User and password login without database

Question

User373134933 posted

I'm starting an ASP.NET Core project (on .NET Framework 4.6) that requires user login with user name and password. I know how to manage a session and login state in PHP but have never done that in ASP.NET. Now I've read about ASP.NET Core Identity but that requires Entity Framework and a local database for the credentials. I can't use that because there will be no database where the web application runs. Instead, there is a custom network connection to a backend server that does the authentication. (Think of it like a web mail interface with IMAP server authentication. The web app just passes the login data through.)

What is the suggested procedure to implement such user login on ASP.NET Core without the default database or external providers?

Can I use Identity at all for this task or should I revert to fully manual session and login management like in PHP 4?

If Identity can/should be used for this, where can I find documentation about it? The docs.asp.net site only covers the standard case with local database but fails to explain what I need to change to leave out the database. It even pulled in an EntityFramework NuGet package which I haven't requested. I'd also like to know then how Identity works technically. Does it use Session, or cookies, or something else?

Answer 1

User-491950272 posted

You can manually create a user Identity in ASP.NET Core for authenticated users as:

const string Issuer = "https://contoso.com";
    var claims = new List<Claim>();
    claims.Add(new Claim(ClaimTypes.Name, "barry", ClaimValueTypes.String, Issuer));
    var userIdentity = new ClaimsIdentity("SuperSecureLogin");
    userIdentity.AddClaims(claims);
    var userPrincipal = new ClaimsPrincipal(userIdentity);

    await HttpContext.Authentication.SignInAsync("Cookie", userPrincipal,
        new AuthenticationProperties
        {
            ExpiresUtc = DateTime.UtcNow.AddMinutes(20),
            IsPersistent = false,
            AllowRefresh = false
        });

    return RedirectToLocal(returnUrl);

In the required action.

Answer 2

User373134933 posted

I still don't know where to put this code snippet. I found that I can install the package Microsoft.AspNetCore.Identity instead of Microsoft.AspNetCore.Identity.EntityFrameworkCore which does not pull in EF. But I still need to provide a "user" and a "role" class. Looking for further information about these concepts.

Answer 3

User36583972 posted

Hi  ygoe,

The following links/examples for your reference.

Using Cookie Middleware without ASP.NET Core Identity:

https://docs.asp.net/en/latest/security/authentication/cookie.html

Simple Asp.net Identity Core Without Entity Framework:

https://code.msdn.microsoft.com/Simple-Aspnet-Identiy-Core-7475a961

An example of how to use the new ASP.NET Identity authentication without a database:

https://github.com/leeenglestone/ASP.NET-Identity-Without-a-Database

Best Regards,

Yohann Lu

Answer 4

User373134933 posted

Thank you! Here's one more article I've found to be useful:

https://brockallen.com/2013/10/24/a-primer-on-owin-cookie-authentication-middleware-for-the-asp-net-developer/

It seems I'm not using "Identity" but rather just some "cookie authentication middleware" that still does a lot of what I need. It still works here if I remove the app.UseIdentity() call and just keep the app.UseCookieAuthentication(). The Identity NuGet package is still required though.