MSDN Documentation

Microsoft Developer Network

ASP.NET Authentication and Authorization

This section provides comprehensive guidance on implementing authentication and authorization in your ASP.NET applications. Secure your web applications by understanding and applying the principles of verifying user identity and controlling access to resources.

Introduction

Authentication is the process of verifying the identity of a user or device trying to access a system. Authorization, on the other hand, is the process of granting or denying specific permissions to authenticated users. ASP.NET offers robust features and flexible options to implement both securely and efficiently.

Authentication Concepts

Key concepts in authentication include:

  • Credentials: Information provided by a user to prove their identity (e.g., username and password, API key).
  • Authentication Schemes: Different methods for verifying identity, such as Forms Authentication, Cookie Authentication, OAuth, JWT, etc.
  • Identity: A representation of the authenticated user, typically containing user claims and roles.
  • Principal: An object that represents the security context of the current user, including their identity and roles.

Authorization Concepts

Key concepts in authorization include:

  • Permissions: Specific rights granted to a user or role to perform an action or access a resource.
  • Roles: Groups of users with similar access rights (e.g., "Administrator", "Editor", "Guest").
  • Access Control Lists (ACLs): Lists that define permissions for specific resources.
  • Policy-Based Authorization: A more advanced approach that defines authorization policies based on multiple requirements.

Important Note: ASP.NET Core has introduced significant changes and improvements over ASP.NET (framework). This guide focuses on general principles applicable to both, but for modern development, refer to ASP.NET Core specific documentation.

Forms Authentication

Forms Authentication is a popular method where users submit a login form with credentials. ASP.NET handles the authentication and sets an authentication cookie, allowing subsequent requests to be authenticated without re-prompting.

To implement Forms Authentication:

  1. Configure web.config to enable forms authentication.
  2. Create a login page with a form.
  3. Handle the form submission, validate credentials against a user store.
  4. On successful validation, use FormsAuthentication.SetAuthCookie(username, createPersistentCookie).
  5. Protect sensitive pages by denying access to unauthenticated users.
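Steps 3 to 5 as an ASP.NET MVC 5 controller, added here as an example and not code from the original page. IUserStore and its ValidateCredentials method are hypothetical stand-ins for your own user store, and the constructor assumes a dependency-injection container supplies it.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using System.Web.Security;

// Hypothetical user store (an assumption, not an ASP.NET type): true only when the user exists and the password matches the stored hash.
public interface IUserStore
{
    bool ValidateCredentials(string userName, string password);
}

public class LoginViewModel
{
    [Required] public string UserName { get; set; }
    [Required, DataType(DataType.Password)] public string Password { get; set; }
    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    private readonly IUserStore _users;
    public AccountController(IUserStore users) { _users = users; } // assumes a DI container

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public ActionResult Login(LoginViewModel model, string returnUrl)
    {
        if (!ModelState.IsValid) return View(model);

        // Step 3: one generic message for both unknown user and wrong password,
        // so the response does not reveal which accounts exist.
        if (!_users.ValidateCredentials(model.UserName, model.Password))
        {
            ModelState.AddModelError("", "Invalid username or password.");
            return View(model);
        }

        // Step 4: issue the forms-authentication ticket; RememberMe selects a persistent cookie.
        FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
        // Follow returnUrl only when it points into this site; otherwise use the
        // defaultUrl from web.config, so the login page cannot redirect to a foreign host.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : Redirect(FormsAuthentication.DefaultUrl);
    }
}

// Step 5: every action here requires an authenticated user in the Admin role; combined with
// <deny users="?"/> in web.config, anonymous requests are redirected to loginUrl instead.
[Authorize(Roles = "Admin")]
public class AdminController : Controller
{
    public ActionResult Index() { return View(); }
}
```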

<system.web>
  <authentication mode="Forms">
    <!-- Unauthenticated requests are redirected to loginUrl; timeout is in minutes (2880 = 48 hours). -->
    <!-- On an HTTPS-only site, add requireSSL="true" so the ticket cookie is marked Secure. -->
    <forms loginUrl="~/Account/Login" defaultUrl="~/Account/Welcome" slidingExpiration="true" timeout="2880"/>
  </authentication>
  <authorization>
    <!-- "?" denotes anonymous users; "*" denotes all users. -->
    <deny users="?"/>
  </authorization>
</system.web>

Windows Authentication

Windows Authentication leverages the credentials of the currently logged-in Windows user. This is often used in intranet environments where users are already authenticated against a Windows domain.

Configuration involves setting the authentication mode to Windows in web.config:


<system.web>
  <authentication mode="Windows" />
  <authorization>
    <allow authenticated="true"/>
    <deny users="?"/>
  </authorization>
</system.web>
                

Roles and Permissions

ASP.NET supports role-based access control. You can assign users to roles and then grant access to resources based on these roles.

Authorizing by Role:

  • Declarative Authorization: Applying the [Authorize(Roles = "Admin, Editor")] attribute to controllers or actions.
  • Programmatic Authorization: Checking roles in code with User.IsInRole("RoleName").

Custom Providers

For advanced scenarios, you can implement custom providers for authentication and role management to integrate with diverse data sources like databases, LDAP, or external identity providers.

OAuth and OpenID Connect

Modern applications often integrate with external identity providers like Google, Facebook, or Microsoft Account using protocols like OAuth 2.0 and OpenID Connect. ASP.NET provides libraries and middleware to facilitate these integrations.

Best Practices

  • Always use HTTPS to protect credentials and session cookies.
  • Avoid storing passwords in plain text; use strong hashing algorithms (e.g., BCrypt).
  • Implement robust input validation to prevent injection attacks.
  • Grant the least privilege necessary to users.
  • Regularly review and update security configurations.
  • Handle exceptions gracefully to avoid revealing sensitive information.

API References

Explore the following API references for detailed information on classes and methods: