ASP.NET Authentication: A Practical Guide

ASP.NET, also known as Active Server Pages Network Enabled Technologies, is an open-source and server-side web-application framework. It’s designed for web development to build dynamic web sites, applications and services. Let’s learn more about ASP.Net Authentication in detail.

What Is ASP.NET Authentication?

ASP.NET is an open source framework by Microsoft for building modern web applications, services, and sites using .NET. It runs on Windows, Docker, Linux, and macOS. ASP.NET authentication is based on an authentication service called IAuthenticationService. Registered authentication handlers enable the service to authenticate users in ASP.NET applications.

ASP.NET Authentication Concepts

Authentication Schemes

An authentication scheme determines which authentication handler is responsible for creating the right set of claims. A scheme is a name that corresponds to an authentication handler plus the specific configuration options for that handler instance. You can use a scheme name to refer to the authenticate, challenge, and forbid behaviors of the associated handler.

Authentication Handler

Authentication handlers implement an authentication scheme’s behavior. You can derive handlers from AuthenticationHandler<TOptions> or IAuthenticationHandler. Their primary purpose is to authenticate users. Depending on the configuration of the associated authentication scheme and the context of incoming requests, the authentication handler may respond in different ways. 

If the authentication succeeds, the handler constructs an AuthenticationTicket object representing a user’s identity. If the authentication does not succeed, it returns a ‘failure’ or ‘no result.’ The handler provides methods to prohibit or challenge actions attempted by a user. An unauthenticated user will receive a challenge, while an unauthorized user will be denied access. 

Authentication Challenge

Authentication challenges are an extra measure invoked by the authorization system when unauthenticated users request access to a resource requiring authentication. For example, the IAuthenticationService may issue a challenge if an anonymous user clicks on a login link or requests access to a restricted resource. The authorization system uses a default authentication scheme (or a specified scheme if one exists) to invoke a challenge.

Related: Authentication vs. Authorization

Forbid Action

The authorization system calls the ‘forbid’ action for authentication schemes if authenticated users try to access resources without the necessary permissions. Forbid actions let users know they are authenticated but do not have permission to access the requested resource.
For example, the system may prohibit access by using any of the following methods:

  • A cookie authentication scheme redirects a user to a page that indicates access is forbidden.
  • A JWT bearer scheme returns a 403 (forbidden) error.
  • An authentication scheme redirects to a page that allows users to request access to a protected resource.

ASP.NET Core Identity

ASP.NET Core Identity is an API that supports UI login functionality. It lets you manage various user data elements, including user profiles, passwords, roles, tokens, and claims. Users can create accounts with login data stored by ASP.NET Core Identity, or they can create accounts using a supported external login provider, e.g., Google, Facebook, Twitter, or Microsoft accounts.

Usually, you configure Identity using a SQL Server database that stores usernames, profile data, and passwords. You can also use an alternative persistent store such as Azure Table Storage.

Related: Token Based Authentication

Multi-Factor Authentication in ASP.NET

Multi-factor authentication (MFA) prompts a user for more than one form of identification during a sign-in event. Typically the first identification factor is a password, and the second factor can be a verification code sent to the user’s phone, a FIDO2 key, or a fingerprint scan. Making MFA mandatory for an application makes authentication significantly more secure.

2FA (two-factor authentication) is natively supported when using ASP.NET Core Identity. To enable or disable 2FA for a specific user, set the IdentityUser<TKey>.TwoFactorEnabled property. MFA with the Time-based One-Time Password (TOTP) algorithm is also natively supported when using ASP.NET Core Identity. This method can be used with compatible authenticator applications such as Microsoft Authenticator and Google Authenticator.

You can make MFA mandatory for users visiting sensitive pages in an ASP.NET Core Identity application. This is useful for applications that have different levels of access for different identities. For example, users can log in with their password to view profile data, but administrators must use MFA to access admin pages.
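One way to enforce the "password for profile pages, MFA for admin pages" split described above, as an added example that is not code from the original article. It assumes an ASP.NET Core Identity project created from the Individual User Accounts template (so Identity is already registered) and a hypothetical admin Razor Page; the policy name RequireMfa is also an assumption.

```csharp
// Added example, not from the original article.
// Program.cs (excerpt): an authorization policy that passes only when the
// current sign-in completed a two-factor step. ASP.NET Core Identity adds the
// "amr" (authentication method reference) claim with value "mfa" to the cookie
// principal after a successful two-factor sign-in, so checking the claim verifies
// the current session, not merely that TwoFactorEnabled is set on the user record.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc.RazorPages;

var builder = WebApplication.CreateBuilder(args);
// ... Identity/DbContext registration from the template goes here ...

builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("RequireMfa", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("amr", "mfa"));
});

builder.Services.AddRazorPages();

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapRazorPages();
app.Run();

// Pages/Admin/Index.cshtml.cs (hypothetical admin page).
// A user who signed in with a password only is authenticated but fails the
// policy, so the authorization system invokes Forbid (Identity's AccessDenied
// page) rather than Challenge; anonymous users still get a login challenge.
[Authorize(Policy = "RequireMfa")]
public class AdminIndexModel : PageModel
{
    private readonly UserManager<IdentityUser> _userManager;

    public AdminIndexModel(UserManager<IdentityUser> userManager)
    {
        _userManager = userManager;
    }

    // Example of toggling the per-user flag mentioned in the text.
    public async Task<IActionResult> OnPostEnableMfaAsync()
    {
        var user = await _userManager.GetUserAsync(User);
        if (user is null) return Forbid();
        await _userManager.SetTwoFactorEnabledAsync(user, true);
        return RedirectToPage();
    }
}
```

Profile pages that carry only [Authorize] remain reachable with a password-only sign-in; only pages tagged with the RequireMfa policy demand a completed second factor.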

Tutorial: Facebook External Login Setup in ASP.NET

This tutorial will help you learn how to use a sample ASP.NET Core project to enable users to sign in with their Facebook accounts. You must create a new ASP.NET Core project in Visual Studio to follow this tutorial. Here is how to create the project:

  1. Choose the ASP.NET Core Web App template and select OK.
  2. Go to the Authentication type input, and choose Individual User Accounts.

Create the App in Facebook

  1. Add this NuGet package to your project—Microsoft.AspNetCore.Authentication.Facebook.
  2. Go to the Facebook Developers app page and sign in to an existing account. If you do not have a Facebook account, you can choose the Sign up for Facebook option to create a new account.
  3. Use your new or existing Facebook account to follow the instructions and register as a Facebook Developer.
  4. Go to the My Apps menu, and choose the Create App option. A Create an app form should appear.

Image Source: Microsoft

  5. Choose the suitable app type for your project.
  6. Fill out the form and choose the Create App option.
  7. Go to the Add Products to Your App page, and choose Set Up on the Facebook Login card.

Image Source: Microsoft

  8. Once the Quickstart wizard launches, it displays a Choose a Platform page. Bypass the wizard by choosing the Facebook Login Settings option in the lower-left menu. Next, you should see the Client OAuth Settings page:

Image Source: Microsoft

  9. Enter your development uniform resource identifier (URI) with /signin-facebook appended into the Valid OAuth Redirect URIs field. Next, choose Save Changes.
  10. Go to the left navigation Settings menu and choose the Basic link option. Safely note your App ID and App Secret—you will add them to the ASP.NET Core application later.
  11. When you deploy your site, revisit the Facebook Login page and register the new public URI.

Configure Facebook Authentication

In this step, you need to add an Authentication service to the program. Here is the sample:
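The following is an added example of the Program.cs registration, not the article's own sample. It assumes a project created with Individual User Accounts (Identity and ApplicationDbContext already registered by the template) and the Microsoft.AspNetCore.Authentication.Facebook package added in the earlier step.

```csharp
// Added example, not the article's own sample. Program.cs (excerpt).
var builder = WebApplication.CreateBuilder(args);
var configuration = builder.Configuration;

// ... template code: AddDbContext<ApplicationDbContext>, AddDefaultIdentity ...

// AddAuthentication() with no scheme name keeps Identity's application cookie
// as DefaultScheme; AddFacebook registers the "Facebook" scheme and its handler.
builder.Services.AddAuthentication()
    .AddFacebook(facebookOptions =>
    {
        // App ID and App Secret are read from configuration, never hard-coded.
        // During development store them with the Secret Manager:
        //   dotnet user-secrets set "Authentication:Facebook:AppId" "<your app id>"
        //   dotnet user-secrets set "Authentication:Facebook:AppSecret" "<your app secret>"
        // Failing fast here beats silently starting with an unusable provider.
        facebookOptions.AppId = configuration["Authentication:Facebook:AppId"]
            ?? throw new InvalidOperationException("Authentication:Facebook:AppId is not configured.");
        facebookOptions.AppSecret = configuration["Authentication:Facebook:AppSecret"]
            ?? throw new InvalidOperationException("Authentication:Facebook:AppSecret is not configured.");

        // Default value shown explicitly: it must match the /signin-facebook
        // entry registered under Valid OAuth Redirect URIs in the Facebook app.
        facebookOptions.CallbackPath = "/signin-facebook";
    });

builder.Services.AddRazorPages();

var app = builder.Build();
app.UseHttpsRedirection();   // the OAuth redirect must come back over HTTPS
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();     // runs the registered handlers before authorization
app.UseAuthorization();
app.MapRazorPages();
app.Run();
```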

Here is how this works:

  • The AddAuthentication(IServiceCollection, String) overload sets the DefaultScheme property.
  • The AddAuthentication(IServiceCollection, Action<AuthenticationOptions>) overload lets you configure authentication options, including different default schemes for different purposes (for example, separate default authenticate, challenge, and forbid schemes).

Sign in with Facebook

  1. Run your application and choose Log In.
  1. Go to Use another service to log in, and choose Facebook. You should be redirected to Facebook for authentication.
  1. When prompted, enter your Facebook credentials. You should be redirected to your site, where you can configure your email.

You should now be logged in using your Facebook credentials.

ASP.NET User Management with Frontegg

Frontegg is an end-to-end user management platform that’s helping eliminate cumbersome maintenance tasks and focus on what really matters – innovation. Strong authentication flows, billing options, passwordless features, and even frontend needs like login boxes are covered – all with just a few lines of code.

Yes, ASP.NET is covered by the SDKs we offer.