Use REST API to verify user password

Paul Turner asked on November 30, 2022 17:43

Is there a REST API in Kentico for validating user passwords?

Background: We are looking to move to single sign-on (SSO), using a separate identity provider (IDP) for logins via OIDC. We'd prefer that users continue to use their existing usernames and passwords when logging into the IDP. We can't just copy existing user passwords from Kentico to the IDP because they are all hashed. However, the IDP offers the ability to validate a user's password when they log in. They do this in the following way:

  1. User enters username and password into the IDP.
  2. If the IDP finds that the username and password do not exist in its database, it makes a REST call to an external system (Kentico) validating that the username and password are correct.
  3. If the external system validates that the username and password are correct, the IDP creates a new user account in its database using the username and password.

I'm asking to see if Kentico has a REST API that supports step #2 above. We are using Kentico 12.1.

Thank you,

Paul

Correct Answer

Juraj Ondrus answered on December 1, 2022 07:12

The REST API is not returning the UserPassword hash. So, I would say it is not supported. But, I would maybe create a custom WebAPI endpoint. Then, in your IDP use the same hashing/encryption algorithm and pass the calculated hash to WebAPI and then compare it with the hash in Kentico - if they match, the password is OK and you authenticate the user.

0 votes

Recent Answers
Dmitry Bastron answered on December 1, 2022 08:58

Hi Paul,

As Juraj mentioned already, it's better to create your own API for it. If you are using the MVC development model, I'd rather do it in an MVC project as a simple controller. You can use the Kentico User API to validate the user credentials and return true/false.

0 votes
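One way to build the controller Dmitry describes, as an added example that is not code from the thread or from Kentico. It assumes a Kentico 12 MVC project, the `CMS.Membership` API calls `UserInfoProvider.GetUserInfo` and `UserInfoProvider.IsUserPasswordDifferent` (verify their exact signatures against your 12.1 DLLs), and a hypothetical `X-Api-Key` header that the IDP must present so that only the IDP can drive the check.

```csharp
using System.Text;
using System.Web.Mvc;
using CMS.Membership;

// Body the IDP posts during its step 2: { "userName": "...", "password": "..." }
public class CredentialCheckModel
{
    public string UserName { get; set; }
    public string Password { get; set; }
}

public class CredentialCheckController : Controller
{
    // Placeholder: load the shared secret from configuration, never hard-code it.
    private static readonly byte[] ExpectedApiKey =
        Encoding.UTF8.GetBytes("REPLACE-WITH-CONFIGURED-SECRET");

    // Constant-time comparison so key checking does not leak how many bytes matched.
    private static bool KeysMatch(byte[] presented, byte[] expected)
    {
        if (presented.Length != expected.Length) return false;
        int diff = 0;
        for (int i = 0; i < expected.Length; i++) diff |= presented[i] ^ expected[i];
        return diff == 0;
    }

    [HttpPost]
    [RequireHttps] // credentials travel in the body, so TLS is mandatory
    public ActionResult Validate(CredentialCheckModel model)
    {
        var presented = Encoding.UTF8.GetBytes(Request.Headers["X-Api-Key"] ?? string.Empty);
        if (!KeysMatch(presented, ExpectedApiKey))
            return new HttpStatusCodeResult(401);

        if (model == null || string.IsNullOrEmpty(model.UserName) || string.IsNullOrEmpty(model.Password))
            return Json(new { valid = false });

        // Unknown user, disabled user and wrong password all yield the same answer,
        // so the endpoint cannot be used to enumerate which usernames exist.
        UserInfo user = UserInfoProvider.GetUserInfo(model.UserName);
        bool valid = user != null
                     && user.Enabled
                     && !UserInfoProvider.IsUserPasswordDifferent(user, model.Password);

        return Json(new { valid });
    }
}
```

Rate-limit the route at the web server or reverse proxy as well, since the endpoint is by design a password oracle for whoever holds the key.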

Paul Turner answered on December 1, 2022 18:00

Thank you both for your response! I'll pursue the custom API solution.

0 votes