Shared Authentication between applications

Question

I am trying to share authentication and authorization between different web applications (asp.net application and a MVC4 Application).

I read that you should set the machine key and those values to be the same between the sites. I have done this and the authentication is working properly.

But now in the MVC Application i want to use the Authorize attribute to make sure users can only see what the are supposed to see. This is not working.

I also checked.

When I call User.IsInRole("Admin") from the ASP.Net application(this is where the login is done) the value returned is true, but then when navigating to the MVC application the same call returns false.

It seems that the roles is not being shared across the application, is it possible to get is working or should i Create a custom Authorize Attribute ?

thanks in davance

Answer 1

The more applications you have, the more problematic it is to share the forms cookie. And ultimately, if two applications are on different domains (something.foo.com and somethingelse.bar.com) this won't work as you can't force your browser to submit a cookie to two different domains.

This only works if you have manual control over your forms cookie and issue it for .yourdomain.com top level domain and you have your applications in subdomains (app1.yourdomain.com, app2.yourdomain.com). And this could be a serious restriction.

What you could possibly do is to externalize your authentication, i.e. create a separate web application with the sole goal to authenticate and authorize your users. You pick one of Single Sign-on protocols (WS-Federation, OAuth2, OpenID) and federate your application environment around this authentication provider.

It possibly sounds difficult, especially if this is new to you but if you invest your time, there are only benefits.