Requirement

• At the moment, "conditional search" does not exist.
• Also, "paging processing" does not exist either.

Add these processes to the user administration screen.

Requirement

• A user having the role of the system administrator user added by the initial system administrator user should be changed to operate as the system administrator user.
• To do this, must be identify the system administrator with the system administrator role, not the initial system administrator's UserName.
• This problem became clear by fix of #14.

Requirement

The change process of the UserName (e-mail) became required in #17.
Therefore, it is necessary to identify users by GUID (UUID) in the entire system.
For this reason, it is necessary to support OAuth2 scope for adding UserID (GUID) attribute to Userinfo.

Requirement

Location.

From here to there.

Access control

Administration screens

Check if the user can activate the administration screen.
https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Views/Home/Index.cshtml#L62

OAuth 2.0 operation verification screen

Check if it is not locked down (#24).
https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Views/Home/Index.cshtml#L68

Requirement

Merge the bug fixes into the develop branch,
These problem have been found at the testing time on the customize branch.

https://github.com/OpenTouryoProject/MultiPurposeAuthSite/commits/customize_p1

• 41f33b9
  Bug fixes by the testing (1).
  • A problem occurred in the sign-up process due to the specification was changed.
  • Fix to display appropriate error message at redisplay.
• 75e20c9
  Bug fixes by the testing (2).
  • Fixed the problem of culture fallback.
• cfb995c
  Added the customize (6).
  The screen was splitted. And, added two screes.
  Fixed the following problems found at that time.
  • Session is no longer used, so there is no concern about session timeout.
  • When an unknown error occurs, in this case, it transits to the error screen instead of RedirectToAction. Therefore, this unnecessary coverage should be deleted.
• 056dcbc
  Added the customize (7).
  Changed the specification of the PasswordReset screen.
• d343b2e
  Quality improvement by the testing (1).
  Fixed the problem of OAuth2 flow.

Requirement

Implement input validation with default value.

Requirement

There can operate the accounts of other tenants by directly typing the GUID in the administration screen.
Therefore, the process of checking ownership of the object will be added to the administration screen.

Requirement

Add following features related OAuth2 to user attribute edit screen.

Automatic generation feature of ClientID and ClientSecret.

• As a result, the users themself can add an any OAuth2 client to the authentication site.
• Also, if the key leaks out, it is safe as users can update themselves.

Acquisition feature of "bearer token".

• This is one way to achieve resource access in the "Trusted Subsystem Model".
• As a more sophisticated response, it is planned to support of #5.

Requirement

Such as this problem was occurring.

There are the following solutions.

• Controllable with an HTML meta tag (forcing "IE=edge").

<meta http-equiv="X-UA-Compatible" content="IE=edge"/>

• Can support IE8 compatibility by change to 1.x version of the jQuery.

The appropriate countermeasure method is considered to be the former.

Requirement

• Reconsider logging events and methods related to authentication.
• Currently it is biased toward debugging trace and exception log output in user store.
• This will be necessary for introduction to enterprise level projects.

Requirement

I thought it would be better if I could change this behavior with an optional switch.

Consideration

In the current implementation, while the logged-in user is away, you can change the user name and password by operating the edit screen. I think that this is assumed to use inside the building of the enterprise that tends to leave the seat, while the screen is open. But, originally, I think internal crimes are less likely to occur if it is inside the enterprise. On the other hand, when using outside the building, I think that there are many cases where it is self-responsibility. However, if you need to enter a password you are safe even if you leave your seat.

Target

I thought that this processing should be added to such as the following processing that affect more bigger than the password change processing.

Change user name & E-mail address screen

There is a case, suddenly, a user will not be able to use own account due to abuse of user name change by the other user. Especially, in the case of the E-mail address was changed, this state can not be recovered by only the password reset processing without tracking the ID and user name.

Delete account screen

Since deletion specification depends on the specification of each project, this screen does not exist at this time. However, since in case of deleting an account of e-mail format, there are cases that the account cannot be re-created, we think that it is meaningful to defend it with a password when adding an account deletion screen.

Requirement

I think it is important to support this as one of multi-factor authentication.

Reference

マイクロソフト系技術情報 Wiki

• FIDO
  https://techinfoofmicrosofttech.osscons.jp/index.php?FIDO
  • Web Authentication API
    https://techinfoofmicrosofttech.osscons.jp/index.php?Web%20Authentication%20API

Requirement

• Based on the fixes of #20, I judged that it should be better
  that the editable items can be configured by the switch.
• This is also necessary for introduction to enterprise level projects.

Requirement

I think that we should close this specification to specification of OpenID Connect.
In particular, I think we need to pay attention to the following points.

ID Token

This site returns a bearer token similar to the ID token.
Therefore, I think we need to check the specifications of the ID token carefully.

• Final: OpenID Connect Core 1.0 incorporating errata set 1 > 2. ID Token
  http://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html#IDToken

Claims

In RFC 6749 for OAuth 2.0, the endpoint specification for acquiring the user's claim is not determined.
Therefore, I think that it is good to decide the standard specification of this authentication site with reference to OpenID Connect.

• Final: OpenID Connect Core 1.0 incorporating errata set 1 > 5. Claims
  http://openid.net/specs/openid-connect-core-1_0.html#Claims

The method of to include the claim and to get the claim set.

There is a method to specify to add the claim to the ID token and UserInfo response. As well as above, I think that it is good to reference this specification as the standard specification of this authentication site.

• Final: OpenID Connect Core 1.0 incorporating errata set 1
  • 5.3. UserInfo Endpoint
    http://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html#UserInfo
  • 5.4. Requesting Claims using Scope Values
    http://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims
  • 5.5. Requesting Claims using the "claims" Request Parameter
    https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html#ClaimsParameter

Requirement

This will be necessary for introduction to enterprise level projects.

Requirement

This is one way to achieve resource access in the "Trusted Subsystem Model" same as the "#4".

• JWT bearer token authorizationグラント種別 - マイクロソフト系技術情報 Wiki
  https://techinfoofmicrosofttech.osscons.jp/index.php?JWT%20bearer%20token%20authorization%E3%82%B0%E3%83%A9%E3%83%B3%E3%83%88%E7%A8%AE%E5%88%A5

I think that this method is a more secure method.

• Implement by referring the implementation of google that is without client authentication.
• In addition, key exchange is done using XML.
• Develop a CUI tool to generate JWT assertion.

Requirement

• If redirect_uri is not specified,
  • redirect_uri registered by client registration is used.
  • In some cases, it is registered as a specific symbol.
• If redirect_uri is specified,
  • Allow only redirect_uri for implemented on MultiPurposeAuthSite that is allowed for the unspecified client_id.
  • Alternatively, redirect_uri that forward-matches the redirect_uri already registered in the client is permitted.

Requirement

With this, Become to be able to support various requirements.

Requirement

Support the "OpenID Connect".

Method

• I thought of a technique to forcibly support to OpenID Connect,
  • By using ASP.NET MVC custom filter feature.
    https://garafu.blogspot.jp/2013/06/aspnet-mvc_9.html
    https://garafu.blogspot.jp/2013/06/aspnet-mvc.html
  • By using ASP.NET HttpModule.
    • In case of the "code", replace response body.
      http://blog.fne.jp/2010/01/iis.html
    • In case of the "token" "id_token token" or "id_token", replace response header of location.
      http://blog.progfast.jp/labs/index.php/arts/iis-7-httpresponseheader/
    • How to activate HttpModule.
      https://stackoverflow.com/questions/2935383/httpmodules-not-working-on-iis7
• The reason why this is possible is because the difference from OAuth2.0 is only a little.
  • In case of the "code".
    https://www.slideshare.net/kura_lab/openid-connect-id/54
  • In case of the "token" "id_token token" or "id_token".
    https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html#ImplicitFlowAuth
• Check JWT in HttpModule, and add id_token,
  • In case of the "code".
    if "nonce" and "scope=openid" exist.
  • In case of the "token" "id_token token" or "id_token".
    if "nonce" and "scope=openid" exist.

Reference

• OAuth 2.0 の Response Type 全パターン - OAuth.jp
  http://oauth.jp/blog/2015/01/06/oauth2-multiple-response-type/
• OpenID Connect - マイクロソフト系技術情報 Wiki
  https://techinfoofmicrosofttech.osscons.jp/index.php?OpenID%20Connect
  https://techinfoofmicrosofttech.osscons.jp/index.php?OpenID%20Connect#z4c28dbb
• Final: OpenID Connect Core 1.0 incorporating errata set 1
  • 3.1. Authentication using the Authorization Code Flow
    https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html#CodeFlowAuth
  • 3.2. Authentication using the Implicit Flow
    https://openid-foundation-japan.github.io/openid-connect-core-1_0.ja.html#ImplicitFlowAuth

Requirement

This is aimed at reducing the round trip of OAuth2 dance in case of authentication.

Requirement

PKCE (Proof Key for Code Exchange by OAuth Public Clients)

• RFC 7636
  https://tools.ietf.org/html/rfc7636
  • Is it necessary to corresponde for RFC 7636 ?
  • Can the ASP.NET Identity implement RFC 7636 ?

Requirement

• Add lockdown switches of "Authorization Code" and "Implicit".
• Add a special scope for federation of roles (Do not add roles to JWT by default).
• Stop "Implicit" when [setting "scope = auth" option].

Requirement

StretchCount is used for countermeasures against off-line brute force search.
It is intended to degrade the rapidly performance of the hash function.

But, currently, StretchCount is fixed to "1",
Because, this state is assumed that StretchCount will be re-written by the project.

But, I think this is unkindly specification.
Therefor, It should be make StretchCount configurable.
Also, for the above reasons, it is not necessary to use a variable value.

Requirement

二重送信防止機能 - Open 棟梁 Wiki
https://opentouryo.osscons.jp/index.php?%E4%BA%8C%E9%87%8D%E9%80%81%E4%BF%A1%E9%98%B2%E6%AD%A2%E6%A9%9F%E8%83%BD

In the ASP.NET MVC,
https://github.com/OpenTouryoProject/OpenTouryo/blob/develop/root/programs/C%23/Samples/WebApp_sample/MVC_Sample/MVC_Sample/Views/Crud1/Index.cshtml#L40

Requirement

There are the following two problems.

• It does not support to Twitter, there is needs to implement processing of ID federation with Twitter.
• Facebook library of 3.0.1 seems to stop working, It is necessary to update to 3.1.0.
  http://stackoverflow.com/questions/22364442/asp-net-mvc5-owin-facebook-authentication-suddenly-not-working

Requirement

Such as this specification was requested.
I also think that there are many opportunities to use this config.

Looking at the information around the following,

• ASP.NET-Identity-Cookie-Authentication-Timeouts · James Sturtevant
  http://www.jamessturtevant.com/posts/ASPNET-Identity-Cookie-Authentication-Timeouts/
• ASP.NET IdentityでCookieの有効期間を設定する - blog.beaglesoft.net
  http://blog.beaglesoft.net/entry/2016/03/05/143313

It seems to be able to respond by fixing the following.

• https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Models/ASPNETIdentity/StartupAuth.cs#L118

Requirement

"Agreement" is not displayed when the account is a user name instead of E-mail.

Requirement

About the "revoke access", the following article is helpful.

• Twitter の認証を解除する方法ってAPIからはできないみたい？ « ウップス!!なかわけ~
  http://nakawake.net/?p=1594
  • Twitter / 設定
    https://twitter.com/settings/applications

No Test password Flow and not Test ClientCredentials Flow?

Overview

ApplicationOAuthBearerTokenProvider.cs
https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Models/ASPNETIdentity/TokenProviders/ApplicationOAuthBearerTokenProvider.cs

Even when ClientID and ClientSecret is not specified, basic authentication passes.

• In this case, redirect will not be success with authorization code grant and implicit grant. therefore, this problem is small.
• But, resource owner credentials grant and client credentials grant passes authentication, this is problem.

Requirement

Currently it supports only SQL Server.

Respond to Oracle and PostgreSQL.
Use ODP.NET Managed Driver and Npgsql.

Requirement

The additional fix of #44.
This seems feasible on the DbCommand with the MiniProfiler.

• neue cc - Http, SQL, Redisのロギングと分析・可視化について
  http://neue.cc/2013/07/30_420.html
• Stack Exchangeから提供されたMVCミニプロファイラ
  https://www.infoq.com/jp/news/2011/06/Mini-Profiler

NuGet Gallery

• MiniProfiler 3.2.0.157
  https://www.nuget.org/packages/MiniProfiler/
• Unity bootstrapper for ASP.NET MVC 4.0.1
  https://www.nuget.org/packages/Unity.Mvc/

Requirement

For external login by user name, since user name is not unique, it is necessary to match email addresses.

Requirement

This will be necessary for introduction to enterprise level projects.

Overview

I did incorrect understanding of the life cycle of IHttpModule.
Initialization of the instance member variable was necessary.

See

47ce0b8#diff-1b7379603dfebc8c347a80be79a0a059R241

Requirement

I did not confirm the specification match with the OpenTouryo template and ASP.NET Identity template.
Check the layout when the screen size is reduced, and correct this as necessary.

layout system

• In the template of ASP.NET Identity, "col-md-**" is used.
• In the master page part of OpenTouryo's template, "*col-xs-**" and "col-sm-**" are used.
  • https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Views/Shared/_Layout.cshtml#L46
  • https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Views/Shared/_Layout.cshtml#L61
  • https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Views/Shared/_Layout.cshtml#L99

Grid systems do not interfere if they are nested.
Therefore,

• "sm" is the threshold of the menu area,
• and "md" is the threshold of the content area.

And, these act effectively.

Media Queries

• In the ASP.NET Identity template, navbar is not used.
• In the master page part of OpenTouryo's template, Media Queries is used.
  • https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Content/touryo/Style.css#L208

There was a problem in some selectors.

Component

navbar

• In the ASP.NET Identity template, navbar is not used.
• In the master page part of OpenTouryo's template, navbar is used.
  • https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Views/Shared/_Layout.cshtml#L52
  • https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Views/Shared/_Layout.cshtml#L69

These navis were irrelevant to responsive design.

Requirement

Currently, "E-mail confirmation" is integrated into "sign-up process".

• Send E-mail
  Https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Controllers/AccountController.cs#L325

• Code verification
  Https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Controllers/AccountController.cs#L436

So,

Save the E-mail address to be updated to the temporary area,
And, if the result of ConfirmEmailAsync method is result.Succeeded,
I will try to update both the UserName and Email attributes for this.

What I care about is whether E-mail sending + code verification at the timing
when the E-mail address is not reflected in UserStore correctly functions on ASP.NET Identity.

This will be implemented in the following places as Investigation.
https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Controllers/ManageController.cs#L314

Requirement

Simply, there is a need to output trace logs even
in provisioning environments and production environments.

Requirement

The following exception occurred in a production environment.

• Windows 2008 Server ＋ ASP.NETでp12ファイルを読みこむとエラー - ゆれくるコール開発日誌
  http://rcsc.hatenablog.com/entry/2013/10/22/184108
• C#: Error Creating X509Certificate2 from a PFX or P12 File in Production | Valery's Mlog
  http://vdachev.net/2012/03/07/c-sharp-error-creating-x509certificate2-from-a-pfx-or-p12-file-in-production/
• Eight tips for working with X.509 certificates in .NET - Paul Stovell
  http://paulstovell.com/blog/x509certificate2

Therefore, it is necessary to modify the library so that it can set the X509KeyStorageFlags from the application.

Requirement

Add a switch and lock down the following client side processes.

Redirect endpoint

https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Controllers/AccountController.cs#L1242

• AccountController.OAuthAuthorizationCodeGrantClient
• AccountController.OAuthImplicitGrantClient

Menu to launch

https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Views/Home/Index.cshtml#L68

Requirement

• To add the editing process of UnstructuredData as a template by default.
• It is possible to support the case that it is required to add attributes in a hurry with this.
• This is also necessary for introduction to enterprise level projects.

Requirement

As a result of reconsideration, it was decided on the following specifications.

Resending confirmation mail

Describing behaviors when sign-up is repeated again, mainly because the confirmation mail has been lost. In this case, the record of the user exists. Therefore, delete the initial user name & password that is not activated, send confirmation mail after registering with a new user name & password.

User records that are accumulated like garbage and not activated

I think that it is necessary to delete user records that are accumulated like garbage and not activated. However, to execute this process, a time stamp is required. At the present time, such a field does not exist. Therefore, there is a need to add the date of generation to the user record.

Im using ASP.NET Identity for my User Management and its works fine but ConfirmEmailAsync() does not update EmailConfirmationDate (date of confirmation). any idea?
here is my code:
var result = await UserManager.ConfirmEmailAsync(user.Id, code);

Thanks

Requirement

Such as this specification was requested.
I also think that there are many opportunities to use this config.

Looking at the information around the following,

• asp.net - Email Token Expiring After 15 mins - Asp Identity 2.0 API - Stack Overflow
  https://stackoverflow.com/questions/27152612/email-token-expiring-after-15-mins-asp-identity-2-0-api
• Account Confirmation and Password Recovery with ASP.NET Identity (C#) | Microsoft Docs
  https://docs.microsoft.com/en-us/aspnet/identity/overview/features-api/account-confirmation-and-password-recovery-with-aspnet-identity
• IdentityConfig.cs - ASP.NET MVC 5 Security And Creating User Role
  https://code.msdn.microsoft.com/vstudio/ASPNET-MVC-5-Security-And-44cbdb97/sourcecode?fileId=147300&pathId=2020013451
• ASP.NET Identityを使ったメール認証でのtokenの有効期限の変更方法 - tonkunの備忘録
  http://tonkun-no.hatenablog.com/entry/2016/09/15/212145

It seems to be able to respond by fixing the following.

• https://github.com/OpenTouryoProject/MultiPurposeAuthSite/blob/develop/root/programs/MultiPurposeAuthSite/MultiPurposeAuthSite/Models/ASPNETIdentity/Manager/ApplicationUserManager.cs#L166

Requirement

If "RequireUniqueEmail" is false, the field of the administrator user create and edit screen needs to be displayed the UserName field. But, at the present time the E-mail field is displayed.

Requirement

Assume a use case of the MultiPurposeAuthSite that is connected to an existing user store.
In this case, there are needs need to lock down the sign up and management functions.

Requirement

In case of the screen size becomes smaller, then I will respond by increasing the number of columns assigned to the menu. (As follows, use the currently using the grid system of bootstrap.)

<div id="body-bk">
    <div id="body" class="row">
        <div class="nav-side-menu col-sm-3 col-md-2">
            略
        </div>
        <div id="contents" class="col-sm-9 col-md-10">
            略
        </div>
    </div>
</div>

Requirement

• Even if it exists in different tenants, can not add roles with the same name.
  This is a specification of ASP.NET Identity, but there is a need to consider countermeasures.

• Tenant administrator can not list the tenant users belonging to the global role.

  • Because the tenant administrator does not have ownership of the global role.
  • This fix could be responded by releasing authority.

Requirement

The feature to change or add the E-mail address.

This feature is using customized confirmation of E-mail address.

• Change storage from session to DB.
• Add the create date field.
• And, check the expired with EmailConfirmationTokenLifespanFromHours.

"Authorization code" feature .

Add the create date field.

"Refresh token" feature .

• Add the create date field.
• And for the refresh token, to implement switch of Enable / Disable.

Requirement

There is a needs to fix the following problems.

• You can give another account the role that is higher authority than the role to which you belong.
• There is a problem with "parented" of the object that is created by "User who can create objects by granting privileges". Due to this problem, objects are not added to the same tenant.
• Role should be also performed "conditional search" in the same way as #2 issue.