Authentication and Authorization in ASP.NET

yaagmurrss
2 min read · Dec 21, 2022


Asp.Net Identity

ASP.NET Core provides authentication and authorization concepts and user management tools via Asp.Net Identity.

Configuring Asp.Net Identity in Startup.cs

Before using the Identity model that .NET offers, the Microsoft.EntityFrameworkCore and Microsoft.AspNetCore.Identity packages must be installed.

using Microsoft.EntityFrameworkCore;
using Microsoft.AspNetCore.Identity;

After installing the packages, call AddIdentity in ConfigureServices to register and configure the Identity services.

The options cover password requirements, lockout, users, stores, tokens and more. For example, if you want your app to accept only one account per email address, that is set in this configuration phase.

services.AddIdentity<UserApp, IdentityRole>(opt =>
{
    opt.User.RequireUniqueEmail = true;
    opt.Password.RequireNonAlphanumeric = false;
})
.AddEntityFrameworkStores<AppDbContext>()
.AddDefaultTokenProviders();

Entities in Identity Model

The entities in the ASP.NET Core Identity model are IdentityUser, IdentityRole, IdentityUserClaim, IdentityRoleClaim, IdentityUserLogin and IdentityUserToken. IdentityUser keeps the user information, while IdentityRole keeps the information about a user’s access limits. IdentityUserLogin represents a login from a trusted third party, and IdentityUserToken represents access tokens.

Entities in the code are prefixed with Identity, while the tables in the database are prefixed with AspNet. For instance, the entity named IdentityUser is stored in the database table named AspNetUsers.
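The post’s AddIdentity<UserApp, IdentityRole>() call and the AddEntityFrameworkStores<AppDbContext>() call assume a custom user type and a DbContext that are never shown. The following is an added example (not code from the original post) that defines both and wires them up with the lockout and sign-in options that the Identity options object also exposes; UserApp, AppDbContext, DisplayName and the connection-string name are this example’s own assumptions, and it needs the Microsoft.AspNetCore.Identity.EntityFrameworkCore package for IdentityDbContext.

```csharp
// Added example, not from the original post. Assumed names: UserApp, AppDbContext,
// DisplayName, "Default" connection string. Requires Microsoft.AspNetCore.Identity.EntityFrameworkCore.
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;

// IdentityUser already carries Id, UserName, NormalizedEmail, PasswordHash, SecurityStamp,
// LockoutEnd and AccessFailedCount; extend it only with the fields your application needs.
public class UserApp : IdentityUser
{
    public string? DisplayName { get; set; }
}

// IdentityDbContext<TUser, TRole, TKey> maps all six Identity entities named in the post:
// users, roles, user claims, role claims, user logins (external providers) and user tokens.
public class AppDbContext : IdentityDbContext<UserApp, IdentityRole, string>
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }

    protected override void OnModelCreating(ModelBuilder builder)
    {
        // base.OnModelCreating is what produces the AspNetUsers / AspNetRoles / ... table names.
        base.OnModelCreating(builder);
        builder.Entity<UserApp>().Property(u => u.DisplayName).HasMaxLength(64);
    }
}

public static class IdentityRegistration
{
    // Call from ConfigureServices (or Program.cs) with the connection string from configuration.
    public static void Configure(IServiceCollection services, string connectionString)
    {
        services.AddDbContext<AppDbContext>(o => o.UseSqlServer(connectionString));

        services.AddIdentity<UserApp, IdentityRole>(opt =>
        {
            // User / password policy, as in the post.
            opt.User.RequireUniqueEmail = true;
            opt.Password.RequireNonAlphanumeric = false;
            opt.Password.RequiredLength = 12;

            // Lockout slows online password guessing: 5 failures -> 15 minute lockout.
            opt.Lockout.AllowedForNewUsers = true;
            opt.Lockout.MaxFailedAccessAttempts = 5;
            opt.Lockout.DefaultLockoutTimeSpan = System.TimeSpan.FromMinutes(15);

            // Do not let unverified email addresses sign in.
            opt.SignIn.RequireConfirmedEmail = true;
        })
        .AddEntityFrameworkStores<AppDbContext>()
        .AddDefaultTokenProviders();
    }
}
```

The lockout and sign-in settings are not mentioned in the post; they are included because they live on the same options object and are the ones a reviewer most often finds left at defaults.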

Json Web Token

A JSON Web Token, also called a JWT, is a token standard published by the IETF. A JWT consists of three parts. The first part is the header, which carries the signing algorithm and the token type. The second part is the payload, which carries the data as key/value pairs (claims) but must never carry user credentials. The third part is the signature, which is computed with either a symmetric (HMAC) or an asymmetric (RSA or ECDSA) algorithm.

screen capture from https://jwt.io/

You can paste a JWT into https://jwt.io/ to decode it. Note that decoding only base64-decodes the header and payload; it does not verify the signature, and anyone holding the token can read the payload the same way, which is why it must not carry credentials or other secrets.

Access Token

When we want to access protected data, we present an access token. Because a stolen access token can be replayed until it expires, its lifetime must be short.

Refresh Token

Refresh tokens are used to extend a session beyond the access token’s lifetime. For example, if your access token has already expired, rather than asking the user to log in again, the client presents the refresh token and receives a fresh access token.
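To make the access-token and refresh-token sections concrete, here is an added example (not code from the original post) that issues a short-lived HS256 JWT, issues an opaque refresh token whose hash is what gets stored, validates the JWT with the same TokenValidationParameters you would hand to AddJwtBearer, and checks a presented refresh token against the stored record. TokenService, RefreshTokenRecord, the issuer and audience URLs, and the 15-minute and 7-day lifetimes are this example’s assumptions; it needs the System.IdentityModel.Tokens.Jwt package.

```csharp
// Added example, not from the original post. Assumed: TokenService, RefreshTokenRecord,
// the example issuer/audience URLs and the lifetimes. Requires System.IdentityModel.Tokens.Jwt.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// What the server persists for a refresh token: never the token itself, only its hash.
public sealed record RefreshTokenRecord(string UserId, byte[] TokenHash, DateTime ExpiresUtc);

public sealed class TokenService
{
    private const string Issuer = "https://auth.example.test";   // assumption
    private const string Audience = "https://api.example.test";  // assumption
    private static readonly TimeSpan AccessLifetime = TimeSpan.FromMinutes(15);
    private static readonly TimeSpan RefreshLifetime = TimeSpan.FromDays(7);
    private readonly SymmetricSecurityKey _key;

    public TokenService(byte[] signingKey)
    {
        // HS256 needs a key of at least 256 bits; load it from a secret store, never from source.
        if (signingKey.Length < 32) throw new ArgumentException("signing key too short for HS256");
        _key = new SymmetricSecurityKey(signingKey);
    }

    // Header: alg=HS256, typ=JWT. Payload: sub, jti, role, nbf, exp, iss, aud. No credentials.
    public string CreateAccessToken(string userId, string role)
    {
        var now = DateTime.UtcNow;
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, userId),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
            new Claim(ClaimTypes.Role, role),
        };
        var jwt = new JwtSecurityToken(
            issuer: Issuer, audience: Audience, claims: claims,
            notBefore: now, expires: now.Add(AccessLifetime),
            signingCredentials: new SigningCredentials(_key, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(jwt);
    }

    // The refresh token is a random opaque string; only its SHA-256 is stored.
    public (string Token, RefreshTokenRecord Record) CreateRefreshToken(string userId)
    {
        string token = Convert.ToBase64String(RandomNumberGenerator.GetBytes(64));
        var record = new RefreshTokenRecord(userId, Hash(token), DateTime.UtcNow.Add(RefreshLifetime));
        return (token, record);
    }

    // Constant-time comparison against the stored hash plus an expiry check.
    public bool RefreshTokenMatches(string presented, RefreshTokenRecord stored) =>
        stored.ExpiresUtc > DateTime.UtcNow &&
        CryptographicOperations.FixedTimeEquals(Hash(presented), stored.TokenHash);

    // The same parameters you would assign to JwtBearerOptions.TokenValidationParameters.
    public TokenValidationParameters ValidationParameters() => new()
    {
        ValidateIssuer = true, ValidIssuer = Issuer,
        ValidateAudience = true, ValidAudience = Audience,
        ValidateIssuerSigningKey = true, IssuerSigningKey = _key,
        ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30),
    };

    // Returns the principal on success, null on a bad signature, wrong issuer/audience or expiry.
    public ClaimsPrincipal? Validate(string jwt)
    {
        try { return new JwtSecurityTokenHandler().ValidateToken(jwt, ValidationParameters(), out _); }
        catch (Exception e) when (e is SecurityTokenException or ArgumentException) { return null; }
    }

    private static byte[] Hash(string s) => SHA256.HashData(Encoding.UTF8.GetBytes(s));
}

public static class Demo
{
    public static void Main()
    {
        var svc = new TokenService(RandomNumberGenerator.GetBytes(32)); // constructed demo key
        string access = svc.CreateAccessToken("user-1", "Admin");
        var (refresh, record) = svc.CreateRefreshToken("user-1");
        Console.WriteLine(svc.Validate(access) is not null);          // True: valid token
        Console.WriteLine(svc.Validate(access + "x") is null);        // True: tampered signature rejected
        Console.WriteLine(svc.RefreshTokenMatches(refresh, record));  // True: refresh accepted
    }
}
```

In a real API the Validate method is unnecessary because the JwtBearer middleware performs exactly this validation on every request; it is shown here so the check is visible. When a refresh token is used, issue a new refresh token and invalidate the old record, so a copied refresh token cannot be replayed indefinitely.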

Thanks for reading :)
