Authentication Features in Visual Studio LightSwitch


LightSwitch lets you configure your applications to use authentication.  This allows you to control who is able to access the application and lets your business logic know who the current user is.

Configuring the type of authentication to use

LightSwitch developers can choose which type of authentication their application uses.  The options are no authentication (the default), Windows, or Forms.  With Windows authentication, the application user’s Windows credentials are used to authenticate their identity.  With Forms authentication, the application user must log in with a user name and password to be authenticated.

[Screenshot: Access Control tab (Beta 1)]

Side note:

LightSwitch lets a developer debug the application without signing in.  If the application is configured with Forms authentication, the developer can press F5 to run the app without being prompted to sign in; otherwise, the sign-in screen would be a major nuisance during iterative development.  The user is not prompted to sign in until the application is deployed.  Code that checks for the current user still works while you are debugging even though you haven’t explicitly registered a user: a transient test user is used as the currently running user.  Post-Beta 1, LightSwitch will actually use your current Windows credentials as the currently running user when using Windows authentication.

Current user API

A LightSwitch developer can always determine who the current user is.  When writing code within a Table or a Screen, for example, you have access to the current user through the following code:

Microsoft.LightSwitch.Security.IUser currentUser = this.Application.User;

This provides access to the user’s username, full name, and other important bits of information like permissions and roles.

Managing your users

Users are managed within the running application.  Only users with the built-in SecurityAdministration permission have the ability to manage users.  By default, the administrator account that was specified when the application was published has the SecurityAdministration permission assigned to it.  Those users with this permission will see the Administration navigation group with a Users and Roles screen when they open a LightSwitch application.  (This is the default behavior for a new LightSwitch application.  The developer is free to rename or remove the Administration group, create a new navigation group for the administration screens, or even add custom screens to the Administration group.  This can be done through the Screen Navigation tab of the application properties of the LightSwitch project.)

[Screenshot: Administration Screens (Beta 1)]

You can manage your users in the Users screen:

[Screenshot: Users Screen (Beta 1)]

Side note:

When using Windows authentication, the registered users are stored independently of Active Directory.  This means there is no need to administer the domain by adding certain users to a group in order to give them access to a LightSwitch application.  The users are managed directly through the LightSwitch application.  This was an intentional design decision, since many LightSwitch apps are going to be departmental apps where the person administering the app doesn’t have permission to make changes to the company’s Active Directory.

Authentication during application start-up

When a LightSwitch application is configured with Forms authentication, the user is automatically prompted for their user name and password:

[Screenshot: Log-in prompt (Beta 1)]

When using Windows authentication, the user is automatically authenticated through their Windows credentials when the application is opened so no prompt is shown.

Comments (13)

  1. Sachin says:

    Hi,

       I have enabled Forms authentication for the LightSwitch application, but when I run the application, I don't get the prompt for User Name/Password.

    – Sachin.

  2. mthalman says:

    @Sachin:

    The first Side Note in this blog post describes why that occurs.

  3. Karim says:

    Hi Matt,

    Thanks for all the great posts you deliver!

    Is it possible to integrate an existing Membership, Role and Profile Provider (ASP.NET) with an existing db and use those users, memberships, roles etc. in the LightSwitch app? Once I deployed the LightSwitch application, I tried to modify the web.config and set the right connectionStrings (similar to my ASP.NET configuration) for the providers, with no luck. I tried to log in with an existing ASP.NET user and it did not work.

    Maybe I have to dig a little bit deeper…

    Thanks for any help and hints!

  4. adefwebserver says:

    Hmm perhaps I missed it, but if you enable Forms Authentication and you hit F5 (to run in debug mode) you will not see the screen to administer the roles and users.

    What you have to do is check the "Granted For Debug" column.

  5. mthalman says:

    @adefwebserver:

    That's correct.  Only administrators have the permission to view the built-in administration screens so you'll need to grant the SecurityAdministration permission if you want to see those.

  6. Berliotz says:

    Hi,

    And what if I have Forms authentication but I have a public part, so that unauthenticated people can see it, and I don't want to force people to authenticate at start-up…

  7. Josselin says:

    Hi Matt,

    I have a database with a table "Operators" and a table "Rights"

    Operators have Rights and one of the Operators column is an encrypted password.

    This table is read-only (operators and rights are managed in another application and replicated from there).

    Is there a chance for me to implement such a login?

    Thanks in advance!

  8. Josselin says:

    Hi Matt,

    In my DB, I have an operator table (with an encrypted password inside), a group table and a right table.

    Operators are members of one or several groups and a group provides one or several rights.

    As the user and role concept looks nearly the same (OK, that's not a surprise: there are not 2000 different concepts), do I have a chance to use my legacy user management system?

    Thanks in advance

  9. Josselin says:

    Hi Matt,

    Thank you for those posts!

    I am just wondering: is there a possibility to "customize" the authentication and the roles?

    I have in my db an operator table that I would like to use instead of duplicating everything in the user one…

    How would you handle such a situation?

    Thanks a lot for your help!

  10. Josselin says:

    Hi Matt,

    Is it possible to use an existing user table (with its existing password field)?

    I am currently trying to generate an application with VS LightSwitch on a database which already has an operator table and I would love to use it for authentication….

    Thanks in advance

  11. Josselin says:

    Hi Matt

    Thanks for this article!

    Just a question: is it possible to add a "custom" authentication?

    My database already has an operator table (equivalent to your user table) with something like 8 000 users. So migrating them one by one is not really a possibility and I really would prefer to keep my legacy system as it is….

    Thanks in advance for your answer!

  12. Josselin says:

    @All: Sorry for the spam on the forum: messages were only published on the 15th

  13. mthalman says:

    @Josselin:

    LightSwitch doesn't provide a way to customize users and roles beyond what ASP.NET provides.  Using ASP.NET provider APIs, it may be possible for you to create your own providers which map users and roles to your custom operators and rights tables.  LightSwitch makes use of ASP.NET's MembershipProvider and RoleProvider.  To learn how to write your own provider, see msdn.microsoft.com/…/aa478949.aspx and msdn.microsoft.com/…/aa478950.aspx.