brockallen / brockallen.membershipreboot Goto Github PK

Use Case: Our app is targeted towards corporate employees where it is perfectly acceptable for the user to use their corporate email to make purchases. However, when they leave their company, they may no longer have access to their email. In addition, not having the ability to change username allows employer to have access to their transactions using the email (for example via reset password).

These transactions belong to user and not employer. It is insufficient to request that user create a new account as all prior history will be lost if email cannot be changed and is used as the username.

Allows email to change without breaking username consistency.

I have just added the Membership Reboot into my MVC 4 project and now the automated builds on Team Foundation Service fail advising that the referenced file can not be found (see bottom of the question). I have told the system to copy the file into the project but just wondering if there is any way to resolve this.

Builds work fine on my development machine and the project runs fine.

Please advise if you need any further info:

This is the first error it reports:
ResolveAssemblyReferences:
Primary reference "BrockAllen.MembershipReboot".
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.targets(1605,5): warning MSB3245: Could not resolve this reference. Could not locate the assembly "BrockAllen.MembershipReboot". Check to make sure the assembly exists on disk. If this reference is required by your code, you may get compilation errors.

Look into a service bus approach. This would also lend itself to other extensions.

In web.config Resharper shows 2 red flags both with 'Cannot resolve symbol:

type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"

and down in the sharedListeners section:
filter type=""

The program still compiles and runs ok so it must be just a resharper thing (as per: http://youtrack.jetbrains.com/issue/RSRP-337095) but I notice that in the References section of the class project the Assembly name 'System.identitymodel.services' shows in lower case (save for leading 'S'). Seems strange. Wondering if this is just my machine or others are seeing this?

There are three connection strings provided in the sample app. It appears only the connection string named MembershipReboot is used and the others are provided to demonstrate formatting for different types of database targets. This is useful, but can be confusing if you don't realize that only one is being used. The others could be commented out and commented, perhaps.

Hi Brock,

I am creating a new membership table, and I can't figure how the UserClaims table is supposed to work. Say for example that my User has a list of Books and a list of Blogs, so should I be creating a UserBooks & UserBlogs table with fluent API, or are we adding the value of the lists to the UserClaims table, where the Value field is the value of the BookName or BlogName? If so, then shouldn't that be BlogId and BookId instead, and what happens when a Book Entry is deleted, how do I make sure the row is deleted since there is no ON Delete Cascade. My apology it the question seems very dumb, I am just confused how this list of Claims can work when we are working with other table in db as part of the value?

Hello Brock,

For some reason I can't get AntiForgeryConfig to resolve in global.asax.cs in my sample project.

I noticed when searching the web there were some other weird issues with AntiForgeryConfig that others had been having.

I have using statements for both System.Web.Helpers and System.Web.Webpages (getting desperate here) and nothing I can do will get it to resolve and build.

What do I need to check that might be environment or configuration related?

Thanks

Here is the line of code.

AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;

I'm probably missing something really simple but I've installed it and so far can't see how I use it.

The sample application (single tenant) won't build for me and I'm finding the code difficult to follow.

Do you have any simple tutorials for getting a very basic "hello world" with login, register and reset password/forgot password working?

A lot of sites now offer the ability to log in to them using either username or email address interchangeably.

Is this possible in MembershipReboot? If so, what would be the best way to go about it?

string gender = System.Security.Claims.ClaimsPrincipal.Current.Claims.GetValue(ClaimTypes.Gender);
// gender = ""

account.RemoveClaim(ClaimTypes.Gender);
account.AddClaim(ClaimTypes.Gender, "male");
userAccountService.Update(account);

gender = System.Security.Claims.ClaimsPrincipal.Current.Claims.GetValue(ClaimTypes.Gender);
// gender = ""

On a new request following the above the gender will be set correctly... but until the end of the current request it will retain it's original value.

The claims fail be updated in the current ClaimsPrinciple until the next request.

I noticed that UserAccountService class is injected in sample controller, but should this class implement an interface, so that other classes (such as this controller) that depend on it could be unit tested, while mocking IUserAccountService?

I'm fairly new to the concept of password stretching and might be missing something. From what I understand the point of password stretching is to slow down a potential attack by increasing the time required to generate the hash. Shouldn't it be done on the client instead of the server, because if we do it on the server we are just opening it up to a potential DNS attack?

Hello,

The email capability is not working after signup when it is supposed to send out a verification email. I am trying to trace it back from the MVC app to MembershipReboot but am having problems.

It doesn't seem to ever use SMTPMessageDelivery only IMessageDelivery unless I am missing something.

This is understandably causing a hiccup in moving forwards.

Thanks for the help. I love project, especially the MVC project. Trying to get proper membership and claims going.

http://www.simplecloud.info/

I'm new to claims based security and I just downloaded the sample applications. I'm wondering how can I have roles management which is not covered in the samples.

another question what's the best way to link the UserAccounts table to my own UserProfile table?

Never mind

Like OnCreating, OnCreated, etc.

I think we need to override and extend the SessionAuthenticationModule to account for some of the shortfalls between WIF and Forms Authentication.

Here is a sample I came up with, mostly combined a few resources online together.
https://github.com/wcpro/ScaffR-Generated/blob/master/DemoApplication/DemoApplication.Security/Authentication/ClaimsAuthenticationModule.cs

[edited a bit as tenant is definitely needed in the UserAccount table as it is used everythere]

I'm struggling a bit with one area of multi-tenancy which is still an issue I need to solve for.

In my case a user/id could actually belong to more than one tenant... I guess this would mean either a primary key in the UserAccount table which is a composite between id and tenant? [which I am looking at implementing] It is too much of an architecture change to just moving the tenant value as a claim...

Your thoughts? Thanks

Perhaps this: https://github.com/smsohan/MvcMailer

We need tracing for all account activity for debug and audit purposes.

I added the AccountLockoutDuration in my web.config appSettings, but now the SecuritySettings class explodes when T GetAppSettings<T>(string, T) is called for that setting.

Apparently it doesn't have a way to parse from string to TimeSpan when runnning the following line:

return (T)Convert.ChangeType(val, typeof(T))

I supposed you can add code to check if typeof(T) is TimeSpan, then do a TryParse instead. For now, this also worked but falls back to default if it cannot convert:

var converter = TypeDescriptor.GetConverter(typeof(T));
return converter.CanConvertFrom(val.GetType()) ?
      (T)converter.ConvertFrom(val) : defaultValue;

I wanted to run the example on ARVIXE (shared hosting) and make sure it would work. It hit an error when trying to login. This may not be an issue due to the IIS version being 7.x

I did find this solution and was wondering if there was a way to fix it to use certificate based encryption?
http://stackoverflow.com/questions/5464146/is-it-possible-to-run-wif-without-loaduserprofile-true

System.InvalidOperationException: ID1074: A CryptographicException occurred when attempting to encrypt the cookie using the ProtectedData API (see inner exception for details). If you are using IIS 7.5, this could be due to the loadUserProfile setting on the Application Pool being set to false. ---> System.Security.Cryptography.CryptographicException: The data protection operation was unsuccessful. This may have been caused by not having the user profile loaded for the current thread's user context, which may be the case when the thread is impersonating. at System.Security.Cryptography.ProtectedData.Protect(Byte[] userData, Byte[] optionalEntropy, DataProtectionScope scope) at System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) --- End of inner exception stack trace --- at System.IdentityModel.ProtectedDataCookieTransform.Encode(Byte[] value) at System.IdentityModel.Tokens.SessionSecurityTokenHandler.ApplyTransforms(Byte[] cookie, Boolean outbound) at System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(XmlWriter writer, SecurityToken token) at System.IdentityModel.Tokens.SessionSecurityTokenHandler.WriteToken(SessionSecurityToken sessionToken) at System.IdentityModel.Services.SessionAuthenticationModule.WriteSessionTokenToCookie(SessionSecurityToken sessionToken) at BrockAllen.MembershipReboot.ClaimsBasedAuthenticationService.SignIn(UserAccount account, String method) at BrockAllen.MembershipReboot.ClaimsBasedAuthenticationService.SignIn(UserAccount account) at BrockAllen.MembershipReboot.Mvc.Areas.UserAccount.Controllers.LoginController.Index(LoginInputModel model) at lambda_method(Closure , ControllerBase , Object[] ) at System.Web.Mvc.ActionMethodDispatcher.Execute(ControllerBase controller, Object[] parameters) at System.Web.Mvc.ReflectedActionDescriptor.Execute(ControllerContext controllerContext, IDictionary2 parameters) at System.Web.Mvc.ControllerActionInvoker.InvokeActionMethod(ControllerContext controllerContext, ActionDescriptor actionDescriptor, IDictionary2 parameters) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass42.b__41() at System.Web.Mvc.Async.AsyncResultWrapper.<>c__DisplayClass81.<BeginSynchronous>b__7(IAsyncResult _) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethod(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.<>c__DisplayClass39.b__33() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass4f.b__49() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass37.b__36(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncResultWrapper.WrappedAsyncResult`1.End() at System.Web.Mvc.Async.AsyncControllerActionInvoker.EndInvokeActionMethodWithFilters(IAsyncResult asyncResult) at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.<>c__DisplayClass2a.b__20() at System.Web.Mvc.Async.AsyncControllerActionInvoker.<>c__DisplayClass25.b__22(IAsyncResult asyncResult)

Running a fresh installation of MembershipReboot results in a call to

UserAccountService.CreateAccount(username, password, email)

Which is a pass-thru to another overloaded CreateAccount method, passing through all parameters and adding a null value for tenant.

If SecuritySettings.Instance.MultiTenant is true then the tenant value will be null. Then there is a check to ensure it is not null:

if (String.IsNullOrWhiteSpace(tenant)) throw new ArgumentException("tenant");

Under a multi-tenant configuration, this exception will be triggered always.

Your thoughts on the following are greatly appreciated.

A thought, and something I think I am implementing... I think it would be good to have an Id field in the UserAccount table for a database identifier that will stay fixed, even if they update their username or email.

Primary use case is for referencing the user in other normal application tables - when a fixed id would be needed. I don't think it needs to be added much anywhere since it wouldn't need to be updated or reference much in the UserAccount interactions since you would always have username and tenant context there.

Places I have have seen which would need updating:

UserAccount.cs
public virtual int Id { get; private set; }

UserAccountService,cs
//Not needed in create as Id will be auto created since it is an identity
public virtual UserAccount GetById(int id)

InitialMigration.cs (SqlCe and SqlServer)
Id = c.Int(nullable: false, identity: true),

.PrimaryKey(t => new { t.Id });
(make Id the primarykey so it can link to all the other tables)
(In UserClaims keep that PrimaryKey, ForeignKey relationship)

Am I missing any other places where it would need to be?

QUESTION (brainstorming):

I think this will be a common scenario: a public-facing web application wishes to offer users to use EITHER a custom (site-specific) account (MembershipReboot) OR use an account they already have from Google, Facebook, etc.

Where should the app keep account information from the external providers?

One possibility is to use something separate like FederatedUserAccounts, and model from there. But wouldn't it be nice to be able to also use the UserClaims table we already have to flexibly model provided data, esp since it can vary from provider to provider?

Another possibility is to extend the MR UserAccounts table to include an IdentityProvider column that can be used to differentiate the provider. MR would have its own value for this and the MR functions could ignore accounts with foreign IdentityProvider values. For non-MR this would be populated with the http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider value.

Are there other good ways to model this?

Do you happen to have any samples of how this can work with Thinktecture IdentityServer v2?

An example would help me bring things all together in a more concrete way.

Thanks.

It'd be nice to have these.

It would be very useful for an admin to be able to force a user to change their password at next login.

Example use case:
Admin changes users password for them (I know they can request reset themselves... they didn't.. they are dumb)

At this point the user should really be forced to change their password to something that even the admin doesn't know when they next log in.

The reason: Most admins will use the same default password for all such password resets.

Also, giving the admin a button they can press to force a user to change their password would be nice too.

Make a boolean flag in the service method to allow for a persistent cookie. Obviously this would require another setting for timeout, and ideally sliding expiration.

Common use case is to track TenantId for multi-tenant users. This would fit naturally as an additional (optional) claim associated with the user. This would be a good feature to offer in the box so that it could be handled without the need for custom code.

FYI, there are a few nits still in converting things to multi-tenant in the sample.

LoginController.cs makes a straight shot to authSvc.SignIn(model.Username); ireespective of the MultiTenant status.

I am running things in a multi-tenant setup (so the structure is really appreciated) - will let you know what else I find along the way.

I am doing the tenant based on the subdomain and using the following function:

private static string GetSubdomain(Uri uri)
{
string subdomain = null;
if (uri.HostNameType == UriHostNameType.Dns)
{
string host = uri.Host;
int lastIndex = host.LastIndexOf('.') - 1;
if (lastIndex > 0)
{
if ((lastIndex = host.LastIndexOf('.', lastIndex)) != -1)
subdomain = host.Substring(0, lastIndex);
}
}
return subdomain;
}

Is it possible to have a foreign key to UserAccount from a POCO Entity in Entity Framework codefirst approach?

Add password rotation feature. Must at least check against current password for similar.

It would be convenient if new downloads of the project defaulted to having BrockAllen.MembershipReboot.Mvc as the default project rather than the class library.

When using the CE connection string from Web.config, I got an error when executing code in

UserAccountService.CreateAccount 

which depends on:

using (var tx = new TransactionScope())

The exception I received is same as reported here:

http://stackoverflow.com/questions/4203358/sql-ce-4-system-transaction-support

My initial work with the recently added unit tests had everything working (passing) with the code as distributed. Somewhere along the lines my adaptations (having absolutely _nothing to do with Crypto stuff) kicked up enough digital dust that the project started tossing a compiler error (pasted below)

I'm sure the error is not indicated any sort of flaw in the code but rather 'just one of those things' that occasionally happens when working the asp.net framework. Only posting it here cuz I'm betting it's an obvious solution and just in case others encounter the same.

:

Error 7 The type 'System.Web.Helpers.Crypto' exists in both 'c:\Users\foo\Documents\Visual Studio 2012\Projects\bar\BrockAllen.MembershipReboot\bin\Debug\BrockAllen.MembershipReboot.dll' and 'c:\Users\foo\Documents\Visual Studio 2012\Projects\bar\packages\Microsoft.AspNet.WebPages.2.0.20710.0\lib\net40\System.Web.Helpers.dll' C:\Users\foo\Documents\Visual Studio 2012\Projects\bar\BrockAllen.MembershipReboot.Test\Services\Crypto\CryptoHelperTests.cs 84 43 BrockAllen.MembershipReboot.Test

pointing at:

System.Web.Helpers.Crypto.HashPassword("pass");

in:

PasswordWithoutPrefix_StillValidatesWithDefault() and IncorrectPrefix_DoesNotVerify()

I've commented out those 2 test methods and am able to compile again and my most immediate use case will let me leave them untested. Still, it'd be nice to understand and fix the issue.

I'd tried the usual troubleshooting of cleaning out folders thoroughly - beyond that....any thoughts?

thx

Are linked accounts (google, facebook, etc) desirable? Something like what simple membership does?

Given some of the recent model changes, the columns names have changed for UserAccount and UserClaim.