{"id":6273,"date":"2016-03-11T15:52:36","date_gmt":"2016-03-11T15:52:36","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/webdev\/?p=6273"},"modified":"2016-03-11T15:52:36","modified_gmt":"2016-03-11T15:52:36","slug":"first-look-authentication-in-asp-net-core","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/dotnet\/first-look-authentication-in-asp-net-core\/","title":{"rendered":"First Look: Authentication in ASP.NET Core"},"content":{"rendered":"<p>With the coming changes in ASP.NET Core, our friend and intrepid reporter <a href=\"https:\/\/twitter.com\/sethjuarez\" target=\"_blank\" rel=\"noopener\">Seth Juarez<\/a> sat down with ASP.NET Program Manager <a href=\"https:\/\/twitter.com\/rustd\" target=\"_blank\" rel=\"noopener\">Pranav Rastogi<\/a> to discuss the updates and improvements in the new ASP.NET Core authentication system. Here are some of the highlights of their discussion and some sample code to get you started.<\/p>\n<p>Pranav gave a quick definition of authentication compared to authorization:\u00a0 authentication validates who the user is, and authorization validates access to the actions a user wants to perform. The authentication scenarios in ASP.NET are still the same as in previous versions: OAuth can be enabled with providers available for Facebook, Twitter, Microsoft Account, and Google.\u00a0 You can still manage a database of your own users with their own passwords on your application.\u00a0 Additionally, two-factor authentication is easy to add to your application, with code samples commented out in the initial ASP.NET Core project templates. 
The four authentication options by default in a new web application are:<\/p>\n<ul>\n<li>No authentication<\/li>\n<li>Individual User Accounts &#8211; a security database will be created and you can configure individuals to access your application with a\nuser ID and password, an OAuth provider, two-factor authentication,\nor any combination of these items.<\/li>\n<li>Work and School Accounts &#8211; using Azure Active Directory<\/li>\n<li>Windows Authentication<\/li>\n<\/ul>\n<p>Configuring your controllers and actions to restrict access to logged-on users is very similar to how it worked before, with the added benefit of being able to configure security policies that define a collection of security claims that a user has been granted.\u00a0 Claims can even be checked in the server-side code of Razor views to determine which segments of content to deliver to web visitors. In the individual user account model, all database access goes through Entity Framework models by default.\u00a0 You can change the connections and structure of the repository used by Entity Framework to meet your needs, and Entity Framework will generate or connect to your repository appropriately.<\/p>\n<p>If you are using Yeoman generators to start an application, they will allow you to choose templates that create an application either with security enabled, similar to Individual User Accounts, or without authentication.\u00a0 The secured code generated by Yeoman will use the Entity Framework SQLite provider in order to deliver a cross-platform compatible experience. 
The following NuGet packages deliver the features necessary to enable individual user account access:<\/p>\n<ul>\n<li>Microsoft.AspNetCore.Authentication.Cookies<\/li>\n<li>Microsoft.AspNetCore.Authentication.Facebook<\/li>\n<li>Microsoft.AspNetCore.Authentication.Google<\/li>\n<li>Microsoft.AspNetCore.Authentication.MicrosoftAccount<\/li>\n<li>Microsoft.AspNetCore.Authentication.Twitter<\/li>\n<li>Microsoft.AspNetCore.Identity.EntityFramework<\/li>\n<\/ul>\n<p>The packages for Facebook, Google, MicrosoftAccount, and Twitter are only needed if you are going to enable OAuth authentication from those sources. Configure the Entity Framework storage with these two segments in Startup.cs &#8211; ConfigureServices method:<\/p>\n<p>The default user model is stored in \/Models\/ApplicationUser.cs.\u00a0 You can add properties to this class to store them with the user identified in your application.\u00a0 In the default project template, the username will be the same as the user&#8217;s email address.\u00a0 If you add properties to your user model, you will also want to expand the RegisterViewModel appropriately to receive any extra fields that you want your users to submit at registration time.<\/p>\n<p>Default account management and authentication views are stored in the \/Views\/Account folder. The Controllers\/AccountController contains the actions to manage the user.\u00a0 The AccountController receives and provides a UserManager to manage the data about a user, and the SignInManager is used to handle verification of a user&#8217;s credentials. 
The _LoginPartial.cshtml demonstrates how to inspect the user object and determine if the user is authenticated and how to fetch the username.<\/p>\n<p>If you want to allow authentication from a third party provider like Facebook, there are <a href=\"https:\/\/azure.microsoft.com\/en-us\/documentation\/articles\/mobile-services-how-to-register-facebook-authentication\/\" target=\"_blank\" rel=\"noopener\">guides on MSDN<\/a> that will instruct you how to establish an account with that provider and capture your app keys to access that service.\u00a0 These keys should be stored using the Secret Manager and retrieved from configuration.<\/p>\n<p>More documentation can be found at <a href=\"http:\/\/docs.asp.net\" target=\"_blank\" rel=\"noopener\">docs.asp.net<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>With the coming changes in ASP.NET Core, our friend and intrepid reporter Seth Juarez sat down with ASP.NET Program Manager Pranav Rastogi to discuss the updates and improvements in the new ASP.NET Core authentication system: Here are some of the highlights of their discussion and some sample code to get you started: Pranav gave a [&hellip;]<\/p>\n","protected":false},"author":405,"featured_media":58792,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[197,7509],"tags":[123],"class_list":["post-6273","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-aspnet","category-aspnetcore","tag-security"],"acf":[],"blog_post_summary":"<p>With the coming changes in ASP.NET Core, our friend and intrepid reporter Seth Juarez sat down with ASP.NET Program Manager Pranav Rastogi to discuss the updates and improvements in the new ASP.NET Core authentication system: Here are some of the highlights of their discussion and some sample code to get you started: Pranav gave a 
[&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/6273","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/users\/405"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/comments?post=6273"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/posts\/6273\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media\/58792"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/media?parent=6273"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/categories?post=6273"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/dotnet\/wp-json\/wp\/v2\/tags?post=6273"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}