Cross-domain authentication ASP.net MVC

后端 未结 6 626
刺人心
刺人心 2021-02-04 12:00

I have two different web application built with ASP.net MVC. This two application may not be running in the same server nor in the same domain.

I would like that if a us

相关标签:
6条回答
  • 2021-02-04 12:40

    I think what you are after is CAS (Central Authentication Service) https://en.wikipedia.org/wiki/Central_Authentication_Service

    there are numbers of CAS provider available. I would recommend you to check this out https://wiki.jasig.org/display/CAS/Home

    it will give you number of out-of-the-box solutions exist to enable web services written in a specific language, or based on a framework, to use CAS. This will help you implement a SSO solution in a matter of hours

    0 讨论(0)
  • 2021-02-04 12:41

    My Answer may not be the the best one, However you can use some tricky mechanism like

    1. whenever you are going on another application you need to pass one token from application A to B.
    2. Validate this token on B site.
    3. and Authorized that user based on token. (i mean apply silent or backdoor login)
    0 讨论(0)
  • 2021-02-04 12:41

    Thanks to the answer of @Kaushik Thanki I have implemented some code that fix my problem. I will post here the solution that it works for me, even if it is not the optimus.

    First of all, I have implemented in A a method to make a Post request to B. Inside this method I take the id of the user and I make a hash of it with some other parameter and passwords. Then, I send to B the user id, the hash, and a boolean to choose between login and logout.

    private void SendPostRequest(bool login)
            {
                // Create the combine string
                string data = // userId combined with more stuff
    
                // Create the hash of the combine string
                HashAlgorithm algorithm = MD5.Create();
                byte[] hash = algorithm.ComputeHash(Encoding.UTF8.GetBytes(data));
                StringBuilder sb = new StringBuilder();
                foreach (byte b in hash)
                    sb.Append(b.ToString("X2"));
    
                string encriptedData = sb.ToString();
    
                // Fill the url with the path and the data
                string url = "http://localhost/xxx/yyy/ExternalAuthentication/Login?id=" + _cachedCustomer.Id + "&hash=" + encriptedData + "&login=" + login.ToString();
    
                // Make the Post request
                HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url);
                HttpWebResponse response = (HttpWebResponse)request.GetResponse();
                Stream resStream = response.GetResponseStream();
            }
    

    After it, I have created in B a new class to handle the login logic. I have use a HttpContext.Current.Application variable to store the status of the authentication:

    public class ExternalAuthenticationController : Controller
            {
    
                public ActionResult Index()
                {
                    return View();
                }
    
                public ActionResult Login(string id, string hash, string login)
                {
                   // Create the combine string
                   string data = //user id + same stuff than in A;
    
                   // Create the hash of the combine string
                   HashAlgorithm algorithm = MD5.Create();
                   byte[] hashArray =    algorithm.ComputeHash(Encoding.UTF8.GetBytes(data));
                   StringBuilder sb = new StringBuilder();
                   foreach (byte b in hashArray)
                      sb.Append(b.ToString("X2"));
                   string originalHash = sb.ToString();
    
                   // Compare the two hash. If they are the same, create the variable
                   if (hash.CompareTo(originalHash) == 0)
                   {
    
                   if (System.Web.HttpContext.Current.Application["Auth"] == null)
                   {
                       System.Web.HttpContext.Current.Application["Auth"] = false;
                   }
    
                   if (Convert.ToBoolean(login))
                   {
                       System.Web.HttpContext.Current.Application["Auth"] = true;
                   }
    
                  else
                  {
                      System.Web.HttpContext.Current.Application["Auth"] = false;
                  }
                 }
             }
    

    Probably, the answer provided by @vijay shiyani is better and more generalistic, but from my point of view it requires a lot of time to implement it.

    0 讨论(0)
  • 2021-02-04 12:46

    I assume you cannot communicate between applications A and B using any shared store. (This could allow some shared session implementation).

    The more industry standard way (OpenID Connect) of doing that is like some of the other answers have hinted at. I will try and give more details to get you on the right track.

    Both application A and B should relay the authentication process to a trusted 3rd party (which could be hosted in withe A, B or a different application altogether) - Let's call it C

    When the user arrives at either A or B (no matter that B has weird complicated URLs, she can always bookmark those) his request should contain an authorization token. If it doesn't, she is not authenticated and would be redirected to C and presented with some login mechanism - say user/pass form.

    After successful login, she is redirected back to A/B (depending on where she came from) to complete what ever she was doing with the authentication token. Now, having the authentication token present she is authenticated.

    If she is authenticated with A and then redirected to B, this redirect should contain the token as well, B would know how to trust that token.

    Now, If he just opens opens up a new tab, B would not see any token, and so she would be redirected to C, only to be redirected back (she is already authenticated, remember?) to B with the token, and now all is good.

    What I described is a common flow using OpenID connect, and if using .net, I really suggest using IdentityServer from Thinktecture to do the hard work for you and be your "C".

    Another option, is to pay for such "C" hosted as a SaaS application - check out Auth0

    0 讨论(0)
  • 2021-02-04 12:46

    You can implement OAuth in A Project. You can get more help here: http://www.openauthentication.org/about

    0 讨论(0)
  • 2021-02-04 12:49

    OWIN OAuth 2.0 Authorization Server http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server

    0 讨论(0)
提交回复
热议问题