
Identity in ASP.NET Core


Injecting custom code into authentication and authorization in ASP.NET has always been tedious at best. AspNet.Identity is a new library shipping with MVC 5, built to replace both ASP.NET Membership and Simple Membership. AspNet.Identity makes it much easier to implement custom authentication and authorization without the need to rewrite core components. In this session I will go deep into the abstractions that AspNet.Identity builds atop, and show how to take advantage of these hook points to implement a custom membership system.

Published in: Software


  2. Ondrej Balas
     • Microsoft MVP in Visual Studio
     • Writer for Visual Studio Magazine
     • Owner of UseTech Design: building software that drives business
     • www.ondrejbalas.com, ondrej@ondrejbalas.com, @ondrejbalas
  3. AspNetCore.Identity
     • Access control (authentication and authorization)
     • First released as NuGet packages, compatible with .NET 4.5 and higher
     • MVC 6 (ASP.NET Core MVC 1.0) templates use Identity 3 (ASP.NET Core Identity 1.0)
  4. Which package?
     • Use this when you ARE NOT using ASP.NET Core
     • Use this when you ARE using ASP.NET Core
  5. ASP.NET Membership (2005)
     • Tightly coupled to SQL Server (with a specific schema)
     • Even other relational databases like MySQL required a complicated custom provider
     • Roles and passwords were required
     • Custom user profile fields were a PAIN!
  6. Simple Membership (2012)
     • Supports a custom database schema
     • You can choose the ID and username columns
     • There are extensions for OAuth and OpenID
     • Supports account reset tokens by default
     • Built on top of ASP.NET Membership, so there is still a tight coupling to SQL Server
     • Making changes to persistence means rewriting things like password hashing too
  7. AspNet.Identity
     • OAuth & OpenID (Facebook, Google, Microsoft Live, LinkedIn, etc.)
     • Custom data stores (even NoSQL!) are easy to implement
     • Roles, claims, or both
     • Organizational accounts too (Active Directory, Azure AD, Office 365)
     • Happiness
  8. Claims
     • Additional bits of information
     • More granular than roles
     • A key/value store that lives with the user
     • Stored in the user's (encrypted) cookie
  9. Demonstrating
     • Authentication under the hood
     • Bare-bones no-password authentication
     • Adding the Identity bits
     • Managers & Stores
     • Authorization Policies
  10. Not covering
     • WebForms
     • EntityFramework
  11. Request → Response: HTTP 200 (OK)
  12. Request
  13. Request → [Authorize] public IActionResult ProtectedPage() { // ... }
  14. Request → Response: HTTP 302 (redirect) to login page
  15. Request → Response: HTTP 200 (OK)
  16. POST request: user=cat&pw=meow → Response: HTTP 302 (redirect) to protected page, Set-Cookie: login=somelongtoken; path=/
  17. Request: Cookie: login=somelongtoken → Response: HTTP 200 (OK)
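The request/response sequence of slides 11 to 17, and the claims-in-the-cookie point of slide 8, as an added example that is not the talk's own code. It is written against the current cookie authentication API (ASP.NET Core 3.1 or later; the 1.0-era UseCookieAuthentication and HttpContext.Authentication.SignInAsync calls the talk used have since been replaced). The controller and claim names are assumptions, and the login action deliberately mirrors the talk's bare-bones demo by performing no credential check.

```csharp
// Added example, not from the slides. Assumes ASP.NET Core 3.1+ and a
// Views/Account/Login.cshtml form (form tag helper emits the antiforgery token).
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // Cookie scheme: an anonymous request to an [Authorize] action is answered
        // with the HTTP 302 to LoginPath shown on slide 14.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";
                options.Cookie.HttpOnly = true;                          // unreadable from script
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
                options.Cookie.SameSite = SameSiteMode.Lax;
            });
        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // unprotects the cookie ticket and populates HttpContext.User
        app.UseAuthorization();  // enforces [Authorize]
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

public class HomeController : Controller
{
    // Slide 11: anonymous GET -> 200
    public IActionResult Index() => Content("public page");

    // Slides 12-14: anonymous GET -> 302 to /Account/Login; slide 17: with cookie -> 200
    [Authorize]
    public IActionResult ProtectedPage()
    {
        // Slide 8: the claims travel inside the protected cookie, so no store lookup is needed here.
        var name = User.FindFirst(ClaimTypes.Name)?.Value;
        var plan = User.FindFirst("plan")?.Value; // hypothetical custom claim type
        return Content($"hello {name}, plan={plan}");
    }
}

public class AccountController : Controller
{
    // Slide 15: GET the login form -> 200
    [HttpGet]
    public IActionResult Login(string returnUrl) => View();

    // Slide 16: POST user=cat&pw=meow -> Set-Cookie plus 302 to the protected page.
    // As in the talk's bare-bones demo there is no credential check; a real login
    // verifies the password (UserManager.CheckPasswordAsync) before SignInAsync.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string user, string pw, string returnUrl)
    {
        if (string.IsNullOrWhiteSpace(user)) return View();

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, user),
            new Claim("plan", "basic"), // hypothetical custom claim, fixed value for the demo
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

        // Serializes the principal into a ticket, encrypts and MACs it with Data Protection,
        // and writes the Set-Cookie header of slide 16. A tampered cookie fails the MAC
        // check and the request is treated as anonymous.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));

        // Only redirect to local URLs so the returnUrl parameter cannot be used as an open redirect.
        return Url.IsLocalUrl(returnUrl) ? LocalRedirect(returnUrl)
                                         : RedirectToAction(nameof(HomeController.ProtectedPage), "Home");
    }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction(nameof(HomeController.Index), "Home");
    }
}
```

Because the claims live in the cookie, changing a user's claims in the store does not affect requests until the cookie is reissued; the cookie handler's OnValidatePrincipal event is the hook for re-checking the principal against the store on each request.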
  18. 18. Code Samples All code samples are created in Visual Studio 2015 Update 3. The project template is the ASP.NET Core Web Application (.NET Framework) under .NET Framework 4.6.2, and using the MVC template with No Authentication. I chose to use No Authentication because the templates including authentication are coupled with EF, including some implementations sitting in the Microsoft.AspNetCore.Identity.EntityFrameworkCore namespace. This muddies the waters and makes it difficult to see the separation between Identity and the data layer. Let’s code!
  19. Managers & Stores
     • Managers: UserManager, RoleManager, SignInManager
     • Stores: IUserStore, IUserLoginStore, IUserClaimStore, IUserRoleStore, IRoleStore, IUserPasswordStore
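The separation slide 19 draws between managers and stores, as an added example that is not the talk's code: an in-memory IUserStore plus IUserPasswordStore that UserManager can drive without EF or SQL Server. The AppUser type, the InMemoryUserStore and the registration helper are assumptions; the interface members are the real ones from Microsoft.AspNetCore.Identity (unchanged in shape since 1.0).

```csharp
// Added example, not the talk's code. Assumes the Microsoft.AspNetCore.Identity
// package (ASP.NET Core 2.0+ for AddIdentityCore).
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user type: no base class required, the store decides the shape.
public class AppUser
{
    public string Id { get; set; } = Guid.NewGuid().ToString("N");
    public string UserName { get; set; }
    public string NormalizedUserName { get; set; }
    public string PasswordHash { get; set; } // only the hash is ever persisted
}

public class InMemoryUserStore : IUserStore<AppUser>, IUserPasswordStore<AppUser>
{
    // Hypothetical backing store standing in for any relational or NoSQL database.
    private readonly ConcurrentDictionary<string, AppUser> _users = new ConcurrentDictionary<string, AppUser>();

    public Task<IdentityResult> CreateAsync(AppUser user, CancellationToken ct)
    {
        var added = _users.TryAdd(user.Id, user);
        return Task.FromResult(added
            ? IdentityResult.Success
            : IdentityResult.Failed(new IdentityError { Code = "DuplicateId", Description = "User id already exists." }));
    }

    public Task<IdentityResult> UpdateAsync(AppUser user, CancellationToken ct)
    {
        _users[user.Id] = user;
        return Task.FromResult(IdentityResult.Success);
    }

    public Task<IdentityResult> DeleteAsync(AppUser user, CancellationToken ct)
    {
        _users.TryRemove(user.Id, out _);
        return Task.FromResult(IdentityResult.Success);
    }

    public Task<AppUser> FindByIdAsync(string userId, CancellationToken ct)
        => Task.FromResult(_users.TryGetValue(userId, out var u) ? u : null);

    // UserManager normalizes the name (upper-case by default) before calling this, so the
    // store gets case-insensitive lookups without knowing the normalization rule.
    public Task<AppUser> FindByNameAsync(string normalizedUserName, CancellationToken ct)
        => Task.FromResult(_users.Values.FirstOrDefault(u => u.NormalizedUserName == normalizedUserName));

    public Task<string> GetUserIdAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.Id);
    public Task<string> GetUserNameAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.UserName);
    public Task SetUserNameAsync(AppUser user, string userName, CancellationToken ct)
    { user.UserName = userName; return Task.CompletedTask; }
    public Task<string> GetNormalizedUserNameAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.NormalizedUserName);
    public Task SetNormalizedUserNameAsync(AppUser user, string normalizedName, CancellationToken ct)
    { user.NormalizedUserName = normalizedName; return Task.CompletedTask; }

    // IUserPasswordStore: the store only persists what IPasswordHasher produced. Hashing and
    // verification stay inside UserManager, which is exactly the coupling slide 6 complained about.
    public Task SetPasswordHashAsync(AppUser user, string passwordHash, CancellationToken ct)
    { user.PasswordHash = passwordHash; return Task.CompletedTask; }
    public Task<string> GetPasswordHashAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.PasswordHash);
    public Task<bool> HasPasswordAsync(AppUser user, CancellationToken ct) => Task.FromResult(user.PasswordHash != null);

    public void Dispose() { }
}

public static class IdentitySetup
{
    // Called from Startup.ConfigureServices. The store is a singleton so the in-memory data
    // outlives the per-request scope that UserManager lives in.
    public static void Register(IServiceCollection services)
    {
        services.AddSingleton<IUserStore<AppUser>, InMemoryUserStore>();
        services.AddIdentityCore<AppUser>(options =>
        {
            options.Password.RequiredLength = 12; // policy is enforced by UserManager, not the store
        });
    }

    // UserManager hashes the password (PBKDF2 by default), calls SetPasswordHashAsync, then
    // CreateAsync; CheckPasswordAsync reads the hash back and verifies it.
    public static async Task<bool> RegisterAndVerify(UserManager<AppUser> userManager)
    {
        var user = new AppUser { UserName = "cat" };
        var created = await userManager.CreateAsync(user, "correct-horse-battery"); // constructed sample
        return created.Succeeded && await userManager.CheckPasswordAsync(user, "correct-horse-battery");
    }
}
```

Only UserManager is exercised here; SignInManager additionally needs a role store (or a custom IUserClaimsPrincipalFactory) because the default principal factory resolves RoleManager.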
  20. Authorization Policies…
     • …are used on controllers and actions: [Authorize(Policy="MemberSection")]
     • …and are wired up in Startup.cs: services.AddAuthorization(…)
     • …have requirements and handlers: SomeRequirement : IAuthorizationRequirement, AnotherHandler : AuthorizationHandler<SomeRequirement>
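The three parts slide 20 names, wired together as an added example that is not the talk's code. It uses the current Microsoft.AspNetCore.Authorization API (ASP.NET Core 2.0 and later, where the 1.0-era Handle(AuthorizationContext, ...) override became HandleRequirementAsync). The requirement, handler, claim type names and the MembersController are assumptions; the policy name MemberSection is the one on the slide.

```csharp
// Added example, not from the slides. Assumes ASP.NET Core 2.0+.
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Requirement: plain data describing what must hold (hypothetical: a minimum membership level).
public class MembershipLevelRequirement : IAuthorizationRequirement
{
    public int MinimumLevel { get; }
    public MembershipLevelRequirement(int minimumLevel) => MinimumLevel = minimumLevel;
}

// Handler: decides whether the requirement is met for the current principal.
// It does not call context.Fail() on a plain miss, because another handler registered
// for the same requirement could still succeed; Fail() is reserved for hard vetoes.
public class MembershipLevelHandler : AuthorizationHandler<MembershipLevelRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   MembershipLevelRequirement requirement)
    {
        // Hypothetical claim type issued at sign-in, so it arrives inside the auth cookie.
        var levelClaim = context.User.FindFirst("membership_level");
        if (levelClaim != null
            && int.TryParse(levelClaim.Value, out var level)
            && level >= requirement.MinimumLevel)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// A second handler for the same requirement: a locked account is denied regardless of
// what any other handler decided, which is what Fail() is for.
public class NotLockedHandler : AuthorizationHandler<MembershipLevelRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   MembershipLevelRequirement requirement)
    {
        if (context.User.HasClaim("account_locked", "true")) // hypothetical claim
        {
            context.Fail();
        }
        return Task.CompletedTask;
    }
}

public static class AuthorizationSetup
{
    // Called from Startup.ConfigureServices: the policy bundles its requirements,
    // and handlers are discovered through the IAuthorizationHandler registrations.
    public static void Register(IServiceCollection services)
    {
        services.AddAuthorization(options =>
        {
            options.AddPolicy("MemberSection", policy =>
                policy.RequireAuthenticatedUser()
                      .AddRequirements(new MembershipLevelRequirement(2)));
        });
        services.AddSingleton<IAuthorizationHandler, MembershipLevelHandler>();
        services.AddSingleton<IAuthorizationHandler, NotLockedHandler>();
    }
}

// The attribute from the slide: every action in this controller is evaluated against the policy.
[Authorize(Policy = "MemberSection")]
public class MembersController : Controller
{
    public IActionResult Index() => Content("members only");
}
```

A request passes the policy only when the user is authenticated, no handler called Fail(), and every requirement was marked succeeded by at least one handler; the same policy can be evaluated imperatively through IAuthorizationService.AuthorizeAsync when the decision depends on a resource rather than only on the action.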