At the heart of security for all distributed applications are two closely related concepts: authorization and authentication. Authorization is the process that decides which resources a user may access. Authentication is the process of verifying the identity of a user by asking them to present some form of credentials; this article covers authentication in ASP.NET.
A noteworthy fact about authentication in ASP.NET is that even when an application allows anonymous users to browse and use its resources, every request still passes through the authentication process, which in that case establishes that the user is anonymous. Authorization follows. Hence, in ASP.NET, authentication always comes before authorization, in every scenario.
Authentication in ASP.NET is quite flexible. It can be implemented in our own code or delegated to a third-party service such as Microsoft Passport. The range of options is so wide that a developer can easily be unsure where to start.
Since ASP.NET is not a standalone product but a layer on top of Internet Information Services (IIS), there are two separate authentication layers. Every request flows through IIS before it reaches ASP.NET, so IIS can deny a request outright before ASP.NET ever sees it, without ASP.NET being informed.
The job of an authentication provider is to verify credentials and decide whether a particular request should be granted access. ASP.NET supplies the architecture within which these providers are implemented. There are primarily three types of provider:
- The forms authentication in ASP.NET
- The Windows authentication in ASP.NET
- The passport authentication in ASP.NET
How do we select an authentication provider in ASP.NET? Simply by naming the provider in the application's web.config file. The syntax is:
We can also supply our own custom authentication provider. To do so, we write the custom code ourselves and set the authentication mode to none:
Let us now discuss the types of authentication (providers) in ASP.NET in detail.
Types of Authentication in ASP.NET
The types of authentication in ASP.NET are:
1. Windows Authentication
Windows authentication in ASP.NET is primarily used when developers build web pages for a limited number of users who already have Windows accounts. The credentials of the users' Windows accounts are used to validate them, which makes this type of authentication particularly useful in an intranet environment.
With this provider, authentication is handled entirely by IIS, which takes the user's credentials from the domain login; if authentication fails, the user is prompted to re-enter their credentials.
Advantages of Windows authentication in ASP.NET:
- Users need not create a separate login and can use their existing Windows account to log in.
- Developers can manage user authentication with very little code rather than long stretches of it.
Disadvantages of Windows authentication in ASP.NET:
- Windows authentication is supported only on Microsoft operating systems.
- The Windows authentication process is very hard to control from the application.
2. Forms Authentication
In this type of authentication, the authentication and permission data are stored in cookies. For cookieless forms authentication in ASP.NET, the authentication data can be passed in the query string instead.
Whichever form of forms authentication we use, the end goal is to compare the data the user submits, on the server side, with the data held in the store we use: a database, a JSON file, or the web.config file.
The forms authentication flow is summarized as follows:
- When the user sends a request, forms authentication checks the session cookie; if it is valid, the request is processed.
- If the session cookie is missing or invalid, the user is redirected to the login form with an appropriate message.
- The user then enters their username and password to be verified.
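As an added example that is not part of the original article, this web.config fragment shows the provider selection described earlier (the `mode` attribute) together with a hardened forms ticket cookie and the authorization rule that produces the redirect to the login form in the flow above. The page names, timeout, and application structure are assumed values.

```xml
<?xml version="1.0"?>
<!-- Added example (not from the article). Page names and timeout are
     assumed values chosen for illustration. -->
<configuration>
  <system.web>
    <!-- mode selects the provider: Windows, Forms, Passport or None.
         None is used when the application supplies its own
         custom authentication code. -->
    <authentication mode="Forms">
      <forms
        name=".ASPXAUTH"
        loginUrl="~/Account/Login.aspx"
        defaultUrl="~/Default.aspx"
        timeout="30"
        slidingExpiration="true"
        protection="All"
        requireSSL="true"
        cookieless="UseCookies" />
      <!-- protection="All" encrypts and signs the ticket.
           requireSSL="true" keeps the ticket cookie off plain HTTP.
           cookieless="UseUri" (the query-string mode mentioned above)
           would place the ticket in the URL, where it ends up in
           server logs and Referer headers; UseCookies avoids that. -->
    </authentication>

    <!-- Authentication always runs first; this authorization rule then
         denies anonymous users ("?"), which is what sends an
         unauthenticated request to loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Marks cookies HttpOnly so page script cannot read the ticket,
         and requires HTTPS for all cookies the application sets. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
</configuration>
```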
3. Passport Authentication
This type of authentication in ASP.NET is provided as a service by Microsoft. It is a single sign-in service in which Microsoft manages user authentication through the Passport service, and encrypted cookies are used to manage the application's user authentication.
How Passport authentication in ASP.NET works:
- When switching between sites, users need not retype their credentials to sign in.
- Silent and seamless authentication is achieved by using encrypted cookies held on the .NET Passport servers.
- In some cases, first-time visitors to the site will need to type their credentials to sign in and be authenticated.
- If the user is already logged in, the rest is handled automatically; otherwise, they are taken to the Passport servers' login page to log in.
- The website returns a token if the login is successful.
4. Custom Authentication
The custom authentication in ASP.NET includes:
- SAML: Security Assertion Markup Language (SAML) is used to enable single sign-on for multi-domain web applications and uses an XML framework to carry out user authentication. SAML was developed by the Security Services Technical Committee of the Organization for the Advancement of Structured Information Standards (OASIS) and has three components: bindings, assertions, and protocols.
- Multipass: This is a single sign-on mechanism used to authenticate a user into multiple sites. The authentication details are shared among the sites we want to access, without creating a separate account for each site. It uses JSON key/value pairs to carry the authentication details.
- JWT (JSON Web Token): In this type of authentication, the user's authentication details are stored in the JWT Claim Set as name/value pairs: the names are strings and the values are arbitrary JSON values. The JWT carries these claims.
We define the JWT claims with the provider and can store any kind of user information in them, such as email address, date of birth, and name.
Authentication in ASP.NET gives an application both security and flexibility. It is widely used and has been adopted by developers and companies to build robust applications that protect users' data. There are three default and three custom types of authentication in ASP.NET, roughly categorized as Windows, forms, Passport, SAML, JWT, and Multipass.
To master authentication in ASP.NET, all of its types and their applications, and to become well versed in full-stack development, one might consider learning in depth from various resources, study materials, and course books.
If you are interested in understanding authentication in ASP.NET and all its features in order to become a full-stack web and desktop application developer, Simplilearn offers a full-stack web development certification course covering both backend and frontend tools, including SpringBoot and AngularMVC. If you are not ready to enroll in the full certification course yet, Simplilearn also offers free online skill-up courses in software development to help you master full-stack web development.