Summary

At the start of this chapter, we introduced the concepts of authentication and authorization, acknowledging the fact that most applications, including ours, do require a mechanism to properly handle authenticated and non-authenticated clients as well as authorized and unauthorized requests.

We took some time to properly understand the similarities and differences between authentication and authorization as well as the pros and cons of handling these tasks using our own internal provider or delegating them to third-party providers such as Google, Facebook, and Twitter. We also found out that, luckily enough, the Microsoft.AspNetCore.Identity framework can be configured to achieve the best of both worlds. To be able to use it, we added the required packages to our project and did what was needed to properly configure them, such as performing some changes in our ApplicationUser and ApplicationDbContext classes and then adding a new EntityFrameworkCore migration to update our database accordingly.

We briefly enumerated the various web-based authentication methods available nowadays: sessions, tokens, signatures, and two-factor strategies of various sorts. After careful consideration, we chose to implement a token-based approach using JSON Web Tokens (JWT), a solid and well-known standard for native web applications.

Implementing JWT within our application took us some time, as we had to take care of a number of steps: writing a dedicated TokenController to generate the tokens; setting up and configuring the ASP.NET Core middleware needed to validate them; and finally, moving to our Angular client app, creating a Login form, an AuthService class, and a dedicated HttpInterceptor to handle the token on the client side.

Right after that, we implemented the required client-side and server-side authorization rules to protect some of our application views, routes, and APIs from unauthorized access.

All in all, the hand-made authentication and authorization flow we put together in this chapter is pretty much working. However, it lacks some very important features required for a production-ready environment, the most important ones being token expiration and token refresh. Without an expiration claim, a leaked token remains valid indefinitely, so these features are not optional in production. We'll learn how to add them in the upcoming chapter, along with other important topics.
