Setting up authentication

Copy to clipboard

Once you integrate Xperience membership into your live site project, you can implement actions that allow visitors to sign in and out of the website with Xperience user accounts.

Use the following approach to develop sign-in actions:

Tip: To view the full code of a functional example, you can inspect and download the LearningKit project on GitHub. You can also run the LearningKit website by connecting the project to an Xperience database.

  1. Create a new controller class in your MVC project or edit an existing one.

  2. Prepare a property that gets an instance of the Kentico.Membership.KenticoSignInManager class for the current request – call HttpContext.GetOwinContext().Get<KenticoSignInManager>().

  3. Implement two sign-in actions – one basic GET action to display the sign-in form and a second POST action to handle the authentication when the form is submitted.

  4. Call the PasswordSignInAsync method of the KenticoSignInManager instance to authenticate users against the Xperience database (within the code of the POST action).

    using System;
using System.Web;
using System.Web.Mvc;
using System.Threading.Tasks;

using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

using Kentico.Membership;

using CMS.Core;
using CMS.Base.UploadExtensions;
using CMS.Membership;
using CMS.SiteProvider;
    Sign-in actions example
    /// <summary>
/// Provides access to the Kentico.Membership.KenticoSignInManager instance.
/// </summary>
public KenticoSignInManager KenticoSignInManager
{
    get
    {
        return HttpContext.GetOwinContext().Get<KenticoSignInManager>();
    }
}

/// <summary>
/// Basic action that displays the sign-in form.
/// </summary>
public ActionResult SignIn()
{
    return View();
}

/// <summary>
/// Handles authentication when the sign-in form is submitted. Accepts parameters posted from the sign-in form via the SignInViewModel.
/// </summary>
[HttpPost]
[ValidateAntiForgeryToken]
[ValidateInput(false)]
public async Task<ActionResult> SignIn(SignInViewModel model, string returnUrl)
{
    // Validates the received user credentials based on the view model
    if (!ModelState.IsValid)
    {
        // Displays the sign-in form if the user credentials are invalid
        return View();
    }

    // Attempts to authenticate the user against the Xperience database
    SignInStatus signInResult = SignInStatus.Failure;
    try
    {
        signInResult = await KenticoSignInManager.PasswordSignInAsync(model.UserName, model.Password, model.SignInIsPersistent, false);
    }
    catch (Exception ex)
    {
        // Logs an error into the Xperience event log if the authentication fails
        eventLogService.LogException("MvcApplication", "SignIn", ex);
    }

    // If the authentication was successful, redirects to the return URL when possible or to a different default action
    if (signInResult == SignInStatus.Success)
    {
        string decodedReturnUrl = Server.UrlDecode(returnUrl);
        if (!string.IsNullOrEmpty(decodedReturnUrl) && Url.IsLocalUrl(decodedReturnUrl))
        {
            return Redirect(decodedReturnUrl);
        }
        return RedirectToAction("Index", "Home");
    }

    // If the 'Registration requires administrator's approval' setting is enabled and the user account
    // is pending activation, displays an appropriate message
    if (signInResult == SignInStatus.LockedOut)
    {
        // If the 'Registration requires administrator's approval' setting is enabled and the user account
        // is pending activation, displays an appropriate message
        User user = await KenticoUserManager.FindByNameAsync(model.UserName);
        if (user.WaitingForApproval)
        {
            ModelState.AddModelError(String.Empty, "You account is pending administrator approval.");
        }

        return View();
    }

    // If the authentication was not successful, displays the sign-in form with an "Authentication failed" message
    ModelState.AddModelError(String.Empty, "Authentication failed");
    return View();
}

  5. We recommend creating a view model for your sign-in action (SignInViewModel in the example above). The view model allows you to:

    • Pass parameters from the sign-in form (username, password, and sign-in persistence status).
    • Use data annotations to define validation and formatting rules for the sign-in parameters. See System.ComponentModel.DataAnnotations for more information about the available data annotation attributes.

To allow users to sign out on your website, extend your sign-in controller class:

  1. Prepare a property that provides access to the authentication middleware functionality (Microsoft.Owin.Security.IAuthenticationManager instance) – use the HttpContext.GetOwinContext().Authentication property.

  2. Add another action to handle sign-out requests.

  3. Call the SignOut(DefaultAuthenticationTypes.ApplicationCookie) method of the authentication manager to sign out the current user.

    Sign-out action example
    /// <summary>
/// Provides access to the Microsoft.Owin.Security.IAuthenticationManager instance.
/// </summary>
public IAuthenticationManager AuthenticationManager
{
    get
    {
        return HttpContext.GetOwinContext().Authentication;
    }
}

/// <summary>
/// Action for signing out users. The Authorize attribute allows the action only for users who are already signed in.
/// </summary>
[Authorize]
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult SignOut()
{
    // Signs out the current user
    AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie);

    // Redirects to a different action after the sign-out
    return RedirectToAction("Index", "Home");
}

Finally, you need to design a user interface for the authentication logic:

  • Create a view for the SignIn action and display an appropriate sign-in form for your website. We recommend using a strongly typed view based on your sign-in view model.
  • Add a sign in button or link that targets the SignIn action (for example within your site’s main layout page).
  • Add a sign out button or link that targets the SignOut action.

Visitors can now sign in to your site with Xperience user accounts from the connected database. If you wish to allow users to register new accounts, see Enabling user registration.

Tip: When writing additional code or views for your website, you can access information about the currently authenticated user via the standard User.Identity object. For example, User.Identity.Name returns the username of the currently signed in user.

Ensuring the correct password format

If your administration application uses custom salt values when generating password hashes, you also need to set the same values for the MVC application. Authentication will always fail if the password hashes are not identical for both applications.

Check the appSettings section of your administration application’s web.config for the CMSPasswordSalt key. If the key is present, copy it to the web.config file of your MVC project.

See also: Setting the user password format