
I have my own tables for Authentication:
Users
Roles
UserRoles

I am trying to figure out what the best way to implement custom authentication with ASP.NET Core MVC would be. I do not want to use the built in UserManager, RoleManager, etc. I prefer creating my own. Can I somehow still tap into the cookie based authentication and use all of the ASP.NET Authorization helper tags without using asp.net identity?

Correct me if I am wrong, but I believe I want something like this: https://learn.microsoft.com/en-us/aspnet/core/security/authentication/cookie

  • How do you plan to hash and store password? Commented Jul 19, 2017 at 19:39
  • @Win I am going to use blowfish encryption with salt. Commented Jul 19, 2017 at 20:16
  • @Win because I have been trying to figure out ASP.NET Identity for years and I am sick of not understanding every single part of it. I would rather implement my own auth just like the good old days. It is most likely my problem for not being able to read the documentation and pick up on it, but I can't stand Entity Framework / ASP.NET Identity. I am aware that ASP.NET Identity can be used without EF but it just seems like a pain. Plus my ultimate goal would be to use IdentityServer at some point to auth my client apps and apps. Just not ready for that yet. Commented Jul 19, 2017 at 20:24
  • @Win I feel like this stuff isn't rocket science. I prefer understanding 100% of what I build so I try to limit as much third party use as possible. Commented Jul 19, 2017 at 20:26

1 Answer

I have been trying to figure out ASP.NET Identity for years and I am sick of not understanding every single part of it. I would rather implement my own auth just like the good old days. It is most likely my problem for not being able to read the documentation and pick up on it, but I can't stand Entity Framework / ASP.NET Identity. I am aware that ASP.NET Identity can be used without EF but it just seems like a pain.

Well, if you decided to go that route, you can use Cookie Authentication Middleware.

There are too many moving pieces, so I created a sample project in GitHub.

You can replace this LDAP Authentication with your own Authentication mechanism. Here is the actual implementation.

The main reason I did not use ASP.NET Identity in some of my projects is that we already have Active Directory in our organization.

Startup.cs

// Configure(): cookie middleware in place of ASP.NET Identity (ASP.NET Core 1.x API).
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
   Events = new CookieAuthenticationEvents
   {
      // Override the default redirect to AccessDeniedPath: a signed-in user
      // who lacks the required role/policy gets a plain 403 instead.
      OnRedirectToAccessDenied = context =>
      {
         context.Response.StatusCode = (int)HttpStatusCode.Forbidden;
         return TaskCache.CompletedTask;
      }
   },
   // Cookie lifetime is read from configuration (AppSettings:CookieAuthentication:ExpireMinutes).
   ExpireTimeSpan = TimeSpan.FromMinutes(Int32.Parse(Configuration.GetSection(
       "AppSettings:CookieAuthentication:ExpireMinutes").Value)),
   // The same scheme name must be passed to SignInAsync / SignOutAsync.
   AuthenticationScheme = Constants.AuthenticationScheme,
   // Anonymous requests to an [Authorize] action are redirected here.
   LoginPath = new PathString("/Account/Login"),
   AccessDeniedPath = new PathString("/Common/AccessDenied"),
   // Read the cookie on every request and issue the login challenge automatically.
   AutomaticAuthenticate = true,
   AutomaticChallenge = true
});

10 Comments

  • Thanks for this great response. I actually got it somewhat working for now but your post is going to help me fill in the blanks. So far I have it to the point where I am creating a cookie when a user logs in and I am able to access actions in controllers that have the [Authorize] attribute on them. The next thing I am going to look into is how to set all of the UserRoles as Claims in the principal so they are stored in the cookie. Then I will be able to use those attributes too.
  • Now that the cookie is being stored in the browser, do you know how I can access information from the cookie? For example, the current logged in user etc. Typically I know I would get this information from the Identity Managers, but I am going to have to do it manually using HttpContext, aren't I?
  • In ASP.NET Core, we should use policy instead of role-based. Here is how I convert role claims to policy.
  • Here is a wrapper class for HttpContext so that I can unit test controllers, and here is how it is injected into the view.
  • Since most of us have a role table, we store the authorized roles as claims. Claims are then converted to policy. We then use the authorize attribute to restrict access.
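As an added example (not code from the answer or its linked GitHub project), this is how the login that stores UserRoles as claims in the cookie principal, and the role-to-policy mapping from the comments above, could look against the asker's own Users/Roles/UserRoles tables, using the same ASP.NET Core 1.x cookie API as the Startup.cs above. IUserRepository, the "RequireAdmin" policy and the "Admin" role name are assumptions; Constants.AuthenticationScheme is the scheme name from the Startup.cs snippet.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical repository over the Users/Roles/UserRoles tables (not defined on the page):
// VerifyCredentialsAsync returns the user id when the password verifies against the stored
// salted hash (otherwise null); GetRoleNamesAsync joins Roles through UserRoles.
public interface IUserRepository
{
    Task<int?> VerifyCredentialsAsync(string userName, string password);
    Task<IReadOnlyList<string>> GetRoleNamesAsync(int userId);
}

public class AccountController : Controller
{
    private readonly IUserRepository _users;
    public AccountController(IUserRepository users) { _users = users; }

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password, string returnUrl)
    {
        var userId = await _users.VerifyCredentialsAsync(userName, password);
        if (userId == null)
        {
            ModelState.AddModelError("", "Invalid user name or password."); // same message for both failures
            return View();
        }
        // The cookie carries this principal; roles go in as claims so [Authorize] and policies can see them.
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, userId.Value.ToString()),
            new Claim(ClaimTypes.Name, userName)
        };
        foreach (var role in await _users.GetRoleNamesAsync(userId.Value))
            claims.Add(new Claim(ClaimTypes.Role, role));

        var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, Constants.AuthenticationScheme));
        await HttpContext.Authentication.SignInAsync(Constants.AuthenticationScheme, principal);

        // Only follow a local return URL so the login page cannot be turned into an open redirect.
        return Url.IsLocalUrl(returnUrl) ? Redirect(returnUrl) : RedirectToAction("Index", "Home");
    }
}

// Startup.ConfigureServices: role claims become named policies, used as [Authorize(Policy = "RequireAdmin")].
public static class AuthorizationPolicies
{
    public static void Add(IServiceCollection services) =>
        services.AddAuthorization(o => o.AddPolicy("RequireAdmin", p => p.RequireRole("Admin")));
}
```

After sign-in, `User.Identity.Name` and `User.FindFirst(ClaimTypes.NameIdentifier)` in any controller or view read the current user straight from the cookie principal, with no Identity managers involved.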
