Adding token-based authentication to ASP.NET Core Identity is to introduce the Identity API endpoints. Basically, this is an API version of the actions that you can perform with ASP.NET Core Identity through the classic web UI. Once you enable the Identity API endpoints, you will get endpoints like /register
, /login
, /forgotPassword
, confirmEmail
, etc.
The Identity API endpoints address two common issues:
-
You have the flexibility to create a custom user authentication and account management interface while keeping the consistent look and feel of your application's overall user interface.
-
Instead of using cookies, your application can obtain access tokens after authentication. This makes it a better fit for Single Page Applications (SPAs) and native applications.
It's important to note that the Identity API endpoints don't include OpenID Connect (OIDC). Their purpose is to expose the usual features of ASP.NET Core Identity UI through a specialized API. These endpoints are designed for first-party authentication.
To integrate the Identity API endpoints into an ASP.NET Core application, you'll use two new methods:
-
AddIdentityApiEndpoints(): This method sets up token-based authentication using the bearer token handler, alongside cookie authentication. It also includes a set of identity services.
-
MapIdentityApi(): This method is responsible for adding the Identity endpoints to your application.
Here's an example of what the code in your Program.cs file might look like:
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization();
builder.Services.AddDbContext<ApplicationDbContext>(
options => options.UseSqlite(builder.Configuration["ConnectionString"]));
builder.Services.AddIdentityApiEndpoints<IdentityUser>()
.AddEntityFrameworkStores<ApplicationDbContext>();
var app = builder.Build();
app.MapIdentityApi<IdentityUser>();
app.MapGet("/user", (ClaimsPrincipal user) =>
{
return Results.Ok($"Welcome {user.Identity.Name}!");
})
.RequireAuthorization();
app.Run();
Your client can utilize the Identity API endpoints to register a user via the /register endpoint, authenticate the user through the /login endpoint, and perform other relevant actions.
Despite addressing common issues with classic ASP.NET Core Identity, using Identity API endpoints in a production environment raises concerns, particularly regarding security and scalability. It's essential to thoroughly evaluate these aspects before deploying the solution to ensure a robust and reliable system.
Blazor Identity UI
A practical example of how to use the Identity API endpoints is provided by the Blazor project template. You can create a new .NET 8 Blazor application with identity support by running the following command:
dotnet new blazor -au Individual
When you create a new Blazor application with user management, it gives you everything required to handle users and logins on your own computer. It uses a SQLite database to store user info by default. If you use Visual Studio to set up the app, it might use a SQL Server database instead. Plus, you get ready-to-use pages for users to sign up, log in, and manage their accounts.
The image below displays the default login page of a Blazor application:
The user authentication and management pages that implement the Blazor Identity UI are not Razor pages as it happens with the classic ASP.NET Core Identity. Instead, they are Razor components, and the user authentication and management is performed by using the Identity API endpoints. The template provides you with the source code for all of the UI components in the Pages/Account
folder of the project. This allows you to customize them according to your application design.
Conclusion
This article discusses adding token-based authentication to ASP.NET Core Identity through Identity API endpoints. These endpoints offer customizable user authentication and management interfaces, addressing concerns like cookie usage and providing access tokens for SPAs.
Key points:
- Identity API endpoints allow flexible UI design and token-based authentication.
- They don't include OpenID Connect and are for first-party authentication.
- Integration involves AddIdentityApiEndpoints() and MapIdentityApi() methods.
- Security and scalability considerations are crucial for production deployment.
- The Blazor project template offers a practical example for .NET 8 Blazor applications.
In Blazor Identity UI, authentication pages are implemented as Razor components, customizable using provided source code.