First Look: Authentication in ASP.NET Core

With the coming changes in ASP.NET Core, our friend and intrepid reporter Seth Juarez sat down with ASP.NET Program Manager Pranav Rastogi to discuss the updates and improvements in the new ASP.NET Core authentication system:

Here are some of the highlights of their discussion and some sample code to get you started:

Pranav gave a quick definition of authentication compared to authorization:  Authentication validates who the user is and authorization validates access to the actions a user wants to perform.

The authentication scenarios in ASP.NET are still the same as in previous versions: OAuth can be enabled with providers available for Facebook, Twitter, Microsoft Account, and Google.  You can still manage a database of your own users with their own passwords on your application.  Additionally, two-factor authentication is easy to add to your application with code samples commented out of the initial ASP.NET Core project templates.

The four authentication options by default in a new web application are:

  • No authentication
  • Individual User Accounts – a security database will be created and you can configure individuals to access your application with a userid and password, an OAuth provider, or two-factor authentication, or any combination of these items.
  • Work and School Accounts – Using Azure Active Directory
  • Windows Authentication

Configuration of your controllers and actions to restrict access to logged on users are very similar to how they behaved before, with the added benefit of being able to configure security policies that define a collection of security claims that a user has been granted.  Claims can even be checked in the server-side code of razor views to determine segments of content to deliver to web visitors.

In the individual user account model, all access of the database goes through Entity Framework models by default.  You can change the connections and structure of the repository used by Entity Framework to meet your needs, and entity framework will generate or connect to your repository appropriately.

If you are using Yeoman generators to start an application, they will allow you to choose templates that will either create an application with security enabled similar to Individual User Accounts OR without authentication.  The secured code generated by Yeoman will use the Entity Framework SQLite provider in order to deliver a cross-platform compatible experience.

The following NuGet packages deliver the features necessary to enable individual user account access:

  • Microsoft.AspNetCore.Authentication.Cookies
  • Microsoft.AspNetCore.Authentication.Facebook
  • Microsoft.AspNetCore.Authentication.Google
  • Microsoft.AspNetCore.Authentication.MicrosoftAccount
  • Microsoft.AspNetCore.Authentication.Twitter
  • Microsoft.AspNetCore.Identity.EntityFramework

The packages for Facebook, Google, MicrosoftAccount, and Twitter are only needed if you are going to enable OAuth authentication from those sources.

Configure the entity framework storage with these two segments in Startup.cs – ConfigureServices method:

The default user model is stored in /Models/ApplicationUser.cs  You can add properties to this class to store those properties with the user identified in your application.  In the default project template, the username will be the same as the user’s email address.  If you add properties to your user model, you will also want to expand the RegisterViewModel appropriately to receive any extra fields that you want your users to submit at registration time.

Default account management and authentication views are stored in the /Views/Account The Controllers/AccountController contains the actions to manage the user.  The AccountController receives and provides a UserManager to manage the data about a user and the SignInManager is used to handle verification of a user’s credentials.

The _LoginPartial.cshtml demonstrates how to inspect the user object and determine if the user is authenticated and how to fetch the username

If you want to allow authentication from a third party provider like Facebook, there are guides on MSDN that will instruct you how to establish an account with that provider and capture your app keys to access that service.  These keys should be retrieved from configuration and stored for configuration using the secret manager.

More documentation can be found at