9 Authentication and authorization


This chapter covers

  • Understanding authentication and authorization
  • Getting an overview of ASP.NET Core Identity
  • Implementing authentication via user accounts and JSON Web Tokens
  • Enabling authorization with AuthorizeAttribute and IAuthorizationFilter
  • Understanding the role-based access control (RBAC) authorization strategy

The ASP.NET Core web API that we’ve built throughout the previous chapters has taken solid shape. Before we publish it, however, we must close a major security gap that we intentionally left open. If we take a closer look at our BoardGamesController, DomainsController, and MechanicsController, we can see that they all expose Post and Delete methods that anyone who can reach the API could call to alter or destroy our valuable data. We don’t want that, do we?

For that reason, before even thinking about deploying our web API over the internet and making it publicly accessible, we need a way to restrict the use of those methods to a limited set of authorized users: callers who have proven who they are (authentication) and who have been granted the right to perform that operation (authorization). In this chapter, we’ll learn how to do that by using ASP.NET Core Identity, a built-in API that can be used to manage users, roles, claims, tokens, policies, authorization-related behaviors, and other features.
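To make the goal concrete before the step-by-step sections, here is an added example (not one of the book’s own listings) of what the end state looks like: Identity registered against the ApplicationDbContext, JWT bearer authentication configured, and the Post and Delete actions of BoardGamesController restricted by role while Get stays anonymous. The user entity name ApiUser, the role names Moderator and Administrator, the BoardGameDTO record, and the JWT:Issuer, JWT:Audience and JWT:SigningKey configuration keys are assumptions made for this example; the chapter defines its own names in the sections that follow.

```csharp
// Added example for .NET 6+ with top-level statements; not the book's code.
// Assumed names: ApiUser, BoardGameDTO, the Moderator/Administrator roles,
// and the JWT:* configuration keys.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddControllers();
builder.Services.AddDbContext<ApplicationDbContext>(options =>
    options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));

// ASP.NET Core Identity: user store, password hashing, lockout, roles.
builder.Services.AddIdentity<ApiUser, IdentityRole>(options =>
{
    options.Password.RequiredLength = 12;
    options.Password.RequireNonAlphanumeric = true;
    options.Lockout.MaxFailedAccessAttempts = 5;
})
.AddEntityFrameworkStores<ApplicationDbContext>();

// Bearer-token authentication. AddIdentity() makes the Identity cookie the
// default scheme, so for a token-based API the defaults are set explicitly
// to JWT bearer, otherwise unauthenticated calls get a redirect, not a 401.
builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = builder.Configuration["JWT:Issuer"],
        ValidateAudience = true,
        ValidAudience = builder.Configuration["JWT:Audience"],
        ValidateLifetime = true,            // reject expired tokens
        ValidateIssuerSigningKey = true,    // reject tokens we did not sign
        IssuerSigningKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(builder.Configuration["JWT:SigningKey"]!)),
        ClockSkew = TimeSpan.FromSeconds(30) // default is 5 minutes; tighten it
    };
});

builder.Services.AddAuthorization();

var app = builder.Build();

// Order matters: the request's identity must be established before
// the authorization middleware evaluates [Authorize] requirements.
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Identity user entity (assumed name) backed by the existing DbContext.
public class ApiUser : IdentityUser { }

public class ApplicationDbContext : IdentityDbContext<ApiUser>
{
    public ApplicationDbContext(DbContextOptions<ApplicationDbContext> options)
        : base(options) { }
}

public record BoardGameDTO(int Id, string Name);

[Route("[controller]")]
[ApiController]
public class BoardGamesController : ControllerBase
{
    // Read access stays open to anyone.
    [HttpGet]
    public IActionResult Get() => Ok(Array.Empty<BoardGameDTO>());

    // Writes require a valid token whose role claim is Moderator or Administrator.
    [HttpPost]
    [Authorize(Roles = "Moderator,Administrator")]
    public IActionResult Post(BoardGameDTO model) => Ok(model);

    // Deletion is the most destructive operation, so it is limited further.
    [HttpDelete("{id:int}")]
    [Authorize(Roles = "Administrator")]
    public IActionResult Delete(int id) => NoContent();
}
```

With this in place, an anonymous `DELETE /BoardGames/1` gets a 401 from the bearer handler, a Moderator token gets a 403 from the authorization middleware, and only an Administrator token reaches the action. The signing key must come from configuration or a secret store, never from source, and a symmetric key means every service that validates tokens can also mint them; the following sections build up each piece of this setup in turn.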

9.1 Basic concepts

Before I delve into the code, it’s appropriate to provide a general overview of the concepts of authentication and authorization. Although the two terms are often used in the same context, they have distinct, precise meanings.

9.1.1 Authentication

9.1.2 Authorization

9.2 ASP.NET Core Identity

9.2.1 Installing the NuGet packages

9.2.2 Creating the user entity

9.2.3 Updating the ApplicationDbContext

9.2.4 Adding and applying a new migration

9.2.5 Setting up the services and middleware

9.2.6 Implementing the AccountController

9.3 Authorization settings

9.3.1 Adding the authorization HTTP header