Introduction to Authentication in ASP.NET Core
This tutorial provides an overview of authentication in ASP.NET Core applications. Authentication is the process of verifying the identity of a user or client. ASP.NET Core provides a flexible and extensible authentication system that supports various authentication schemes.
What is Authentication?
In web applications, authentication typically involves:
- Verifying Credentials: The user provides some form of identification, such as a username and password, an API key, or a token.
- Issuing a Principal: If the credentials are valid, the application creates a security principal that represents the authenticated user. This principal contains information about the user's identity and roles.
- Maintaining State: The application then needs to maintain this authenticated state across subsequent requests, often using mechanisms like cookies or tokens.
Authentication Schemes
ASP.NET Core's authentication middleware is highly modular. You can configure multiple authentication schemes to handle different types of authentication. Common schemes include:
- Cookie Authentication: A traditional approach where the server issues a cookie to the browser after successful authentication, which the browser then sends with subsequent requests.
- JWT Bearer Authentication: Often used for APIs, where the client receives a JSON Web Token (JWT) and includes it in the Authorization header of requests.
- OAuth and OpenID Connect: Integration with external identity providers like Google, Facebook, or Microsoft identity.
- Windows Authentication: For enterprise environments using Active Directory.
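The following is an added example, not code from the original tutorial, showing how two of these schemes coexist in one application: a cookie scheme as the default for browser pages and a JWT bearer scheme selected explicitly for API endpoints. The issuer, audience and the "Jwt:SigningKey" configuration name are assumed values, and the bearer handler requires the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
// Added example (not from the original tutorial): registering a cookie scheme for
// browser pages and a JWT bearer scheme for API endpoints in the same app.
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package.
// Issuer, audience and the "Jwt:SigningKey" configuration key are assumed values.
using System.Text;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// The HMAC signing key comes from configuration (user secrets, environment),
// never from source control.
var signingKey = builder.Configuration["Jwt:SigningKey"]
    ?? throw new InvalidOperationException("Jwt:SigningKey is not configured.");

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) // default scheme
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";
        options.Cookie.HttpOnly = true;                          // not readable from script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
        options.Cookie.SameSite = SameSiteMode.Lax;              // limits cross-site sending
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
        options.SlidingExpiration = true;
    })
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Each of these checks is part of what makes a presented token trustworthy.
            ValidateIssuer = true,
            ValidIssuer = "https://issuer.example.com",   // assumed value
            ValidateAudience = true,
            ValidAudience = "my-api",                      // assumed value
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),          // library default is 5 minutes
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication(); // runs the default (cookie) handler on every request
app.UseAuthorization();

// Browser page: the default policy uses the principal from the cookie scheme.
app.MapGet("/dashboard", (HttpContext ctx) => $"Hello {ctx.User.Identity?.Name}")
   .RequireAuthorization();

// API endpoint: naming the bearer scheme means only a valid bearer token satisfies
// the policy; a browser cookie alone does not authenticate an API call.
app.MapGet("/api/data", (HttpContext ctx) => new { user = ctx.User.Identity?.Name })
   .RequireAuthorization(new AuthorizeAttribute
   {
       AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme
   });

app.Run();
```

Keeping the schemes separate per endpoint type is the point: each handler only ever sees the credential format it was written to validate, so a bug or misconfiguration in one scheme does not widen what the other accepts.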
Key Components
The authentication process in ASP.NET Core relies on several key components:
- Authentication Middleware: The core component that intercepts requests and invokes the configured authentication handlers.
- Authentication Handlers: Implementations that perform the actual authentication logic for a specific scheme (e.g., validating a cookie, verifying a JWT).
- IAuthenticationService: The service responsible for orchestrating authentication.
- HttpContext.User: Once authenticated, this property holds the ClaimsPrincipal representing the current user.
Configuring Authentication
Authentication is typically configured in the Program.cs (or Startup.cs in older versions) file. Here's a simplified example of how you might add cookie authentication:
// In Program.cs (for .NET 6 and later)
var builder = WebApplication.CreateBuilder(args);
// Add services to the container.
builder.Services.AddRazorPages(); // Or AddControllersWithViews()
builder.Services.AddAuthentication("MyAuthScheme") // Explicitly name your scheme
.AddCookie("MyAuthScheme", options =>
{
options.LoginPath = "/Account/Login"; // The path to the login page
options.LogoutPath = "/Account/Logout";
});
builder.Services.AddAuthorization(); // Required for authorization
var app = builder.Build();
// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
app.UseExceptionHandler("/Error");
app.UseHsts();
}
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
// IMPORTANT: Authentication middleware must be added before UseAuthorization.
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages(); // Or app.MapControllerRoute(...)
app.Run();
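The registration above only tells the cookie handler how to read a cookie; something still has to verify credentials, build the ClaimsPrincipal and sign it in, which are the three steps listed under "What is Authentication?". The following added example (not from the original tutorial) is a complete Program.cs for that flow using the "MyAuthScheme" name from the configuration above. The in-memory user, its password, the LoginRequest type and the /me endpoint are constructed for this example.

```csharp
// Added example (not from the original tutorial): the sign-in side of the cookie
// scheme. The user store, password, LoginRequest type and /me endpoint are
// constructed sample values for this example.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;

const string Scheme = "MyAuthScheme";

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(Scheme)
    .AddCookie(Scheme, options =>
    {
        options.LoginPath = "/Account/Login";
        options.ExpireTimeSpan = TimeSpan.FromHours(1); // bound the session lifetime
    });
builder.Services.AddAuthorization();
var app = builder.Build();

app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();

// Constructed sample user store: the password is kept only as a PasswordHasher
// hash (PBKDF2), never in clear text.
var hasher = new PasswordHasher<string>();
var users = new Dictionary<string, (string Hash, string Role)>(StringComparer.Ordinal)
{
    ["alice"] = (hasher.HashPassword("alice", "correct horse battery staple"), "Admin"),
};

// Steps 1 and 2: verify the credentials, then issue a principal.
app.MapPost("/Account/Login", async (HttpContext ctx, LoginRequest login) =>
{
    if (!users.TryGetValue(login.Username, out var record) ||
        hasher.VerifyHashedPassword(login.Username, record.Hash, login.Password)
            == PasswordVerificationResult.Failed)
    {
        // One response for both unknown user and wrong password, so the
        // endpoint does not reveal which usernames exist.
        return Results.Unauthorized();
    }

    var claims = new List<Claim>
    {
        new(ClaimTypes.Name, login.Username),
        new(ClaimTypes.Role, record.Role),
    };
    // The identity's authentication type names the scheme that issued it.
    var identity = new ClaimsIdentity(claims, Scheme);
    var principal = new ClaimsPrincipal(identity);

    // Step 3: SignInAsync serialises the principal into an encrypted and signed
    // cookie (Data Protection), which carries the state on later requests.
    await ctx.SignInAsync(Scheme, principal, new AuthenticationProperties
    {
        IsPersistent = login.RememberMe,
        IssuedUtc = DateTimeOffset.UtcNow,
    });
    return Results.Ok();
});

app.MapPost("/Account/Logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync(Scheme); // instructs the browser to drop the cookie
    return Results.Ok();
});

// HttpContext.User is populated by the authentication middleware on every request;
// RequireAuthorization rejects (here: redirects to LoginPath) anonymous callers.
app.MapGet("/me", (HttpContext ctx) => new
{
    name = ctx.User.Identity?.Name,
    isAdmin = ctx.User.IsInRole("Admin"),
    claims = ctx.User.Claims.Select(c => new { c.Type, c.Value }),
}).RequireAuthorization();

app.Run();

// JSON request body for the login endpoint (constructed for this example).
public record LoginRequest(string Username, string Password, bool RememberMe = false);
```

The scheme name passed to SignInAsync must match the name given to AddCookie; signing in under a scheme that is not registered throws at runtime, and signing in under a different registered scheme produces a cookie the protected endpoints never read. A form-based login page would additionally need antiforgery protection, which this JSON endpoint omits.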
Next Steps
Now that you have a foundational understanding of authentication in ASP.NET Core, you can explore specific authentication schemes in more detail:
- Implementing Cookie-Based Authentication
- Securing APIs with JWT Bearer Tokens
- Implementing Custom Authentication Providers