
Use [Authorize] Attribute Without Identity?

I've looked around to try and find an answer to my specific question. I'm basically using an external library to check if a user is authorized within our domain via username and password.

var authenticatedUser = ECNSecurity.SecurityChecker.AuthenticateUser(model.Username, model.Password);

Returns true or false whether the user is or is not. I'd like to be able to use the [Authorize] attribute on some of my controller methods. Is it possible to do this without using Identity? Or would I need to get Identity and create my own user which inherits the Identity UserModel? Then when I mark that user as authenticated, somehow, the [Authorize] attribute will be picked up?

I am watching tutorials and reading but I do have a more specific kind of use case for this that I can't find a direct answer for. Excuse my inexperience in this security/authorize area if I'm asking something too silly. Maybe what I'm failing to realize is that the [Authorize] attribute will only work with Identity users.

Any input would be much appreciated. Thank you.

Daniel Jackson asked Nov 30 '17 17:11


2 Answers

You do not need ASP.NET Identity if you just want the Authorize filter to work.

You just need OWIN Cookie Middleware in ASP.NET MVC. You could also add claims such as username, if you want.

Here are the few steps you need:

Startup.cs

Configure OWIN Cookie Middleware at startup.

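using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(YourApplication.Startup))]
namespace YourApplication
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Issues and validates the authentication cookie that [Authorize] relies on.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "ApplicationCookie",
                // Unauthenticated requests to protected actions are redirected here.
                LoginPath = new PathString("/Account/Login")
            });
        }
    }
}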

OwinAuthenticationService

using System.Collections.Generic;
using System.Security.Claims;
using System.Web;
using Microsoft.Owin;
using Microsoft.Owin.Security;

// IAuthenticationService and User are the application's own types.
public class OwinAuthenticationService : IAuthenticationService
{
    private readonly HttpContextBase _context;
    // Must match the AuthenticationType configured in Startup.cs.
    private const string AuthenticationType = "ApplicationCookie";

    public OwinAuthenticationService(HttpContextBase context)
    {
        _context = context;
    }

    public void SignIn(User user)
    {
        // Claims stored in the cookie; ClaimTypes.Name becomes User.Identity.Name.
        IList<Claim> claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user.UserName),
            new Claim(ClaimTypes.GivenName, user.FirstName),
            new Claim(ClaimTypes.Surname, user.LastName),
        };

        ClaimsIdentity identity = new ClaimsIdentity(claims, AuthenticationType);

        IOwinContext context = _context.Request.GetOwinContext();
        IAuthenticationManager authenticationManager = context.Authentication;

        // Writes the authentication cookie to the response.
        authenticationManager.SignIn(identity);
    }

    public void SignOut()
    {
        IOwinContext context = _context.Request.GetOwinContext();
        IAuthenticationManager authenticationManager = context.Authentication;

        // Clears the authentication cookie.
        authenticationManager.SignOut(AuthenticationType);
    }
}

You can look at my working sample project at GitHub.

Win answered Oct 22 '22 22:10


To authorize with cookies in the .NET Framework versions of MVC, you can simply use the following:

FormsAuthentication.SetAuthCookie(UserName, remember);

remember is a boolean that is equivalent to "remember me" option.

Check my answer here for more info on the setup if needed: How to hide Login fields from the logged user

Neville Nazerane answered Oct 22 '22 21:10