Setting up authentication
Once you integrate Xperience membership into your live site project, you can implement actions that allow visitors to sign in and out of the website with Xperience user accounts.
Use the following approach to develop sign-in actions:
Tip: To view the full code of a functional example, you can inspect and download the LearningKit project on GitHub. You can also run the LearningKit website by connecting the project to an Xperience database.
Create a new controller class in your MVC project or edit an existing one.
Prepare a property that gets an instance of the Kentico.Membership.KenticoSignInManager class for the current request – call HttpContext.GetOwinContext().Get<KenticoSignInManager>().
Implement two sign-in actions – one basic GET action to display the sign-in form and a second POST action to handle the authentication when the form is submitted.
Call the PasswordSignInAsync method of the KenticoSignInManager instance to authenticate users against the Xperience database (within the code of the POST action).
using System; using System.Web; using System.Web.Mvc; using System.Threading.Tasks; using Microsoft.AspNet.Identity; using Microsoft.AspNet.Identity.Owin; using Microsoft.Owin.Security; using Kentico.Membership; using CMS.Core; using CMS.Base.UploadExtensions; using CMS.Membership; using CMS.SiteProvider;
Sign-in actions example/// <summary> /// Provides access to the Kentico.Membership.KenticoSignInManager instance. /// </summary> public KenticoSignInManager KenticoSignInManager { get { return HttpContext.GetOwinContext().Get<KenticoSignInManager>(); } } /// <summary> /// Basic action that displays the sign-in form. /// </summary> public ActionResult SignIn() { return View(); } /// <summary> /// Handles authentication when the sign-in form is submitted. Accepts parameters posted from the sign-in form via the SignInViewModel. /// </summary> [HttpPost] [ValidateAntiForgeryToken] [ValidateInput(false)] public async Task<ActionResult> SignIn(SignInViewModel model, string returnUrl) { // Validates the received user credentials based on the view model if (!ModelState.IsValid) { // Displays the sign-in form if the user credentials are invalid return View(); } // Attempts to authenticate the user against the Xperience database SignInStatus signInResult = SignInStatus.Failure; try { signInResult = await KenticoSignInManager.PasswordSignInAsync(model.UserName, model.Password, model.SignInIsPersistent, false); } catch (Exception ex) { // Logs an error into the Xperience event log if the authentication fails eventLogService.LogException("MvcApplication", "SignIn", ex); } // If the authentication was successful, redirects to the return URL when possible or to a different default action if (signInResult == SignInStatus.Success) { string decodedReturnUrl = Server.UrlDecode(returnUrl); if (!string.IsNullOrEmpty(decodedReturnUrl) && Url.IsLocalUrl(decodedReturnUrl)) { return Redirect(decodedReturnUrl); } return RedirectToAction("Index", "Home"); } // If the 'Registration requires administrator's approval' setting is enabled and the user account // is pending activation, displays an appropriate message if (signInResult == SignInStatus.LockedOut) { // If the 'Registration requires administrator's approval' setting is enabled and the user account // is pending activation, displays an appropriate message User user = await KenticoUserManager.FindByNameAsync(model.UserName); if (user.WaitingForApproval) { ModelState.AddModelError(String.Empty, "You account is pending administrator approval."); } return View(); } // If the authentication was not successful, displays the sign-in form with an "Authentication failed" message ModelState.AddModelError(String.Empty, "Authentication failed"); return View(); }
We recommend creating a view model for your sign-in action (SignInViewModel in the example above). The view model allows you to:
- Pass parameters from the sign-in form (username, password, and sign-in persistence status).
- Use data annotations to define validation and formatting rules for the sign-in parameters. See System.ComponentModel.DataAnnotations for more information about the available data annotation attributes.
To allow users to sign out on your website, extend your sign-in controller class:
Prepare a property that provides access to the authentication middleware functionality (Microsoft.Owin.Security.IAuthenticationManager instance) – use the HttpContext.GetOwinContext().Authentication property.
Add another action to handle sign-out requests.
Call the SignOut(DefaultAuthenticationTypes.ApplicationCookie) method of the authentication manager to sign out the current user.
Sign-out action example/// <summary> /// Provides access to the Microsoft.Owin.Security.IAuthenticationManager instance. /// </summary> public IAuthenticationManager AuthenticationManager { get { return HttpContext.GetOwinContext().Authentication; } } /// <summary> /// Action for signing out users. The Authorize attribute allows the action only for users who are already signed in. /// </summary> [Authorize] [HttpPost] [ValidateAntiForgeryToken] public ActionResult SignOut() { // Signs out the current user AuthenticationManager.SignOut(DefaultAuthenticationTypes.ApplicationCookie); // Redirects to a different action after the sign-out return RedirectToAction("Index", "Home"); }
Finally, you need to design a user interface for the authentication logic:
- Create a view for the SignIn action and display an appropriate sign-in form for your website. We recommend using a strongly typed view based on your sign-in view model.
- Add a sign in button or link that targets the SignIn action (for example within your site’s main layout page).
- Add a sign out button or link that targets the SignOut action.
Visitors can now sign in to your site with Xperience user accounts from the connected database. If you wish to allow users to register new accounts, see Enabling user registration.
Tip: When writing additional code or views for your website, you can access information about the currently authenticated user via the standard User.Identity object. For example, User.Identity.Name returns the username of the currently signed in user.
Ensuring the correct password format
If your administration application uses custom salt values when generating password hashes, you also need to set the same values for the MVC application. Authentication will always fail if the password hashes are not identical for both applications.
Check the appSettings section of your administration application’s web.config for the CMSPasswordSalt key. If the key is present, copy it to the web.config file of your MVC project.
See also: Setting the user password format
Once you integrate Xperience ASP.NET Core Identity into your project, you can implement actions that allow visitors to sign in and out of the website with Xperience user accounts.
Tip: To view the full code of a functional example, you can inspect and download the LearningKit project on GitHub. You can also run the LearningKit website by connecting the project to an Xperience database.
Use the following approach to develop sign-in actions (this example uses the MVC development approach):
Create a new controller class in your project or edit an existing one.
Provide an instance of the Microsoft.AspNetCore.Identity.SignInManager<ApplicationUser> class using dependency injection.
Implement two sign-in actions – one basic GET action to display the sign-in form and a second POST action to handle the authentication when the form is submitted.
Call the PasswordSignInAsync method of the SignInManager instance to authenticate users against the Xperience database.
using System; using System.Net; using System.Threading.Tasks; using Microsoft.AspNetCore.Mvc; using Microsoft.AspNetCore.Http; using Microsoft.AspNetCore.Authorization; using Microsoft.AspNetCore.Identity; using CMS.Base; using CMS.Core; using CMS.Membership; using CMS.Base.UploadExtensions; using Kentico.Membership; using LearningKitCore.Models.Users.Account;
Sign-in actions example/// <summary> /// Basic action that displays the sign-in form. /// </summary> public IActionResult SignIn() { return View(); } /// <summary> /// Handles authentication when the sign-in form is submitted. Accepts parameters posted from the sign-in form via the SignInViewModel. /// </summary> [HttpPost] [ValidateAntiForgeryToken] public async Task<IActionResult> SignIn(SignInViewModel model, string returnUrl) { // Validates the received user credentials based on the view model if (!ModelState.IsValid) { // Displays the sign-in form if the user credentials are invalid return View(); } // Attempts to authenticate the user against the Xperience database var signInResult = Microsoft.AspNetCore.Identity.SignInResult.Failed; try { signInResult = await signInManager.PasswordSignInAsync(model.UserName, model.Password, model.RememberMe, false); } catch (Exception ex) { // Logs an error into the Xperience event log if the authentication fails eventLogService.LogException("MvcApplication", "AUTHENTICATION", ex); } // If the authentication was successful, redirects to the return URL when possible or to a different default action if (signInResult.Succeeded) { string decodedReturnUrl = WebUtility.UrlDecode(returnUrl); if (!string.IsNullOrEmpty(decodedReturnUrl) && Url.IsLocalUrl(decodedReturnUrl)) { return Redirect(decodedReturnUrl); } // Redirects the user to the homepage return RedirectToAction(nameof(HomeController.Users), "Home"); } if(signInResult.IsNotAllowed) { // If the 'Registration requires administrator's approval' setting is enabled and the user account // is pending activation, displays an appropriate message ApplicationUser user = await userManager.FindByNameAsync(model.UserName); if (user != null && user.WaitingForApproval) { ModelState.AddModelError(String.Empty, "You account is pending administrator approval."); return RedirectToAction(nameof(WaitingForApproval)); } // The other setting that causes 'IsNotAllowed' is 'Require email confirmation' ModelState.AddModelError(String.Empty, "Please confirm your email."); return View(); } // If the authentication was not successful due to any other reason, displays the sign-in form with an "Authentication failed" message ModelState.AddModelError(String.Empty, "Authentication failed, please verify that you entered the correct authentication credentials."); return View(); } public IActionResult WaitingForApproval() { return View(); }
We recommend creating a view model for your sign-in action (SignInViewModel in the example above). The view model allows you to:
- Pass parameters from the sign-in form (username, password, and sign-in persistence status).
- Use data annotations to define validation and formatting rules for the sign-in parameters. See System.ComponentModel.DataAnnotations for more information about the available data annotation attributes.
To allow users to sign out on your website, extend your sign-in controller class:
Add another action to handle sign-out requests.
Call the SignOutAsync method of the sign-in manager to sign out the current user.
Sign-out action example/// <summary> /// Action for signing out users. The Authorize attribute allows the action only for users who are already signed in. /// </summary> [Authorize] [HttpPost] [ValidateAntiForgeryToken] public IActionResult SignOut() { // Signs out the current user signInManager.SignOutAsync(); // Redirects to a different action after the sign-out return RedirectToAction(nameof(HomeController.Index), "Home"); }
Finally, you need to design a user interface for the authentication logic:
- Create a view for the sign-in action and display an appropriate sign-in form for your website. We recommend using a strongly typed view based on your sign-in view model.
- Add a sign in button or link that targets the sign-in action (for example within your site’s main layout page).
- Add a sign out button or link that targets the sign-out action.
Visitors can now sign in to your site with Xperience user accounts from the connected database. If you wish to allow users to register new accounts, see Enabling user registration.
Tip: When writing additional code or views for your website, you can access information about the currently authenticated user via the User property. For example, User.Identity.Name returns the username of the currently signed-in user.
Ensuring the correct password format
If your administration application uses a custom salt value when generating password hashes, you also need to set the same value for the Core application. Authentication will always fail if the password hashes are not identical for both applications.
Check the appSettings section of your administration application’s web.config for the CMSPasswordSalt key. If the key is present, copy it to the application configuration file of your Core project (appsettings.json by default).
See also: Setting the user password format