ASP.NET MVC – Authorization and Authentication Using Multiple Types of Authentication

asp.net-mvcauthentication

Currently I am managing a team where we're building a new SaaS application.

The way it is currently structured is that we have a solution that has our business logic and data, and a solution that holds our website (and related projects)

In our current user base, there are clients that use different types of authentication:

username/password using the aspnet membership architecture
Homegrown SOAP web services that allow a developer to connect via SSO
SAML

Clients may have different settings for logging in, but users within the clients log in the same way. The big challenge with our legacy system is that these are somewhat 'hacked' together and very hard to manage. I want to make sure we are much more scalable for the future.

I've looked into claims-based authentication using the MVC framework and understand that pretty well, so I'm confident our team can build the framework to support it. My challenge is with the STS (identity server), so I have a few questions:

Fundamentally, am I going in the right direction?
What system owns the knowledge of where a user should be authenticated? I would suspect the STS because that would mean the claims-based system can truly not worry about authentication or authorization
I've looked into OpenAM, OpenIDM and IdentityServer for the STS, but cannot really figure out how to plug them in. Are these even STS systems?
I am willing to spend money on a solution as well, is there any other solutions I should be looking into?

Best Answer

This has been sitting for a while, and I figured to answer my own question since we've solved this problem by now...

We decided to convince those clients that were using the homegrown SOAP services to utilize SAML, and we partnered with Ping Identity to help us out with the SAML component as we weren't experts.

As for our design, we were able to keep it relatively simple: Some SAML clients were also in need of a username/password authentication type for certain users, so we designed both a connection for SAML as well as for username and password.

We also decided to go with an IdP only approach, which so far, hasn't been an issue.

Related Solutions

API Authentication – How to Authenticate Against an API

In general:

User logs into some authentication system.
Authentication system provides a token that effectively says "Authentication System X asserts that you are Bob, until 3:00 PM 8/31/2015 UTC".
User then passes that token as metadata (header, some data envelope) to the various APIs.
The various APIs look at it and decide if they trust Authentication System X. If they do, they let Bob in, since only Bob could've had the authorization credentials (password, fingerprint, retina, etc) to get this token.

The nitty gritty details of setting all that up will vary depending on what Authentication System, what sort of Token, and what API libraries you're using. Though if you're doing something beyond basic google/facebook integration, it's likely to be agonizing.

Security – Authorization and Authentication System for Microservices

Authentication and authorization are always good topics

I will try to explain to you how we deal with authorizations in the current multi-tenant service that I am working. The authentication and authorization are token based, using the JSON Web Token open standard. The service exposes a REST API that any kind of client (web, mobile, and desktop applications) can access. When a user is successfully authenticated the service provides an access token that must be sent on each request to the server.

So let me introduce some concepts we use based on how we perceive and treat data on the server application.

Resource: It is any unit or group of data that a client can access through the service. To all the resources that we want to be controlled we assign a single name. For instance, having the next endpoint rules we can name them as follow:

product

/products
/products/:id

payment

/payments/
/payments/:id

order

/orders
/orders/:id
/orders/:id/products
/orders/:id/products/:id

So let's say that so far we have three resources in our service; product, payment and order.

Action: It is an operation that can be performed on a resource, like, read, create, update, delete, etc. It is not necessary to be just the classic CRUD operations, you can have an action named follow, for instance, if you want to expose a service that propagates some kind of information using WebSockets.

Ability: The ability to perform an action on a resource. For instance; read products, create products, etc. It is basically just a resource/action pair. But you can add a name and description to it too.

Role: A set of abilities that a user can own. For example, a role Cashier could have the abilities "read payment", "create payment" or a role Seller can have the abilities "read product", "read order", "update order", "delete order".

Finally, a user can have various roles assigned to him.

Explanation

As I said before, we use JSON Web Token and the abilities that a user possesses are declared in the payload of the token. So, suppose we have a user with the roles of cashier and seller at the same time, for a small retail store. The payload will look like this:

{
    "scopes": {
        "payment": ["read", "create"],
        "order": ["read", "create", "update", "delete"]
    }
}

As you can see in the scopes claim we don't specify the name of the roles (cashier, seller), instead, just the resources and the actions that are implicated are specified. When a client sends a request to an endpoint, the service should check if the access token contains the resource and action required. For example, a GET request to the endpoint /payments/88 will be successful, but a DELETE request to the same endpoint must fail.

How to group and name the resources and how to define and name the actions and abilities will be a decision made by the developers.

What are the roles and what abilities will have those roles, are decisions made by the customers.

Of course, you must add extra properties to the payload in order to identify the user and the customer (tenant) that issued the token.

{
    "scopes": {
        ...
    },
    "tenant": "acme",
    "user":"coyote"
}

With this method, you can fine-tune the access of any user account to your service. And the most important, you don't have to create various predefined and static roles, like Admin, Agents, and End-Users as you point out in your question. A Super User will be a user that owns a role with all the resources and actions of the service assigned to it.

Now, What if there are 100 resources and we want a role that gives access to all or almost all of them?. Our token payload would be huge. That is solved by nesting the resources and just adding the parent resource in the access token scope.

Authorization is a complicated topic that must be addressed depending on the needs of each application.

Best Answer

Related Solutions

API Authentication – How to Authenticate Against an API

Security – Authorization and Authentication System for Microservices

Explanation

Related Topic