I have a Web API (.NET 4.6) which authenticates my users using FederatedAuthentication (System.IdentityModel.Services), and now I am trying to port it to an ASP.NET Core 2.2 Web API.
Here is my existing code to generate the FedAuth token cookie:
1. AuthController.cs
    //... Create new Identity and Claims Principal.
    ClaimsIdentity claimsIdentity = new ClaimsIdentity(User.Identity);
    ClaimsPrincipal claimsPrincipal = new ClaimsPrincipal(claimsIdentity);
    claimsIdentity.AddClaims(__getClaims());
    claimsPrincipal.AddIdentity(claimsIdentity);

    //... Create a new Session Security Token.
    var token = FederatedAuthentication.SessionAuthenticationModule.CreateSessionSecurityToken(
        claimsPrincipal, "MyAPP", DateTime.UtcNow, DateTime.UtcNow.AddMinutes(expirationTime), false);

    //... Write a cookie.
    FederatedAuthentication.SessionAuthenticationModule.AuthenticateSessionSecurityToken(token, true);
And in the Web.config:
    <configSections>
      <!--WIF 4.5 sections -->
      <section name="system.identityModel" type="System.IdentityModel.Configuration.SystemIdentityModelSection, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
      <section name="system.identityModel.services" type="System.IdentityModel.Services.Configuration.SystemIdentityModelServicesSection, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=B77A5C561934E089" />
    </configSections>
    <modules>
      <add name="SessionAuthenticationModule" type="System.IdentityModel.Services.SessionAuthenticationModule, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
    </modules>
    <system.identityModel>
      <identityConfiguration>
        <securityTokenHandlers>
          <remove type="System.IdentityModel.Tokens.SessionSecurityTokenHandler, System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
          <add type="System.IdentityModel.Services.Tokens.MachineKeySessionSecurityTokenHandler, System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" />
        </securityTokenHandlers>
      </identityConfiguration>
    </system.identityModel>
Since Claims Identity and Claims Principal are used by all of my relying applications, I want to continue using the same in ASP.NET Core too.
So my question is: what is the way to create a session security token (cookie) with a claims identity in an ASP.NET Core Web API?
Thanks a lot!!
I believe I got what I was looking for. Here are two good articles I found to start with:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie?view=aspnetcore-2.2
https://jonhilton.net/2017/10/11/secure-your-asp.net-core-2.0-api-part-1-issuing-a-jwt/
EDIT: The second link was updated by its author, which resulted in a 404 error. I found the working link and updated it here.
NOTE: The reason I have posted only links here to answer my own question is that they are long articles and have to be read at length to understand the subject.
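
For reference, this is roughly what the cookie-based sign-in covered by the first linked article looks like in ASP.NET Core 2.2, with the cookie hardened for an API. It is an added example, not code from the original post or the linked articles; the cookie name, route, claim value and 20-minute lifetime are assumptions, and the credential check is omitted.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
public static class SessionCookieSetup
{
    // Call from Startup.ConfigureServices; Configure must call app.UseAuthentication() before app.UseMvc().
    public static void AddSessionCookie(this IServiceCollection services)
    {
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.Cookie.Name = "MyApp.Session";                    // hypothetical name
                options.Cookie.HttpOnly = true;                           // not readable from script
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // HTTPS only
                options.Cookie.SameSite = SameSiteMode.Lax;
                // An API should answer 401 rather than redirect to a login page.
                options.Events.OnRedirectToLogin = ctx =>
                {
                    ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    return Task.CompletedTask;
                };
            });
    }
}

[Route("api/[controller]")]
public class AuthController : ControllerBase
{
    [HttpPost("login")]
    public async Task<IActionResult> Login()
    {
        // Constructed claim; in the question the claims come from __getClaims().
        var claims = new List<Claim> { new Claim(ClaimTypes.Name, "constructed-user") };
        // Passing an authentication type is what makes IsAuthenticated true.
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        var principal = new ClaimsPrincipal(identity);
        // Session cookie (not persistent) with an assumed 20-minute ticket lifetime.
        var props = new AuthenticationProperties { IsPersistent = false, ExpiresUtc = DateTimeOffset.UtcNow.AddMinutes(20) };
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, props);
        return Ok();
    }
}
```

The cookie payload is protected by ASP.NET Core Data Protection rather than the machineKey handler configured in Web.config, so it is not interchangeable with existing FedAuth cookies.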