Authentication in ASP.Net MVC

Hi Friends,

In today’s discussion we’ll be talking about authentication. Authentication is nothing new here; it is basically the same as what we have been using with other legacy .NET systems, but it’s a good idea to discuss it in the MVC context as well. So, let’s get started. In a nutshell, authentication is verifying who the user is: you don’t want unauthenticated users to come in and access your portal.
There are 3 ways to do this with ASP.NET:-
1) Forms Authentication:- With this, the website provides a page where users can enter their user name and password; these get validated against the system and then the user lands in the portal. We’ll see in more detail how to work with it below. Forms authentication relies on cookies by default: once the user has signed in, the app stores an authentication cookie in the client’s browser, so the user doesn’t need to sign in again during the same browsing session.

2) OpenID/OAuth:- Another technique is OpenID and OAuth. These are open standards for authentication and authorization respectively, and using them means your users don’t need to register with my membership DB; instead that is taken care of by a 3rd-party provider, which could be anything like Gmail, Facebook, Yahoo etc.

3) Windows Authentication:- This is the same approach we have used earlier, so I am not going to discuss it in detail. Basically, Windows authentication is used in intranet applications, where authentication is taken care of by Active Directory. However, to get a feel for Windows authentication, what you can do is select the Intranet Application template instead of Internet Application; it gives you all the settings for Windows authentication by default.

Forms Authentication:- So, let’s discuss this from the MVC perspective. When you create an Internet Application project, the project directories already have everything in place that users need to register themselves and use all the basics of Forms authentication, and it also gives us the capability to override any scenario at any level. All these basic settings are provided by the Account folder, as shown below.


So, when you look inside the authentication code, you will see that Microsoft is using the WebSecurity class to implement Forms Authentication. It’s this class’s responsibility to validate the user’s password. WebSecurity in turn talks to SimpleMembershipProvider, so in a nutshell the membership provider is storing all the users’ credentials in the database. However, we could go ahead and take ownership of the membership setup; we could easily override it as well. Inside the Filters folder there is a file called “InitializeSimpleMembershipAttribute”, as shown below:-


If you open up this file and look at it in detail, you will find that it is written in a generic way, and you won’t need everything in here. The part which really interests you is the section below, which initializes the database connection.


It takes a couple of things: the connection name, which is DefaultConnection; UserProfile, which is the name of the table that contains the user information with UserId as the primary key; and the column that gives the user name as well. We could override this behavior; we could have as many columns as we want, but we at least need these two columns to store a user and retrieve it again.

However, since I already know that I am using Forms authentication, I’ll take this piece of code and run it from Global.asax during the Application_Start event.


Now, since I have the code here, I won’t be needing that InitializeSimpleMembershipAttribute file in the Filters folder any more, so I can go ahead and delete it. One more thing: I would also like to override the UserProfile table by adding some more specific columns pertaining to my site.


Above is the default implementation of the AccountModels file, where I would like to control the behavior of the UserProfile table. For that to happen I need it to be controlled by our own DbContext, not by the template’s default DbContext, so I can go ahead and delete that DbContext. However, we do need the UserProfile table, and since this is my custom code, I cut it from here and create a new class with the name UserProfile as shown below:




Now, in order to use it with my DbContext, I need to add a DbSet property in my declaration as shown below.


Now, since we have changed the model class, we need to do a migration. When I build, it gives a couple of errors: the 1st is for [InitializeSimpleMembership], and since we have moved this section we can simply delete the attribute. The other is where it expects the UsersContext initialization, so I change that to my DbContext as shown below:-


Now that I have built the solution, I can go ahead and do the migrations as shown below:-
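The three pieces described above (the custom UserProfile class, the DbSet on our own context, and the WebSecurity initialization moved into Global.asax) put together, as an added example rather than the post’s own code; the MoviesContext, Movie and FavoriteMovie names are assumptions.

```csharp
using System.ComponentModel.DataAnnotations;
using System.ComponentModel.DataAnnotations.Schema;
using System.Data.Entity;
using System.Web.Mvc;
using WebMatrix.WebData;

// Custom profile table: the two columns SimpleMembership needs (UserId, UserName)
// plus one site-specific column. The column name FavoriteMovie is an assumption.
[Table("UserProfile")]
public class UserProfile
{
    [Key]
    [DatabaseGenerated(DatabaseGeneratedOption.Identity)]
    public int UserId { get; set; }
    public string UserName { get; set; }
    public string FavoriteMovie { get; set; }
}

public class Movie { public int Id { get; set; } public string Title { get; set; } }

// The application's own context now owns UserProfile, replacing the template's UsersContext.
public class MoviesContext : DbContext
{
    public MoviesContext() : base("DefaultConnection") { }
    public DbSet<Movie> Movies { get; set; }
    public DbSet<UserProfile> UserProfiles { get; set; }
}

public class MvcApplication : System.Web.HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();   // other template registrations omitted

        // Moved here from InitializeSimpleMembershipAttribute so it runs exactly once,
        // before any request, instead of lazily on the first AccountController hit.
        if (!WebSecurity.Initialized)
        {
            WebSecurity.InitializeDatabaseConnection(
                "DefaultConnection", "UserProfile", "UserId", "UserName",
                autoCreateTables: true);
        }
    }
}
```

After this change, Add-Migration and Update-Database in the Package Manager Console create the UserProfile table with the extra column; the webpages_ tables are created by autoCreateTables on the first run.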


Now, let’s do a demo. Let’s try to register myself, then log in and check how it behaves.



Once I have registered myself, I am redirected to the Home page as shown below, with my user name showing at the top.



However, I could go ahead and do things like changing my password or logging off from the portal, as shown below.


Now, let’s look at some other details, like the table structure and where it is all getting stored.

We can see that the UserProfile table has been added. There are other tables as well which pertain to WebSecurity; one good way to identify them is that all these tables have the prefix “webpages_”. Now, if we look at the table below, we can see the new column which we added.


Now, if I open this table and look at the record, I can see my name in there.



Since I did not supply any movie while registering, it didn’t get stored. However, we could also go ahead and force users to authenticate before they reach a specific section of the site, as shown below. For doing this we will be using the [Authorize] action filter, as shown below:



Now, as soon as a user invokes the Create action, he needs to get authenticated 1st. Authorize can be applied at the action level or at the controller level; it entirely depends on you where and how you want to put the checkpoint.



Once I log in, the movie gets created. The next thing I can do here is associate roles and groups with the user. For this I can use the SimpleMembership provider API. I can go ahead and seed membership data just to push sample values into the membership tables. Below is the code which I need to add to the Configuration file under the Migrations folder.
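A Seed method of the kind described above, written as an added example (not the post’s own code) against the Migrations/Configuration.cs that Enable-Migrations generates; it assumes the MoviesContext name from earlier, and the "admin" account, role name and password are constructed sample values.

```csharp
using System.Data.Entity.Migrations;
using System.Linq;
using System.Web.Security;
using WebMatrix.WebData;

internal sealed class Configuration : DbMigrationsConfiguration<MoviesContext>
{
    public Configuration()
    {
        AutomaticMigrationsEnabled = false;
    }

    // Seed runs after every Update-Database, so every step checks before it creates.
    protected override void Seed(MoviesContext context)
    {
        // Update-Database runs outside the web app, so Application_Start never ran:
        // WebSecurity has to be initialized here before any membership call.
        if (!WebSecurity.Initialized)
        {
            WebSecurity.InitializeDatabaseConnection(
                "DefaultConnection", "UserProfile", "UserId", "UserName",
                autoCreateTables: true);
        }

        if (!Roles.RoleExists("Admin"))
        {
            Roles.CreateRole("Admin");
        }

        // Sample account for local testing; real credentials do not belong in source.
        if (!WebSecurity.UserExists("admin"))
        {
            WebSecurity.CreateUserAndAccount("admin", "Sample-Pa55word-change-me");
        }

        if (!Roles.GetRolesForUser("admin").Contains("Admin"))
        {
            Roles.AddUsersToRoles(new[] { "admin" }, new[] { "Admin" });
        }
    }
}
```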


Now I can go ahead and run the PowerShell command to update the DB.



And upon running it, it gave me the error below:



The problem in this case is that explicit provider configuration needs to be enabled in the web.config file.
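The explicit configuration meant here, added as an example rather than copied from the post: inside the web app, WebMatrix.WebData registers the Simple providers at startup, but Update-Database runs the Seed outside that pipeline, so the Roles and Membership classes fall back to the machine-wide defaults unless web.config names the Simple providers itself.

```xml
<system.web>
  <roleManager enabled="true" defaultProvider="SimpleRoleProvider">
    <providers>
      <clear />
      <add name="SimpleRoleProvider"
           type="WebMatrix.WebData.SimpleRoleProvider, WebMatrix.WebData" />
    </providers>
  </roleManager>
  <membership defaultProvider="SimpleMembershipProvider">
    <providers>
      <clear />
      <add name="SimpleMembershipProvider"
           type="WebMatrix.WebData.SimpleMembershipProvider, WebMatrix.WebData" />
    </providers>
  </membership>
</system.web>
```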


With the above changes in place in the config file, I could run the PowerShell command successfully. Now, let’s go ahead and apply the Authorize attribute to the Create Movie section so that only users in the Admin role can reach it.


However, I need to change my view a bit: I need to display the Create link only when the user is an Admin, as shown below.
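The two placements of [Authorize] discussed above (controller level versus action level, and the role-restricted Create action) in one controller, as an added example that is not the post’s code; MoviesController, MoviesContext and Movie are assumed names.

```csharp
using System.Linq;
using System.Web.Mvc;

// Controller-level attribute: every action requires a signed-in user, so an
// anonymous request is redirected to the login page configured in web.config.
[Authorize]
public class MoviesController : Controller
{
    private readonly MoviesContext _db = new MoviesContext();

    // Listing needs no login; [AllowAnonymous] overrides the class-level filter.
    [AllowAnonymous]
    public ActionResult Index()
    {
        return View(_db.Movies.ToList());
    }

    // Action-level restriction: being authenticated is not enough,
    // the user must also hold the Admin role.
    [Authorize(Roles = "Admin")]
    public ActionResult Create()
    {
        return View();
    }

    // The POST carries the same guard as the GET; hiding the link in the view
    // only tidies the UI, the attribute is what actually enforces the rule.
    [HttpPost]
    [ValidateAntiForgeryToken]
    [Authorize(Roles = "Admin")]
    public ActionResult Create(Movie movie)
    {
        if (!ModelState.IsValid)
        {
            return View(movie);
        }
        _db.Movies.Add(movie);
        _db.SaveChanges();
        return RedirectToAction("Index");
    }
}
```

In the Razor view the matching check is `@if (User.IsInRole("Admin")) { @Html.ActionLink("Create New", "Create") }`, which shows the link to admins only.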


Now, let’s try it out.


Since I did not log in, I cannot see the Create link; however, in the screenshot below, when I am logged in, I can see the Create link.



Now, let’s look at OpenID and OAuth. These are cases where we are not managing passwords; authenticating the user is delegated to a 3rd-party vendor. This is very beneficial, as it saves a lot of time during registration: if I am a Gmail user, I can get authenticated at Google’s server and, once done, I am redirected back to the portal I am on. There are many other options besides Gmail, such as Yahoo, Twitter, LinkedIn, Facebook etc. To use them, we need to get an app ID and secret key, so basically we need to register our app on their site and get the app key. I’ll be using Gmail here as it is open to use; it doesn’t need any secret key.


The AuthConfig file resides in the App_Start folder. Here we just need to supply the app ID and secret key, but I just used the Google account to demo it. With the above change in place, I can build the app and refresh the page, and I can see the change.
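An AuthConfig of the shape described above, as an added example rather than the post’s own file: the Google client needs no registration, while an OAuth provider such as Facebook needs the app ID and secret, which are read from appSettings here (the FacebookAppId and FacebookAppSecret setting names are assumptions) so they never sit in source.

```csharp
using System.Configuration;
using Microsoft.Web.WebPages.OAuth;

public static class AuthConfig
{
    // Called from Application_Start by the MVC 4 Internet template.
    public static void RegisterAuth()
    {
        // OpenID-based client: no app registration, no key or secret to keep.
        OAuthWebSecurity.RegisterGoogleClient();

        // OAuth client: registered only when the app has been set up with the
        // provider and its credentials are present in web.config appSettings.
        var appId = ConfigurationManager.AppSettings["FacebookAppId"];
        var appSecret = ConfigurationManager.AppSettings["FacebookAppSecret"];
        if (!string.IsNullOrEmpty(appId) && !string.IsNullOrEmpty(appSecret))
        {
            OAuthWebSecurity.RegisterFacebookClient(appId, appSecret);
        }
    }
}
```

Note that RegisterGoogleClient() used Google’s OpenID 2.0 endpoint, which Google has since shut down, so a current application registers an OAuth client ID and secret with Google as well.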


With this I would like to wrap up this session. Till then stay tuned and Happy Coding.