ASP.NET Identity is a membership system for modern .NET applications that allows the system to authenticate and authorize users. When it comes to building a modern desktop and mobile application, ASP.NET Identity brings all the features that an ideal membership system should have. For instance, its customizable login functionality lets you customize the information stored for the logged-in user.
Authentication and Authorization in ASP.NET
Today’s web applications have a far greater range of data storage providers, and .NET developers want to use the most effective solution to keep the system secure. This security is achieved through both authentication and authorization. But what do these terms mean, exactly? We describe both below:
- Authentication: Authentication is the process through which a user proves their identity by logging into the system with an email and password. Using authentication, the system (or server) determines who is accessing its data or website.
- Authorization: After successful authentication, the system (or server) determines if the client has the authority to use or access a specific resource.
With this introduction to the basics of the membership system, let us learn more about the ASP.NET Identity library.
What is the ASP.NET Membership System?
Before the advent of ASP.NET Identity, .NET used the Forms Authentication system to validate the information. The system used cookies to store credential information. When a user logged into the system, their credentials were verified against the information fetched from the data store. The Forms Authentication system issued a cookie in which the user credentials were embedded. All subsequent requests coming to the system had to contain that cookie. If the received cookie was valid, the request was granted; otherwise, the user was redirected to the login page and asked to enter their credentials.
The following list summarizes the evolution of the membership system in .NET:
- Forms Authentication System: ASP.NET 1.0
- Membership Provider: ASP.NET 2.0
- Simple Membership: ASP.NET 4.0
- Universal Membership Provider: ASP.NET 4.0 and 4.5
- ASP.NET Identity: ASP.NET 4.5
What is ASP.NET Identity?
So, what is ASP.NET Identity? It is the membership system that takes care of authentication and authorization in a web application. Microsoft introduced it as its user management library. The library provides various features, such as user storage, password validation, claim control, and so on. .NET programmers can also use the built-in user interfaces the library provides for security enhancement.
ASP.NET Identity can be used in all types of .NET projects, like web forms, MVC web applications, Web APIs, and so forth – basically any application that requires authorization and validation. ASP.NET Identity can support data storage and validation on a variety of data storage providers, including Azure table storage and SharePoint.
ASP.NET Identity makes the job of .NET developers easier by providing role management features. Coders can simply define roles like admin, employee, manager, and so on, and assign these roles to users to limit their access privileges.
Furthermore, the concept of two-factor authentication (2FA) takes this membership system to a whole new level. We will learn more about two-factor authentication in the following section.
What are the Features of ASP.NET Identity?
Below is a list of some of the features of ASP.NET Identity.
ASP.NET Identity comes with built-in APIs for creating, deleting, or modifying user details. Programmers can easily utilize these APIs for those purposes.
Two-factor authentication is a security mechanism in which the user is authenticated by a combination of two methods. For instance, the first method could be authentication with a password and the second could be a security code sent to the user’s registered email or mobile. In this way, two-factor authentication adds another layer of security to the system.
The account lockout feature disables the user’s account if they enter an incorrect password a specific number of times. The feature locks the account for a short period.
Roles are stored in a separate table. You can add, edit, and delete roles according to your specific needs.
A claim in a membership system is a piece of information about the user. This can be the user’s id, name, or email address that can identify the user on an application level. In the older membership system, the user’s information was limited to their username and password. But with ASP.NET Identity, apart from the email and password, .NET developers are now able to add further information about the user.
ASP.NET Identity is no longer a part of the .NET Framework. ASP.NET Identity can be easily downloaded from the NuGet package manager. Improvements and updates to Identity no longer depend on the .NET Framework.
External Identity Providers
Users can now easily log in with their social media accounts, including platforms like Facebook, Gmail, Twitter, etc. Azure Active Directory can also be used for logging into the system. What’s more, if none of the above identity providers suits your requirements, you can roll out your own identity provider and use it for identification.
What are the Components of ASP.NET Identity?
Below is a highlight of the components of ASP.NET Identity.
A User is an entity in the system, such as a person in an application. ASP.NET Identity has an important class, IdentityUser, for dealing with the person’s basic authentication information. The class holds the important information of the user, such as User Id and password.
Additionally, developers can create a custom class and derive it from IdentityUser to add more descriptive details to a user.
ASP.NET Identity has an important class for managing user accounts called UserManager. The class can perform a variety of operations, including:
- Creating or removing a user account.
- Modifying passwords.
- Assigning or removing the user from a role.
ASP.NET Identity provides basic information about a role. You can add more descriptions to a specified role. To do so, programmers can create a custom class and derive it from the class RoleManager and add the additional details there.
We have a class for managing roles called RoleManager. The class takes the responsibility of adding, removing, and confirming the existence of a specified role.
All of the classes we have discussed so far deal with users and roles, but they do not deal with authentication. Authentication in ASP.NET Identity is handled by the AuthenticationManager class. This class takes care of signing the user in and out. The IAuthenticationManager interface holds all the necessary information regarding the authentication process.
Entity Framework DbContext
The database schema in ASP.NET Identity is created with the Entity Framework’s Code-first approach. The Entity Framework makes sure that there is a distinct column in the database for each user’s information. By default, all of the tables are created in a specific database. But developers can customize the database configuration settings and store the Identity data in a database of their choice. To do so, create a DbContext class that derives from the IdentityDbContext class and store the database information as per your needs.
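The components above, wired together with a password policy and lockout-aware password check, as an added example that is not code from the original article. It assumes ASP.NET Identity 2.x (the Microsoft.AspNet.Identity.EntityFramework NuGet package); the names ApplicationUser, ApplicationDbContext, IdentityConfig, Department, the "IdentityDb" connection string and the policy thresholds are illustrative assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Custom user: adds profile data on top of what IdentityUser already stores.
public class ApplicationUser : IdentityUser
{
    public string Department { get; set; } // hypothetical extra field
}

// Identity tables go to the database named by the "IdentityDb" connection string (assumed name).
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("IdentityDb", throwIfV1Schema: false) { }
}

public static class IdentityConfig
{
    public static UserManager<ApplicationUser> CreateUserManager(ApplicationDbContext db)
    {
        var manager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));
        manager.PasswordValidator = new PasswordValidator
        {
            RequiredLength = 12, RequireDigit = true,
            RequireLowercase = true, RequireUppercase = true
        };
        // Account lockout: 5 failed attempts lock a newly created account for 15 minutes.
        manager.UserLockoutEnabledByDefault = true;
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
        return manager;
    }
    // Returns the user only if the password matches and the account is not locked out.
    public static async Task<ApplicationUser> VerifyLoginAsync(
        UserManager<ApplicationUser> manager, string userName, string password)
    {
        var user = await manager.FindByNameAsync(userName);
        if (user == null) return null;                        // same answer as a wrong password
        if (await manager.IsLockedOutAsync(user.Id)) return null;
        if (!await manager.CheckPasswordAsync(user, password))
        {
            await manager.AccessFailedAsync(user.Id);         // counts toward the lockout threshold
            return null;
        }
        await manager.ResetAccessFailedCountAsync(user.Id);   // success clears the failure counter
        return user;
    }
}
```

The lockout settings only take effect if failed attempts are actually recorded, which is why the check calls AccessFailedAsync on every wrong password and returns the same null result for unknown users, wrong passwords and locked accounts.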
Final Thoughts on ASP.NET Identity
ASP.NET Identity is superior to the traditional membership system in terms of enhanced security. All you need is to configure your application as per ASP.NET Identity and enjoy a more reliable authentication system in your applications.