ASP.NET Core Authentication - MSDN Documentation

Introduction to ASP.NET Core Authentication

ASP.NET Core provides a flexible and extensible authentication middleware pipeline that allows you to secure your web applications and APIs. Authentication is the process of verifying the identity of a user or client. ASP.NET Core supports a wide range of authentication schemes, from simple cookie-based authentication to complex OAuth 2.0 and OpenID Connect flows.

The core of ASP.NET Core authentication is the Microsoft.AspNetCore.Authentication package, which provides the necessary abstractions and implementations for various authentication scenarios. By leveraging this package, you can integrate authentication seamlessly into your applications.

Authentication Schemes

ASP.NET Core uses the concept of authentication schemes to handle different ways a user can authenticate. A scheme defines how to challenge for authentication and how to authenticate a user. Common schemes include:

Cookie Authentication: A widely used scheme for web applications where the user's identity is stored in an encrypted cookie after successful login.
Bearer Token Authentication: Commonly used for APIs, where clients send an authentication token (e.g., JWT) in the Authorization header.
OpenID Connect (OIDC) and OAuth 2.0: Protocols that enable users to log in using external identity providers like Google, Facebook, or Microsoft.
Windows Authentication: For environments integrated with Windows Active Directory.

You can configure multiple authentication schemes in your application to support different authentication methods.

Configuring Authentication

Authentication is configured in the Program.cs (or Startup.cs in older versions) file using the AddAuthentication and UseAuthentication extension methods.

Example: Cookie Authentication

To configure cookie authentication:


// Program.cs (or Startup.cs)

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddRazorPages();

builder.Services.AddAuthentication(options =>
{
    options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
})
.AddCookie(options =>
{
    options.LoginPath = "/Account/Login"; // The page where users are redirected to log in
    options.LogoutPath = "/Account/Logout"; // The page for logging out
});

builder.Services.AddAuthorization(); // Required for authorization

var app = builder.Build();

// Configure the HTTP request pipeline.
if (!app.Environment.IsDevelopment())
{
    app.UseExceptionHandler("/Error");
    app.UseHsts();
}

app.UseHttpsRedirection();
app.UseStaticFiles();

app.UseRouting();

// Add the authentication middleware to the pipeline
app.UseAuthentication();
app.UseAuthorization();

app.MapRazorPages();

app.Run();

The UseAuthentication middleware is crucial as it enables the authentication handlers to process incoming requests. The UseAuthorization middleware then uses the authenticated identity to enforce access policies.

ASP.NET Core Identity

For applications that require user management, including registration, login, password reset, and profile management, ASP.NET Core Identity is the recommended solution. It provides a robust framework built on top of the authentication and authorization mechanisms.

Key features of ASP.NET Core Identity include:

User and role management.
Password hashing and management.
Account lockout and Two-Factor Authentication (2FA).
Integration with OAuth 2.0 and OpenID Connect providers.

To use Identity, you typically add it via services:

builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

And then configure it in the request pipeline:

app.UseAuthentication();
app.UseAuthorization();

Identity also comes with pre-built UI components (Razor Pages or MVC) that you can scaffold into your project.

Custom Authentication

While ASP.NET Core offers many built-in authentication schemes, you might need to implement a custom authentication mechanism. This involves creating a custom authentication handler that implements IAuthenticationHandler.

Note: Custom authentication is an advanced topic. It's recommended to use existing schemes whenever possible.

A custom handler typically:

Inspects the incoming request to find authentication credentials.
Validates these credentials against a data store or service.
Creates a ClaimsPrincipal representing the authenticated user if validation is successful.
Returns a AuthenticateResult.

OAuth 2.0 & OpenID Connect

ASP.NET Core integrates seamlessly with OAuth 2.0 and OpenID Connect providers, allowing users to log in with external services. This is often achieved using the Microsoft.AspNetCore.Authentication.OAuth and Microsoft.AspNetCore.Authentication.OpenIdConnect packages.

Configuring an external provider typically involves:

Registering your application with the external provider to obtain client secrets and IDs.
Adding the appropriate authentication service to your application (e.g., AddGoogle, AddFacebook, AddOpenIdConnect).
Configuring the client ID, client secret, and redirect URIs.

Example: Google Authentication

builder.Services.AddAuthentication()
    .AddGoogle(googleOptions =>
    {
        googleOptions.ClientId = builder.Configuration["Authentication:Google:ClientId"];
        googleOptions.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"];
    });

Users can then be redirected to the external provider for authentication, and upon successful login, they are redirected back to your application with their identity information.

JWT Bearer Tokens

For securing APIs, especially in stateless architectures, JWT (JSON Web Token) bearer authentication is a common choice. ASP.NET Core provides the Microsoft.AspNetCore.Authentication.JwtBearer package to handle this.

When using JWT bearer tokens, the client sends a token in the Authorization header of each request, typically in the format Bearer <token>.

Configuration involves specifying the token validation parameters, such as the issuer, audience, and signing key.

Example: JWT Bearer Authentication

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,

            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidAudience = builder.Configuration["Jwt:Audience"],
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]))
        };
    });

This scheme is ideal for microservices and mobile applications where session state is not maintained.

This documentation provides a foundational understanding of ASP.NET Core authentication. Explore the relevant Microsoft Learn documentation for in-depth examples and advanced scenarios.