23 Feb 2024

Securing .NET Applications: Authentication and Authorization

Securing .NET Applications: Authentication and Authorization

One feature that a lot of web applications will need to include is the to ability to restrict access to certain resources within the application to authorized users only. To do this, we need to be able to authenticate users by letting them register and log in. Once authenticated, the server will be able to determine which resources the user should have access to.

In this blog, we will go through the steps needed to add authentication and authorization using ASP.NET Core Identity, ASP.NET Core's built-in membership system. We will be working with a web application using ASP.NET Core MVC.

Authentication means being able to recognize the user that is trying to log into the site, whereas Authorization means being able to manage the permissions that a user has to access certain resources.

We will implement user authentication and authorization using ASP.NET Core Identity, ASP.NET Core's built-in membership system, which supports SQL Server. These will be the pages that allow users to register and log into the site.

 

Below is a step-by-step guide to implementing authentication and authorization in ASP.NET Core:

1. Create an ASP.NET Core Project

First create an ASP.NET Core project in system.

 

2. Configure Authentication

Ensure that the necessary authentication packages are installed:

  • Microsoft.AspNetCore.Identity.EntityFrameworkCore package
  • Microsoft.AspNetCore.Identity.UI
     

3. Set DbContext to inherit from IdentityDbContext<IdentityUser>

        You will have to set your application to use the EntityFrameworkCore. Once you have done so, you will need to update your AppDbContext class to inherit from IdentityDbContext in IdentityUser, the base class for the Entity Framework Core used with Identity.

public class AppDbContext : IdentityDbContext<IdentityUser>

{

    public AppDbContext(DbContextOptions<AppDbContext> options)

        : base(options)

    {

    }

}

4. Add authentication middleware:

        Add the UseAuthentication middleware after UseRouting in the Configure method in the Startup file. This will enable us to authenticate using ASP.NET Core Identity.

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)

{

    // Other middleware...

    app.UseAuthentication();

    app.UseAuthorization();

    // Other middleware...

}

With all of this in place, the application is all set to start using Identity. Let's see how to use it.

 

5. Implement User Authentication

Create a User Model: User model, that represents users in your application.
public class User

{

    public string Username { get; set; }

    // Other properties of user…..

}

Implement a Login Controller: Controller for user authentication, and implement actions for login and logout.
public class AccountController : Controller

{

    [HttpGet]

    public IActionResult Login()

    {

        return View();

    }

    [HttpPost]

    public IActionResult Login(User user)

    {

        // Validate user credentials and sign in the user

        // Example: Check credentials against a database

        var claims = new List<Claim>

        {

            new Claim(ClaimTypes.Name, user.Username),

            // Add other claims as needed

        };

        var claimsIdentity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

        var authProperties = new AuthenticationProperties

        {

            // Configure additional authentication properties if needed

        };

        HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,

            new ClaimsPrincipal(claimsIdentity), authProperties);

        return RedirectToAction("Index", "Home");

    }

    [HttpGet]

    public IActionResult Logout()

    {

        HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);

        return RedirectToAction("Index", "Home");

    }

}

6. Enabling Authorisation:

Authorize Actions in Controllers:
Although we are now allowed to authenticate (they can register and log in), we still need to add support for authorization. We can easily restrict access to certain resources in our application by placing the Authorize attribute on a controller or an action.

[Authorize]

public class RestrictedController : Controller

{

    // Actions requiring authentication

}

Role-Based Authorization
Implement role-based authorization by assigning roles to users and checking for those roles in controllers:

[Authorize(Roles = "Admin")]

public class AdminController : Controller

{

    // Actions for admin only

}

By following these steps, you can implement user authentication and authorization in your ASP.NET Core application. Once we have allowed users to authenticate, adding authorization to our application is very simple using the Authorize attribute.

Share this blog

facebook twitter linkedin