Authentication Authorization
• There are 5 verbs (commands or behaviors) that the auth system invokes; they
are not necessarily called in order.
• They are independent actions that do not communicate among themselves;
used together they let a user sign in and reach pages that would otherwise
be denied.
Authenticate
• Gets the user’s information if any exists (e.g. decoding the user’s cookie,
if one exists)
Challenge
• Requests authentication by the user (e.g. showing a login page)
SignIn
• Persists the user’s information somewhere (e.g. writes a cookie)
SignOut
• Removes the user’s persisted information (e.g. deletes the cookie)
Forbid
• Denies access to a resource for unauthenticated users or authenticated
but unauthorized users (e.g. displaying a “not authorized” page)
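The five verbs as they appear in ASP.NET Core controller code, as an added example written for these notes (not code from the original slides). It assumes cookie authentication is registered as the default scheme with LoginPath /Account/Login and AccessDeniedPath /Account/AccessDenied, and uses a hypothetical SecretController with a placeholder ownership check; the POST side of Login (the SignIn verb) is the one shown later on this page.

```csharp
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // Challenge target: the cookie handler redirects unauthenticated users here
    // (LoginPath) with the originally requested path appended as ReturnUrl.
    [HttpGet]
    [AllowAnonymous]
    public IActionResult Login(string returnUrl = null)
    {
        TempData["returnUrl"] = returnUrl; // picked up by the POST Login action
        return View();
    }

    // Forbid target: the cookie handler redirects authenticated-but-unauthorized
    // users here (AccessDeniedPath) instead of looping them back to the login page.
    [HttpGet]
    [AllowAnonymous]
    public IActionResult AccessDenied() => View();

    // SignOut verb: remove the persisted principal (deletes the auth cookie).
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return RedirectToAction(nameof(Login));
    }

    // Authenticate verb called explicitly: decode the cookie (if any) without
    // forcing a challenge, so anonymous callers get 200 with IsAuthenticated=false.
    [HttpGet]
    [AllowAnonymous]
    public async Task<IActionResult> WhoAmI()
    {
        AuthenticateResult result = await HttpContext.AuthenticateAsync(
            CookieAuthenticationDefaults.AuthenticationScheme);
        if (!result.Succeeded)
            return Ok(new { IsAuthenticated = false });
        return Ok(new
        {
            IsAuthenticated = true,
            Name = result.Principal.FindFirst(ClaimTypes.Name)?.Value,
            IssuedUtc = result.Properties?.IssuedUtc
        });
    }
}

// Hypothetical protected controller showing both outcomes of the authorization filter.
public class SecretController : Controller
{
    // Not authenticated -> filter calls Challenge -> 302 to /Account/Login?ReturnUrl=/Secret
    [Authorize]
    public IActionResult Index() => Content("signed-in users only");

    // Authenticated but without the Admin role -> filter calls Forbid
    // -> 302 to /Account/AccessDenied?ReturnUrl=/Secret/Admin
    [Authorize(Roles = "Admin")]
    public IActionResult Admin() => Content("admins only");

    // Forbid verb invoked by hand after a resource-level check the attribute
    // cannot express; it has the same effect as the filter's own Forbid.
    [Authorize]
    public IActionResult Document(int id)
    {
        // Placeholder ownership check (assumption); a real app would consult the data store.
        bool isOwner = User.FindFirst(ClaimTypes.Name)?.Value == "alice";
        if (!isOwner) return Forbid();
        return Content($"document {id}");
    }
}
```

Note that Challenge and Forbid only produce redirects because the cookie handler is configured that way; an API-style handler (e.g. JWT bearer) answers the same verbs with bare 401 and 403 responses instead.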
Authentication Handlers
• If the action is decorated with [Authorize], the authorization filter checks
whether the user was authenticated (the Authenticate verb has already run in
the authentication middleware and populated HttpContext.User).
• If the user was not, the filter calls Challenge, which for cookie
authentication redirects to the login page (LoginPath); for an external
provider it redirects to that sign-in authority.
• Once the sign-in authority directs the user back to the app (with a return
URL), the filter checks whether the user is authorized to view the page.
• If the user is authorized, the page is displayed; otherwise the filter calls
Forbid, which for cookie authentication redirects to the 'not authorized'
page (AccessDeniedPath).
Startup Class
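The cookie-authentication registration a Startup class needs for the login action below, as an added example written for these notes (not the slides' own code). It assumes an MVC app with AccountController Login and AccessDenied actions; the cookie settings and the AdminOnly policy are illustrative choices.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();

        // Register the cookie handler as the default scheme, so the Authenticate,
        // Challenge, SignIn, SignOut and Forbid verbs all go to it unless a scheme
        // is named explicitly.
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";               // Challenge redirects here
                options.AccessDeniedPath = "/Account/AccessDenied"; // Forbid redirects here
                options.ExpireTimeSpan = TimeSpan.FromMinutes(30);
                options.SlidingExpiration = true;
                options.Cookie.HttpOnly = true;                          // not readable from script
                options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
                options.Cookie.SameSite = SameSiteMode.Lax;              // limits cross-site sending
            });

        services.AddAuthorization(options =>
        {
            // Named policy for [Authorize(Policy = "AdminOnly")]; plain role checks
            // via [Authorize(Roles = "Admin")] need no policy.
            options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
        });
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        if (!env.IsDevelopment())
            app.UseHsts();
        app.UseHttpsRedirection();
        app.UseStaticFiles();
        app.UseRouting();

        // Order matters: UseAuthentication runs the Authenticate verb on every request
        // and sets HttpContext.User; UseAuthorization then evaluates [Authorize].
        // Reversing them makes every [Authorize] endpoint challenge, because the
        // user is still anonymous when the filter runs.
        app.UseAuthentication();
        app.UseAuthorization();

        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```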
// Body of the POST Login action in the account controller (needs
// Microsoft.AspNetCore.Authentication, Microsoft.AspNetCore.Authentication.Cookies
// and System.Security.Claims). 'user' is the posted login model, 'lookupUser' the
// stored user fetched by user name (null if unknown). The same message is returned
// for an unknown name and a wrong password, which avoids user-name enumeration.
// Comparing raw passwords only works with a plaintext store; a real application
// compares against a salted hash (e.g. PasswordHasher<TUser>.VerifyHashedPassword).
if (lookupUser?.Password != user.Password) {
    return BadRequest(badUserNameOrPasswordMessage);
}
// SignIn verb: build the principal the cookie will carry and persist it.
var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationScheme);
identity.AddClaim(new Claim(ClaimTypes.Name, lookupUser.UserName));
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
    new ClaimsPrincipal(identity));
if (returnUrl == null) {
    returnUrl = TempData["returnUrl"]?.ToString();
}
// Only follow local return URLs: redirecting to an attacker-supplied absolute URL
// after a successful login is an open redirect.
if (returnUrl != null && Url.IsLocalUrl(returnUrl)) {
    return Redirect(returnUrl);
}