ASP.Net Identity 2.0

Fulfilling the variety of business needs and the technical and security requirements of different domains such as banking and insurance can be a daunting task. In addition, social networking applications have millions of users, and it is widely known that any service accessible to the public on the Internet is constantly probed for vulnerabilities. Therefore, it is recommended to build robust security into all of your Web applications and services.

Building a secure Web application is always a challenging task. Although Microsoft introduced a powerful provider-based architecture and a customizable membership provider back in ASP.NET 2.0, developers have been looking for something ‘simpler’. In addition, modern websites have become more social and now use social identities for authentication and authorization. Clearly, a fresh look at the membership system was needed to cope with these changes and the growing demand.

ASP.NET Identity is the new membership system for building ASP.NET web applications, phone, and store applications. ASP.NET Identity can be used with all ASP.NET frameworks, such as ASP.NET Web Forms, MVC, Web Pages, Web API etc. ASP.NET Identity has been developed with some major security features like Two-Factor Authentication, Account Lockout, and Account Confirmation.

Two-Factor Authentication provides an extra security layer for a user account of an application (web site). It protects the account in case the user's password gets compromised. The feature works by sending a security code by SMS to the user's phone or, if the user does not have access to his/her phone, by a verification email.

Account Lockout is another important feature provided by ASP.NET Identity 2.0.0. It locks out the user's account if the user enters a wrong password a specific number of times. This is configured by setting the maximum number of failed attempts and the lockout time. In addition, ASP.NET Identity supports multiple storage mechanisms like Relational Databases, SharePoint, Azure, NoSQL etc. It is unit testable, supports social login providers like Facebook, Twitter, and Google, and even supports claims-based authentication. It is fully compliant with OWIN and can be downloaded from the NuGet Package Manager.

Here are the packages we need to download for ASP.NET Identity 2.0.0:

Microsoft.AspNet.Identity.EntityFramework Version 2.0.0 – Contains EF implementations for identity types. These types are used to manage information for identity users, roles, claims, logins etc.

Microsoft.AspNet.Identity.Core Version 2.0.0 – Contains classes and interfaces for managing users and roles in ASP.NET Identity. It contains classes for User validation, User login information etc.

Microsoft.AspNet.Identity.OWIN Version 2.0.0 – Contains classes used to manage identities associated with OWIN.

Implementing ASP.NET Identity In MVC Application

There is a sample NuGet package that makes it easier to install samples for ASP.NET Identity. It is a sample ASP.NET MVC application, and its code needs to be modified to suit our application before we deploy it in an actual application. The samples need to be installed in an empty ASP.NET application.

Following are the features in this samples package:

    • Initialize ASP.NET Identity to create an Admin user and Admin role
      • Since ASP.NET Identity is Entity Framework based in this sample, you can use the existing methods of initializing the database as you would have done in EF.
    • Configure user and password validation.
    • Register a user and login using username and password
    • Login using a social account such as Facebook, Twitter, Google, Microsoft account etc.
    • Basic User management – Create, Update, List and Delete Users. Assign a Role to a new user.
    • Basic Role management – Create, Update, List and Delete Roles.
    • Account Confirmation by confirming email.
    • Password Reset
    • Two-Factor authentication
    • Account Lockout
    • Security Stamp (Sign out everywhere)
    • Configure the Db context, UserManager and RoleManager using IdentityFactory Middleware/PerOwinContext.
    • The AccountController has been split into Account and Manage controller. This was done to simplify the account management code.

Entity Framework 6.1.0 – ASP.NET Identity 2.0.0 uses Entity Framework 6.1.0 for database operations

Following are the steps to implement ASP.NET Identity 2.0 in an MVC application:
  1. Open Visual Studio 2013 and create a new MVC application targeting .NET 4.5. Name it MVC_Identity. Once the project is created, you will find the references for ASP.NET Identity 2.0.0 (assuming you installed the NuGet package shown in Step 2).
  2. To get the basic infrastructure code ready for Identity 2.0.0, we need to install the ASP.NET Identity sample.
  3. After installing the sample, the project will have some additional Controller classes. Based on the Controller classes, new Views will be generated in the Views folder.
  4. Open the IdentityConfig.cs class file in the App_Start folder. This class file contains the following classes:
    • ApplicationUserManager
    • ApplicationRoleManager
    • EmailService
    • SmsService
    • ApplicationDbInitializer
    • SignInHelper

ApplicationUserManager: – ApplicationUserManager itself only provides a handful of very important functions – adding new users, adding users to roles, and removing users from roles. However, ApplicationUserManager is derived from the UserManager<ApplicationUser> class, so all the functionality provided by UserManager is also available to ApplicationUserManager. Other than that, there is a static Create() method defined which returns an instance of ApplicationUserManager itself. It is in this method that most of your user configuration settings and defaults are set up.
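The settings described above (password validation, account lockout, two-factor providers) all live in that Create() method. The following is an added example, not code from the original article or the samples package verbatim: ApplicationUser, ApplicationDbContext, EmailService and SmsService are assumed to be the classes the samples package generates, and the numeric values are illustrative.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

// Assumes the sample's ApplicationUser, ApplicationDbContext, EmailService, SmsService.
public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    public static ApplicationUserManager Create(
        IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(
            new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));

        // User and password validation rules (illustrative values).
        manager.UserValidator = new UserValidator<ApplicationUser>(manager) { RequireUniqueEmail = true };
        manager.PasswordValidator = new PasswordValidator
        {
            RequiredLength = 12,
            RequireDigit = true,
            RequireLowercase = true,
            RequireUppercase = true,
            RequireNonLetterOrDigit = true
        };

        // Account lockout: 5 failed attempts lock the account for 5 minutes.
        manager.UserLockoutEnabledByDefault = true;
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);

        // Two-factor providers: codes are delivered through SmsService / EmailService.
        manager.RegisterTwoFactorProvider("PhoneCode",
            new PhoneNumberTokenProvider<ApplicationUser> { MessageFormat = "Your security code is: {0}" });
        manager.RegisterTwoFactorProvider("EmailCode",
            new EmailTokenProvider<ApplicationUser> { Subject = "Security code", BodyFormat = "Your security code is: {0}" });
        manager.EmailService = new EmailService();
        manager.SmsService = new SmsService();

        // Protected tokens for email confirmation and password reset links.
        var protector = options.DataProtectionProvider;
        if (protector != null)
            manager.UserTokenProvider =
                new DataProtectorTokenProvider<ApplicationUser>(protector.Create("ASP.NET Identity"));
        return manager;
    }
}
```

The lockout settings only take effect when failed password attempts are actually counted, so check that the login action passes shouldLockout: true to the sign-in helper.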

ApplicationRoleManager: – ApplicationRoleManager is derived from RoleManager<IdentityRole> and thus brings with it all of the functionality offered by that class as well. Once again, we see a static Create() method returning an instance of the class itself.

Email Service & SMS Service: – The IdentityConfig.cs file also contains two service classes, EmailService and SmsService. Out of the box, these two classes are basically empty wrappers, providing an abstraction within which you can implement the Email and/or SMS services required for two-factor authentication and account validation.
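One way to fill in the empty EmailService wrapper, shown as an added example that is not part of the original article or the samples package. It sends over SMTP with TLS; the appSettings key names (Smtp:Host, Smtp:Port, Smtp:User, Smtp:Password, Smtp:From) are hypothetical and must match whatever your own configuration defines.

```csharp
using System;
using System.Configuration;
using System.Net;
using System.Net.Mail;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

public class EmailService : IIdentityMessageService
{
    // Called by UserManager for confirmation mails, password resets and
    // two-factor codes; message.Destination is the user's email address.
    public async Task SendAsync(IdentityMessage message)
    {
        // Hypothetical appSettings keys; keep the password out of source control.
        var settings = ConfigurationManager.AppSettings;
        string host = settings["Smtp:Host"];
        string from = settings["Smtp:From"];
        string user = settings["Smtp:User"];
        string password = settings["Smtp:Password"];
        int port;

        // Fail loudly on incomplete configuration instead of silently dropping
        // security-relevant mail such as two-factor codes.
        if (string.IsNullOrEmpty(host) || string.IsNullOrEmpty(from) ||
            !int.TryParse(settings["Smtp:Port"], out port))
        {
            throw new InvalidOperationException("SMTP settings are missing or invalid.");
        }

        using (var mail = new MailMessage(from, message.Destination))
        using (var client = new SmtpClient(host, port))
        {
            mail.Subject = message.Subject;
            mail.Body = message.Body;
            mail.IsBodyHtml = true;      // confirmation mails usually carry a link

            client.EnableSsl = true;     // never send codes or reset links in clear text
            client.Credentials = new NetworkCredential(user, password);
            await client.SendMailAsync(mail);
        }
    }
}
```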

Conclusion

As you might have observed, the new features provided in ASP.NET Identity 2.0.0 offer an enhanced mechanism to manage the security of precious credential information in our data stores. Instead of customizing a provider from scratch, a developer can now rely on the extensible API set provided with the new identity features for security.