ASP.NET Identity is the membership system for authenticating and authorizing users when building an ASP.NET application. It is a fresh look at what a membership system should be when you are building modern applications for the web, phone or tablet.
ASP.NET Identity lets you add customized login/logout functionality and profile features that make it easy to store and customize data about the logged-in user. Today there is a much broader (and rapidly growing) array of data storage options for web applications, and most developers want their websites to use social identity providers for authentication and authorization. So what do the two terms Authentication and Authorization mean?
Authentication is how the server determines who is accessing its information or website. In authentication, the user or customer must prove their identity to the web server by logging in with an email address and password, or by using one of various social providers.
Authorization is the process by which a server determines, after successful authentication, whether the client has permission to use a resource or access a file.
Presently, users log in by entering the username and password with which they registered on a website, the traditional way of logging in. Now the web has become more social, with users interacting with each other in real time through social channel providers such as Facebook, Twitter, Google Account, Microsoft Account and many more. Developers as well as users want to be able to log in using these social channel identities for a rich and dynamic experience on websites, which must therefore support login-based redirection through such providers.
ASP.NET Identity can be used with all the ASP.NET frameworks: ASP.NET MVC, Web Forms and Web Pages. By default ASP.NET Identity stores user information in a database, but it is now also possible to store that information in other storage providers depending on the requirements of the application, such as SharePoint, Azure table services and so on.
Role-based authorization also plays an important role in ASP.NET Identity. We can easily create roles such as "Admin" or "Customer", add users to those roles, and use the roles to restrict users to specific parts of the application.
Figure: Flow of identities and the conceptual configuration of a three-tier, ASP.NET Internal zone.
ASP.NET Identity is a game changer that brings more security to your web application by introducing Two-Factor Authentication. Now what does Two-Factor Authentication mean?
Features of ASP.NET Identity 2.0
- Two-Factor Authentication: Two-Factor Authentication adds one more level of security to your web application. Earlier we used only single-factor authentication, simply entering a username and password into the web application, which makes an account less secure because an attacker who obtains the password can steal your private data. Two-factor authentication requires your username and password along with a One-Time Password (OTP). The one-time password can be generated by a hardware token or delivered to your mobile phone, or it can be a PIN. Whenever users log into their account they go through 2FA: first the username and password, then a hardware token that generates one-time passwords for the second stage of the login process. Every password generated by the token is unique and changes after a short period of time. Two-Factor Authentication makes a website much stronger compared with single-factor authentication. You can use ASP.NET Identity to secure Web Apps as well as Web APIs.
- Account Lockout: If a user enters the password or two-factor code incorrectly more than a specific number of times (configurable by the developer), his or her account is locked for a specific period of time. Developers can also disable this feature.
- Account Confirmation: ASP.NET Identity allows us to confirm an account by confirming the user's email address. Most websites use this feature to make users confirm their email before accessing their accounts and services. It also prevents fictitious accounts from being created.
- Password Reset: This feature enables users to reset their password if they have forgotten it.
- Support for IQueryable on Users and Roles: IQueryable on UserStore and RoleStore makes it easy to get the list of users and roles.
- Delete User Account: You could not delete a user through UserManager in ASP.NET Identity 1.0, but in ASP.NET Identity 2.0 we can easily delete a user using UserManager.
- Enhanced Password Validator: In earlier versions of ASP.NET Identity the password validator only validated the minimum length of the password, but now the password validator gives you more control over the complexity of the password.
ASP.NET Identity is intended to replace the traditional ASP.NET membership system with a more secure authentication system. ASP.NET Identity is an Open Web Interface for .NET (OWIN) based library. Visual Studio 2013 allows us to secure a web application using ASP.NET Identity. The following figure shows the project template dialog of Visual Studio 2013.
Now let us create an MVC application. We can see the Change Authentication button on the right-hand side, and clicking it shows the various modes of authentication, as shown below.
As we can see, there are four modes of authentication named No Authentication, Individual User Accounts, Organizational Accounts and Windows Authentication. Let us see now what these terms really mean.
- No Authentication: This authentication mode doesn't require any user authentication for applications.
- Individual User Accounts: An application of this type is configured to use ASP.NET Identity for user authentication, which was known as ASP.NET Membership in earlier versions. ASP.NET Identity enables a user to register for an account either by creating an account on the website itself with a username and password, or by signing in through social providers such as Twitter, Facebook, Microsoft Account or Google.
- Organizational Accounts: This authentication mode is configured to use Windows Identity Foundation (WIF) with user accounts in Active Directory, Microsoft Azure Active Directory, or Office 365.
- Windows Authentication: This mode uses the Windows Identity IIS module for authentication. IIS (Internet Information Services) is the web server for .NET applications on Windows operating systems. This authentication mode is intended for intranet applications.
The default selection for an MVC application is "Individual User Accounts", which means that user account information is stored in the application database and there are no external logins. If we create the MVC project with the default selection, the project includes an AccountController and associated views for registering new users and authenticating users, along with a few references to OWIN assemblies and an OWIN startup class. To keep things simple, we will instead start with an empty MVC project from scratch.
Before proceeding further, let's become familiar with the parts of ASP.NET Identity. There are six important pieces of the ASP.NET Identity system:
- User
- Role
- User Manager
- Role Manager
- Authentication Manager
- Entity Framework DBContext
User
A user of the system is represented by a user object, which holds the basic authentication data of a user: a user ID and password. This basic data is captured by the IdentityUser class. A custom class can inherit from IdentityUser to capture additional profile information.
Role
A Role object represents a user role; the IdentityRole class provides this basic role. To add more information to a role, such as a description, create a custom class that inherits from IdentityRole.
User Manager
A User Manager is a class that allows you to manage users. Several tasks can be done with it, such as creating or removing a user account, changing passwords, or adding users to and removing them from a role. For this purpose ASP.NET Identity provides the UserManager class.
Role Manager
A Role Manager is a class that allows us to manage roles. It is responsible for creating or removing a role and checking whether a role exists in the system. For this purpose the RoleManager class is used.
Authentication Manager
All the classes described above deal with users and roles, but they don't do any authentication themselves. Signing in and signing out is the responsibility of the Authentication Manager. Like Forms Authentication, local user accounts use cookie-based authentication. The authentication manager is represented by the IAuthenticationManager interface.
Entity Framework DBContext
In ASP.NET Identity the database table schema is not rigidly fixed as it was in the ASP.NET membership system. The Entity Framework Code First approach generates the table schema from the user and role objects, which means a separate column is created in the database for each piece of user profile data. By default all the preceding tables are created in a separate database in the App_Data folder, but we can also use our own database for storing this information by specifying it. To accomplish this, create a custom DbContext class that inherits from the IdentityDbContext base class.
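The following is an added example (not code from the original article) that puts the six pieces together: a custom user with a profile column, a custom DbContext pointing at our own database, the two managers, and the authentication manager issuing the application cookie, with the sign-in honouring account lockout. ApplicationUser, ApplicationDbContext, AccountService, the "IdentityDb" connection-string name and the "Customer" role are assumed names.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.Owin.Security;

// User object: IdentityUser plus one profile property (Code First adds a FullName column for it).
public class ApplicationUser : IdentityUser { public string FullName { get; set; } }
// Our own database instead of the App_Data default; "IdentityDb" is an assumed connection-string name.
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("IdentityDb") { }
}

public class AccountService
{
    private readonly UserManager<ApplicationUser> _users;
    private readonly RoleManager<IdentityRole> _roles;
    private readonly IAuthenticationManager _auth;   // e.g. HttpContext.GetOwinContext().Authentication
    public AccountService(ApplicationDbContext db, IAuthenticationManager auth)
    {
        _users = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));
        _roles = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));
        _auth = auth;
    }

    // Create the "Customer" role on first use, then the user, then put the user in the role.
    public async Task<IdentityResult> RegisterAsync(string userName, string password, string fullName)
    {
        if (!await _roles.RoleExistsAsync("Customer")) await _roles.CreateAsync(new IdentityRole("Customer"));
        var user = new ApplicationUser { UserName = userName, FullName = fullName };
        var result = await _users.CreateAsync(user, password); // runs the manager's PasswordValidator
        return result.Succeeded ? await _users.AddToRoleAsync(user.Id, "Customer") : result;
    }

    // Password check that honours account lockout, then signs the user in with the application cookie.
    public async Task<bool> SignInAsync(string userName, string password)
    {
        var user = await _users.FindByNameAsync(userName);
        if (user == null || await _users.IsLockedOutAsync(user.Id)) return false;
        if (!await _users.CheckPasswordAsync(user, password))
        {
            await _users.AccessFailedAsync(user.Id); // counts toward MaxFailedAccessAttemptsBeforeLockout
            return false;
        }
        await _users.ResetAccessFailedCountAsync(user.Id);
        var identity = await _users.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        _auth.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return true;
    }
}
```

Lockout thresholds and the password rules come from the UserManager configuration (UserLockoutEnabledByDefault, MaxFailedAccessAttemptsBeforeLockout, PasswordValidator); with a plain UserManager as above, the defaults apply.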