Authentication and Authorization in ASP.NET
Asp.Net Identity
ASP.NET Core provides authentication and authorization concepts and user management tools via Asp.Net Identity.
Configuring Asp.Net Identity in Startup.cs
Before using the Identity model that .NET offers, the Microsoft.EntityFrameworkCore and Microsoft.AspNetCore.Identity packages must be installed.
using Microsoft.EntityFrameworkCore;
using Microsoft.AspNetCore.Identity;
After installing the packages, we call AddIdentity in ConfigureServices to register and configure the Identity services.
The options cover password requirements, lockout, users, stores, tokens and so on. For example, if you want your app to require a unique e-mail address per user, this is set in the configuration phase.
services.AddIdentity<UserApp, IdentityRole>(opt =>
{
    opt.User.RequireUniqueEmail = true;
    opt.Password.RequireNonAlphanumeric = false;
}).AddEntityFrameworkStores<AppDbContext>().AddDefaultTokenProviders();
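A fuller Startup.cs, added here as an example rather than taken from the post: it keeps the page's UserApp and AppDbContext names and the two options above, adds lockout settings so online password guessing is throttled, and wires up JWT bearer authentication for the tokens discussed later. The "Jwt" configuration section (Issuer, Audience, Key), the SQL Server provider and the Microsoft.AspNetCore.Authentication.JwtBearer package are assumptions, not something the post prescribes.

```csharp
// Added example, not code from the original post. Assumes .NET 6+, the
// Microsoft.AspNetCore.Authentication.JwtBearer and
// Microsoft.EntityFrameworkCore.SqlServer packages, and a "Jwt" config section.
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// The page's user and context types; IdentityDbContext creates the AspNet* tables.
public class UserApp : IdentityUser { }
public class AppDbContext : IdentityDbContext<UserApp>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddDbContext<AppDbContext>(o =>
            o.UseSqlServer(_config.GetConnectionString("Default"))); // assumed connection string name

        services.AddIdentity<UserApp, IdentityRole>(opt =>
        {
            opt.User.RequireUniqueEmail = true;
            opt.Password.RequireNonAlphanumeric = false;
            opt.Password.RequiredLength = 12;
            // Lockout limits how fast an attacker can guess passwords online.
            opt.Lockout.AllowedForNewUsers = true;
            opt.Lockout.MaxFailedAccessAttempts = 5;
            opt.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);
        })
        .AddEntityFrameworkStores<AppDbContext>()
        .AddDefaultTokenProviders();

        var jwt = _config.GetSection("Jwt"); // Issuer, Audience, Key: assumed keys
        var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwt["Key"]));

        // AddIdentity already registered cookie schemes as the defaults, so the
        // JWT scheme must be set explicitly or bearer tokens are silently ignored.
        services.AddAuthentication(o =>
        {
            o.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            o.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(o =>
        {
            o.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = jwt["Issuer"],
                ValidateAudience = true,
                ValidAudience = jwt["Audience"],
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = signingKey,
                ValidateLifetime = true,
                ClockSkew = TimeSpan.FromSeconds(30) // the default of 5 minutes extends every token's life
            };
        });

        services.AddAuthorization();
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllers());
    }
}
```

The scheme override is the part most often missed: AddIdentity sets the cookie scheme as the default authenticate and challenge scheme, and a later AddAuthentication(JwtBearerDefaults.AuthenticationScheme) call only changes the generic DefaultScheme, which those specific settings take precedence over.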
Entities in Identity Model
The entities in the ASP.NET Core Identity model are IdentityUser, IdentityRole, IdentityUserClaim, IdentityRoleClaim, IdentityUserLogin and IdentityUserToken. IdentityUser holds user information, while IdentityRole holds the information that defines a user's access limits. IdentityUserLogin represents a login from a trusted third party, and IdentityUserToken represents access tokens.
Entities in code are prefixed with Identity, while the corresponding tables in the database are prefixed with AspNet. For instance, the IdentityUser entity is stored in the AspNetUsers table.
Json Web Token
JSON Web Token, also called JWT, is a token standard defined by the IETF. A JWT consists of three parts. The first part is the header, which names the signing algorithm and the token type. The second part is the payload, which carries the data as key and value pairs (claims) but must never carry user credentials: it is only base64url encoded, not encrypted, so anyone holding the token can read it. The third part is the signature, computed either with a symmetric key (HMAC) or with an asymmetric key pair.
You can use https://jwt.io/ to decode a JWT. Paste only test tokens there; a production token is a live credential that should not leave your environment.
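The three parts in practice, as an added example that is not from the original post: it issues an HS256 token with System.IdentityModel.Tokens.Jwt, reads the payload back without the key (showing why credentials must not go into it), validates it, and then demonstrates that editing the payload breaks the signature. The secret, issuer, audience and claim values are constructed for the demo.

```csharp
// Added example, not code from the original post. Assumes the
// System.IdentityModel.Tokens.Jwt package (and .NET 6+).
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class JwtDemo
{
    // Constructed demo values. A real secret comes from a secret store, never source code;
    // Microsoft.IdentityModel.Tokens requires at least 256 bits of key for HS256.
    private const string Secret   = "demo-only-secret-key-that-is-at-least-32-bytes-long!!";
    private const string Issuer   = "https://issuer.example";
    private const string Audience = "api.example";
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Secret));

    // header.payload.signature, signed with HMAC-SHA256 over the first two parts.
    public static string Issue(string userId, TimeSpan lifetime)
    {
        var token = new JwtSecurityToken(
            issuer: Issuer,
            audience: Audience,
            claims: new[]
            {
                new Claim(JwtRegisteredClaimNames.Sub, userId),
                new Claim("scope", "read")
            },
            expires: DateTime.UtcNow.Add(lifetime),
            signingCredentials: new SigningCredentials(Key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Checks signature, issuer, audience and expiry; pins the algorithm so a token
    // whose header claims a different "alg" is rejected.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = Issuer,
            ValidAudience = Audience,
            IssuerSigningKey = Key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },
            ClockSkew = TimeSpan.Zero
        };
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
    }

    public static void Main()
    {
        string jwt = Issue("42", TimeSpan.FromMinutes(15));
        string[] parts = jwt.Split('.');
        Console.WriteLine($"token has {parts.Length} parts (header.payload.signature)");

        // ReadJwtToken decodes without verifying: the payload is readable by anyone.
        JwtSecurityToken unverified = new JwtSecurityTokenHandler().ReadJwtToken(jwt);
        Console.WriteLine($"alg={unverified.Header.Alg} sub={unverified.Subject} exp={unverified.ValidTo:u}");

        ClaimsPrincipal principal = Validate(jwt);
        Console.WriteLine("valid token, scope=" + principal.FindFirst("scope")?.Value);

        // Swap the payload for one granting more access: the signature no longer matches.
        string forgedPayload = Base64UrlEncoder.Encode("{\"sub\":\"1\",\"scope\":\"admin\"}");
        string tampered = parts[0] + "." + forgedPayload + "." + parts[2];
        try
        {
            Validate(tampered);
            Console.WriteLine("BUG: tampered token accepted");
        }
        catch (SecurityTokenException ex)
        {
            Console.WriteLine("tampered token rejected: " + ex.GetType().Name);
        }
    }
}
```

Validate pins ValidAlgorithms and sets ClockSkew to zero on purpose: the library's defaults accept any algorithm the key supports and allow five minutes of skew, both of which widen what a token is worth.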
Access Token
When we want to receive authorized data, we send an access token with the request. Because an access token is a bearer credential (whoever holds it can use it), its lifetime must be kept short.
Refresh Token
Refresh tokens are used to keep a session alive beyond an access token's short lifetime. For example, if your access token has already expired, rather than asking the user to authenticate again you present the refresh token and receive a fresh access token in exchange.
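The refresh flow above, as an added example that is not part of the original post: refresh tokens are opaque random values, only their SHA-256 hash is stored, each one is single use and rotated on redemption, and a replay of an already-used token revokes the whole token family (the usual sign that the token was stolen). The in-memory dictionary stands in for a database table and the user id is a constructed value; the returned UserId is what you would hand to your access-token issuer.

```csharp
// Added example, not code from the original post. Assumes .NET 6+.
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

public sealed class RefreshTokenStore
{
    private sealed record Entry(string UserId, string Family, DateTime Expires, bool Used);

    // Keyed by SHA-256 of the token: a leaked store does not yield usable tokens.
    private readonly Dictionary<string, Entry> _byHash = new();
    private readonly HashSet<string> _revokedFamilies = new();
    private readonly TimeSpan _lifetime;

    public RefreshTokenStore(TimeSpan lifetime) => _lifetime = lifetime;

    // Called at login: starts a new token family for this session.
    public string Issue(string userId) => Issue(userId, Guid.NewGuid().ToString("N"));

    private string Issue(string userId, string family)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
        _byHash[Hash(token)] = new Entry(userId, family, DateTime.UtcNow.Add(_lifetime), Used: false);
        return token;
    }

    // Exchanges a refresh token for a new one; null means the request must be denied.
    public (string UserId, string NewRefreshToken)? Redeem(string presented)
    {
        string h = Hash(presented);
        if (!_byHash.TryGetValue(h, out Entry? e)) return null;   // unknown or forged
        if (_revokedFamilies.Contains(e.Family)) return null;      // family already revoked
        if (e.Used)
        {
            // A rotated token came back: assume theft and kill the whole chain.
            _revokedFamilies.Add(e.Family);
            return null;
        }
        if (e.Expires < DateTime.UtcNow) return null;              // expired
        _byHash[h] = e with { Used = true };                        // single use
        return (e.UserId, Issue(e.UserId, e.Family));               // rotate within the family
    }

    private static string Hash(string token) =>
        Convert.ToHexString(SHA256.HashData(Encoding.UTF8.GetBytes(token)));
}

public static class RefreshDemo
{
    public static void Main()
    {
        var store = new RefreshTokenStore(TimeSpan.FromDays(7));
        string r1 = store.Issue("42");                 // constructed user id

        var first = store.Redeem(r1);                  // access token expired: rotate
        Console.WriteLine(first is null ? "rejected" : $"rotated for user {first.Value.UserId}");

        var replay = store.Redeem(r1);                 // the old token is presented again
        Console.WriteLine(replay is null ? "replay rejected, family revoked" : "BUG");

        var next = store.Redeem(first!.Value.NewRefreshToken);
        Console.WriteLine(next is null ? "family revoked: user must log in again" : "BUG");
    }
}
```

Revoking the family on replay is deliberate: after a replay you cannot tell which of the two presenters is the legitimate client, so both are sent back to the login step rather than letting the thief keep a valid chain.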
Thanks for reading :)