MembershipReboot v5 released
December 20, 2013
After many hours of work, I’m happy to say that I’ve released MembershipReboot v5. The main points of this release:
- Some minor vulnerabilities from v4 were fixed (and thus the implementation is more resilient to attacks)
- The repository and entity design was reworked significantly to allow an easier time with:
  - defining custom entity properties/columns
  - using a non-GUID primary key
  - allowing for all the entity classes to be custom classes
  - allowing for use of a non-ORM backing store
- Better designed OWIN/Katana support
- There is now support for “password reset secrets”
- Added migrations into the EF project to migrate from v4 to v5
- A few other bug fixes here & there
Here’s the link to the release notes (though they’re mainly just a wild list of changes). All the NuGets were updated to v5.
If you’re just getting started, then I’d suggest looking at the main sample.
Enjoy.
31 Comments
Thanks for doing this, Brock!
Hello Brock, how can we assign roles?
UserAccountService.AddClaim with ClaimTypes.Role
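As an added illustration of the reply above (example code, not from the original post or from the MembershipReboot project itself): roles in MembershipReboot are ordinary claims on the account, so assigning one is an `AddClaim` call with `ClaimTypes.Role`. The example assumes a `UserAccountService` already constructed elsewhere with its configuration and repository, and an existing account named "alice"; the service variable and username are placeholders.

```csharp
using System;
using System.Security.Claims;
using BrockAllen.MembershipReboot;

public static class RoleAssignment
{
    // Assumption: "svc" is a fully configured UserAccountService created by the
    // host application (configuration and account repository wired up elsewhere).
    public static void GrantRole(UserAccountService svc, string username, string role)
    {
        var account = svc.GetByUsername(username);
        if (account == null)
            throw new InvalidOperationException("account not found: " + username);

        // A role is just a claim of type ClaimTypes.Role stored on the account.
        svc.AddClaim(account.ID, ClaimTypes.Role, role);

        // Revoking the role later is the matching RemoveClaim call:
        // svc.RemoveClaim(account.ID, ClaimTypes.Role, role);
    }
}
```

One caveat worth keeping in mind: the claims in an already issued sign-in cookie or token are a snapshot from the time of sign-in, so a role added or removed this way is only reflected once the user signs in again (or the application re-issues the cookie). Role revocation should therefore not be assumed to take effect on the user's current session.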
Another question, I am using Membership reboot with web forms, when I finish I will send you the work done maybe you can add it to the samples.
I successfully initialized the AuthenticationService using SamAuthenticationServices, but I was not able to initialize with Owin authentication, either with using Nancy or without.
Can you please help with this. How can I initialize AuthenticationService using Owin and without Nancy?
Thank you
Did you look at the Owin sample?
Dany did you ever implement this with forms? I was wondering if you could share your implementation with me.
Nope, never had the time. Sorry.
Thanks for doing this and even more for releasing as open source!
I’m evaluating your solution for one of our projects and there is one thing that doesn’t fit with our requirements – using the mobile phone number as username.
The default username validator requires that the username contains at least one letter effectively disallowing the use of phone numbers.
I could certainly work around this by inheriting the UserAccountService and overriding the ValidateUsername method but I’m wondering if there is a good reason behind requiring at least one letter (like guarding against brute force attacks)?
In a future release may I suggest you think about making the validation even more flexible, i.e. allowing us to build our own ‘AggregateValidator’s.
If this is already documented somewhere, please point me in the right direction. Thanks!
This thread is a better place for this conversation: https://github.com/brockallen/BrockAllen.MembershipReboot/issues/188
Many thanks. Your work has helped me massively.
hello,
I am new to identity management, but would like to know if it is possible to expose the methods of MR as a REST service so that I can use it from different applications. In fact I am writing a REST service that will be used by different plugins using the REST API; I will also have an ASP.NET web app that will connect to and use this REST service.
regards
Sure, it’s possible. There’s nothing built-in for this, so you’d be building it yourself.
Are there any plans to have MR end up inheriting / be built on top of and extend the new ASP.NET Identity introduced with MVC 5? Or is your idea to be a competitor of sorts with ASP.NET Identity? I’ve been playing with MR and I’m pretty happy with it btw, nice work.
No, MR is its own thing.
I implemented MR with EF6 and MVC. Everything works fine, but when I configure EF with this.Configuration.LazyLoadingEnabled = true; the app stops working. What can I do to enable LazyLoading?
Not sure — can you open an issue on the github issue tracker?
We are needing to allow outside companies the ability to lookup users in our system and authorize them to login to their system. Sort of like how one would use Facebook to login to another web site. Do you have any samples or guidance for using MembershipReboot as a service over the web?
You should deploy a security token service — this issues tokens for your users. Thinktecture IdentityServer does this.
Sorry for the newbie questions but we’re upgrading from ancient methods of a web form calling an action page that runs a SQL query. The Thinktecture IdentityServer looks promising but does it work with or instead of MembershipReboot?
They serve different purposes. MembershipReboot is for managing a database where you have to store users’ passwords and identity data. IdentityServer is for centralizing your identity so your users can have single sign-on across multiple apps. IdentityServer can use MembershipReboot to store users’ identity data.
So just to clarify, I would pass my users to the login page of IS but use pages on MR to do management of the account (password reset, remind, etc.). I can’t use a login page on MR and still create a token. So, to be less confusing to my users, I’ll style the pages the same. Can they live in the same domain but just be different apps in different sub folders?
Your STS issues tokens for signing in. Where you do management of your users is up to you and depends on requirements. If you want self-service, then doing this in the STS can work, or you can create a new app to do this as well (which would share the DB with the STS).
It’s still not clear to me how I can have my cake and eat it too. How do I integrate all the brute force, etc. protections for user login while issuing a security token for SSO? You’ve created a great product, but the documentation is very weak for those of us just entering this world. I would be very grateful for better documentation as this is now looking like more work than writing from scratch.
Sorry the docs are thin — I do this in my free time. I’d love some help if you’re offering :)
As for the use of MR’s features in the STS — if the STS is using MR for validating credentials then you’ll get those protections because those checks are part of MR’s code features.
I’d love to help out with docs for MR. I’m trying to understand it and set up a quick demo with it and it’s taking me a lot of time. But I finally got something working.
How do I help out with docs?
You can start by organizing, updating and/or beefing up the wiki: https://github.com/brockallen/BrockAllen.MembershipReboot/wiki
Hi Brockallen, we are using your product as login mechanism for a new web site project.
The web app will be hosted in the DMZ, one of the limitations of the environment is that we cannot connect to a database directly from DMZ, so we must expose an interface (WCF service) that will do all the reading and writing in the database. Does MR support this?
Meaning, can we implement / override methods within MR that will call the WCF instead of having MR perform these operations in the database directly? Sorry for not reading the docs on this yet, have that planned after the current backlog (somewhere 2017? lol)
Thanks for the reply.
For support questions, please use the issue tracker on github.