Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How would authentication and authorization be implemented using RavenDb in an MVC app?

While I'm well used to using the standard ASP.Net Membership Provider for new MVC web applications, I've been getting a kick out of using RavenDb lately but I still don't believe I have a grasp on the best practice for implementing user authentication and role authorisation.

The code I have replaced my Register and Logon methods with in the AccountController looks like the following:

[HttpPost]
public ActionResult Register(RegisterModel model)
{
    if (ModelState.IsValid)
    {
    using (IDocumentSession Session = DataDocumentStore.Instance.OpenSession())
    {
        Session.Store(new AuthenticationUser
        {
            Name = Email,
            Id = String.Format("Raven/Users/{0}", Name),
            AllowedDatabases = new[] { "*" }
        }.SetPassword(Password));
        Session.SaveChanges();
        FormsAuthentication.SetAuthCookie(model.UserName, createPersistentCookie: false);
        // ...etc. etc.


    [HttpPost]
    public JsonResult JsonLogOn(LogOnModel model, string returnUrl)
    {
        if (ModelState.IsValid)
        {
            using (IDocumentSession Session = DataDocumentStore.Instance.OpenSession())
            {
                book Ok = Session.Load<AuthenticationUser>(String.Format("Raven/Users/{0}", Username)).ValidatePassword(Password);
                FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
                // etc...

I've seen the RavenDb Membership Provider code that a number of people have referenced in similar posts or questions, but there also seems to be a number of people who consider this to be over the top and leveraging an inefficient API for a data store that doesn't need most of what's provided within it.

So what is the best architectural / design strategy for RavenDb authentication (not for OAuth, but Forms Authentication) and am I barking up the right tree?

like image 527
Phil.Wheeler Avatar asked Jun 30 '12 12:06

Phil.Wheeler


People also ask

How does authentication and authorization work in asp net?

Authentication is knowing the identity of the user. For example, Alice logs in with her username and password, and the server uses the password to authenticate Alice. Authorization is deciding whether a user is allowed to perform an action. For example, Alice has permission to get a resource but not create a resource.

What is the difference between authentication and authorization in MVC?

In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to.

What is difference between authentication and authorization in asp net core?

Authentication is the process of determining a user's identity. Authorization is the process of determining whether a user has access to a resource. In ASP.NET Core, authentication is handled by the authentication service, IAuthenticationService, which is used by authentication middleware.


1 Answers

I think there are a few parts to this problem. First, from the MVC project's perspective, you really want to use something that will work with the AuthorizationAttribute. This actually does not require using a MembershipProvider per se, but rather stuffing an appropriate IPrincipal into HttpContext.Current.User as that is what those attributes look at to authorize things.

From a HTTP perspective, taking advantage of the existing forms authentication infrastructure also makes a ton of sense -- it solves most of the sticky security issues you really should not solve yourself and it is very flexible in terms of working with what you provide.

From there you get to the gist of the question -- how you want to back your authentication system from a data perspective. I think that is a very tactical call -- some apps it might make sense to just use a MembershipProvider style model. But if I had an app that was very user centric where I was storing lots of user data I would probably consider rolling a custom user store based around my requirements. If you are using the Authentication bundle you could glom onto that to some extent as well. But I don't think there is a hard and fast rule at this point -- do what makes sense for your app.

One thing you should not do is use the AuthenticationUser like above -- that is meant for database system users. In SQL Server terms that would be like making every user in your app a SQL user and then authenticating against that. Which is how some old intranet products used to work but the world has moved past that now.

like image 134
Wyatt Barnett Avatar answered Oct 04 '22 16:10

Wyatt Barnett