Understanding the new ASP.NET MVC5 authentication mechanism

Hey. I'm trying to understand how the new authentication mechanism works in MVC5 in the SPA template, and it seems to be confusing me. My ultimate goal is to create an API that will be open to SPA, iOS, Android and Windows Phone clients.

Here is what I understand:

I understand that somehow at startup the class decorated with:

[assembly: OwinStartup(typeof(WebApplication1.Startup))]

makes a magic call to the ConfigureAuth method.

Inside this method I have 3 lines of code, and inside the static constructor of the Startup class the OAuth authentication options are initialized:

  static Startup()
  {
      PublicClientId = "self";
      UserManagerFactory = () => new UserManager<IdentityUser>(new UserStore<IdentityUser>());

      // Options for the OAuth authorization server (token issuer) middleware
      OAuthOptions = new OAuthAuthorizationServerOptions
      {
          TokenEndpointPath = new PathString("/Token"),
          Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
          AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
          AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
          AllowInsecureHttp = true
      };
  }

  public void ConfigureAuth(IAppBuilder app)
  {
      app.UseCookieAuthentication(new CookieAuthenticationOptions());
      app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
      app.UseOAuthBearerTokens(OAuthOptions);
  }

The first two lines in ConfigureAuth seem to set my application and an external application to use cookies to store authentication status, and the third seems to indicate that it uses bearer tokens for my application.

From what limited knowledge I have about native mobile device applications, they do not understand cookies, and I have to use tokens for authentication.

If so, should the externalSignIn parameter be set to bearer tokens instead of an external cookie?

During debugging, I also noticed that in OAuthProvider the authentication type is actually set to bearer tokens. If so, what is the purpose of this line of code:

app.UseCookieAuthentication(new CookieAuthenticationOptions());

Some clarification of how this works would be greatly appreciated; I could only find information on the Internet that shows me how to use external logins.

+6
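To make the cookie/bearer split concrete: this is an added client-side example (not code from the question or from the SPA template) showing how a mobile or SPA client talks to the API described above. It only ever uses the token endpoint (TokenEndpointPath "/Token") and the Authorization header, which is why UseOAuthBearerTokens is the middleware that matters for such clients and UseCookieAuthentication never sees their requests. The base URL https://api.example.com, the user credentials and the use of Newtonsoft.Json for parsing are assumptions of this example; the "api/Account/UserInfo" path follows the template's AccountController.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq; // assumption: Newtonsoft.Json is referenced by the client

// Hypothetical client for the OWIN-hosted Web API; not part of the template.
public class BearerApiClient
{
    private readonly HttpClient _http;
    private string _accessToken;
    private DateTimeOffset _expiresAt;

    public BearerApiClient(HttpClient http) { _http = http; }

    // Step 1: exchange credentials for a bearer token at the OAuth token endpoint.
    // The template's ApplicationOAuthProvider handles grant_type=password, and the
    // response is JSON with access_token, token_type and expires_in. No cookie is set or read.
    public async Task LoginAsync(string username, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "password" },
            { "username", username },
            { "password", password }
        });

        var response = await _http.PostAsync("Token", form);
        response.EnsureSuccessStatusCode();

        var body = JObject.Parse(await response.Content.ReadAsStringAsync());
        _accessToken = (string)body["access_token"];
        var expiresIn = (int)body["expires_in"]; // seconds, derived from AccessTokenExpireTimeSpan
        _expiresAt = DateTimeOffset.UtcNow.AddSeconds(expiresIn);
    }

    // Step 2: every data request carries the token in the Authorization header.
    // Server side, UseOAuthBearerTokens validates this header and builds the principal.
    public async Task<string> GetAsync(string path)
    {
        if (_accessToken == null || DateTimeOffset.UtcNow >= _expiresAt)
            throw new InvalidOperationException("No valid access token; log in again.");

        var request = new HttpRequestMessage(HttpMethod.Get, path);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", _accessToken);
        var response = await _http.SendAsync(request);

        // An expired or tampered token is rejected with 401 and the Web API body
        // "Authorization has been denied for this request."; the client must re-authenticate.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            _accessToken = null;
            throw new UnauthorizedAccessException(await response.Content.ReadAsStringAsync());
        }

        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}

class Program
{
    static void Main()
    {
        RunAsync().GetAwaiter().GetResult();
    }

    static async Task RunAsync()
    {
        // Assumed deployment URL; must be HTTPS, since the bearer token travels as a plain header.
        var http = new HttpClient { BaseAddress = new Uri("https://api.example.com/") };
        var client = new BearerApiClient(http);

        await client.LoginAsync("alice@example.com", "example-password");
        Console.WriteLine(await client.GetAsync("api/Account/UserInfo"));
    }
}
```

The point of the example is the absence of any cookie container: the client holds the access token itself and attaches it per request, so whether the server also runs UseCookieAuthentication is irrelevant to these clients.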
1 answer

It seems to me that the MVC 5 SPA template is a demonstration of what is possible more than a commitment to specific best practice.

I found that deleting the line app.UseCookieAuthentication(new CookieAuthenticationOptions()); does not affect the SPA at all, because, as is typical for an SPA, all the necessary HTML files are received anonymously, and after that all authentication is performed on subsequent data requests. In this case, the data will be retrieved from the WebAPI endpoints and protected by bearer tokens.

I do not know why this was done. There are a number of other areas where two different concerns are a bit muddled; for example, the traditional Global.asax MVC Application_Start is still in place, but there is also the new OWIN startup mechanism. There is no reason why everything in Application_Start (filtering / routing / binding, etc.) could not be handled in the OWIN startup.

There are other problems. If you enable External Auth (for example, from Google) and then reduce AccessTokenExpireTimeSpan, you will find that when the token has expired, your SPA presents the "Authorization has been denied for this request." message. In other words, there is no mechanism for refreshing tokens. This is not immediately visible out of the box, because the access token timeout is set to 14 days, which is rather unsafe when considering attacks like Cross-Site Request Forgery, etc. In addition, there is no transport security mechanism, such as SSL. Tokens are not inherently protected and must be protected in transport to prevent CSRF attacks and data being read in transit.

So MVC 5 SPA is good as a demo, I think, but I would not use it in production. It shows what the new OWIN middleware can do, but it does not replace comprehensive knowledge of token-based security.

+5
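The answer's three points (the cookie middleware is unnecessary for a bearer-token API, the 14-day expiry is too generous, and tokens need transport protection) put side by side in one Startup class. This is an added illustration, not code from the answer or from the SPA template: the template's original values are kept in comments, the 20-minute lifetime and the HTTPS-enforcing OWIN middleware are choices of this example, and the ApplicationOAuthProvider namespace is assumed to be the template's WebApplication1.Providers. Shortening the lifetime without a refresh mechanism means clients must log in again when the token expires, exactly the behaviour the answer describes.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;
using WebApplication1.Providers; // assumption: where the template keeps ApplicationOAuthProvider

[assembly: OwinStartup(typeof(WebApplication1.Startup))]

namespace WebApplication1
{
    public partial class Startup
    {
        public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
        public static Func<UserManager<IdentityUser>> UserManagerFactory { get; set; }
        public static string PublicClientId { get; private set; }

        static Startup()
        {
            PublicClientId = "self";
            UserManagerFactory = () => new UserManager<IdentityUser>(new UserStore<IdentityUser>());

            OAuthOptions = new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/Token"),
                Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
                AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),

                // Template default: TimeSpan.FromDays(14). A leaked bearer token is then
                // usable for two weeks; this example limits the window to 20 minutes.
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),

                // Template default: true. With false, the token endpoint itself refuses
                // to issue tokens over plain HTTP.
                AllowInsecureHttp = false
            };
        }

        public void ConfigureAuth(IAppBuilder app)
        {
            // Reject every non-TLS request before any authentication middleware runs,
            // so bearer tokens and credentials can never be sent in the clear.
            app.Use(async (context, next) =>
            {
                if (!context.Request.IsSecure)
                {
                    context.Response.StatusCode = 403;
                    context.Response.ReasonPhrase = "HTTPS required";
                    return;
                }
                await next();
            });

            // app.UseCookieAuthentication(new CookieAuthenticationOptions()) is intentionally
            // omitted: the API is consumed by SPA/mobile clients that send bearer tokens,
            // and not issuing an application cookie also removes the ambient-credential
            // surface that CSRF attacks rely on.

            // The external sign-in cookie is still needed briefly while an external
            // provider (e.g. Google) round-trips through /api/Account/ExternalLogin.
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            // Hosts both the token endpoint and the bearer-token validation middleware.
            app.UseOAuthBearerTokens(OAuthOptions);
        }
    }
}
```

Setting AllowInsecureHttp to false only protects the token endpoint; the small middleware at the top of ConfigureAuth is what extends the HTTPS requirement to the API calls that later present the token.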
