Difference between revisions of "Compliant Implementation of RP on ASP.NET"
(→Personal Information evaluated for use in the Example) |
(→Issues and Comments) |
||
(16 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
==Full Name and Status== | ==Full Name and Status== | ||
− | Version 2 of the Relying party example is called '''Controls''' as it can fill the function of user data controller, resource controller or just a generic [[Relying Party]]. It is based on Microsoft open source solution ASP.NET core 2.2. | + | Version 2 of the Relying party example is called '''Controls''' as it can fill the function of user data controller, resource controller or just a generic [[Relying Party]]. It is based on Microsoft open source solution ASP.NET core 2.2 and should be able to run on any common server platform. |
Version 1 which was built to the IDEF baseline functional requirements is now archived at [https://wiki.idesg.org/wiki/index.php/Best_Practices_and_Example_for_RP_System#Status this site.] This example is completely new, but still seeks to comply with the IDEF BFR as well as other standards from the Kantara Initiative and the OpenID foundation on interoperability, privacy and security. | Version 1 which was built to the IDEF baseline functional requirements is now archived at [https://wiki.idesg.org/wiki/index.php/Best_Practices_and_Example_for_RP_System#Status this site.] This example is completely new, but still seeks to comply with the IDEF BFR as well as other standards from the Kantara Initiative and the OpenID foundation on interoperability, privacy and security. | ||
Line 6: | Line 6: | ||
This page is designed to assist designers and developers of relying party (RP) web sites, meaning those [[Web Site]]s that rely upon other [[Identifier or Attribute Provider]]s. Technical terms are used to convey the information that they will need to perform their task that may not be familiar to the casual reader. | This page is designed to assist designers and developers of relying party (RP) web sites, meaning those [[Web Site]]s that rely upon other [[Identifier or Attribute Provider]]s. Technical terms are used to convey the information that they will need to perform their task that may not be familiar to the casual reader. | ||
− | For a less technical document that shows | + | For a less technical document that shows the design specifications for this example see the wiki page [[Best Practice and Example Relying Party]]. |
This is still a work in progress. Do not expect full functional code at this time. | This is still a work in progress. Do not expect full functional code at this time. | ||
Line 17: | Line 17: | ||
Currently a working draft of the Relying Party example web site is available [https://controls.azurewebsites.net/ here]. | Currently a working draft of the Relying Party example web site is available [https://controls.azurewebsites.net/ here]. | ||
− | |||
− | |||
− | |||
==Working Notes== | ==Working Notes== | ||
Line 25: | Line 22: | ||
===Building the Example from GitHub=== | ===Building the Example from GitHub=== | ||
− | Note that the core 1.1 version is on Bitbucket. It will be retired after the new version on GitHub with core 2.2 is fully functional. | + | Note that the core 1.1 version is on Bitbucket. It will be retired after [https://github.com/TomCJones/Controls the new version on GitHub] with core 2.2 is fully functional. |
===Building an ASP.NET solution from scratch=== | ===Building an ASP.NET solution from scratch=== | ||
Line 32: | Line 29: | ||
*Take control of the user information by overriding the IdentityUser with a local name, here we use the name UserObject to align with terminology in this wiki. | *Take control of the user information by overriding the IdentityUser with a local name, here we use the name UserObject to align with terminology in this wiki. | ||
**It is common to include UserGroup as well as UserObject in the definition if the admin or other types of user will be included in the same database. | **It is common to include UserGroup as well as UserObject in the definition if the admin or other types of user will be included in the same database. | ||
− | *[https://docs.microsoft.com/en-us/aspnet/core/security/authentication/scaffold-identity?view=aspnetcore-2.2&tabs=visual-studio Scaffold Identity in ASP.NET Core projects]. | + | *[https://docs.microsoft.com/en-us/aspnet/core/security/authentication/scaffold-identity?view=aspnetcore-2.2&tabs=visual-studio Scaffold Identity in ASP.NET Core 2 projects]. |
** for this example choose the instructions labled "Scaffold identity into a Razor project without existing authorization" | ** for this example choose the instructions labled "Scaffold identity into a Razor project without existing authorization" | ||
** In the project right-click select add -> scaffold -> Identity and override all files, type in layout cshtml name, DB name and UserObject | ** In the project right-click select add -> scaffold -> Identity and override all files, type in layout cshtml name, DB name and UserObject | ||
** If you have your own definition of the user before scaffolding, you might wind up with two definitions; delete one. | ** If you have your own definition of the user before scaffolding, you might wind up with two definitions; delete one. | ||
− | ** Make a choice about enabling [[Two factor authentication]]. If enabled put .AddDefaultTokenProivders() in startup and add email | + | ** Make a choice about enabling [[Multi-factor Authentication|Two factor authentication]]. If enabled put .AddDefaultTokenProivders() in startup and add email and/or phone providers. |
+ | ** For ASP.NET Core 2.2 [https://docs.microsoft.com/en-us/aspnet/core/razor-pages/?view=aspnetcore-2.2&tabs=visual-studio the razor page format] includes the view model and controller in the code behind file, not in a separate controller file. | ||
===Next steps=== | ===Next steps=== | ||
Line 54: | Line 52: | ||
Will need to build for best practices: | Will need to build for best practices: | ||
− | * [ | + | * [https://controls.azurewebsites.net/Home/Privacy Privacy policy] (PP) |
* [[Terms of use]] (ToU) | * [[Terms of use]] (ToU) | ||
* Are there specific ToU and PP provisions that demonstrate how the IDEAL RP might deal with [[User Private Information]] in their policies. | * Are there specific ToU and PP provisions that demonstrate how the IDEAL RP might deal with [[User Private Information]] in their policies. | ||
UX Questions Specific to the RP example code | UX Questions Specific to the RP example code | ||
− | # Demo verification of email (or cell phone) address - will be needed | + | # Demo verification of email (or cell phone) address - will be needed to support [[Recovery]] and [[Notification]]. |
# What are the canonical terms for identification? | # What are the canonical terms for identification? | ||
##logon logout register resign | ##logon logout register resign | ||
Line 75: | Line 73: | ||
Other issues to look at: | Other issues to look at: | ||
− | * Some method for creating a strong web site identity, e.g. [[EV Cert]]s | + | * Some method for creating a strong web site identity, e.g. [[EV Cert]]s or the new proposal taking shape at Google Chrome. |
− | |||
* Recording devices that are under the control of the user together with the device capabilities for data capture and display | * Recording devices that are under the control of the user together with the device capabilities for data capture and display | ||
* While all content on this page is covered by the IPR rules, it should be clear that the content on pages linked from this site may have different ownership rights asserted. | * While all content on this page is covered by the IPR rules, it should be clear that the content on pages linked from this site may have different ownership rights asserted. | ||
Line 82: | Line 79: | ||
==References and Coordination== | ==References and Coordination== | ||
− | *The page at [[ | + | *The page at [[Best Practice and Example Relying Party]] gives a more architectural and design approach to creating a compliant RP site. |
*The Microsoft web site has a description of the [https://docs.microsoft.com/en-us/aspnet/core/api/microsoft.aspnet.identity.corecompat Namespaces in ASP.NET Core] that can be used as an alternate identity schema. It was the precursor for the schema used here. | *The Microsoft web site has a description of the [https://docs.microsoft.com/en-us/aspnet/core/api/microsoft.aspnet.identity.corecompat Namespaces in ASP.NET Core] that can be used as an alternate identity schema. It was the precursor for the schema used here. | ||
− | + | *[https://docs.microsoft.com/en-us/visualstudio/debugger/remote-debugging-azure?view=vs-2017 this site] describes how to debug this app if running an Azure. Other scenarios are available near where that link goes. | |
+ | *[https://github.com/AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet/tree/dev/src source code for Microsoft IdentityModel OpenIDConnect] | ||
===Issues and Comments=== | ===Issues and Comments=== | ||
*Any comments, suggestions or issues with the best practices or code can be tracked at [https://github.com/TomCJones/Controls/issues this site]. You must have a sign in method for GitHub. | *Any comments, suggestions or issues with the best practices or code can be tracked at [https://github.com/TomCJones/Controls/issues this site]. You must have a sign in method for GitHub. | ||
*General comments about this web page can be made on the "Discussion" tab at the top of the page. You must be a registered member of this site to make comments here. | *General comments about this web page can be made on the "Discussion" tab at the top of the page. You must be a registered member of this site to make comments here. | ||
+ | *[https://github.com/aspnet/AspNetCore/issues/6069#issuecomment-449461197 Impact of deprecation of Google+] | ||
[[Category:User Experience]] | [[Category:User Experience]] | ||
[[Category:Best Practice]] | [[Category:Best Practice]] | ||
+ | [[Category: ASP.NET]] |
Latest revision as of 10:21, 16 June 2021
Contents
Full Name and Status
Version 2 of the Relying party example is called Controls as it can fill the function of user data controller, resource controller or just a generic Relying Party. It is based on Microsoft open source solution ASP.NET core 2.2 and should be able to run on any common server platform.
Version 1 which was built to the IDEF baseline functional requirements is now archived at this site. This example is completely new, but still seeks to comply with the IDEF BFR as well as other standards from the Kantara Initiative and the OpenID foundation on interoperability, privacy and security.
This page is designed to assist designers and developers of relying party (RP) web sites, meaning those Web Sites that rely upon other Identifier or Attribute Providers. Technical terms are used to convey the information that they will need to perform their task that may not be familiar to the casual reader.
For a less technical document that shows the design specifications for this example see the wiki page Best Practice and Example Relying Party.
This is still a work in progress. Do not expect full functional code at this time.
Context
This example was originally created in Microsoft ASP.NET core version 1.1. It is currently being revised to run on ASP.NET core version 2.2 so there are likely some parts of this wiki page that are not fully converted.
Solution
Access to the Example
Currently a working draft of the Relying Party example web site is available here.
Working Notes
Building the Example from GitHub
Note that the core 1.1 version is on Bitbucket. It will be retired after the new version on GitHub with core 2.2 is fully functional.
Building an ASP.NET solution from scratch
- From Visual Studio add new project with: C#, MVC razor pages, Change Identifier to Individual.
- Take control of the user information by overriding the IdentityUser with a local name, here we use the name UserObject to align with terminology in this wiki.
- It is common to include UserGroup as well as UserObject in the definition if the admin or other types of user will be included in the same database.
- Scaffold Identity in ASP.NET Core 2 projects.
- for this example choose the instructions labled "Scaffold identity into a Razor project without existing authorization"
- In the project right-click select add -> scaffold -> Identity and override all files, type in layout cshtml name, DB name and UserObject
- If you have your own definition of the user before scaffolding, you might wind up with two definitions; delete one.
- Make a choice about enabling Two factor authentication. If enabled put .AddDefaultTokenProivders() in startup and add email and/or phone providers.
- For ASP.NET Core 2.2 the razor page format includes the view model and controller in the code behind file, not in a separate controller file.
Next steps
Set up goals and start to build examples and best practices for all of the roles in an ID ecosystem.
- Now that the IDEF has established a self assessment, work on enabling the ID ecosystem needs enable relying parties and other entities to comply.
- Promote a Trustmark with UX collateral, images of various sizes for web sites.
- The Kantara web site itself should be an example of Guidelines.
- There is an IdP which shows the Guidelines for that industry. (The roles of IdP generates identity tokens. It may consume input from user credentials, but not identity tokens.)
- The UXC work on suggestions for the look and feel of a Guidelines RP.
- Move the example RP into broad adoptions for relying parties.
- Preliminary work on the IdP has begun.
- The best practice protocol for inter op between IAPs and RPs is the OpenID Connect protocol.
Questions and Answers for Designers and Developers
Will need to build for best practices:
- Privacy policy (PP)
- Terms of use (ToU)
- Are there specific ToU and PP provisions that demonstrate how the IDEAL RP might deal with User Private Information in their policies.
UX Questions Specific to the RP example code
- Demo verification of email (or cell phone) address - will be needed to support Recovery and Notification.
- What are the canonical terms for identification?
- logon logout register resign
- login logoff create remove
- signin signout signup signoff
- User roles - how to model - note that one user can have multiple roles
- Join email list (no role)
- Registered as a member (has applied)
- Accepted as a member (partially manual)
- Suspended Member
- member of an organization
- voting member of an organization
- Officers of the site
- Site Admin
Other issues to look at:
- Some method for creating a strong web site identity, e.g. EV Certs or the new proposal taking shape at Google Chrome.
- Recording devices that are under the control of the user together with the device capabilities for data capture and display
- While all content on this page is covered by the IPR rules, it should be clear that the content on pages linked from this site may have different ownership rights asserted.
References and Coordination
- The page at Best Practice and Example Relying Party gives a more architectural and design approach to creating a compliant RP site.
- The Microsoft web site has a description of the Namespaces in ASP.NET Core that can be used as an alternate identity schema. It was the precursor for the schema used here.
- this site describes how to debug this app if running an Azure. Other scenarios are available near where that link goes.
- source code for Microsoft IdentityModel OpenIDConnect
Issues and Comments
- Any comments, suggestions or issues with the best practices or code can be tracked at this site. You must have a sign in method for GitHub.
- General comments about this web page can be made on the "Discussion" tab at the top of the page. You must be a registered member of this site to make comments here.
- Impact of deprecation of Google+