Authentication and Authorization in ASP.NET Core


One of my goals this year is to get up to speed on authentication and authorization in my applications. A lot of things have changed since the days when you would use forms authentication and have a database with users and groups defined. Today an application can be separated across a number of technologies. You could have a website that works for some pieces, a single page app for others, and then a mobile app for your phone users. Each app could have different requirements for access to resources and use different methods. Building a security system from scratch can work for smaller apps with simple requirements, but for complicated requirements, using a framework can resolve a lot of problems. 

In the next series of posts, I will be doing a deep dive into the Identity Server 4 framework as well as ASP.NET Core Identity. As of this writing, I am barely a novice using these technologies, but I have been learning a lot about them, and I am experimenting with how to make them work for several projects I am working on. I will be looking at how to use the framework to handle authentication using the native framework functionality, using external mechanisms like Google and Facebook, and using Windows Authentication, which is also considered an external provider. I will be looking at how you secure different resources and how different clients can access the login page. Finally, I will look at Authorization. I will compare the classic role approach to the new claims model, and then I will give examples with various scenarios. 

In this first post, I want to go over the difference between Authentication and Authorization. The difference between the two is pretty straightforward. Authentication is where the application knows who or what you are. It is simply the mechanism used to verify your identity. Authorization is where the application takes your identity and determines what you are allowed to do. In older apps, you would be assigned to a group, and based on that group, you would have access to different areas of an application. In newer apps, you are assigned claims, which are properties on your identity. Claims can function like groups, but they can also be much more flexible. For example, a claim might be your location, and an application could say that only people in the US can access a certain area, so you would need a location claim set to the US to access that area. 

For a lot of applications, authentication is all that is needed. You just need a login page, so that you know who a user is, and the entire application is available. When writing an application like this you may think that it would be easier to just write your own security, and it may be, but be sure to think about how the application will change over time. Will you add a mobile app? Will you want to expose an API? These are questions that you should think about, because it is easier to build on a framework up front than to add it in later. That being said, one of the advantages of ASP.NET Core is that it is very modular, so adding an authentication middleware isn't that difficult. 

Authorization is where things get a little trickier. With the claims-based approach, you have to design policies based on the claims. These policies are a lot more flexible than the simple roles used in the past, but they also take some work to develop, and it can be a little daunting, especially when trying to figure out the entire identity landscape. In my next post, I will go through the installation of Identity Server 4 and ASP.NET Core Identity, and I will discuss the different options available. The Identity Server website has some really good quickstarts, but I don't want to just re-use them. My goal is to build a fully functioning server, with a UI and database backend. Then in future posts, I would like to build on top of that, adding additional authentication methods and finally looking at adding claims and using them to design policies. 
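To make the role-versus-claims comparison concrete, here is an added example (not code from the original post or from the Identity Server project) showing how the location scenario above maps onto ASP.NET Core authorization policies. The claim type name `location`, the policy names, and the `ReportsController` are illustrative choices; the claim values are assumed to be issued by whatever authentication handler (cookie, JWT bearer, or Windows) populated the user's `ClaimsPrincipal`.

```csharp
// Added example: claims-based authorization policies in ASP.NET Core.
// Assumes the identity provider issues a "location" claim and, optionally,
// an "email_verified" claim; those claim types are assumptions for this demo.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        services.AddAuthorization(options =>
        {
            // Classic approach: membership in a group (role) decides access.
            options.AddPolicy("AdminsOnly", policy =>
                policy.RequireRole("Admin"));

            // Claims approach: the user must carry a "location" claim equal to "US".
            // The policy does not care which handler produced the principal.
            options.AddPolicy("UsOnly", policy =>
                policy.RequireClaim("location", "US"));

            // Claims compose: location plus a verified e-mail address, and the
            // assertion lambda can express any check over the principal.
            options.AddPolicy("UsVerified", policy =>
                policy.RequireClaim("location", "US")
                      .RequireAssertion(ctx =>
                          ctx.User.HasClaim("email_verified", "true")));
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // Authentication must run before authorization so the principal is populated.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}

// Applying the policies: a user with no "location" claim, or one set to
// anything other than "US", receives a 403 from the authorization middleware.
[Authorize(Policy = "UsOnly")]
public class ReportsController : Controller
{
    public IActionResult Index() => View();

    // A stricter policy can be layered on a single action.
    [Authorize(Policy = "UsVerified")]
    public IActionResult Export() => View();
}
```

The useful property here is that the policies are written once against claims, so the same `UsOnly` rule applies whether the principal came from the cookie handler used by the website, a JWT presented by the mobile app, or Windows Authentication. Changing the rule later (for example, allowing Canada as well) means editing the policy registration, not every controller.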

The documentation for Identity Server 4 is really good, so I would recommend going through the quickstarts if you are interested in implementing a server for your application. The docs can be found here: http://docs.identityserver.io/en/latest/quickstarts/0_overview.html

Have you had any experience using authentication or authorization? Any gotchas with Identity Server or ASP.NET Core Identity? If so, leave me a note in the comments below.
