0
votes

I've a site I'm updating to Web API with ASP.NET Identity 2.0.

It's a legacy site for which we need to allow the users to use their old passwords, at least during a reasonable migration period.

Following this article, I've derived a new UserManager from the base UserManager, and set up the PasswordHasher to hash with an old SHA1 algorithm.

My PasswordHasher looks like this:

    using Microsoft.AspNet.Identity;

    // Derived hasher that reproduces the legacy site's unsalted SHA1 scheme,
    // so the hashes already in the database keep verifying during the migration.
    public class SQLPasswordHasher : PasswordHasher
    {
        public override string HashPassword(string password)
        {
            string cipherText = EncryptPassword(password);
            return cipherText;
        }

        public override PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
        {
            // Hash the supplied password the legacy way and compare it with the stored value.
            string cipherText = EncryptPassword(providedPassword);

            if (cipherText == hashedPassword)
            {
                // The password is right, but the stored hash uses the old scheme and should be upgraded.
                return PasswordVerificationResult.SuccessRehashNeeded;
            }
            else
            {
                return PasswordVerificationResult.Failed;
            }
        }

        // Legacy unsalted SHA1, returned as an uppercase hex string (the format the old site stored).
        private string EncryptPassword(string plainText)
        {
            return System.Web.Security.FormsAuthentication.HashPasswordForStoringInConfigFile(plainText, "sha1");
        }
    }

When I register users with this code, I can see the passwords are being hashed and persisted in the database correctly... for the password 'foobar', the hashed value is fixed and recognizable, since this algorithm did not use a salt.

However, I cannot log in as these users. If I set a breakpoint in the new hasher, it never gets hit. Neither can I seem to hit a breakpoint anywhere in the account controller when trying to log in.

Thanks in advance.

1
What do you mean by "get the authorization server to hash passwords in the same way the UserManager is"? What is the authorization server? How are you using it? - JotaBe

In link (the first article referenced) there is a diagram illustrating the "Local Login Credential Flow". This shows the client password being processed by something called the 'Authorization Server'. It's not me that's using it, supposedly the framework is calling it. I guess the essential question is... why can't I log in using the old passwords? I can see them being hashed properly going in, yet I can't find anywhere to set a breakpoint to see them being used to allow login. - david m chinn

You're completely lost on this. Your question is "How can I use two different authentication schemas in the same app?" and explains that you need to keep your old basic authentication, while you add support for an external identity server. But you don't have to worry at all about how the external authorization server does its job. I.e. you don't mind if the auth server hashes the password, or not, or how it does its job. Your problem is not that one. Please, rethink and rewrite your question. - JotaBe

I just want to let them use their old passwords. There isn't an external identity provider; this was just in the diagram that I saw; perhaps I'm wrong... sorry! What I said was that I wrote a new PasswordHasher, but when I try to log in as a user with one of the old passwords, the password hasher that I wrote is not called, and that user cannot log in. - david m chinn

I have edited the original post, to hopefully clarify. Thanks for your attention to this. - david m chinn

1 Answer

0
votes

I'm answering my own question, in the hopes that someone else may benefit.

The problem was, I couldn't find what in the Web API service was being called when logging in. I finally realized that something called /Token was being set up as the URL to be called in the app.js JavaScript.

Searching through the project server side sources and googling led me to this article, which pointed me to the ApplicationOAuthProvider.cs file, in the 'Providers' folder of the template application.

The specific line of interest is where the method GrantResourceOwnerCredentials instantiates its own user manager, thus:

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // The token endpoint builds its own manager here, separate from the one the account controller uses.
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();

From there, all I had to do was add this line:

    userManager.PasswordHasher = new SQLPasswordHasher();

and I could finally log in.
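The fix above gets legacy users logging in, but it also keeps writing unsalted SHA1 hashes for every new or changed password, and Identity 2.x treats SuccessRehashNeeded as a plain success without rewriting the stored hash. The following is an added example, not the poster's code or the template's: a hasher that verifies the legacy SHA1 format but hashes everything new with the base PasswordHasher's salted PBKDF2 format, plus the token-endpoint method wired to upgrade a legacy hash right after a successful login. MigratingPasswordHasher, IsLegacyHash, LegacySha1Hex and FixedTimeEquals are names chosen for this example; the assumption that the old site hashed the UTF-8 bytes of the password with SHA1 and stored the uppercase hex digest (what HashPasswordForStoringInConfigFile produced) is noted in the code.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

// Added example: accepts both the legacy unsalted SHA1 hex format and the
// Identity 2.0 default format, so users migrate to salted hashes as they log in.
public class MigratingPasswordHasher : PasswordHasher
{
    // Legacy hashes are exactly 40 uppercase hex characters (a SHA1 digest).
    private static readonly Regex LegacyHashPattern = new Regex("^[0-9A-F]{40}$");

    public static bool IsLegacyHash(string storedHash)
    {
        return storedHash != null && LegacyHashPattern.IsMatch(storedHash);
    }

    // New and changed passwords always get the salted PBKDF2 format from the base
    // class, so the unsalted scheme is never used for anything written from now on.
    public override string HashPassword(string password)
    {
        return base.HashPassword(password);
    }

    public override PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    {
        if (hashedPassword == null || providedPassword == null)
            return PasswordVerificationResult.Failed;

        if (!IsLegacyHash(hashedPassword))
            return base.VerifyHashedPassword(hashedPassword, providedPassword);

        // Assumption: the legacy site stored SHA1(UTF-8 bytes of the password) as uppercase hex.
        string candidate = LegacySha1Hex(providedPassword);
        return FixedTimeEquals(candidate, hashedPassword)
            ? PasswordVerificationResult.SuccessRehashNeeded   // correct password, old format: upgrade it
            : PasswordVerificationResult.Failed;
    }

    internal static string LegacySha1Hex(string plainText)
    {
        using (var sha1 = SHA1.Create())
        {
            byte[] digest = sha1.ComputeHash(Encoding.UTF8.GetBytes(plainText));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest) sb.Append(b.ToString("X2"));
            return sb.ToString();
        }
    }

    // Compare every character whatever the position of the first mismatch, so the
    // comparison time does not depend on how much of the hash matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// How GrantResourceOwnerCredentials in the template's ApplicationOAuthProvider would read
// with the migrating hasher installed and a rehash step after a successful legacy login.
public class LegacyAwareOAuthProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        userManager.PasswordHasher = new MigratingPasswordHasher();

        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Identity 2.x does not act on SuccessRehashNeeded itself, so replace the legacy hash
        // here. Validate first: removing the password and then failing to add the new one
        // would leave the account with no password at all.
        if (MigratingPasswordHasher.IsLegacyHash(user.PasswordHash))
        {
            IdentityResult policyCheck = await userManager.PasswordValidator.ValidateAsync(context.Password);
            if (policyCheck.Succeeded)
            {
                await userManager.RemovePasswordAsync(user.Id);
                await userManager.AddPasswordAsync(user.Id, context.Password);
            }
        }

        // ... build the ClaimsIdentity and ticket exactly as the template does (unchanged, omitted here)
    }
}
```

Two things worth knowing when using this pattern. First, the same hasher has to be installed on every UserManager the app creates (the template's ApplicationUserManager.Create factory is the usual single place), otherwise the account controller and the /Token endpoint verify passwords differently, which is exactly the symptom the question describes. Second, a legacy password that no longer meets the PasswordValidator policy stays in the old format until the user changes it; once every remaining hash has been upgraded or expired, the legacy branch can be removed so unsalted SHA1 is no longer accepted at all.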