custom authentication handler

Rita Mikusch asked on December 7, 2016 22:39

Hi,

EDIT: using Kentico 8.0

The custom authentication handler I'm working on seems to be POSSESSED! I was hoping somebody could give me some idea of what I'm missing here :(.

I've removed 98% of the authentication code, and just reduced the authentication handler to this very basic test case ...

Here is what I THINK the code should do:

1) Visitor enters "UserName1", plus an INCORRECT password, into Kentico's login form.
2) Since visitor entered incorrect password, Kentico authentication FAILS. e.User is therefore null, so the "custom authentication code" is run and e.User is set to "UserName2".
3) Authentication is successful, and the current user is set to UserName2.

BUT no, that's NOT what happens ... here's what actually happens: 3) Authentication is successful, and the current user is set to UserName1.

Which is crazy because the visitor entered an incorrect password for UserName1! According to other test cases I've created, the e.User is null, and the if statement is TRUE, so the "custom authentication code" does definitely run. But somehow in the end, the visitor is authenticated and current user is set to UserName1 instead of UserName2.

Any ideas? I must be missing something obvious here!!

using CMS.Base;        // CMSLoaderAttribute
using CMS.Membership;  // SecurityEvents, AuthenticationEventArgs, UserInfoProvider

[AuthenticationHandler]
public partial class CMSModuleLoader
{
    private class AuthenticationHandler : CMSLoaderAttribute
    {
        // Registers the handler when the application starts.
        public override void Init()
        {
            SecurityEvents.Authenticate.Execute += OnAuthentication;
        }

        private void OnAuthentication(object sender, AuthenticationEventArgs e)
        {
            // Check if user was authenticated by the default system. Only continues if authentication failed.
            if (e.User == null)
            {
                // custom authentication code -- this runs
                e.User = UserInfoProvider.GetUserInfo("UserName2");
            }
            else
            {
                // this never runs and is just here for testing purposes
                e.User = UserInfoProvider.GetUserInfo("UserName3");
            }
        }
    }
}

Correct Answer

Anton Grekhovodov answered on December 8, 2016 05:30

Hi Rita,

I'm not sure that it's possible to change UserName during authentication process. And I think you have a mistake in your code. If User enters correct username and password, the "else" section of your code will be executed

0 votes

Recent Answers


Rita Mikusch answered on December 8, 2016 09:29

Haha yeah I was confused ... the else section would run if the user was not null. It's been a long day.

Maybe I also simplified the test case so much that it wasn't useful.

0 votes

Rita Mikusch answered on December 8, 2016 10:04

I can't change the username??? Okay, that likely explains the odd behaviour of this test example, and also the odd behaviour of my actual real code.

I'm using a third party database to authenticate the user, but using Kentico's membership system (roles, permissions, etc) for everything else.

After authenticating the user in the third party database, I create a local Kentico copy of that user. And I sync those internal+external users by putting a unique ID in the Kentico username field (makes it much easier to find a specific user in the Kentico user list). But users actually enter a totally different username for that initial authentication with the third party database.

So I'm basically changing the username of the "current user" after the visitor logs in. Which is causing the odd behaviour I'm getting.

I'll change the code so the username for the internal+external users is the same, and I'll add a custom field for the unique identifier. And now the fact that the username is no longer changing will hopefully solve the issues.

thank you!

0 votes

Anton Grekhovodov answered on December 8, 2016 10:24

Rita,

Yeah, I use the same approach as you described. It must work)

0 votes

Brenden Kehren answered on December 8, 2016 16:07

Rita,

You don't want to change the "current user". You want to change the user you're authenticating. The "current user" context will be public user until the user is successfully authenticated. Only after that time can you change/modify the username.

Also, performing all those actions within the authentication event handler might not work properly for those actions. Meaning if the authentication handler is running, you are also trying to update a user while that user is authenticating and it might not have the proper context loaded, which is why you might be getting unexpected results. I'd try to perform the authentication and possibly do a redirect to handle the other pieces you need to do on a different page/webpart.

2 votes

Rita Mikusch answered on December 8, 2016 18:34

Hi Brenden,

Sorry I was unclear ... What I'm changing is e.User, exactly like in the example I created above.

When I run that example, the user that I set e.User to does not get logged in ... what gets logged in is the user whose USERNAME I entered into the login form.

I just changed my real code, so the username of the person logging in doesn't change ... and now it works properly.

So looks like the key message is, don't change the username!

0 votes
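
The approach the thread settles on (the local Kentico username stays identical to the one typed into the login form, and the external unique ID lives in a custom field), sketched as an added example that is not code from any poster here or from Kentico. Assumptions: the custom user field `ExternalUserId`, the `ExternalDirectory.TryVerify` stand-in for the third-party database, and the handler class name are all hypothetical; `e.UserName` and `e.Password` are the credentials carried by the event arguments.

```csharp
using System;
using CMS.Base;
using CMS.Membership;

[ExternalAuthenticationHandler]
public partial class CMSModuleLoader
{
    private class ExternalAuthenticationHandler : CMSLoaderAttribute
    {
        // Assumption: custom field added to the Kentico user class for this example.
        private const string ExternalIdField = "ExternalUserId";
        public override void Init()
        {
            SecurityEvents.Authenticate.Execute += OnAuthentication;
        }

        private void OnAuthentication(object sender, AuthenticationEventArgs e)
        {
            // Built-in authentication already succeeded: leave its result alone.
            if (e.User != null) return;
            // Fail closed: without a positive external verdict e.User stays null.
            string externalId;
            if (!ExternalDirectory.TryVerify(e.UserName, e.Password, out externalId)) return;
            // Local copy is keyed by the SAME name the visitor typed, never a substitute.
            UserInfo user = UserInfoProvider.GetUserInfo(e.UserName);
            if (user == null)
            {
                user = new UserInfo { UserName = e.UserName, FullName = e.UserName, Enabled = true, IsExternal = true };
                user.SetValue(ExternalIdField, externalId);
                UserInfoProvider.SetUserInfo(user);
            }
            else if (!user.IsExternal || Convert.ToString(user.GetValue(ExternalIdField)) != externalId)
            {
                // Name collides with a native account or another external identity: deny.
                return;
            }
            e.User = user;
        }
    }
}
// Hypothetical stand-in for the third-party database; replace the body with the real check.
internal static class ExternalDirectory
{
    public static bool TryVerify(string userName, string password, out string externalId)
    {
        externalId = null;
        return false; // denies every login until the real lookup is wired in
    }
}
```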
