ASP.NET Identity with multiple applications

猫巷女王i 2020-12-28 10:16

So our organization is developing some new web apps using ASP.NET MVC and Web API. We decided to not use Active Directory for authentication/authorization purposes so it loo

3 Answers
  •  温柔的废话
    2020-12-28 10:52

    Take a look at this tutorial. It shows how to implement ASP.NET Identity using Web API:

    http://bitoftech.net/2015/01/21/asp-net-identity-2-with-asp-net-web-api-2-accounts-management/

    As for dealing with multiple applications, two approaches that come to mind are:

    1. Append an AppId to all usernames
    2. Add an AppId column to AspNetUsers table, derive from UserStore and re-implement the Find based methods so the queries take into account the AppId

    For #1, when the application wants to create a new user, it would send a request to the WebApi containing the new user information and an AppId. The WebApi would then concatenate the UserName and AppId to create the complete username that will be written to the database. So, if application 1234 wants to create a user with the username myuser, then the WebApi will create a new user with the username myuser_1234. From that point on, when querying the database, you would first take the UserName and AppId from the request, concatenate them and then query the database.

    If another application 9900 wants to create a myuser, then the final username written to the database would be myuser_9900.

    You may want to store the application details in the database and for every request validate the AppId to ensure that you recognise the application before processing its request.

    I've not thought much of step #2, so it's just a suggestion.

    If you wanted to share the user credentials across multiple applications, then you could probably ignore the above, go with standard functionality and just have all applications point to the same database, therefore allowing all applications to access all users regardless of which application created which user.

    UPDATE #1: In this instance bearer tokens could be used and I think (going from memory) the tutorial series mentioned above touches on this and how a single WebApi can provide tokens for multiple applications.
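
The first approach from the answer above (recognise the AppId, then concatenate it with the username), as an added example that is not part of the original answer or the linked tutorial. It assumes numeric AppIds and an in-memory registry standing in for the database table; `ScopedUserName`, `Build` and `KnownAppIds` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;

// Added example, not code from the answer or the linked tutorial.
// Assumptions: AppIds are numeric strings; the registry is in memory
// (the answer suggests storing application details in the database).
public static class ScopedUserName
{
    // Constructed sample registry of recognised applications.
    private static readonly HashSet<string> KnownAppIds =
        new HashSet<string>(StringComparer.Ordinal) { "1234", "9900" };

    private const char Separator = '_';

    // Builds the username that is written to and queried from the user store,
    // following the answer's myuser + 1234 scheme.
    // Throws if the AppId is malformed or not registered.
    public static string Build(string userName, string appId)
    {
        if (string.IsNullOrWhiteSpace(userName))
            throw new ArgumentException("User name is required.", nameof(userName));
        if (string.IsNullOrEmpty(appId) || !IsAllDigits(appId))
            throw new ArgumentException("AppId must be numeric.", nameof(appId));
        // Validate the AppId on every request before touching the user store.
        if (!KnownAppIds.Contains(appId))
            throw new UnauthorizedAccessException("Unknown application.");
        // Digits-only AppIds keep the mapping unambiguous even when the user
        // name contains the separator: the text after the last '_' is the AppId.
        return userName + Separator + appId;
    }

    private static bool IsAllDigits(string s)
    {
        foreach (char c in s)
            if (c < '0' || c > '9') return false;
        return true;
    }

    public static void Main()
    {
        Console.WriteLine(Build("myuser", "1234"));
        Console.WriteLine(Build("myuser", "9900"));
        try { Build("myuser", "4321"); }   // AppId not in the registry
        catch (UnauthorizedAccessException e) { Console.WriteLine(e.Message); }
    }
}
```

The same `Build` result has to be used for both user creation and every later lookup, so that each query stays scoped to the requesting application.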
