ASP.NET Core 2.0 Identity

Problem

How to use ASP.NET Core Identity to authenticate users and manage their accounts.

Solution

In a previous post I showed how to use cookie authentication middleware to protect your web application. ASP.NET Core also provides a richer set of services, called Identity, to work with user authentication and management scenarios. For instance, in addition to authentication and password hashing, it provides features for registering new users, creating forgot & reset password tokens and their validation, two-factor authentication and authentication using external providers.

In this post I will discuss the following:

  • Setting up Identity to provide authentication, including setting up database to store user details.
  • Registering new user accounts, including how to confirm user email address before allowing them access to the application.
  • Forgot and reset password feature.

Setup Identity

Create classes to represent role, user and database context by inheriting from framework classes IdentityRole, IdentityUser and IdentityDbContext:

Note: the advantage of inheriting from framework classes is that you can add your own custom properties (e.g. Age in my case) to user entity. Also by inheriting database context you could modify the database schema, if required.

Configure services for Identity in Startup class, including configuration of cookie middleware:

Note: setting up cookie authentication middleware was discussed in a previous post, where cookie middleware was used directly rather than via Identity services.

Add appsettings.json file with a DB_CONN setting, which will point to the connection string of database where you want to store tables used by Identity. Learn more about configuration here.

Create a controller for Login/Logout actions:

Here we are using the built-in SignInManager class to authenticate the user and also to sign them out. Framework is taking care of going to the database and validating password hashes.

We’re ready to run EF database migrations to create identity database. To utilise EF migrations, add NuGet package to ASP.NET Core Web Application project: Microsoft.EntityFrameworkCore.Design

Add CLI tools by editing .csproj file:

Now run following commands:

Note: you could learn more about EF and migrations here and here.

You could see the tables in your database now:

We’re done setting up Identity but we can’t login yet, we have no users. Let’s add registration of new users next.

Registering Users

Inject an instance of UserManager into the constructor, which is a built-in class that provides features to manage user accounts:

Create a class to act as view model for the registration view:

Next add action methods for registration:

Here we are first instantiating a new user and then using UserManager adding it to the database. If the database update is successful, we are creating a new token to send to user so that they can confirm their email address by clicking on the link. Finally we’re sending the email to the user. In the sample application I am not sending an actual email but rather just logging it to the console.

Next we’ll create the action method required to confirm the email:

Here we first try to find the user, if it exists we update the database indicating that the user has confirmed their email address.

Forgot and Reset Password

We’ve created functionality to register new users and authenticate them. Now what happens when a user forgets their password? This feature has two parts to it, first we send them an email with a link (containing token) and then once they click on the link we present them with a view to enter new password.

First we’ll implement a simple view with an email input box and action methods:

Highlighted lines are worth noting, we first find a user based on email and then generate a token to send via link. Also note that if the user isn’t found, we still give user a success message and do not disclose the fact that database does not contain the email.

Next we’ll add action methods that users will reach once they click the link:

Again highlighted lines are worth noting, when displaying the reset password view we send the token received by user to the view via a view model. When the user posts a new password we use UserManager to save the new password.

Note: I’ve not copied code for view here, they all have simple fields that map to respective view models. You could explore these in the source code.

Summary

With relatively simple and few lines of code we’ve added registration, login, logout, forgot and reset password features to our application. We’re not dealing with password hashes, validating tokens, finding users etc. ASP.NET Core Identity takes care of all this for us. Most of the code in the sample is for views and models but the two classes of interest are UserManager and SigninManager and are doing all the heavy lifting for us. There are even more features provided by identity, for instance, two-factor authentication and authenticating via external identity providers. I’ll demonstrate these in future posts, stay tuned.

Source Code

GitHub: https://github.com/TahirNaushad/Fiver.Security.AspIdentity

One comment

Leave a Reply