How do I get started with ASP.NET (Core) Identity

  • Question

  • User197122282 posted

    I am new to ASP.NET Identity (or Identity Core) and getting started is a steep learning curve.

    If we create a new ASP.NET Application using 'Individual User Accounts' authentication, it generates an Account Controller with a bunch of methods and classes. All the boilerplate code is quite complicated and takes a lot of effort to customize. I do understand that the complexity helps secure our applications but it really is complicated in nature.

    I am interested in knowing what other developers are using for Authentication in real world MS applications. Are they using ASP.NET Identity as an industry standard or do they roll out their own authentication mechanism (which obviously can have security holes)? In traditional ASP.NET web applications, we could use a few tables to handle our authentication requirements.

    Last but not least, can someone point me to a good learning resource for ASP.NET Identity? Most demos out there just create the tables and code on the fly without writing a single line of code. I am interested in learning the core Identity concepts step by step.

    Thanks in advance.

    Thursday, August 15, 2019 7:55 AM

All replies

  • User-821857111 posted

    There is a collection of articles in the official docs that cover Identity: https://docs.microsoft.com/en-us/aspnet/core/security/?view=aspnetcore-2.2.

    You don't need to use Identity. You can go for basic cookie authentication for simpler scenarios: https://www.mikesdotnetting.com/article/335/simple-authentication-in-razor-pages-without-a-database

    Thursday, August 15, 2019 9:08 AM
  • User197122282 posted

    As far as I understand, for a simple local scenario, we may roll out a simple authentication setup using basic tables and classes (not underestimating security in any way). However, to go all the way, Identity is essential.

    Mike, based on your experience, can you shed light on the following:

    kashifdotnet

    I am interested in knowing what other developers are using for Authentication in real world MS applications. Are they using ASP.NET Identity as an industry standard

    I do not doubt the efforts made by MS to secure the applications, but just need to know if there are other options/standards to follow for authentication/authorization. I do understand that rolling out a custom auth. mechanism is not for the average developer.

    Sunday, August 18, 2019 5:43 AM
  • User475983607 posted

    I do not doubt the efforts made by MS to secure the applications, but just need to know if there are other options/standards to follow for authentication/authorization. I do understand that rolling out a custom auth. mechanism is not for the average developer.

    You are confusing Identity with security and standards. Security is a vast subject and generally developers are given security requirements for an organization. It is up to the developer to come up with a design that meets the security requirements.

    Identity is NOT security. Identity is an API for managing user accounts and it plays a part in any security design. It is up to the developer to determine if the features provided by Identity are a good fit for managing user accounts.

    In browser-based applications, authentication/authorization is handled by the Authentication Cookie API, not Identity. You have to understand that there are other types of clients besides browsers. These days it is very common to pass JWTs to secured API endpoints.

    Sunday, August 18, 2019 12:22 PM
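
An added example, not part of any post in this thread: a login action that keeps account data and authentication separate, verifying the stored hash with Identity's `PasswordHasher<TUser>` and issuing the session through the cookie authentication handler. `AppUser`, `IUserLookup`, `AuthSetup` and the `/account/login` path are hypothetical names chosen for illustration.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical user record and lookup; back them with your own table.
public class AppUser { public string Id, UserName, PasswordHash; }
public interface IUserLookup { Task<AppUser> FindByNameAsync(string userName); }

public static class AuthSetup
{
    // Call from Startup.ConfigureServices; add app.UseAuthentication() in Configure.
    public static void AddCookieAuth(IServiceCollection services) =>
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(o =>
            {
                o.LoginPath = "/account/login";
                o.Cookie.HttpOnly = true;                          // hidden from script
                o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
                o.Cookie.SameSite = SameSiteMode.Lax;
            });
}

public class AccountController : Controller
{
    private readonly IUserLookup _users;
    // PasswordHasher ships with Identity but works stand-alone on stored hashes.
    private readonly PasswordHasher<AppUser> _hasher = new PasswordHasher<AppUser>();

    public AccountController(IUserLookup users) => _users = users;

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(string userName, string password)
    {
        var user = await _users.FindByNameAsync(userName);
        // Same response for an unknown user and a wrong password.
        if (user == null || _hasher.VerifyHashedPassword(user, user.PasswordHash, password)
                == PasswordVerificationResult.Failed)
            return Unauthorized();

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, user.Id), new Claim(ClaimTypes.Name, user.UserName) },
            CookieAuthenticationDefaults.AuthenticationScheme);
        // The cookie handler, not Identity, issues the encrypted auth ticket.
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity));
        return LocalRedirect("/");
    }
}
```
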
  • User753101303 posted

    Hi,

    IMO if you want to understand the underlying architecture, start at https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity-custom-storage-providers?view=aspnetcore-2.2

    The template uses a default EF provider but you could implement whatever you need. The purpose is to "manage users" regardless of the underlying store and how users are authenticated.

    If I had to show the feature from scratch I would likely use "Windows authentication" with a provider using "local" or "domain" accounts behind the scenes.

    Sunday, August 18, 2019 1:18 PM