Authentication and Authorization in dotnet core

I have created a asp.net core empty web application using asp.net core 5.0 version.

Here we will learn very simple way of authentication and authorization.

Authentication means "who are you?" and authorization means "are you allowed?"

So before we ask anyone "are you allowed?", we have to ask "who are you?".

For ex:- If 10 persons standing outside of the main gate of college, and 8 of them showed their college id card (authentication) and entered the college as the college is configured in such a way that it will allow anyone who has the college id card, i.e 8 persons are authorized to enter the college.

2 of them showed their driving license, but since the college is not configured in such a way that it will allow a person with driving license, they will not be authorized to enter the college.

Similarly we have to configure our system to allow or deny the user on the basis of some identity.

if you run your application now it will display "Hello World!" on the web page, as it empty web application.

Lets create a folder "Controller" and add a controller inside this folder named "HomeController.cs"

Add three methods Index(), Restricted() and Authenticate() in the controller and add their respective views and ddd [Authorize] attribute on the Restricted() method.

Currently the code in "HomeController.cs" will be like this.

HomeController.cs

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

namespace Simple.Controllers
{
    public class HomeController : Controller
    {
        public IActionResult Index()
        {
            return View();
        }

        [Authorize]
        public IActionResult Restricted() 
        {
            return View();
        }
        public IActionResult Authenticate() 
        {
            return View();
        }
    }
}

Lets modify the code of the startup.cs class, modified code in the startup.cs will be.

Startup.cs

using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

namespace Simple
{
    public class Startup
    {
        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllersWithViews();
        }

        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseRouting();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapDefaultControllerRoute();
            });
        }
    }
}

We can clearly see that we have removed "Hello World" code and added code required to show view with controller.

Now if we run the code and try to access Home/Restricted it will give an error.

Its simple right, we haven't configured our pipeline for checking authorization so need to add this method app.UseAuthorization() in configure method.

Lets add this code and run the application again.

But again we get an error.

Lets understand this error, we haven't defined any policy to check, i.e system is asking "Are you allowed?" but it doesn't know "Who are you?"

so we need to configure our system for validating the user first.

Lets add authentication scheme in "ConfigureServices" method of "Startup" class.

Startup.cs

        public void ConfigureServices(IServiceCollection services)
        {
            services.AddControllersWithViews();
            services.AddAuthentication("College-Id")
                .AddCookie("College-Id", configureOptions =>
                {
                    configureOptions.Cookie.Name = "College-Id.Cookie";
                });
        }

Now we have configured our system to look for the college-Id.Cookie, if it found then the user is authenticated.

Lets run the code now.

This time we did not get any error, but check the url now. We are trying to access the Restricted() method of the HomeController and system throws us default page Account/Login to first authenticate our self then we will be able to access the Restricted() method of the HomeController.

Lets write some code in the Authenticate Method of the HomeController.

public IActionResult Authenticate() 
        {
            var claims = new List<Claim>
            {
                new Claim(ClaimTypes.Name,"authenticatedUser"),
                new Claim("College-Id","YES")
            };

            var identity = new ClaimsIdentity(claims,"College Identity");

            var userPrincipal = new ClaimsPrincipal(new [] { identity });

            HttpContext.SignInAsync(userPrincipal);

            return View();
        }

Here we will define claims, identity and user principal.

Claims are basically, what the user is claiming, for instance the college id card.

Identity means, college authority is trusting the person having the college id card.

On the basis of the identity we have created user principal and signed in the user.

Now run this code you will see index page,but try to access "Home/Restricted" you will not be able to access this, as you are not authenticated.

Now lets go to route Home/Authenticate in the url, cookie will be generated.

Now try to access Home/Restricted in the url, you will be able to access the page, as you are not authenticated and authorized to access this page.

Comments

[Bhavesh Ramburn]

Interesting but you could have expanded a bit more on the topic