ASP.NET Core

Get a Basic Understanding of Authentication

A brief introduction to a complex subject


The main audience of this article are those who need a quick overview or recap of how authentication in an ASP.NET Core web application works.

I’ll briefly walk through the concepts of Authentication Scheme, (Claims)Principal, (Claims)Identity and Claims.

Scheme, Principal, Identity, and Claims collectively form the foundation for authentication

Claims Principal
This is the user. Plain and simple. The principal may have multiple identities. We’ll get to that.

Claims Identity
Any identification that the principal owns or has been issued. This may for example be a passport in real life.

In the digital world, a claims principal may have an identity on Google, Facebook, Microsoft, etc — these may also be called Identity Providers.

Claims
In abstract terms, a claim is a statement an entity makes about itself or another entity.

Practically, this means that when you get an identity from e.g. Google or Facebook, the identity also contains a list of claims. A claim may be one such as “name: John Doe” — in this case, “name” is a claim the identity provider has made about the principal. It’s your job to trust whether the value — “John Doe” — is true or not.

Authentication Scheme
Consider a scheme as a resource guard that you’ll need to authenticate users against.

You log users into schemes. When a user is logged into a specific scheme, they will have access to resources (e.g. endpoints) protected with that specific scheme.

It makes sense to use multiple Authentication Schemes if you want different areas of your application to have varying security levels. As an example, you may want to secure admin areas with a scheme that requires a user to authenticate with Two/Multi-Factor authentication.

Demonstrating how Schemes and the [Authorize] attribute are connected

Below you’ll see a list of registered authentication handlers and endpoints protected with different schemes. A protected endpoint will challenge the user against the scheme it’s guarded by.

[Screenshots in the original post: a code listing of the registered authentication handlers, and endpoints protected with different schemes]

Notice that I’m mixing styles of defining the scheme names. You’d want to use constants over raw strings. In the example above, I’m just using strings to show you that you can name schemes whatever you’d like.

IdentityConstants.ApplicationScheme evaluates to “Identity.Application”, and JwtBearerDefaults.AuthenticationScheme is simply “Bearer”.
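The following is an added example, not code from the original post, showing the whole chain described above: a ClaimsPrincipal carrying one ClaimsIdentity and its claims is signed into a scheme, several schemes are registered, and each endpoint challenges against the one it is guarded by. The scheme name "AdminCookie", the configuration keys under "Jwt:" and the claim values are assumptions made for the example.

```csharp
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

const string AdminScheme = "AdminCookie"; // scheme names as constants, not raw strings
var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) // default: "Cookies"
    .AddCookie()                                                           // regular users
    .AddCookie(AdminScheme, o => o.Cookie.Name = "admin")                  // separate admin cookie
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {   // "Bearer": API clients; key, issuer and audience come from config (assumed keys)
        IssuerSigningKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(builder.Configuration["Jwt:SigningKey"]!)),
        ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidAudience = builder.Configuration["Jwt:Audience"],
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Sign a principal with one identity and its claims into the default scheme
// (the claim values are constructed for the example).
app.MapPost("/login", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, "John Doe"), new Claim("role", "user") },
        CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                          new ClaimsPrincipal(identity));
    return Results.Ok();
});

// Each endpoint challenges against the scheme it is guarded by; a "Cookies"
// login does not satisfy the AdminScheme or Bearer guards.
app.MapGet("/profile", (ClaimsPrincipal user) => user.Identity?.Name)
   .RequireAuthorization();                       // default scheme
app.MapGet("/admin", () => "admin area")
   .RequireAuthorization(new AuthorizeAttribute { AuthenticationSchemes = AdminScheme });
app.MapGet("/api/data", () => new { ok = true })
   .RequireAuthorization(new AuthorizeAttribute
       { AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme });
app.Run();
```

The same `AuthenticationSchemes` value can be set on an `[Authorize]` attribute applied to a controller or action instead of `RequireAuthorization`.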


Nicklas Millard works at one of the Big4 Consulting companies in Denmark as a Senior Technology Consultant. He’s primarily taking the role as lead developer and solution architect on client projects.

He’s been developing software for commercial clients and government institutions such as the Ministry of Defence, Ministry of Education, Ministry of Environment and Food of Denmark, The National Police, Danish Agency for Labour Market and Recruitment, and Ørsted.
