Last post Jun 05, 2020 09:22 AM by Erik1988
Jun 04, 2020 08:20 AM|Erik1988|LINK
Hello, I'm new around here.
I'm looking at making a .NET Core web app for my workplace. The idea is that the users have to be authorized by our organizational Azure Active Directory (AD) single sign-on.
I did a quick test by making an app that has "Work or School Account" authentication and it worked surprisingly well. When running the app it requires the login and all that.
However, I would also like to have roles inside the app, and these roles are stored in the app, not in AD. I also want to be able to see when a specific user has logged in, etc. The function of these roles is to differentiate access among the users, such as Admin, Manager, etc. So there will be pages that are only accessed by certain roles. So I need to know who the current user is and then compare it to a table that holds their email and permission group. Perhaps fetching this when the user logs in and storing it in a variable for faster access.
I was thinking of making a system that takes the email from the currently logged-in user and looks up the email in a table that holds the roles. But then I would also need to build a system to check if a user has this access on every page. So maybe there is a simpler way of doing this, or maybe even a built-in framework that I can use to do these things. I'm trying to find an easy way to do this; it does not need too many features beyond this.
So in short AD is used to authenticate the users (only users from our org will be able to access), but the app will hold some additional information on this user, such as permission.
I also wonder how the best way to get the user email from a logged-in user is, I noticed that using @User.Identity.Name shows an email, but is it reliable?
As a test, I tried creating a static method to fetch this information, but it seems to be very slow and sometimes it shows up empty.
using System.DirectoryServices.AccountManagement;

public static string getEmail()
{
    // Body reconstructed from the reply below: this reads the account the
    // process itself runs under, which is why it is slow and sometimes empty.
    return UserPrincipal.Current.EmailAddress;
}
Does anyone have any ideas on how the best way to proceed?
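The built-in mechanism the question is asking for is claims-based authorization: ASP.NET Core lets you enrich the signed-in principal once per request through IClaimsTransformation, after which the standard [Authorize(Roles = "...")] attribute does the per-page check for you. The example below is added here and is not code from the thread; it assumes an ASP.NET Core 3.1 app with the "Work or School Account" (Azure AD) sign-in already working, and the role table, interface and class names (IAppRoleStore, InMemoryAppRoleStore, AppRoleClaimsTransformation) are hypothetical. It keys the lookup on the Azure AD object id (oid) rather than on the email-like value, because preferred_username is a mutable display value, not a verified mailbox, and can change for the same account.

```csharp
// Added example, not from the original thread. Hypothetical names throughout.
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.DependencyInjection;

// App-owned role table: Azure AD authenticates, the app decides what the user may do.
public interface IAppRoleStore
{
    Task<IReadOnlyList<string>> GetRolesAsync(string objectId);
}

// Constructed stand-in for the real database table. Keyed by the AAD object id
// (stable for the account), not by email (mutable).
public class InMemoryAppRoleStore : IAppRoleStore
{
    private static readonly Dictionary<string, string[]> Table = new Dictionary<string, string[]>
    {
        // constructed sample rows
        ["11111111-1111-1111-1111-111111111111"] = new[] { "Admin" },
        ["22222222-2222-2222-2222-222222222222"] = new[] { "Manager" },
    };

    public Task<IReadOnlyList<string>> GetRolesAsync(string objectId)
    {
        IReadOnlyList<string> roles = Table.TryGetValue(objectId, out var r) ? r : new string[0];
        return Task.FromResult(roles);
    }
}

// Runs on every authenticated request and adds role claims from the app table.
public class AppRoleClaimsTransformation : IClaimsTransformation
{
    private const string AppliedMarker = "urn:example:app_roles_applied"; // hypothetical claim type
    private readonly IAppRoleStore _store;

    public AppRoleClaimsTransformation(IAppRoleStore store) => _store = store;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        if (principal.Identity?.IsAuthenticated != true) return principal;
        // TransformAsync can be invoked more than once per request; stay idempotent.
        if (principal.HasClaim(c => c.Type == AppliedMarker)) return principal;

        // Assumption: the OIDC handler maps "oid" to the long claim type; fall back to the raw name.
        var oid = principal.FindFirst("http://schemas.microsoft.com/identity/claims/objectidentifier")?.Value
                  ?? principal.FindFirst("oid")?.Value;
        if (string.IsNullOrEmpty(oid)) return principal; // no stable key: grant nothing

        var roles = await _store.GetRolesAsync(oid);

        // Do not mutate the incoming principal; add a second identity that carries the app roles.
        var appIdentity = new ClaimsIdentity(); // default RoleClaimType is ClaimTypes.Role
        foreach (var role in roles)
            appIdentity.AddClaim(new Claim(ClaimTypes.Role, role));
        appIdentity.AddClaim(new Claim(AppliedMarker, "1"));

        var enriched = principal.Clone();
        enriched.AddIdentity(appIdentity);
        return enriched;
    }
}

// Startup.ConfigureServices: register the table and the transformation.
public static class AppRoleRegistration
{
    public static void AddAppRoles(this IServiceCollection services)
    {
        services.AddSingleton<IAppRoleStore, InMemoryAppRoleStore>();
        services.AddTransient<IClaimsTransformation, AppRoleClaimsTransformation>();
    }
}

// A page restricted to one app role; no per-page lookup code needed.
[Authorize(Roles = "Admin")]
public class AdminModel : PageModel
{
    public void OnGet() { }
}
```

With this in place, User.IsInRole("Admin") and [Authorize(Roles = "Admin")] both work off the added claims, and an unknown object id simply gets no roles, so a new employee who can sign in to the tenant still cannot reach restricted pages until a row exists for them.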
Jun 04, 2020 01:52 PM|PatriceSc|LINK
UserPrincipal.Current.EmailAddress is querying your local AD. Also, this is the account under which your code runs, which is not always the same as the currently connected user (it's common to see a developer for whom it works as VS runs under their account and then it fails once deployed on a real web server running the code under an application pool account).
Do you have an "Individual User Account" template? Try this one and have a look at the underlying code. According to https://docs.microsoft.com/en-us/aspnet/core/security/authentication/social/?view=aspnetcore-3.1&tabs=visual-studio it
seems to match what we had in VS 2013 or later.
It's more complex, but with this one, Azure AD authentication is done in "passive mode" and this authentication information is then linked by the app to its own local https://docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/introduction-to-aspnet-identity#aspnet-identity system
(i.e. a "user profile" loaded from a local database that could handle authentication as well). It could also allow the use of multiple identity providers while still being recognized as the same user.
Seems you could use that or something in between. I saw that with ASP.NET 4.x but still have to look if similar in ASP.NET Core.
Edit: hummm both interesting and harder. It seems to match what we had but at the same time it is harder to understand because it seems to rely on a UI library provided by ASP.NET Core coming from https://github.com/aspnet/Identity/blob/master/src/UI/Areas/Identity/Pages/V4/Account/ExternalLogin.cshtml.cs
OnGetCallbackAsync should be where Azure AD is directing the user. This is where the app will lookup the user in its local db to sign him in. From this point authentication was done by Azure AD but the whole "user profile" is loaded from the db.
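The callback step described above, as an added example that is not from the thread and not the Identity UI package's own ExternalLogin.cshtml.cs: a trimmed OnGetCallbackAsync that links the Azure AD sign-in to a local ASP.NET Core Identity user and, on first visit, provisions that user automatically instead of showing a registration form. It assumes the default IdentityUser/IdentityRole types with roles enabled (AddRoles<IdentityRole>()), a "User" role that already exists, and a configured tenant id injected as TenantId (hypothetical option name); the tenant check is an assumption-labelled defence-in-depth step, since the app should only ever accept accounts from its own tenant.

```csharp
// Added example, not from the original thread or the Identity UI package.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Logging;

public class ExternalLoginModel : PageModel
{
    private readonly SignInManager<IdentityUser> _signInManager;
    private readonly UserManager<IdentityUser> _userManager;
    private readonly ILogger<ExternalLoginModel> _logger;
    private readonly string _tenantId; // hypothetical: the org's AAD tenant id from configuration

    public ExternalLoginModel(SignInManager<IdentityUser> signInManager,
                              UserManager<IdentityUser> userManager,
                              ILogger<ExternalLoginModel> logger,
                              string tenantId)
    {
        _signInManager = signInManager;
        _userManager = userManager;
        _logger = logger;
        _tenantId = tenantId;
    }

    public async Task<IActionResult> OnGetCallbackAsync(string returnUrl = null, string remoteError = null)
    {
        returnUrl = returnUrl ?? Url.Content("~/");
        if (remoteError != null)
            return RedirectToPage("./Login", new { ReturnUrl = returnUrl });

        var info = await _signInManager.GetExternalLoginInfoAsync();
        if (info == null)
            return RedirectToPage("./Login", new { ReturnUrl = returnUrl });

        // Assumption: "tid" is mapped to the long claim type; fall back to the raw name.
        var tid = info.Principal.FindFirst("http://schemas.microsoft.com/identity/claims/tenantid")?.Value
                  ?? info.Principal.FindFirst("tid")?.Value;
        if (!string.Equals(tid, _tenantId, StringComparison.OrdinalIgnoreCase))
        {
            _logger.LogWarning("Rejected sign-in from foreign tenant {Tenant}", tid);
            return Forbid();
        }

        // Returning user: the provider key (stable subject id) is already linked to a local profile.
        var result = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (result.Succeeded)
        {
            // This is the "see when a user logged in" hook: log the stable key, not the display email.
            _logger.LogInformation("User {Key} signed in via {Provider}", info.ProviderKey, info.LoginProvider);
            return LocalRedirect(returnUrl);
        }
        if (result.IsLockedOut)
            return RedirectToPage("./Lockout");

        // First visit: create the local profile with no password, so AAD stays the only way in.
        var email = info.Principal.FindFirstValue(ClaimTypes.Email)
                    ?? info.Principal.FindFirstValue("preferred_username");
        if (string.IsNullOrEmpty(email))
            return RedirectToPage("./Login", new { ReturnUrl = returnUrl });

        var user = new IdentityUser { UserName = email, Email = email, EmailConfirmed = true };
        var create = await _userManager.CreateAsync(user);
        if (!create.Succeeded)
        {
            _logger.LogError("Could not provision {Email}: {Errors}", email, string.Join("; ", create.Errors));
            return RedirectToPage("./Login", new { ReturnUrl = returnUrl });
        }

        await _userManager.AddLoginAsync(user, info);
        await _userManager.AddToRoleAsync(user, "User"); // least privilege; Admin/Manager are granted later by an admin
        await _signInManager.SignInAsync(user, isPersistent: false, info.LoginProvider);
        _logger.LogInformation("Provisioned and signed in new user {Email}", email);
        return LocalRedirect(returnUrl);
    }
}
```

Because the user is created without a password and only ever signed in through ExternalLoginSignInAsync or SignInAsync after the AAD callback, removing the local registration UI (as the original poster did) is enough to keep Azure AD as the single authentication path, while roles live in the Identity role tables and are enforced by [Authorize(Roles = "...")] as usual.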
Jun 04, 2020 02:21 PM|Erik1988|LINK
Thank you for the clarification on UserPrincipal; this could have caused me some headaches. Is there a way that will always provide the email address of the current user? @user.identity.name currently gives me the email, but I'm not sure if that is always going to be the case, or if there is a better way of doing that.
I have been testing out the template that I get from selecting "Work or School Account" authentication from the wizard. I like this one since it only took a few minutes to get it to work, and it does not create lots of classes that I don't need. If I have a reliable way of reading the email of the current user, then I think I can work with that to look up and match against a separate list of emails and permissions. It may not be that elegant, but if it works then that would do.
Thank you for the links I will read up on those.
Jun 05, 2020 09:22 AM|Erik1988|LINK
I ended up adding the individual identity option with the support to login with Azure AD, then I removed the UI for registering manually.