Authentication in a multi layer architecture

I am designing an N-Layer system in .NET that will consist of

  • SQL Server 2008
  • EF 4
  • Repository Layer
  • Service Layer (Business Logic)

On top of this I will have:

  • ASP.NET MVC website
  • external API to be consumed by other clients (built with WCF or ServiceStack.NET)

I would like to implement the typical username/password auth within the MVC app as well as OpenID/Twitter/Facebook login options.

The api will need similar forms of authentication.

Where in the architecture is the best place to implement the authentication and are any samples available of how to implement something like this with a .NET Stack?

Is a custom Membership provider an option for this?

I realize that there are libraries available to implement the openID portion so that is not a concern at the moment but I would like to leave things open to add this in the future.

Suggestions?

stephen776 asked Nov 21 '25 00:11


1 Answer

Authentication should be done at the user facing point: MVC website and the WCF service.

In each point, use the appropriate authentication/authorization mechanism.

MVC website: forms authentication (or windows authentication etc.)

WCF service: (whichever method you will be taking: API key, username/password on every request, secure key, auth cookie etc.)

For each point, call the service layer with the credentials used by the requestor (user) and validate it against your database (in the service layer).

The service layer should return valid/invalid for the credentials given to it.

If it's invalid, have your website or webservice reject any further actions from the user and inform them that it's not valid.

If it's valid, have your MVC website create the auth cookie (FormsAuthentication.SetAuthCookie) and your WCF service do the appropriate action for the authentication mechanism you chose.

Keep your service layer agnostic of the authentication. It should only respond with whether or not a set of credentials is valid and your front-facing layers should take care of setting the authentication tickets.

For OpenID/Twitter/Facebook logins, all the information needed is on the web app (via the login source cookies), so use that to set up your website's auth cookie.

Omar answered Nov 22 '25 16:11
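One way to put the answer's split into code, as an added example that is not from the question or the answer: a service-layer validator that returns only valid/invalid and knows nothing about cookies, and an MVC controller that calls it and owns the Forms Authentication ticket. The `IUserRepository` contract, the PBKDF2 storage format and all class and method names are assumptions.

```csharp
using System.Security.Cryptography;
using System.Web.Mvc;
using System.Web.Security;

// Service layer: answers "are these credentials valid?" and nothing else.
public class StoredCredential { public byte[] Salt; public byte[] Hash; }
// Assumed repository contract; FindByUsername returns null for unknown users.
public interface IUserRepository { StoredCredential FindByUsername(string username); }

public class CredentialService
{
    private readonly IUserRepository _users;
    public CredentialService(IUserRepository users) { _users = users; }

    // Assumed storage format: PBKDF2 via Rfc2898DeriveBytes, 16-byte salt,
    // 10000 iterations, 32-byte derived key (tune iterations to your hardware).
    public bool Validate(string username, string password)
    {
        var stored = _users.FindByUsername(username);
        // Derive even for unknown users so response time does not reveal who exists.
        var salt = stored != null ? stored.Salt : new byte[16];
        byte[] derived;
        using (var kdf = new Rfc2898DeriveBytes(password, salt, 10000))
            derived = kdf.GetBytes(32);
        if (stored == null) return false;
        // Constant-time comparison: no early exit on the first differing byte.
        int diff = derived.Length ^ stored.Hash.Length;
        for (int i = 0; i < derived.Length && i < stored.Hash.Length; i++)
            diff |= derived[i] ^ stored.Hash[i];
        return diff == 0;
    }
}

// Presentation layer (MVC): owns the auth cookie, never the password check.
public class AccountController : Controller
{
    private readonly CredentialService _credentials;
    public AccountController(CredentialService credentials) { _credentials = credentials; }

    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Login(string username, string password, string returnUrl)
    {
        if (!_credentials.Validate(username, password))
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View();
        }
        FormsAuthentication.SetAuthCookie(username, false);
        // Redirect only to local URLs so a crafted returnUrl cannot send users off-site.
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}
```

The WCF or ServiceStack endpoint would call the same `CredentialService.Validate` and then apply its own mechanism (API key, per-request credentials, or a cookie) instead of `FormsAuthentication`.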