How Do Authentication And Authorization Work In ASP.NET?
Table of Content:
1. Introduction
2. Authentication and Authorization
3. Types of Authentication in Asp.Net
4.2 Policy-Based Authorization
5. Conclusion
Introduction
In times when cases of data theft and cyber attacks are on the rise, it is necessary for everyone to be aware and not fall prey to such cheap tactics on the internet. The same is true for businesses as well. Nowadays, businesses should be wary of such incidents and hence become more vigilant for the security of their website or web application, otherwise, it is hard to protect them from hackers.
They can choose to apply some necessary security measures like data encryption, input validation, using strong passwords, and using authentication as well as authorization to make sure that their website or web applications are safe from trespassers. There are many reasons why businesses choose the .NET framework for their app development project. Authentication and Authorization are two different but interlinked concepts that are largely used for the development of distributed ASP.NET applications. So, if you want to incorporate security integration calls with ASP.NET app development then you need to imply these two concepts.
Authentication and Authorization
Before we get into the details and all, let me be clear that you will get to see four important vocabularies again and again in this article. Now, let us start with defining the terms authentication and Authorization.
Authentication
Authentication is a process of identity verification of a user by getting some kind of credentials because such credentials are used to verify the user’s identity. The authorization process will start next only if the credentials come out to be valid. Hence, the authentication process leads to the Authorization process.
Authorization
In the Authorization process, an authenticated user is allowed to get access to the resources by checking whether the user has the right to get access to the system. Authorization helps you to get control over the access rights by granting or denying special permissions to any authenticated user.
Well, enough of the dictionary terms, let us now discuss them in terms of ASP.NET. The process of validating that the user exists in your database is called authenticating the user identity in ASP.NET. Whereas the Authorization in ASP.NET means to check whether the user has a right to access specific resources on the IIS website. These resources could be anything including an ASp.Net web page, media files like MP4, GIF, JPEG, or more, and compressed files like ZIP, RAR, and so on.
Therefore, it is now crystal clear that in ASP.NET authentication comes in first and then gets followed by authorization. For example, whenever you try to log in, let’s say a social media app like Facebook, you need to enter your user id and password. This will authenticate your identity for whether you are really the person this account belongs to.
After that, let’s say if you are trying to find a post from some other person or a group. If you are a friend to that person or you are included in some group then and only then you are authorized to view, like, share, and comment on their posts otherwise you won’t be able to see them too. And that’s what we call authorization. Here, the posts are taken in the form of resources on the website of asp.net.
I hope by now you have got the clarity on these two concepts. So, now let us discuss further what kind of processes are there in such concepts.
Types of Asp Net Authentication
1. Form Authentication
In ASP.NET, all the settings related to authentication and permissions are stored in cookies. Hence, the authentication is based on cookies. But there is a way to use form authentication without cookies. And to pass the user details, query strings are used in cookie-less form authentication.
No matter what, the basic concept will always be to allow only those users that provide the right credentials and have permission to access specific resources. So, what you need to do here is take their information and cross-check it with what you have stored in your database.
Irrespective of the type of form authentication you use, you have to compare the data you received on the server end with the data that is stored in your database. For example, the username and passwords are stored in web config.file, JSON file, or in a database table.
Forms authentication flow:
- When a user requests a page for the application, ASP.NET checks the session cookie. If the cookie exists and is valid, ASP.NET assumes the user is authenticated and processes the request.
- If session cookies do not exist or are not valid then it redirects to the login form.
- The user will enter the username and password and if they are valid then he will get authenticated and authorized.
2. Windows Authentication
For windows authentication, you need to use local windows users and groups for authentication and authorization of ASP.NET pages. Also, configure your ASP.NET app similarly.
3. Passport authentication
In the process of Passport authentication, Microsoft passport services are used to verify the authenticity of users on your application. If a user has signed up to your app using a passport then the mode of authentication needs to be configured for passport authentication. This will offload all the authentication duties to the passport servers.
To differentiate an authentic user from others, a passport uses an encrypted cookie mechanism. If the user has already signed into their passport before they have visited your website or used an app, consider them authenticated by the ASP.NET. but if they haven’t then they will be redirected to the passport servers to get logged in. and if they become successful in logging in then and only then will they be redirected back to your site or an app.
If you are thinking about using such a sophisticated security process of authentication then you should download a Passport Software Development Kit (SDK). You can find it from the libraries on the official site of Microsoft. The SDK will come with complete guidance on how to execute a passport authentication process on your website or in your application.
4. Custom Authentication process
Multipass
A single sign-on type of authentication is known as Multipass authentication. A single sign-on authentication process enables the user to manage multiple sites using the same credentials provided as authentication details. Here, multipass is offered as an AES encrypted JSON hash as a combination of keys and values.
JWT (JSON Web token)
JWTs always represent a JSON object. It is encoded in the JWS and JWE structure. Such a JSON object is called a JWT Claims Set. The JSON object consists of name and value pairs. The names here are strings and the values are arbitrary JSON values. JSON web tokens use a token-based authentication process where the claims are represented by the JWT.
Authorization in Asp.Net
1. Role-based authorization
Roles are independent of the payment feature services and use a user registry. The role-based authorization will allow you to manage your customers efficiently. But this authorization process could not replace your current model as it is only optional. The final choice would be of customers. They have to pick an implementation that fits best with their business requirements.
Users, groups, and permissions are the primary configuration points. Here, each group consists of a set of permissions, and a user could be defined and assigned to one or more than one group at a time.
In a role-based authorization model, it is the responsibility of a customer to provide their ID, optional attributes and all other essential user attributes that define a user in payment feature services. The customer must define the roles assigned to a user. Every role would match with a group name which will be defined in a payment feature service.
After a user successfully signs in, it is the responsibility of the payment feature services to add the user to the user repository and assign them to groups. When the users are assigned to groups, they are also assigned with a certain set of permissions which are later displayed on a user interface. The reason behind defining the user ID here is that if any user’s information is changed, an update must occur. Also, if the roles of the user need to be changed then simply just remove the old roles and configure them for the new roles.
When the user is authenticated, a new user exit is rendered to them. It inhabits the user definition object, also known as LoginDefinition. The user exit from the HTTP header provides you with the information which was used to inhabit the object.
Also, you can use user to exit to make remote calls to gather other user attributes from the remote repository or you can use default to inhabit fields common across all the users. The process of creating a user and assigning them to various sets of groups or roles is carried out based on the information from the user object.
For role-based authorization, the login user exit property is used to configure the login user exit class. Using a role-based authorization, customers can delete the stale users from the repository. And this is the one and only user administration available for the customers. Any kind of user authentication of the system is not hindered by the presence of users in the repository.
2. Policy-Based Authorization
Now, you can decouple the authorization and application logic using a policy-based framework in the ASP.NET Core. In simple words — a policy is a collection of a set of requirements which are the conditions that a user must meet.
One of the simplest policies is that the user is authenticated. Whereas the most common requirement is that a user is connected to its given role. Another most common request is that the user must have a specific claim or a specific claim with a specific value. If we put it in simple terms then a requirement is a declaration for a user identity trying to access a true method. You can develop a policy object using the code below:
C#
Copy
var policy = new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(“Cookie, Bearer”)
.RequireAuthenticatedUser()
.RequireRole(“Admin”)
.RequireClaim(“editor”, “contents”) .RequireClaim(“level”, “senior”)
.Build();
Using different methods of extension, a builder object gathers all requirements to create a policy instance. As you have seen in the code above, requirements act on the authentication status and schemes, roles, and any combination of claims read by a bearer token or an authentication cookie.
You can always make use of defining a new requirement through your own assertion if none of the predefined extension methods to define the requirements work for you. How can you imply that? Execute the code given below:
C#
Copy
var policy = new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(“Cookie, Bearer”)
.RequireAuthenticatedUser()
.RequireRole(“Admin”)
.RequireAssertion(ctx =>
{
return ctx.User.HasClaim(“editor”, “contents”) ||
ctx.User.HasClaim(“level”, “senior”);
})
.Build();
The Require Assertion method uses a lambda to accept the HTTP context object and to deliver a Boolean value. Hence, the assertion is just a conditional statement. A user must honor all the roles if you want to concatenate Require Role multiple times. But you can resort back to an assertion if you want to express an OR condition. So, in the given example it is quite clear that the policy only allows users that are either editors of contents or senior users.
Final words
As we saw in this article, in many ways the authentication and authorization methods make sure that the information in the application or on the website is kept secure. Therefore, these methods are used during ASP.NET app development especially when distributed application development is needed.
I hope you have enjoyed reading this article. If you have any further queries or suggestions then please share them with me in the comments section below.
