Welcome Guest | My Membership | Login

Using OWIN Security with MultiValue Data - Part 1


Article

OWIN is the latest framework that .NET developers are using to build ASP.NET applications. OWIN's Identity framework is an evolution of the ASP.NET 2.0 membership system which has been around for several years. It provides better flexibility than the older system, and decouples the Identity framework from IIS.

The intent of OWIN is to create a security framework that can work with ASP.NET applications, even if they aren't running on IIS. This is good news for people developing in Mono for Linux or those creating self-hosting applications.

At its core, OWIN is a middleware model to handle the separation of ASP.NET applications from the actual hosting environment. I will focus mainly on the security and membership side of things but it does much more.

If you are using ASP.NET MVC 6 for your web framework, you will have seen that OWIN is referenced automatically. By default, MVC will assume you are using the traditional ASP.NET identity model, but OWIN's identity model can be extended easily to include access to other identity systems.

When starting a new project, you will see something like the code in Figure 1 the Startup.Auth class. This code is boilerplate, and shows you some of what you can do with the OWIN security. A couple things to point out, the Startup.auth class already includes the built-in providers to handle all the common Social Media logins like Microsoft, Twitter, Facebook and Google. When creating customer-based websites, this is a really nice feature. It also has the code in place to handle Two-Factor logins, so you don't need to build this yourself any more.

Public Sub ConfigureAuth(app As IAppBuilder)
    ' Configure the db context, user manager and signin manager to use a single instance per request
    app.CreatePerOwinContext(AddressOf ApplicationDbContext.Create)
    app.CreatePerOwinContext(Of ApplicationUserManager)(AddressOf ApplicationUserManager.Create)
        app.CreatePerOwinContext(Of ApplicationSignInManager)(AddressOf ApplicationSignInManager.Create)

    ' Enable the application to use a cookie to store information for the signed in user
    ' and to use a cookie to temporarily store inforation about a user logging in with a third party login provider
    ' Configure the sign in cookie
    ' OnValidateIdentity enables the application to validate the security stamp when the user logs in.
    ' This is a security feature which is used when you change a password or add an external login to your account.
    Dim _AuthenticationOption As New CookieAuthenticationOptions()
    _AuthenticationOption.LoginPath = New PathString("/Account/Login")
    _AuthenticationOption.AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie
    _AuthenticationOption.Provider = New CookieAuthenticationProvider

' Place an expiration on the Login
    '_AuthenticationOption.Provider.OnValidateIdentity = SecurityStampValidator.OnValidateIdentity(Of ApplicationUserManager, ApplicationUserStore)(TimeSpan.FromMinutes(30), Function(manager, user)
    '                                                                                                                                                                   user.GenerateUserIdentityAsync(manager)
    '                                                                                                                                                               End Function)

    app.UseCookieAuthentication(_AuthenticationOption)
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie)

    ' Enables the application to temporarily store user information when they are verifying the second factor in the two-factor authentication process.
    app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5))

    ' Enables the application to remember the second login verification factor such as phone or email.
    ' Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
    ' This is similar to the RememberMe option when you log in.
    app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie)

    ' Uncomment the following lines to enable logging in with third party login providers
    'app.UseMicrosoftAccountAuthentication(
    '    clientId:="",
    '    clientSecret:="")

    'app.UseTwitterAuthentication(
    '   consumerKey:="",
    '   consumerSecret:="")


    'app.UseFacebookAuthentication(
    '   appId:="",
    '   appSecret:="")

    'app.UseGoogleAuthentication(New GoogleOAuth2AuthenticationOptions() With {
    '   .ClientId = "",
    '   .ClientSecret = ""})

End Sub

Figure 1

Another important thing to note is there are references to ApplicationDbContext, ApplicationUserManager, and ApplicationSignInManager in the Startup.Auth class. These classes are instrumental in making the identity system work. Let's look further into these pieces.

ApplicationDbContext

We'll start with the ApplicationDbContext. All this class does is handle the connections to the database and make the stored-procedure (BASIC subroutine) calls. Each of the MultiValue databases have different ways to do this, so the code you will see in < Figure 2 > is very generic.

End Try

        ' Cleanup the connection
        _Connection.Disconnect()
        _Connection = Nothing

        ' Updates the Call Results
        _Results.CallError.Text = _ErrorItem
        _Results.RequestItem.Text = RequestItem
        _Results.Data.Text = UserItem
        Return _Results
    End Function

    ''' <summary>
    ''' Name of the server we are connecting to.
    ''' </summary>
    Public Property ConnectionName As String

#Region "IDisposable Support"
    Private disposedValue As Boolean ' To detect redundant calls

    Protected Sub CheckIfDisposed()
        If disposedValue Then
            Throw New ObjectDisposedException("SpectrumDBContext")
        End If
    End Sub

    ' IDisposable
    Protected Overridable Sub Dispose(disposing As Boolean)
        If Not disposedValue Then
            If disposing Then
                '  dispose managed state (managed objects).
            End If

            '  free unmanaged resources (unmanaged objects) and override Finalize() below.
            ' set large fields to null.
        End If
        disposedValue = True
    End Sub

    ' This code added by Visual Basic to correctly implement the disposable pattern.
    Public Sub Dispose() Implements IDisposable.Dispose
        ' Do not change this code.  Put cleanup code in Dispose(disposing As Boolean) above.
        Dispose(True)
    End Sub
#End Region
End Class

Figure 2

This will be the hardest part of any of the coding you will see in these examples, mainly because you have to know how to establish a connection to your MultiValue database with the .NET API offered by your database provider. If you need more examples, you can find them at http://www.intl-spectrum.com/resource/category/44/NET.aspx.

Another issue you may run into is the fact that OWIN is based on the .NET ASYNC/WAIT/Tasks model. This can affect how you code the connection to your MultiValue Database, since many of the APIs don't natively support Async/Wait methods.

The good news is that it is really not very hard to wrap synchronous methods and functions into Task-based processes. If you have not gotten involved with Async/Wait coding yet, now is the time to start looking at it. To see an example of creating an Async/Wait-aware function from a synchronous call, take a look at CallSubroutineAsync.

The main purpose of the code in Figure 2 is to call a subroutine with the following arguments in Figure 3.

SUBROUTINE PROG.NAME(APPLICATION.ITEM, REQUEST.ITEM, DATA.ITEM, NONE1, NONE2, ERROR.ITEM)

Figure 3

I will get into this subroutine in a moment. For now, assume the following:

Information about the application calling this subroutine will be provided in APPLICATION.ITEM.

Request for the database and subroutine to process will be passed in using REQUEST.ITEM.

Information will be returned from the subroutine through DATA.ITEM

Any glaring errors should be returned in ERROR.ITEM

The NONE1 and NONE2 arguments are there for future reference if needed.

I would highly recommend that you always use a single subroutine as the only point of contact whenever you are working with your MultiValue data from outside of the Database. This allows you to keep your business logic where it belongs. It also gives you a choke point for turning off all functions during maintenance. And it offers a single point for audit and security.

ApplicationUser

Before you can create the ApplicationUserManager and ApplicationSignInManager, you will need to create the ApplicationUser class. This class is used to hold information about the user for the rest of the OWIN Identity system to use. It will also contain the main methods to use in order to interact with the database.

This class requires you to implement the IUser(Of String) interface [Figure 4]. The interfaces will require you to implement an Id and UserName property. There are several other properties and methods I would recommend creating in this class as well [Figure 5]:

Imports System.ComponentModel.DataAnnotations
Imports System.Security.Claims
Imports System.Threading.Tasks
Imports Microsoft.AspNet.Identity
Imports Microsoft.AspNet.Identity.Owin
Imports mvOpenAPI.api

Public Class SpectrumUser
  Implements IUser(Of String)

  Dim _Id As String = String.Empty
  Dim _UserItem As New mvDynamicArray

  Public ReadOnly Property Id As String Implements IUser(Of String).Id
      Get
        Return _Id
      End Get
  End Property

  Public Property UserName As String Implements IUser(Of String).UserName
      Get
          Return _UserItem.StringValue(1)
      End Get
      Set(value As String)
          _UserItem.StringValue(1) = value
      End Set
  End Property

...

End Class
  Public ReadOnly Property DBContext As SpectrumDBContext
   Get
    If _DBContext Is Nothing Then
        Try
         _DBContext = HttpContext.Current.GetOwinContext.Get(Of SpectrumDBContext)
        Catch ex As Exception
        End Try
        If _DBContext Is Nothing Then
            _DBContext = SpectrumDBContext.Create
        End If
    End If
    Return _DBContext
   End Get
  End Property
Private _DBContext As SpectrumDBContext

Figure 4

Public Class SpectrumUser
    Implements IUser(Of String)

   ....

    Public Async Function LoadAsync() As Task
        Dim _RequestItem As String = "READ.USER"
        _RequestItem = _RequestItem & mvFunctions.AM & _Id

        Dim _DataItem As String = String.Empty
        Dim _Result As SpectrumDBContext.CallSubroutineResults = Await DBContext.CallSubroutineAsync("SPECTRUM.OWIN.USER", _RequestItem, _DataItem)
        If _Result.CallError.BooleanValue(1, 0, 0) Then
            ' Error, can't find the information
        Else
            ' Extract the User Id and User Item
            Update(_Result.Data.Item(0).Text, _Result.Data.Item(1).Text)
        End If
    End Function

    Public Async Function SaveAsync() As Task
        ' Saves the information to the database
        Dim _RequestItem As String = "WRITE.USER"
        _RequestItem = _RequestItem & mvFunctions.AM & _Id

        ' Send the data to the server
        Dim _DataItem As String = String.Empty
        Dim _Result As SpectrumDBContext.CallSubroutineResults = Await DBContext.CallSubroutineAsync("SPECTRUM.OWIN.USER", _RequestItem, _DataItem)
        If _Result.CallError.BooleanValue(1, 0, 0) Then
            ' Error, can't find the information
        Else
            ' Extract the User Id and User Item
            Update(_Result.Data.Item(0).Text, _Result.Data.Item(1).Text)
        End If
    End Function

  ...

End Class




Figure 5



wSaveAsync - Which will also call the subroutine to handle saving any changes made to the ApplicationUser class.

You will notice in the Figure 5 that the LoadAsync creates a variable REQUEST.ITEM (the actual variable name is _RequestItem) and in REQUEST.ITEM<1> it has a value of "READ.USER" and in REQUEST.ITEM<2> it has the Id of the user we need information for.

One of the nice things about OWIN is that you can assign an arbitrary Id (primary key, record Id) to the user instead of having to translate the UserName every time like you used to have to do in ASP.NET 2.0 membership framework. For obvious reason, this makes pulling information from the database much easier.

SPECTRUM.OWIN.USER Subroutine

Let's take a quick look at the subroutine that we are calling. The first thing we need to do is to decide which request it needs to process [Figure 6]. You will notice that the code actually has three request types, or events, that we want it respond to:

SUBROUTINE SPECTRUM.OWIN.USER(APPLICATION.ITEM,REQUEST.ITEM,DATA.ITEM,NONE1,NONE2,ERROR.ITEM)

...

*
ERROR.ITEM = 0
DATA.ITEM  = ""
BEGIN CASE
  CASE REQUEST.ITEM<1> = "FIND.USER"
    GOSUB 1000
  CASE REQUEST.ITEM<1> = "READ.USER"
    GOSUB 2000
  CASE REQUEST.ITEM<1> = "WRITE.USER"
    GOSUB 3000
  CASE 1
    ERROR.ITEM = 2 :AM: REQUEST.ITEM<1> :" not implemented"
END CASE
*
RETURN

...

2000 * Read User Information
*
ID = REQUEST.ITEM<2>

SUBROUTINE SPECTRUM.OWIN.USER(APPLICATION.ITEM,REQUEST.ITEM,DATA.ITEM,NONE1,NONE2,ERROR.ITEM)

...

*
ERROR.ITEM = 0
DATA.ITEM  = ""
BEGIN CASE
  CASE REQUEST.ITEM<1> = "FIND.USER"
    GOSUB 1000
  CASE REQUEST.ITEM<1> = "READ.USER"
    GOSUB 2000
  CASE REQUEST.ITEM<1> = "WRITE.USER"
    GOSUB 3000
  CASE 1
    ERROR.ITEM = 2 :AM: REQUEST.ITEM<1> :" not implemented"
END CASE
*
RETURN

...

2000 * Read User Information
*
ID = REQUEST.ITEM<2>
READ USER.ITEM FROM OWIN.USER.FILE, ID ELSE
  ERROR.ITEM = 1 :@AM: id :" is not a valid user."
  RETURN
END
*
DATA.ITEM<1> = USER.ITEM<1> ;* UserName
DATA.ITEM<2> = USER.ITEM<2> ;* Password
DATA.ITEM<3> = USER.ITEM<3> ;* Email

...

*
RETURN

...

3000 * Write User Information
*
ID = REQUEST.ITEM<3>
READU USER.ITEM FROM OWIN.USER.FILE, ID LOCKED
  ERROR.ITEM = 3 :@AM: "Record is currently locked by another process."
  RETURN
END ELSE
  USER.ITEM = ""
END
*
USER.ITEM<1> = DATA.ITEM<1> ;* UserName
USER.ITEM<2> = DATA.ITEM<2> ;* Password
USER.ITEM<3> = DATA.ITEM<3> ;* Email

...

*
RETURN
READ USER.ITEM FROM OWIN.USER.FILE, ID ELSE
  ERROR.ITEM = 1 :@AM: id :" is not a valid user."
  RETURN
END
*
DATA.ITEM<1> = USER.ITEM<1> ;* UserName
DATA.ITEM<2> = USER.ITEM<2> ;* Password
DATA.ITEM<3> = USER.ITEM<3> ;* Email

...

*
RETURN

...

3000 * Write User Information
*
ID = REQUEST.ITEM<3>
READU USER.ITEM FROM OWIN.USER.FILE, ID LOCKED
  ERROR.ITEM = 3 :@AM: "Record is currently locked by another process."
  RETURN
END ELSE
  USER.ITEM = ""
END
*
USER.ITEM<1> = DATA.ITEM<1> ;* UserName
USER.ITEM<2> = DATA.ITEM<2> ;* Password
USER.ITEM<3> = DATA.ITEM<3> ;* Email

...

*
RETURN
Figure 6

The READ.USER event is to read the OWIN user information from the database, and return it back to the ApplicationUser Class. I have not gone into the full structure of the DATA.ITEM dynamic array yet.

The WRITE.USER event is to take the information from the ApplicationClass and place it back into the database.

The last event is the FIND.USER. This event will be used to find the record to use when someone first logs in.

The DATA.ITEM will have around 20 attributes that will be used by the ApplicationUser class. As you look at the dynamic array definition I just provided, you will see there are references to two-factor authentication, claims, roles, and external providers. I will talk more about these pieces of data in later articles.

DATA.ITEM<1> = User Name
DATA.ITEM<2> = Password
DATA.ITEM<3> = Email
DATA.ITEM<5> = Cell
DATA.ITEM<7> = Security Stamp
DATA.ITEM<8> = TwoFactor Enabled
DATA.ITEM<9> = Lockout
DATA.ITEM<10> = Lockout Offset
DATA.ITEM<11> = Access Failed Count
DATA.ITEM<12> = First Name
DATA.ITEM<13> = Last Name
DATA.ITEM<14> = Company Name
DATA.ITEM<15,l> = External Login Provider
DATA.ITEM<16,l> = External Login Token
DATA.ITEM<17,ccnt> = Claim Field Name
DATA.ITEM<18,ccnt> = Claim Field Value
DATA.ITEM<19,rcnt> = Roles

Conclusion

This may seem like a lot of work, but it is really just building a set of code that can be used over and over again. This first article covered much of the hard part, but there are a few more pieces that you will need to make everything connect together.

I will continue showing those other components and how it all connects together in upcoming articles in the series.

 

# # #          # # #          # # #

 

Related Articles

  • From the Inside January/February 2018

    Company: International Spectrum

    By now, you have probably heard all about the major bugs in Intel, ARM, and AMD processors. Since this vulnerability affects just about all processor types, you will probably need to update your phone, your tablet, your PC, and all of your servers in the coming weeks. Why and how does it affect everything?

  • Spotlight: 4GL

    Company: HDWP

    We're going to kick off a series of spotlight articles on various 4GLs by offering a crash course on why you want a 4GL. Whether your challenge is integrating with new technologies, accelerating development time, embracing RAD, or working with bigger teams, 4GLs can help you build bigger, better, and faster applications.

  • Business Tech: UI/UX Part V

    Company: HDWP

    In the final part of our series on UI/UX, we examine ways to extend the concepts beyond software and into other aspects of your work.

  • Compressing Traffic for UniObjects

    Company: Brian Leach Consulting, ltd

    Modern technology solutions are often a matter of cobbling together bits and pieces that weren't originally designed to fit together. Compression is easy. Data transmission is easy. Making UniVerse's data transmittable as a compressed stream which can be used by some other system, that's easy - or hard - depending on the entire tech stack on each end. The addition of Python to U2 as created new options for completing complex tasks.

  • Using OWIN Security with MultiValue Data - Part 2

    Company: International Spectrum

    Part 2 in our series on OWIN, the latest framework that .NET developers are using to build ASP.NET applications. Integrating your MultiValue data into the OWIN identity framework allows central management of user and customer credentials from within your existing LOB (Line Of Business) application.


Return to top