DPS907 notes – Thu Nov 20

More RPC Services (aka SOAP XML web services). An introduction to claims. Upgrading the Authorization Server to support claims.

.

Continue studying RPC Services (aka SOAP XML web services)

Questions?

.

Assignment 2 discussion

We can/may discuss.

The new ideas that must be in Assignment 2 are:

  • Security that uses claims for access control
  • Adds a selection of RPC Services (aka SOAP XML web services) to the base project

.

Your professor has reviewed the comments that you provided on the recent survey. Therefore, for your Assignment 2, you can:

  1. Use your idea, and implement a web service
  2. Extend the work you did on Assignment 1, with the new topics
  3. Or anything else that is reasonable

.

An introduction to claims

What is a claim? An often-used definition:

A claim is a statement that one subject makes about itself or another subject.

Therefore, a statement is descriptive information about a subject.

A subject is a participant in the lifetime of an application. A subject could be a human user, or a corporate body, or a programmable object (e.g. a security provider).

.

Claim examples

What does a claim (statement) look like?

Here are some examples. For these examples, assume that the subject is a user (and your professor), Peter McIntyre.

The user name is pmcintyr.
username = “pmcintyr”

The user’s full (readable) name (e.g. first name, and last name) is Peter McIntyre.
name = “Peter McIntyre”

The user’s birth date is May 15, 1980 (yeah, right).
dateofbirth = “1980-05-15”

The user’s email address is peter.mcintyre@senecacollege.ca.
email = “peter.mcintyre@senecacollege.ca”

The user’s roles are: employee, faculty, coordinator.
role = “employee”
role = “faculty”
role = “coordinator”

Custom claim example:
The user’s driver’s license number is M12345809515.
driverlicense = “M12345809515”

Custom claim example:
Is an administrator of the course outline system.
courseoutlinesystem = “administrator”

etc.

.

Claims management and issuance

While a claim is a statement about a subject, claims are managed and issued by an identity authority (like our Authorization Server app).

Then, a claim can be used by an application to authorize a user to access resources and/or perform tasks.

For our web service apps, claims are packaged in an access token, after a human or programmatic user successfully authenticates. Therefore, the result of a successful authentication is a token that (among other data) includes claims.

Our web service apps must trust the identity authority. (That is done by sharing a cryptographically-strong ‘machine key’ value among the identity authority and your apps. When you run both apps on localhost, the value is automatically shared. However, if you deploy these to a public host, you may (or will) have to configure this value. Otherwise, authorization actions in your web service app will not work.)

.

Separating your app from the identity authority

In this course, you have learned to use a separate Authorization Server (AS) as an identity authority.

The big benefit of this approach is that we do not need authentication logic in our web service app(s):

  • Authentication is done by an ‘identity authority’
  • The identity authority issues an access token to the user
  • The app(s) simply use the claims that are included in the user’s access token

.

Learn more about this topic theme

Wikipedia article on claims-based identity

MSDN article on Claims-Based Identity Term Definitions

ASP.NET Identity: ClaimType Fields

ASP.NET Identity: How to: Create a Custom Claim

.

Editing the Authorization Server to support claims

An updated version of the Authorization Server (AS) has been posted to the GitHub code example repository, and to the My.Seneca/Blackboard “Assignments” area. You can edit your existing AS by following the procedure below, or you can replace your existing AS with the updated version.

.

Overview of the procedure

We need to edit the Account controller’s Register method. After a new user is created, we must add one or more claims.

What claims? Well, you can 1) hard-code the claim, or 2) provide a user interface for someone to enter the claim.

Hard-code the claim:

Easiest.

However, not flexible or scalable.

Provide a user interface:

Requires more thought, planning, and code.

However, flexible enough to meet the needs of many apps.

.

The second procedure will be followed. The new AS has a very simple user interface to enable claims entry. Let’s start there:

.

Edit the Register view, view model, and controller method

Study the updated Register view (the register-view screenshot, at the right). (Click to open it full size, in a new window/tab.)

It has four new data-entry fields, two name-related, and two role-related.

As you will remember, making changes requires edits of the view (cshtml), the view model class, and the controller method.

It’s probably easiest to start with the view model class. RegisterViewModel is in the Models > AccountViewModels.cs source code file.

Four new string properties were added:

  • GivenName (required)
  • Surname (required)
  • Role1
  • Role2

Next, edit the view. Register.cshtml is in the Views > Account folder.

Add the new HTML form elements.

At this point in time, the user interface and user-entered data components are done. Edit the Register (POST) method in the AccountController.cs source code file.

After the existing code successfully creates the new user, add some claims, as suggested below:


// ############################################################
// New code added on November 21, 2014

// Add claims
await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Email, model.Email));
await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.GivenName, model.GivenName));
await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Surname, model.Surname));
await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Role, "User"));

if (!string.IsNullOrEmpty(model.Role1))
{
    await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Role, model.Role1.Trim()));
}

if (!string.IsNullOrEmpty(model.Role2))
{
    await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Role, model.Role2.Trim()));
}

// ############################################################

.

Other notable changes in version 2 of the AS

How do you create an ‘administrator’ user, as the first user in a newly-deployed AS?

One suggested way is to use the code in the updated Login method (in the account controller). It simply checks whether the user account store is empty, and if it is, it creates a new admin-level user.


// GET: /Account/Login
[AllowAnonymous]
public async Task<ActionResult> Login(string returnUrl)
{
    // ############################################################
    // New code added on November 21, 2014
    // Its purpose is to create a new 'admin' user (with a password of 'Password123!')
    // the first time that the login view/page appears
    // The method's signature was also changed to run asynchronously

    if (UserManager.Users.Count() == 0)
    {
        var user = new ApplicationUser { UserName = "admin@example.com", Email = "admin@example.com" };
        var result = await UserManager.CreateAsync(user, "Password123!");

        // Add claims, but only if the account was actually created;
        // otherwise the claims would be attached to a user that does not exist
        if (result.Succeeded)
        {
            await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Email, "admin@example.com"));
            await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Role, "Admin"));
            await UserManager.AddClaimAsync(user.Id, new Claim(ClaimTypes.Name, "Authorization Server Administrator"));
        }
    }

    // End of new code block
    // ############################################################

    ViewBag.ReturnUrl = returnUrl;
    return View();
}

.

The controller’s “Index” method was updated, to display some simply-formatted data about the authenticated user.

A new “Details” method and view were created, to display some of the same data in a different format. Both are shown below; click to view full size in a new window/tab. Study the source code to learn how to work with claims.
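As an added example (not the AS code from the course repository), the following shows how a separate web service app works with the claims the identity authority packaged in the access token: it lists them like the Details view does, and it uses the role claims for access control, which is the Assignment 2 requirement. It assumes an ASP.NET Web API 2 project already configured to accept the AS’s bearer tokens; the controller name, routes and the hypothetical ClaimDto class are the example’s own.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Web.Http;

namespace ResourceApp.Controllers
{
    // Hypothetical transfer object for one claim (type/value pair)
    public class ClaimDto
    {
        public string Type { get; set; }
        public string Value { get; set; }
    }

    // Any authenticated user may call this controller; authentication itself
    // was done by the AS, this app only reads the claims in the bearer token
    [Authorize]
    [RoutePrefix("api/me")]
    public class MeController : ApiController
    {
        // GET api/me/claims - every claim the identity authority put in the token
        [Route("claims")]
        public IEnumerable<ClaimDto> GetClaims()
        {
            var identity = User.Identity as ClaimsIdentity;
            if (identity == null) return Enumerable.Empty<ClaimDto>();
            return identity.Claims.Select(c => new ClaimDto { Type = c.Type, Value = c.Value });
        }

        // GET api/me/roles - only the role claims (e.g. "User", "faculty"),
        // i.e. the values added with ClaimTypes.Role in the AS Register method
        [Route("roles")]
        public IEnumerable<string> GetRoles()
        {
            var identity = (ClaimsIdentity)User.Identity;
            return identity.FindAll(ClaimTypes.Role).Select(c => c.Value);
        }

        // GET api/me/admin-only - access control by a role claim; the framework
        // compares the Roles value against the token's ClaimTypes.Role claims
        [Route("admin-only")]
        [Authorize(Roles = "Admin")]
        public IHttpActionResult GetAdminOnly()
        {
            var identity = (ClaimsIdentity)User.Identity;
            // A custom claim (the "courseoutlinesystem" example above) is checked by hand
            var isOutlineAdmin = identity.HasClaim("courseoutlinesystem", "administrator");
            return Ok(new { user = identity.Name, outlineAdmin = isOutlineAdmin });
        }
    }
}
```

A request without a valid bearer token gets 401 from the [Authorize] filter; a token without an "Admin" role claim gets 403 on api/me/admin-only.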

.

(Screenshots: index-view, details-view)

.
