We Keep Coding

How to authenticate with Azure AD / OpenId but use Entity Framework based user/role data

I'm trying to improve the authentication story for a legacy ASPNet MVC/OWIN app - Currently, it uses the AspNetUsers / AspNetRoles / claims etc tables along with forms + cookie based authentication.
I want to use Azure AD / OpenID Connect for authentication but then load the user profile/roles from the database as currently. Basically, no more password management within the app. Users themselves will still need to exist/be created within the app.
The application is quite dependent on some custom data associated with these users so simply using the roles from Active Directory isn't an option.
The OpenID auth works, however I'm not sure how to use the existing Identityuser / IdentityUserRole / RoleManager plumbing in conjunction with it.
Basically once the user authenticates with Open ID we'll want to load the corresponding user from the database (matching on email address) and use that user profile / roles going forward.
In particular, the AuthorizeAttribute (with specific roles specified) should continue to function as before.
This is what I have so far:
public class IdentityConfig
{
public void Configuration(IAppBuilder app)
{
app.CreatePerOwinContext(AppIdentityDbContext.Create);
app.CreatePerOwinContext<AppUserManager>(AppUserManager.Create);
app.CreatePerOwinContext<AppRoleManager>(AppRoleManager.Create);
ConfigureAuth(app);
}
/// <summary>
/// Configures OpenIDConnect Authentication & Adds Custom Application Authorization Logic on User Login.
/// </summary>
/// <param name="app">The application represented by a <see cref="IAppBuilder"/> object.</param>
private void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions());
//Configure OpenIDConnect, register callbacks for OpenIDConnect Notifications
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = ConfigHelper.ClientId,
Authority = String.Format(CultureInfo.InvariantCulture, ConfigHelper.AadInstance,
ConfigHelper.Tenant), // For Single-Tenant
PostLogoutRedirectUri = ConfigHelper.PostLogoutRedirectUri,
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
RoleClaimType = "roles",
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("/Error/OtherError?errorDescription=" +
context.Exception.Message);
return Task.FromResult(0);
},
SecurityTokenValidated = async context =>
{
string userIdentityName = context.AuthenticationTicket.Identity.Name;
var userManager = context.OwinContext.GetUserManager<AppUserManager>();
var user = userManager.FindByEmail(userIdentityName);
if (user == null)
{
Log.Error("User {name} authenticated with open ID, but unable to find matching user in store", userIdentityName);
context.HandleResponse();
context.Response.Redirect("/Error/NoAccess?identity=" + userIdentityName);
return;
}
user.DateLastLogin = DateTime.Now;
IdentityResult result = await userManager.UpdateAsync(user);
if (result.Succeeded)
{
var authManager = context.OwinContext.Authentication;
ClaimsIdentity ident = await userManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ExternalBearer);
// Attach additional claims from DB user
authManager.User.AddIdentity(ident);
// authManager.SignOut();
// authManager.SignIn(new AuthenticationProperties { IsPersistent = false }, ident);
return;
}
throw new Exception(string.Format("Failed to update user {0} after log-in", userIdentityName));
}
}
});
}
}

Here's what I ended up doing:
public class IdentityConfig
{
public void Configuration(IAppBuilder app)
{
app.CreatePerOwinContext(AppIdentityDbContext.Create);
app.CreatePerOwinContext<AppUserManager>(AppUserManager.Create);
app.CreatePerOwinContext<AppRoleManager>(AppRoleManager.Create);
ConfigureAuth(app);
}
/// <summary>
/// Configures OpenIDConnect Authentication & Adds Custom Application Authorization Logic on User Login.
/// </summary>
/// <param name="app">The application represented by a <see cref="IAppBuilder"/> object.</param>
private void ConfigureAuth(IAppBuilder app)
{
app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
CookieDomain = ConfigHelper.AuthCookieDomain,
SlidingExpiration = true,
ExpireTimeSpan = TimeSpan.FromHours(2)
});
//Configure OpenIDConnect, register callbacks for OpenIDConnect Notifications
app.UseOpenIdConnectAuthentication(
new OpenIdConnectAuthenticationOptions
{
ClientId = ConfigHelper.ClientId,
Authority = String.Format(CultureInfo.InvariantCulture, ConfigHelper.AadInstance, ConfigHelper.Tenant),
TokenValidationParameters = new System.IdentityModel.Tokens.TokenValidationParameters
{
RoleClaimType = ClaimTypes.Role
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
AuthenticationFailed = context =>
{
context.HandleResponse();
context.Response.Redirect("/Error/OtherError?errorDescription=" + context.Exception.Message);
return Task.FromResult(0);
},
RedirectToIdentityProvider = context =>
{
// Set the post-logout & redirect URI dynamically depending on the incoming request.
// That allows us to use the same Azure AD app for two subdomains (these two domains give different app behaviour)
var builder = new UriBuilder(context.Request.Uri);
builder.Fragment = builder.Path = builder.Query = "";
context.ProtocolMessage.PostLogoutRedirectUri = builder.ToString();
context.ProtocolMessage.RedirectUri = builder.ToString();
return Task.FromResult(0);
}
}
});
app.Use<EnrichIdentityWithAppUserClaims>();
}
}
public class EnrichIdentityWithAppUserClaims : OwinMiddleware
{
public EnrichIdentityWithAppUserClaims(OwinMiddleware next) : base(next)
{
}
public override async Task Invoke(IOwinContext context)
{
await MaybeEnrichIdentity(context);
await Next.Invoke(context);
}
private async Task MaybeEnrichIdentity(IOwinContext context)
{
ClaimsIdentity openIdUserIdentity = (ClaimsIdentity)context.Authentication.User.Identity;
string userIdentityName = openIdUserIdentity.Name;
var userManager = context.GetUserManager<AppUserManager>();
var appUser = userManager.FindByEmail(userIdentityName);
if (appUser == null)
{
Log.Error("User {name} authenticated with open ID, but unable to find matching user in store", userIdentityName);
return;
}
appUser.DateLastLogin = DateTime.Now;
IdentityResult result = await userManager.UpdateAsync(appUser);
if (result.Succeeded)
{
ClaimsIdentity appUserIdentity = await userManager.CreateIdentityAsync(appUser, DefaultAuthenticationTypes.ExternalBearer);
openIdUserIdentity.AddClaims(appUserIdentity.Claims);
}
}
}
It's quite similar to what I had originally - (note: RoleClaimType = ClaimTypesRoles not "roles") except instead of trying to deal with the user in the SecurityTokenValidated callback, I've added some custom middleware that finds a matching user (by email address) and adds the claims (app roles) from the matching app user to the authenticated user identity (OpenID identity).
Finally, I protected all controller actions with a (custom) AuthorizeAttribute (not shown here) that ensures the authenticated user at least belongs to the "User" role (if not, redirects them to a "no access" page indicating that we've authenticated them but they have no access in the system).

The OpenID auth works, however I'm not sure how to use the existing Identityuser / IdentityUserRole / RoleManager plumbing in conjunction with it.
The application is quite dependent on some custom data associated with these users so simply using the roles from Active Directory isn't an option.
For your requirement, I assume that you could build your identity server (e.g. IdentityServer3) and leverage IdentityServer3.AspNetIdentity for identity management using ASP.NET Identity.
For your web client application, you could use OpenID Connect middleware and set Authority to your custom identity server and set your pre-configured ClientId on your identity server.
Moreover, you could follow this tutorial for quickly getting started with IdentityServer3 and the full samples IdentityServer3 Samples.

How can i access a temporarily argument (password-reenter) in a Validator with PHP in TYPO3 without make an extra sql-field?

TYPO3-Version: 8.7.7
I want to access $this->request->getArguments() in a Validator for TYPO3 in PHP.
I set a temporary field in fluid with:
<label for="reenter_password" class="reenter_password{rm:hasError(property:'reenter_password',then:' text-danger')}">
Reenter Password*
</label><br>
<f:form.password name="reenter_password" id="reenter_password"/>
If i set property instead of name in <f:form.password name="reenter_password" id="reenter_password"/> i get the following Error:
#1297759968: Exception while property mapping at property path "": Property "reenter_password" was not found in target object of type "RM\RmRegistration\Domain\Model\User".
I don't want to set a Model-Property, because this property should only use for checking with the passwortfield for equality and shouldn't get a TCA or SQL-Table for Storage.
Here is my Action, where i call the Validators:
/**
* Complete New User Registeration
*
* #param User $newRegisteredUser
* #validate $newRegisteredUser \RM\RmRegistration\Validation\Validator\NewRegisteredUser
* #validate $newRegisteredUser \RM\RmRegistration\Validation\Validator\CompleteProfileUser
*/
public function completeNewRegisteredUserAction(User $newRegisteredUser)
{
// Store Changes, Update and Persist
$newRegisteredUser->setPassword($this->saltThisPassword($newRegisteredUser->getPassword()));
$this->userRepository->update($newRegisteredUser);
$this->objectManager->get('TYPO3\\CMS\\Extbase\\Persistence\\Generic\\PersistenceManager')->persistAll();
}
In the Validator i can get to the Password-Field with:
\TYPO3\CMS\Core\Utility\GeneralUtility::_POST()['tx_rmregistration_registration']['reenter_password']
But is it possible to get the Value temporary to the UserModel to check it in the Validator like this:
// Compare Entered Passwords
if ($user->getPassword() == $user->getReenteredPassword()) {
return TRUE;
} else {
return FALSE;
}

Make an own (view) model for the password verification process or give the $newRegisteredUser a (transient or not) property for the reenterd password. Then use an own validator (see here).
class UserValidator extends \TYPO3\CMS\Extbase\Validation\Validator\AbstractValidator {
/**
* Object Manager
*
* #var \TYPO3\CMS\Extbase\Object\ObjectManager
* #inject
*/
protected $objectManager;
/**
* Is valid
*
* #param mixed $user
* #return boolean
*/
public function isValid($user) {
if ($user->getPassword() !== $user->getPasswordConfirmation()) {
$error = $this->objectManager->get(
'TYPO3\CMS\Extbase\Validation\Error',
'Password and password confirmation do not match.', time());
$this->result->forProperty('passwordConfirmation')->addError($error);
return FALSE;
}
return TRUE;
}
}
And use in controller like this:
/**
* action create
*
* #param \Vendor\Ext\Domain\Model\User $user
* #validate $user \Vendor\Ext\Domain\Validator\UserValidator
*
* #return void
*/
public function createAction(\Vendor\Ext\Domain\Model\User $user) {
}

Redirect inside a service class?

I've created my own service class and I have a function inside it, handleRedirect() that's supposed to perform some minimal logical check before choosing to which route to redirect.
class LoginService
{
private $CartTable;
private $SessionCustomer;
private $Customer;
public function __construct(Container $SessionCustomer, CartTable $CartTable, Customer $Customer)
{
$this->SessionCustomer = $SessionCustomer;
$this->CartTable = $CartTable;
$this->Customer = $Customer;
$this->prepareSession();
$this->setCartOwner();
$this->handleRedirect();
}
public function prepareSession()
{
// Store user's first name
$this->SessionCustomer->offsetSet('first_name', $this->Customer->first_name);
// Store user id
$this->SessionCustomer->offsetSet('customer_id', $this->Customer->customer_id);
}
public function handleRedirect()
{
// If redirected to log in, or if previous page visited before logging in is cart page:
// Redirect to shipping_info
// Else
// Redirect to /
}
public function setCartOwner()
{
// GET USER ID FROM SESSION
$customer_id = $this->SessionCustomer->offsetGet('customer_id');
// GET CART ID FROM SESSION
$cart_id = $this->SessionCustomer->offsetGet('cart_id');
// UPDATE
$this->CartTable->updateCartCustomerId($customer_id, $cart_id);
}
}
This service is invoked in the controller after a successful login or registration. I'm not sure what's the best way to access redirect()->toRoute(); from here (or if I should do it here).
Also if you have other comments on how my code is structured please feel free to leave them.

Using plugins within your services is a bad idea as they require a controller to be set. When a service is created and you inject a plugin it has no idea of the controller instance so it will result in an error exception. If you want to redirect the user you might just edit the response object as the redirect plugin does.
Notice that I stripped the code to keep the example clear and simple.
class LoginServiceFactory implements FactoryInterface
{
public function __invoke(ContainerInterface $container, $requestedName, array $options = null)
{
return new LoginService($container->get('Application')->getMvcEvent());
}
}
class LoginService
{
/**
* #var \Zend\Mvc\MvcEvent
*/
private $event;
/**
* RedirectService constructor.
* #param \Zend\Mvc\MvcEvent $event
*/
public function __construct(\Zend\Mvc\MvcEvent $event)
{
$this->event = $event;
}
/**
* #return Response|\Zend\Stdlib\ResponseInterface
*/
public function handleRedirect()
{
// conditions check
if (true) {
$url = $this->event->getRouter()->assemble([], ['name' => 'home']);
} else {
$url = $this->event->getRouter()->assemble([], ['name' => 'cart/shipping-info']);
}
/** #var \Zend\Http\Response $response */
$response = $this->event->getResponse();
$response->getHeaders()->addHeaderLine('Location', $url);
$response->setStatusCode(302);
return $response;
}
}
Now from within your controller you can do the following:
return $loginService->handleRedirect();

How to create a user using microstrategy SDK in java (External Security Module)

My goal is to create user using microstrategy SDK and assign filters and groups to the user.
I have a java class CreateUser & SSOESM from SDK. Do I have to create a plugin of the create user class and deploy it in microstrategy intelligence server.
public class CreateUser {
public static WebIServerSession sessionInfo;
public static final String loginName = "NewUser";
public static final String password= "";
public static final String fullName= "New User";
public static final String description="New User Created Programattically";
/* The following information is required to login and manipulate the User management API */
/* iServerName is the IServer we are connecting to */
public static final String iServerName = "localhost";
/* projectName is the project name we are connecting to */
public static final String projectName = "";
/* loginName is the user name we use to login the project */
public static final String adminLoginName = "administrator";
/* loginPasswd is the password we use to login the project */
public static final String adminLoginPasswd = "";
public static void main(String[] args) {
sessionInfo = getServerSession(iServerName, projectName, adminLoginName, adminLoginPasswd);
UserBean user = null;
try {
//Instantiate a new user
user = (UserBean)BeanFactory.getInstance().newBean("UserBean");
user.setSessionInfo(sessionInfo);
user.InitAsNew();
//Fetch properties for the user
WebUser ua = (WebUser) user.getUserEntityObject();
WebStandardLoginInfo loginInfo = ua.getStandardLoginInfo();
//Set basic user information
ua.setLoginName(loginName);
ua.setFullName(fullName);
user.getObjectInfo().setDescription(description);
loginInfo.setPassword(password);
//Set other properties
Calendar cal = Calendar.getInstance();
cal.set(2012, 11, 21);
Date d = cal.getTime();
loginInfo.setPasswordExpirationDate(d); //Password expires on November 21, 2012
loginInfo.setPasswordExpirationFrequency(90); //90 days to expire
loginInfo.setPasswordExpiresAutomatically(true); //If set to false, password never expires
loginInfo.setStandardAuthAllowed(true); //The user can log in using standard auth
user.save();
} catch (WebBeanException ex) {
System.out.println("Error creating a user: " + ex.getMessage());
}
}
public static WebIServerSession getServerSession(String serverName, String Project, String loginName, String password) {
WebIServerSession sessionInfo = null;
try {
WebObjectsFactory woFact = WebObjectsFactory.getInstance();
sessionInfo = woFact.getIServerSession();
sessionInfo.setServerName(serverName);
sessionInfo.setProjectName(Project);
sessionInfo.setLogin(loginName);
sessionInfo.setPassword(password);
sessionInfo.setApplicationType(EnumDSSXMLApplicationType.DssXmlApplicationCustomApp);
//Create a new session
sessionInfo.getSessionID();
} catch (WebObjectsException ex) {
System.out.println("Error creating a sesion");
}
return sessionInfo;
}
}
My goal is when a user try to logon the user should be created on the fly using the sdk classes.

I have to create a plugin and configure the plugin to use the java class you have created as an ESM.
https://lw.microstrategy.com/msdz/MSDZ_World2015/docs/projects/WebSDK/output/HTML5/Content/topics/esm/specifying_the_custom_esm_to_use.htm
With that said its important to understand that the actions you are performing are very expensive. They may degrade the user experience if you are attempting to provide a fast SSO experience. Depending on the implementation you have it may be better to create a custom task, which can be fired when the user authenticates with the third party application. This task can perform all the actions you are describing, and then return a session state. Which can be used in any subsequent connections to MicroStrategy Web.

Custom Principal won't be propagated to EJB SessionContext on Jboss AS

In a EJB project, I need to replace the call princial name in "javax.ejb.SessionContext". I use Jboss AS 6.0 Final as the application server.
I defined a custom UserLoginModule that extends UsernamePasswordLoginModule and added a custom principal, but my custom principal won't be propagated to EJB SessionContext.
Here is some code from my custom login module:
#Override
protected Group[] getRoleSets() throws LoginException {
Group[] groups = new Group[2];
groups[0] = new SimpleGroup("Roles");
groups[0].addMember(createRoleIdentity());
Group callerPrincipal = new SimpleGroup("CallerPrincipal");
callerPrincipal.addMember(createIdentity(this.getUsername()));
groups[1] = callerPrincipal;
subject.getPrincipals().add(callerPrincipal);
return groups;
}
#Override
protected Principal createIdentity(String username) throws LoginException {
return new MyCustomPrincipal(username);
}
}
My custom login module works well, but the caller principal I get from "javax.ejb.SessionContext" is still SimplePrincipal.
It turned out that there is a Jobss bug: EJBContext.getCallerPrincipal() is not returning custom principal https://issues.jboss.org/browse/JBAS-8427
And a related topic: http://community.jboss.org/thread/44388.
I wonder if you have some experiences on this and is it safe to replace the default principal Jboss creates? Are ther any side effects?

With the help of my team, I got a solution, hope this can be helpful to those who have the same problem.
Instead of "sessionContext.getCallerPrincipal()"
Use the following to get the custom principal:
try {
Subject subject = (Subject) PolicyContext.getContext("javax.security.auth.Subject.container");
Set<Group> subjectGroups = subject.getPrincipals(Group.class);
Iterator<Group> iter = subjectGroups.iterator();
while (iter.hasNext()) {
Group group = iter.next();
String name = group.getName();
if (name.equals("CallerPrincipal")) {
Enumeration<? extends Principal> members = group.members();
if (members.hasMoreElements()) {
Principal principal = (Principal) members.nextElement();
return principal;
}
}
}
}
} catch (PolicyContextException e1) {
...
}