ASP.NET Core Authentication & Authorization
This document provides a comprehensive guide to implementing authentication and authorization in ASP.NET Core applications. Learn how to secure your applications and control access to resources.
What is Authentication?
Authentication is the process of verifying the identity of a user. It answers the question: "Who are you?" In ASP.NET Core, this is typically handled by authenticating users against a credential store, such as a database, an external identity provider (like Google or Facebook), or a directory service (like Active Directory).
What is Authorization?
Authorization is the process of determining what an authenticated user is allowed to do. It answers the question: "What can you access?" This involves defining policies and rules that grant or deny access to specific resources or actions based on the user's identity and roles.
Key Concepts and Components
- Identity: Represents a user's identity, often including claims (pieces of information about the user).
- Authentication Schemes: Different methods for authenticating users (e.g., cookies, JWT Bearer, OAuth).
- Authentication Middleware: Processes incoming requests to authenticate the user.
- Authorization Policies: Define the requirements that a user must meet to access a resource.
- Authorization Middleware: Enforces authorization policies.
- Claims-Based Authorization: Authorization based on the claims associated with the authenticated user.
- Role-Based Authorization: Authorization based on the roles assigned to the authenticated user.
Common Authentication Providers
ASP.NET Core supports a wide range of authentication providers out-of-the-box, including:
- Cookies: The default and most common method for web applications.
- JWT Bearer Tokens: Ideal for single-page applications (SPAs) and APIs.
- OAuth and OpenID Connect: For integrating with external identity providers like Google, Facebook, Microsoft Account, Azure AD.
- Windows Authentication: For intranet scenarios.
Getting Started with Authentication
To enable authentication in your ASP.NET Core application, you typically need to:
- Add Authentication Services: Configure the necessary services in Program.cs (or Startup.cs in older versions).
- Add Authentication Middleware: Register the authentication middleware in the request pipeline.
- Configure Authentication Schemes: Specify which authentication schemes your application will support and how they should be configured.
Example: Cookie Authentication Configuration
// Program.cs (ASP.NET Core 6+)
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";
        options.LogoutPath = "/Account/Logout";
        options.AccessDeniedPath = "/Account/AccessDenied";
    });
// ...
var app = builder.Build();
// ...
app.UseAuthentication(); // populates HttpContext.User; must come before UseAuthorization
app.UseAuthorization();
// ...
app.MapRazorPages(); // or app.MapControllers();
Implementing Authorization
Once a user is authenticated, you can apply authorization to protect your application's endpoints.
Attribute-Based Authorization
Use attributes like [Authorize] and [AllowAnonymous] to protect controllers or individual actions.
// Example Controller
[Authorize(Roles = "Admin")] // applies to every action unless overridden
public class AdminController : Controller
{
    public IActionResult Index()
    {
        return View();
    }

    [AllowAnonymous] // overrides the class-level [Authorize] for this action only
    public IActionResult PublicInfo()
    {
        return View();
    }
}
Policy-Based Authorization
Define more complex authorization requirements using policies. This offers greater flexibility.
// Program.cs (ASP.NET Core 6+)
builder.Services.AddAuthorization(options =>
{
    // Both requirements must be met: one of the roles AND the Department claim with value "IT".
    options.AddPolicy("RequireElevatedPrivileges", policy =>
        policy.RequireRole("Admin", "SuperUser")
              .RequireClaim("Department", "IT"));
});

// In a controller:
[Authorize(Policy = "RequireElevatedPrivileges")]
public IActionResult SensitiveData()
{
    return View();
}
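The cookie configuration above and the RequireRole/RequireClaim policy only work if a login action puts the matching role and "Department" claims into the principal that the cookie carries. The following login action is an added example, not code from the original page; IAppUserStore and AppUser are hypothetical application types standing in for whatever credential store you use, and the .NET 6+ implicit usings (System, System.Linq, System.Collections.Generic, System.Threading.Tasks) are assumed.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

// Hypothetical application service (not part of ASP.NET Core): checks the supplied
// credentials against your own store and returns the user's roles and department, or null.
public record AppUser(string Id, string Name, string[] Roles, string Department);
public interface IAppUserStore
{
    Task<AppUser?> ValidateCredentialsAsync(string userName, string password);
}

public class AccountController : Controller
{
    private readonly IAppUserStore _users;
    public AccountController(IAppUserStore users) => _users = users;

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, string? returnUrl)
    {
        var user = await _users.ValidateCredentialsAsync(userName, password);
        if (user is null)
        {
            // Same message for unknown user and wrong password: do not reveal which one failed.
            ModelState.AddModelError(string.Empty, "Invalid username or password.");
            return View();
        }

        var claims = new List<Claim>
        {
            new(ClaimTypes.NameIdentifier, user.Id),
            new(ClaimTypes.Name, user.Name),
            new("Department", user.Department), // matched by RequireClaim("Department", "IT")
        };
        // ClaimTypes.Role is what [Authorize(Roles = ...)] and RequireRole() check.
        claims.AddRange(user.Roles.Select(r => new Claim(ClaimTypes.Role, r)));

        // The authentication type must be set: without it Identity.IsAuthenticated is false
        // and [Authorize] still rejects the request even though a cookie was issued.
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity),
            new AuthenticationProperties { IsPersistent = false });

        // Only follow local return URLs so returnUrl cannot be used as an open redirect.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl!) : RedirectToAction("Index", "Home");
    }
}
```

With this in place, a user whose store record has Roles = ["Admin"] and Department = "IT" passes the RequireElevatedPrivileges policy, while an "Admin" in another department is denied and sent to AccessDeniedPath.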
User Management
Managing users, passwords, and profiles is a crucial part of authentication. ASP.NET Core Identity is a robust framework for handling this. It provides:
- User and role management APIs.
- Password hashing and verification.
- Account confirmation and password reset features.
- Two-factor authentication support.