Implementing authentication and authorization using the ASP.NET Core Identity framework

ASP.NET Core Identity is the security framework developed by Microsoft, now with contributions from the open source community, that lets a developer enable user authentication and authorization in an ASP.NET Core application. It provides a complete system for storing user identities, roles, and claims in a database. It contains classes for user identity, roles, and so on, which can be extended to support additional properties as requirements dictate. It uses the Entity Framework Core code-first model to create the backend database and can easily be integrated with existing data models or application-specific tables.

In this section, we will create a simple application, add ASP.NET Core Identity from scratch, extend the IdentityUser class with additional properties, and use cookie-based authentication to validate requests and secure ASP.NET MVC controllers.

When creating an ASP.NET Core project, we can change the authentication option to Individual User Accounts, which scaffolds all of the security-specific classes and configures security in the application:

This creates an AccountController and the PageModels for the register, login, forgot-password, and other user management pages.

The Startup class also contains some entries related to security. Here is the ConfigureServices method, which includes the security-specific registrations:

public void ConfigureServices(IServiceCollection services)
{
    // EF Core context backed by SQL Server; the connection string comes from configuration
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));

    // Identity with the scaffolded user and role types, persisted through EF Core,
    // plus the token providers used for password reset, email confirmation, and 2FA
    services.AddIdentity<ApplicationUser, IdentityRole>()
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

    // Require an authenticated user for the account management folder and the logout page
    services.AddMvc()
        .AddRazorPagesOptions(options =>
        {
            options.Conventions.AuthorizeFolder("/Account/Manage");
            options.Conventions.AuthorizePage("/Account/Logout");
        });

    // Used by the scaffolded pages to send confirmation and reset emails
    services.AddSingleton<IEmailSender, EmailSender>();
}

The security-related calls in this method do the following:

  • services.AddDbContext registers ApplicationDbContext with the SQL Server provider, using the connection string stored under the DefaultConnection key; the Identity tables are created in that database.
  • services.AddIdentity enables Identity in our application. It takes ApplicationUser and IdentityRole as the user and role types and specifies ApplicationDbContext as the Entity Framework store in which those entities are persisted.
  • AddDefaultTokenProviders registers the providers that generate the tokens used for password reset, email change, telephone number change, and two-factor authentication.

In the Configure method, the UseAuthentication middleware is added. It enables authentication and protects the pages or controllers that are configured to authorize requests. Here is the Configure method that enables authentication in the pipeline. Middleware executes in the order in which it is registered, so UseAuthentication is placed before UseMvc so that every request that reaches a controller has been authenticated first:

public void Configure(IApplicationBuilder app, IHostingEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseBrowserLink();
        app.UseDeveloperExceptionPage();
        app.UseDatabaseErrorPage();
    }
    else
    {
        app.UseExceptionHandler("/Error");
    }

    app.UseStaticFiles();

    // Must run before UseMvc so the principal is established before any controller executes
    app.UseAuthentication();

    app.UseMvc();
}
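The following is an added example, not code from the book or its scaffolded project: it shows the IdentityUser extension, a stricter Identity policy, a hardened authentication cookie, and an authorized controller that the scaffolded Startup leaves at defaults. It assumes ASP.NET Core 2.1 or later; the property names, the IdentitySetup helper, SecureController and the Administrator role are assumptions, and ApplicationDbContext is the scaffolded EF Core context.

```csharp
using System;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// IdentityUser extended with application-specific columns (assumed names); EF Core code-first adds them to AspNetUsers on the next migration.
public class ApplicationUser : IdentityUser
{
    public string FullName { get; set; }
    public DateTime RegisteredOn { get; set; }
}

public static class IdentitySetup
{
    // Replaces the scaffolded AddIdentity block in Startup.ConfigureServices (ApplicationDbContext is the scaffolded context).
    public static void Configure(IServiceCollection services)
    {
        services.AddIdentity<ApplicationUser, IdentityRole>(options =>
        {
            options.Password.RequiredLength = 12;              // above the default minimum
            options.Lockout.MaxFailedAccessAttempts = 5;       // throttles online password guessing
            options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
            options.User.RequireUniqueEmail = true;
            options.SignIn.RequireConfirmedEmail = true;       // needs a working IEmailSender; blocks sign-in until the address is verified
        })
        .AddEntityFrameworkStores<ApplicationDbContext>()
        .AddDefaultTokenProviders();

        // The Identity authentication cookie: unreadable by script, HTTPS only, not sent on cross-site requests, expires after 30 idle minutes.
        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
            options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
            options.SlidingExpiration = true;
            options.LoginPath = "/Account/Login";
            options.AccessDeniedPath = "/Account/AccessDenied";
        });
    }
}

// Reachable only with a valid Identity cookie whose principal holds the Administrator role; other callers are redirected to LoginPath or AccessDeniedPath.
[Authorize(Roles = "Administrator")]
public class SecureController : Controller
{
    public IActionResult Index() => Content("Authenticated administrator");
}
```

Because UseAuthentication runs before UseMvc, the cookie handler has already populated HttpContext.User by the time the [Authorize] filter on SecureController evaluates the role requirement.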