Aspnetcore.docs: update "Migrating Authentication and Identity"

closed #1476

@Rick-Anderson is this still up-for-grabs

@scottaddie is this issue still open? If so, it's up for grabs.

This is still up for grabs. We should probably use something like "NewCoreMvcProject" for the namespace.

@scottaddie @Rick-Anderson since it seems like the whole migration section needs a reconfigure, maybe we add another doc to list provided by @danroth27 in #4237 and close this issue. New Doc would be regarding moving from ASP.NET Identity to new Context Providers. Thoughts?

@isaac2004 Let's keep this issue open for now.

@danroth27 Thoughts on the new doc proposed by Isaac above?

Looks like my list in #4237 was missing a migration topic for migrating from ASP.NET Identity to ASP.NET Core Identity. I've now added that. @isaac2004 does that cover the topic you wanted added, or were you thinking of something else? I'm not sure what you meant by the "new Context Providers".

@danroth27 I think the issue people are having is on the data side. For instance they have some app using Membership and they want to migrate the database to Core Identity. There is that doc to go from Membership to ASP.NET Identity and I wonder if another migration doc from ASP.NET to ASP.NET would suffice, or a straight Membership to ASP.NET Core would be more beneficial. This doesn't even take into account 1.x vs 2.x on the Core side. Regardless I can put it together, just want to make sure the right things are being targeted

@danroth27 please advise

@blowdart should probably weigh in on what he'd like to see here, but I think having a doc for migrating directly from Membership to ASP.NET Core is probably what we want.

pinging @blowdart for guidance

Agreeing with @danroth27. Damn, that hurts.

@blowdart @danroth27 So in agreement that a migration doc from ASP.NET Membership to ASP.NET Core 2.0 Identity is needed for this. This doc would show the code changes needed, the changes needed to the DB schema, and some SQL script to migrate the data from the Membership Schema to Core Identity Schema. Would that suffice?

Membership isn't MVC5 and 6, that's just older identity stuff. @HaoK shouldn't that be done with migrations?

Correct me if I am wrong, but isn't that the ask, getting from the really old Membership DB to Core Identity? Apologies if I misunderstood something

Oh? In that case, yea, that'll be painful, but fun. And no-ones password will work any more :)

Oh that is an interesting point, is the Hashing mechanism for PW between ASP.NET Identity and Core Identity different? There is a Membership to ASP.NET Identity doc out there, so I assumed that the Membership to Core Identity process would be somewhat similar

Very different. Honestly I'd just blank the passwords. The membership scheme is just really too old now to be safe. You could wire up a customer hasher again, but putting my security hat on I'd rather that didn't happen.

Well you are probably going to have to review the doc, so I might as well make your life easier. :) Is there a recommended approach to force the user to reset password (or will they force since it is blank in DB)?

I don't believe you can force it unfortunately. Set it to a random value and then document "All your users need to be emailed to say they must reset their password as part of the migration to improve security. Please don't use Hunter2" :)

Thanks Barry I will start putting together the skeleton for this based on the Membership to Identity Doc, same format mostly, different steps

Enjoy, I appreciate you doing this, it's a horrible task.

Hey @blowdart odd question for you. I am going through building this doc and ran across something that may need to be looked at.

Using the default Identity template, the login screen is requesting the email address. This works fine for situations where the username and email are the same, but if they are different, it fails login. The reason for this is that SignInManager doesn't actually check the email, it checks UserName. So in the following scenario

UserName: Isaac
Email: [email protected]

I will never be able to log into the app, since the service will never find a user with the username as the email address. The MVC template forces you to use email in this case, but it should really be username. Again in normal cases, this is fine since by default they are the same. But if they aren't the user may get confused.

Oh god please document that. We have an outstanding bug to fix it, but it won't be in 2.1 in all probability.

https://github.com/aspnet/Identity/issues/1721
https://github.com/aspnet/Identity/issues/1688
https://github.com/aspnet/Identity/issues/1675

@blowdart i added it to that doc on membership migration but probably should be put somewhere in the Identity docs no?