIN cookie authentication middleware (and more), which replaces the FormsAuthentication module. Moving to an OWIN-compliant framework will allow us to build apps that are more flexible, portable, lightweight, and better performing. For more information, please read http://www.asp.net/aspnet/overview/owin-and-katana/an-overview-of-project-katana

We are in the process of adding documentation for these changes, but we do realize that documenting everything around them is a huge task; if we were to do it alone, it would take us a long time to cover everything.

We're asking for your feedback to help validate and prioritize the document list. We also welcome any contributions and will determine a way to accept them or reference them from the official locations at a later date so that all our customers can benefit.

Action Items

  • Give feedback around other areas/scenarios related to securing web applications that you need more information on.
  • Add a link to your favorite security article that you have found useful while building your application. This can be an article that explains an idea or provides detailed information on how to secure your web application.
  • Add a link to an existing article that might already cover these areas.

Follow ups

  • Once we have a list of areas/scenarios, I would like to solicit the experts to help us write the docs. I do appreciate your input and help in getting more information out for everyone to use.

- **Overview of authentication**
    - What are the different authentication options, such as Windows/FormsAuth/Organizational Accounts, and which one should I use?

- **ASP.NET Identity Overview and Basics**
    - What is Identity and why do I need it?
        - Unit Testing
    - Core concepts
        - UserManager
        - UserStore
    - Create Users
        - Do Validation
        - Add Profile data
    - Create Roles
    - Database
        - Where it is
        - Customize tables
        - How is EF used

- **Local Logins**
    - How do I log in by creating a username and password?
    - Create User and SignIn
        - ClaimsIdentity
        - OWIN cookies middleware
            - Configuration of OWIN cookies
    - Assign User To Roles
        - Roles as Claims

- **Social Logins**
    - How do I log in with social providers such as Facebook, Google, Microsoft Account, etc.?
    - Add Social Login such as Facebook
    - OWIN Facebook middleware
    - External Cookies
    - Challenge concept
        - Active vs Passive middleware
    - Associate a user with different logins
        - A user can add or remove a login
    - Customize the Facebook button
    - Get more data from Facebook such as Friends pics
    - Protect against XSRF
        - For Form posts
        - For ExternalLoginCookie

- **ASP.NET Identity Entity Framework Extensibility & Extending UserStore**
    - Using IdentityDbContext
    - Plug in your own DbContext
    - Plug in your own POCO classes for User
    - Use the PK of your own choice
    - Plug an existing database into Identity
        - Migrating from Custom Membership provider to Identity

- **ASP.NET Identity Storage persistence & Customization**
    - Overview of Identity infrastructure
        - Optional interfaces
    - Write your own Custom storage providers
        - Storing Roles as Claims in the Claims Table

- **Security concerns overview/ Guidelines**
    - Password complexity
    - Password Hashing
        - Pluggable
    - Account Lockout
    - Storing Question & Answer
    - Password policies
    - XSRF checks
    - SQL Injection
    - XSS checks

- **Account Confirmation/ Password Reset/ Single SignOut From everywhere**
    - Security Token provider
    - CookieValidatorProvider
    - Implement Account Confirmation
    - How are account confirmation tokens managed and how to configure them
    - Create Users which are not confirmed

- **Two-Factor Authentication**
    - What it is and what is the flow
    - How do I configure the services such as SMS/ emails
    - How are the tokens generated and how long are they valid for?
    - Use of Account Lockout
        - Admins have Account Lockout disabled

- **Securing ASP.NET Web API**
    - OAuth Server
    - Managing Tokens
    - Authentication Filters
    - Building a connected application which works on Windows Phone App, Windows Store App and Web Application
    - Getting Facebook Access Token and storing it

- **Migrating membership data**
    - Migrating from Membership providers (SQL/ Universal) to Identity
    - Migrating from Simple Membership provider to Identity
    - Migrating from Custom Membership provider to Identity
    - Supported Matrix
        - .NET 4.5 is the minimum FX required.
        - Use ASP.NET Identity with MVC 4

- **Identity Guidelines**
    - Do's
        - UserManager Factory
        - RoleManager Factory
        - DbContext Factory
        - Use IdentityDbContext
    - Don'ts

- **Web Administration**
    - Create/ Edit/ Delete Users
    - Create/ Edit/ Delete Roles
    - Add/ Remove Users From Roles
    - See the list of Registered Logins for the User
    - Enable/ Disable 2FA for the user
    - Enable/ Disable Account Lockout

- **Microsoft OWIN Components (Katana)**
    - What is OWIN?
    - What is Microsoft OWIN Components (Katana)?
    - What are the Katana components?
    - What is an OWIN Middleware and how do I use it?

- **Authorization**
    - Authorizing using Roles
    - Implementing Groups and permissions using Roles

- **Organizational Accounts**
    - Building Web apps using Single Sign On Using Windows Azure Active Directory
    - Building Web APIs using Single Sign On Using Windows Azure Active Directory
    - Building SaaS (Software as a Service) apps Using Windows Azure Active Directory
    - Building Web apps and Web APIs Using On Premises Active Directory

- **Miscellaneous**
    - Unit Testing your application code using ASP.NET Identity
    - Show how to secure ASP.NET MVC and Web API in the same application
    - Moving from Membership to Identity
        - How did you create Users/ Roles in Membership and how do you do it in Identity
    - Moving from FormsAuthentication module to OWIN cookie
        - How did you generate a cookie using the FormsAuthentication module and how do you do it using OWIN cookies
@benfoster

Hey Pranav, this looks really good.

Whilst the templates offer a great way to try out all the features, it can sometimes be a bit tricky to see exactly what is going on. I'm currently working on a blog series starting with MVC that gradually builds the auth/membership system using the new features in ASP.NET Identity. The first post can be found at http://ben.onfabrik.com/posts/aspnet-identity-stripped-bare-mvc-part-1.

There are a few additional areas I'd like to see covered:

Hybrid scenarios

The SPA and MVC templates have a very different identity implementation. In reality it's not always as clear cut as this. Often we have MVC applications that may contain several "mini" SPAs. This means that we typically handle the authentication at the MVC layer (using cookie auth) but still need a way to authenticate to our API (that may live in a separate application/url) from the client - e.g. using token based auth.

I blogged about how we did this a year ago, but it would be good if we had some guidance on how to support this scenario.

OAuth Server implementation

The SPA template makes the assumption that the JavaScript client and the API have the same level of trust e.g. they are the same company. This means that it is okay to use the resource owner password credentials flow in OAuth to obtain a bearer token that can be used to authN against the API.

I'd like to see an OAuth server implementation provided that allows us to operate as an external authorization server so we can support the authorization code flow, essentially making my service no different to that of Facebook or Twitter e.g. you could allow your users to log in with "My Service" or more importantly access their information on "My Service".

@benfoster

Further to this, I'm just working on part 2 of my blog series, this time introducing UserManager and storing the user information in a database.

One of the features of ASP.NET Identity is "Claims-based authentication". There needs to be some guidance on when I should store additional user information as claims and when we should just create a custom user object and add our own properties (will be stored in the AspNetUsers table). After doing the latter, I kind of expected the additional properties to be exposed as claims but after some digging found I needed to create my own ClaimsIdentityFactory implementation to achieve this.
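
The point Ben raises above (custom properties on the user object are saved to AspNetUsers but are not surfaced as claims until a custom ClaimsIdentityFactory is plugged in), shown as an added example that is not code from the gist or from Ben's blog series. It assumes ASP.NET Identity 1.0 with the Entity Framework store, as shipped with Visual Studio 2013; the `ApplicationUser` class, its `DisplayName` property, the `urn:example:displayname` claim type and the `ApplicationDbContext` connection-string name are this example's own choices.

```csharp
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Custom user: the extra property becomes a column in AspNetUsers.
public class ApplicationUser : IdentityUser
{
    public string DisplayName { get; set; }
}

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("DefaultConnection") { } // assumed connection-string name
}

// The default factory emits only the standard claims (name, user id, roles and
// the rows stored in AspNetUserClaims). Overriding CreateAsync lets the profile
// property ride along in the cookie as a claim, so later requests need no DB hit.
public class AppClaimsIdentityFactory : ClaimsIdentityFactory<ApplicationUser>
{
    public const string DisplayNameClaimType = "urn:example:displayname"; // assumed claim type

    public override async Task<ClaimsIdentity> CreateAsync(
        UserManager<ApplicationUser> manager, ApplicationUser user, string authenticationType)
    {
        var identity = await base.CreateAsync(manager, user, authenticationType);
        if (!string.IsNullOrEmpty(user.DisplayName))
        {
            identity.AddClaim(new Claim(DisplayNameClaimType, user.DisplayName));
        }
        return identity;
    }
}

public static class UserManagerFactory
{
    // Wire the factory into the UserManager; SignIn code that calls
    // manager.CreateIdentityAsync(user, authType) then gets the extra claim.
    public static UserManager<ApplicationUser> Create(ApplicationDbContext db)
    {
        var manager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));
        manager.ClaimsIdentityFactory = new AppClaimsIdentityFactory();
        return manager;
    }

    // Reading the claim back on a later request, e.g. from a controller's User property.
    public static string GetDisplayName(IPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        if (identity == null) return null;
        var claim = identity.FindFirst(AppClaimsIdentityFactory.DisplayNameClaimType);
        return claim == null ? null : claim.Value;
    }
}
```

Because the claim is baked into the authentication cookie at sign-in, a change to `DisplayName` in the database is not visible until the user signs in again (or the cookie is reissued), which is the trade-off to weigh against putting the property on a custom user object only.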

@rustd
Author

rustd commented Mar 10, 2014

Thank You for the feedback and writing the blog posts Ben!!!
