Authentication and Authorization in ASP.NET
Last updated
Was this helpful?
Last updated
Was this helpful?
Authentication is the process of verifying the identity of a user.
Authorization is the process of verifying that the user has the necessary permissions to access the resources.
We need to be Authenticated to access Authorization
We can have cookies and session authentication.
At first, we need to configure the file.
In the headers, add the following lines:
This will add the necessary libraries to the file. The Claims
are the authorization details.
Let's say that the Privacy page is only accessible to authenticated users. So, in the class HomeController
, after the Index
method, let's add the [Authorize]
attribute to the Privacy
method.
This will make the page accessible only to authenticated users.
Now, let's add the login method to the HomeController
class as the authentication form and the logic to authenticate the user is needed.
This will take the return URL and send it to the view.
The return URL is the URL to which the user will be redirected after the login.
The view will render the login form and authenticate the user, then redirect the user to the return URL.
Now, let's add the post method for the login. This will take the username and password and return to the return URL.
In this method:
We are checking if the username and password are correct.
If they are, we are creating a list of claims. A claim is an authorization detail. We are adding the username, name, and role to the claims.
Then, we are creating an identity with the claims and the cookie authentication scheme. An identity is the mechanism to be used for authorization. Here, we are using the cookie.
Then, we are creating a principal with the identity. Principal is the one who is authorized.
Finally, we are signing in the principal. This will authenticate the user.
Now, create a Login.cshtml
file in the folder for the authentication form.
Here, the main thing is the action="Login?ReturnUrl=@System.Net.WebUtility.UrlEncode(retUrl)"
.
This will take the return URL and send it to the Login
method.
The UrlEncode
method will encode the URL. This is necessary because the URL may contain special characters that may break the URL.
The form will take the username and password and submit it to the Login
method.
Then, in :
This will add the cookie authentication to the application.
The login path must be /Home/Login
.
The roles are the permissions that the user has. We can add roles to the user and check if the user has the necessary roles to access the resources.
The process of adding roles is similar to adding claims. We need to add the roles to the claims and then add the claims to the identity.
Let's say that we have a role called Student
. We can add this role to the claims. In the Login
method in the HomeController
class, add the role to the claims.
Here, we are adding the role Student
to the claims.
Now, let's say that the Dashboard
page is only accessible to the users with the role Student
. We can add the [Authorize(Roles = "Student")]
attribute to the Dashboard
method in the HomeController
class.
This will make the page accessible only to the users with the role Student
.
This will be the dashboard page that will be accessible only to the users with the role Student
.
Then, create a Dashboard.cshtml
file in the folder.