Can ASP.NET Membership interoperate with ASP.NET Core? #1501

Closed
epignosisx opened this issue May 24, 2016 · 12 comments
Comments

@epignosisx
Contributor

We have a big website composed of several ASP.NET apps. We are using ASP.NET Membership for authentication.

Does ASP.NET Core provide anything out of the box to interoperate with Membership, like being able to decrypt/validate the auth cookie?

@MaximRouiller

Short answer: No.

Long answer: Everything has been rewritten and the ASP.NET Membership is hooked in the old pipeline. Since the old pipeline was ripped, then no. Not compatible.

@brockallen

The old membership system (like the current one) is just a wrapper around some DB calls. I don't see why you can't build something in .NET core to use the data that's in the old format. The passwords are the only real concern and hopefully they're just hashed -- you can still do that validation in .NET Core.
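
An added example, not part of the thread or of any ASP.NET project code: one way to check a password against a legacy Membership row from .NET Core. It assumes the row uses the Hashed password format, that the stored hash and salt are Base64 strings, and that the provider hashed the UTF-16LE password with either SHA1 over salt plus password or HMACSHA256 keyed with the salt; the class and method names are hypothetical and the sample row is constructed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class LegacyMembershipPassword
{
    // Recomputes the hash under the scheme assumed above (Hashed format only).
    public static byte[] Hash(string password, byte[] salt, string algorithm)
    {
        if (salt.Length == 0) throw new ArgumentException("Salt is empty.", nameof(salt));
        byte[] pass = Encoding.Unicode.GetBytes(password); // UTF-16LE
        switch (algorithm)
        {
            case "SHA1": // unkeyed: hash(salt || password)
            {
                byte[] all = new byte[salt.Length + pass.Length];
                Buffer.BlockCopy(salt, 0, all, 0, salt.Length);
                Buffer.BlockCopy(pass, 0, all, salt.Length, pass.Length);
                using (var sha1 = SHA1.Create()) return sha1.ComputeHash(all);
            }
            case "HMACSHA256": // keyed: salt repeated or truncated to a 64-byte key
            {
                byte[] key = new byte[64];
                for (int i = 0; i < key.Length; i++) key[i] = salt[i % salt.Length];
                using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(pass);
            }
            default:
                throw new NotSupportedException(algorithm);
        }
    }

    // Compares in constant time so the check does not leak how many bytes matched.
    public static bool Verify(string password, string storedHash, string storedSalt, string algorithm)
    {
        byte[] actual = Hash(password, Convert.FromBase64String(storedSalt), algorithm);
        byte[] expected = Convert.FromBase64String(storedHash);
        return CryptographicOperations.FixedTimeEquals(actual, expected);
    }

    public static void Main()
    {
        // Constructed sample row, not real data.
        byte[] salt = new byte[16];
        RandomNumberGenerator.Fill(salt);
        string storedSalt = Convert.ToBase64String(salt);
        string storedHash = Convert.ToBase64String(Hash("correct horse", salt, "SHA1"));
        Console.WriteLine(Verify("correct horse", storedHash, storedSalt, "SHA1"));
        Console.WriteLine(Verify("wrong guess", storedHash, storedSalt, "SHA1"));
    }
}
```

A single salted SHA1 or HMAC pass is fast to brute-force, so a successful `Verify` is a good point to re-hash the password with the new system's password hasher and store that instead.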

@epignosisx
Contributor Author

Thanks for the quick responses folks! My main concern is how to validate that a request has a valid Auth cookie token and be able to decrypt it. This is all part of the FormsAuthentication in ASP.NET and I believe this relies on the machine keys which are not used in ASP.NET Core.

Are the inner APIs available in .NET Core so I can do the auth ticket validation/decryption on my own?

@brockallen

brockallen commented May 24, 2016

Well, that's not membership -- that's forms auth. So yes, as @MaximRouiller said there's no port of that in ASP.NET core. You'd just change your app to use the cookie authentication middleware. That's the replacement.

@epignosisx
Contributor Author

Thanks @brockallen. Changing all our apps to use the cookie auth middleware would be a major effort I doubt I can sell to business.

Can you tell me if from a security perspective this is a bad idea: Create an ActionFilter in the new ASP.NET Core app that will get the auth ticket and do an HTTP request to one of our existing apps and get back a response saying if the auth ticket is still valid? Aside from the obvious latency added on each request that requires auth validation, is there a security risk that I am missing?

@brockallen

brockallen commented May 24, 2016

> Changing all our apps to use the cookie auth middleware would be a major effort I doubt I can sell to business.

Sure, and it'd be more effort to convert the app code themselves to ASP.NET Core.

> Can you tell me if from a security perspective this is a bad idea

Sounds like you'd really need to spend time thinking about this.

@davidfowl
Member

Check this issue out aspnet/Security#617

/cc @blowdart

@blowdart
Contributor

The answer is yes. Kind of.

We have a shim for .NET 4.5.2 which switches the cookie code to use the new format: https://www.nuget.org/packages/Microsoft.AspNetCore.DataProtection.SystemWeb/1.0.0-rc2-final. It's even documented - https://docs.asp.net/en/latest/security/data-protection/compatibility/cookie-sharing.html (although the docs haven't been updated for RC2 yet). With that a cookie issued by a 4.5.2 app should be readable by a core app.

In addition there's code coming which upgrades the membership database to something both things can understand, so you can share a database too. @HaoK has a PR in for that.

@anil-kk

anil-kk commented Jul 19, 2016

Hello Open Source Aspirants, Experienced developers and Architects,
I needed some information.
We have a few systems built in previous .NET Frameworks that use FormsAuthToken (Cookie).
And we started to build a new system in AspDotNetCore; we would like to share the credentials that is being used by other systems seamlessly. So far we were able to decrypt the FormsAuth Cookie using Darrell Tunnell's code. It was useful for the decryption part, yet needs some work around encryption to have a seamless solution (single-sign-on experience).
https://gist.github.com/dazinator/0cdb8e1fbf81d3ed5d44
Without making changes to old working systems
(I read the above conversation and also the link aspnet/Security#617, which suggests upgrades to old systems),
is there any other alternative way that is built in to the AspDotNetCore framework, or some 3rd party solution like the one Darrell Tunnell came up with, so that we can seamlessly have a single-sign-on experience between different systems, like reading (decryption) credentials if they already exist or writing (encryption) credentials if they do not exist? In AspDotNetCore I do not see the possibility of sharing the MachineKey that is used for encryption and decryption of FormsAuthToken (Cookie) from other systems.

//cc @davidfowl @brockallen

@brockallen

> we would like to share the credentials that is being used by other systems seamlessly

What I would suggest is designing with proper single signon. IdentityServer can be used for that: https://github.com/IdentityServer/IdentityServer4

@aspnet-hello

This issue is being closed because it has not been updated in 3 months.

We apologize if this causes any inconvenience. We ask that if you are still encountering this issue, please log a new issue with updated information and we will investigate.

@th0mk

th0mk commented Jan 28, 2019

I know this is an old issue, but in case anyone is looking for a way to easily migrate:
https://docs.microsoft.com/en-us/aspnet/core/migration/proper-to-2x/membership-to-core-identity
