Reputation: 403
I am working on a SPA with AngularJS and .Net Web API. I chose Individual Accounts as the authentication type in the application wizard. It created the classes for claim-based OAuth authentication with the OWIN provider.
Now I also have a need to do Windows Active Directory authentication. Role-based security, configurable by an Admin user, will also be required.
What changes do I need in my current code generated by the wizard to authenticate users with AD and, if not found there, authenticate with the current OAuth implementation, and finally return a claims token to the client?
I am thinking of storing the user IDs of my Active Directory users in the application database when they log in for the first time with their AD credentials, so that I can assign roles to them.
Upvotes: 1
Views: 525
Reputation: 1396
I suggest using OpenID Connect with IdentityServer3 (.NET). It can be easily integrated with AD (you can use the client's Kerberos ticket inside the AD domain, and it can also check user login/password outside of the AD domain), and there are also a lot of examples out of the box of how to use it in JavaScript. So it was easy to implement it in one of my AngularJS applications with a .Net backend.
In addition, IdentityServer also has in-memory caching of the user during the login process, with all user-related data, in InMemoryUserService. So you don't have to develop caching of user-related data; it is also out of the box in IdentityServer.
Modifications which can help with integration with AD:
string userName = System.Security.Principal.WindowsIdentity.GetCurrent().Name;
To authenticate a user outside of the AD domain by domain login and password, you may modify InMemoryUserService.cs to check this. As an example:
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Linq;

// ...inside the authentication method of InMemoryUserService:
var user_passhash = GetString(GenerateSaltedHash(GetBytes(password)));
var query =
    from u in _users
    where u.Username == username && u.Password == user_passhash
    select u;
var user = query.SingleOrDefault();
if (user == null)
{
    // Not a local user: check the credentials against the AD domain named in config.
    var domain = ConfigurationManager.AppSettings["domain"];
    using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain))
    {
        bool isValid = pc.ValidateCredentials(username, password);
        if (isValid)
        {
            EmployeePoco employee = this.employeeManager.GetEmployee(username);
            // (the posted snippet ends here)
        }
    }
}
Upvotes: 1
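Putting the question's requested order together (AD first, then the local store, first-login provisioning of AD users so an admin can assign roles, and a ClaimsIdentity as the result), as an added example that is neither the answer's code nor part of IdentityServer. AppUser, IUserStore, HybridAuthenticator and the PBKDF2 check standing in for GenerateSaltedHash are hypothetical names chosen here; PrincipalContext.ValidateCredentials and the "domain" app setting are the ones used in the answer.

```csharp
using System.Configuration;
using System.DirectoryServices.AccountManagement;
using System.Security.Claims;
using System.Security.Cryptography;
// Hypothetical user record and store; the real app would back these with its database.
public class AppUser { public string Username; public byte[] Salt, Hash; public string[] Roles; public bool IsDomainUser; }
public interface IUserStore { AppUser Find(string username); void Add(AppUser user); }
public class HybridAuthenticator
{
    private readonly IUserStore _store;
    private readonly string _domain = ConfigurationManager.AppSettings["domain"];
    public HybridAuthenticator(IUserStore store) { _store = store; }
    public ClaimsIdentity Authenticate(string username, string password)
    {
        AppUser user = _store.Find(username);
        // 1. Active Directory first; ValidateCredentials uses Negotiate (Kerberos) by default.
        if (ValidateAgainstAd(username, password))
        {
            if (user == null) // first AD login: create a record with no roles; an admin assigns them later
            { user = new AppUser { Username = username, IsDomainUser = true, Roles = new string[0] }; _store.Add(user); }
            return BuildIdentity(user, "ActiveDirectory");
        }
        // 2. Local salted-hash store, only for accounts that were never provisioned from AD.
        if (user != null && !user.IsDomainUser && VerifyLocalPassword(user, password))
            return BuildIdentity(user, "Local");
        return null; // same result for unknown user, bad password and unreachable domain
    }
    // True only if the domain accepted the credentials; an unreachable domain counts as "no".
    private bool ValidateAgainstAd(string username, string password)
    {
        try { using (var pc = new PrincipalContext(ContextType.Domain, _domain)) return pc.ValidateCredentials(username, password); }
        catch (PrincipalServerDownException) { return false; } // fall through to the local store
    }
    private static bool VerifyLocalPassword(AppUser user, string password)
    {   // PBKDF2 stand-in for the answer's GenerateSaltedHash, compared in constant time.
        byte[] computed;
        using (var kdf = new Rfc2898DeriveBytes(password, user.Salt, 100000)) computed = kdf.GetBytes(user.Hash.Length);
        int diff = 0; for (int i = 0; i < computed.Length; i++) diff |= computed[i] ^ user.Hash[i];
        return diff == 0;
    }
    private static ClaimsIdentity BuildIdentity(AppUser user, string authType)
    {
        var id = new ClaimsIdentity(authType);
        id.AddClaim(new Claim(ClaimTypes.Name, user.Username));
        foreach (var role in user.Roles) id.AddClaim(new Claim(ClaimTypes.Role, role));
        return id;
    }
}
```

The returned ClaimsIdentity is what the wizard-generated OWIN OAuth provider signs into the bearer token, so role claims assigned by the admin travel with it; the IsDomainUser flag keeps a locally stored hash from ever being consulted for a domain account.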