Customizing Claims for Authorization in ASP.NET Core 2.0

There have been some major changes to ASP.NET Identity with the release of Core 2.0, which you can read about here.  One of the major changes is that it does not rely on using middleware anymore to customize it.  Instead dependency injection is used by configuring via services in the ConfigureServices method of StartUp.cs.   There is not much documentation or examples on how to do this so I am going to explore how to customize ASP.NET Identity and publish some examples in this blog.  First I wanted to look at how you would add custom claims to the identity and then use those claims for authorization.

To begin create a new ASP.NET Core Web Application project in Visual Studio 2017.  Be sure to select .NET Core and ASP.NET Core 2.0 in the two drop downs at the top.  Select the template for Web Application (Model-View-Controller) and Change the Authentication to Individual User Accounts.  When the project is created you are ready to add some code.

For this example we are simply restricti…

CodePlex is Dead. Long Live GitHub

I was very sad to hear about the demise of CodePlex.  I had a couple of open source projects on their site and I loved the tools provided to manage a project, especially the tight integration with Visual Studio.  But alas all good things must come to an end.  Always looking for a positive aspect to all situations, I decided that on the plus side this will force me to learn how to use Git for version control.

I have heard for some time all of the buzz around using Git but was quite content with using Team Foundation Version Control (TFVC).  But even Microsoft is embracing Git and has offered it as an option in Visual Studio for some time now and seems to get all of the new functionality when it come to version control.  Each takes a very different approach to version control, with Git being a distributed solution whereas TFVC is a centralized solution.  Microsoft has a good discussion comparing the two and when to use each in this article, Choosing the right version control for your pr…

Recent Updates to SimpleSecurity

The latest bits for SimpleSecurity have been updated to include the Manage controller, which allows users to change their password and their external logons.  This was a major request by readers of this blog.  It will also be the place where users will configure two-factor authentication.  This will be the next feature added to SimpleSecurity and it will support email, SMS, and phone.

So watch these pages for a post on how to add two-factor authentication with ASP.NET Identity that supports email, SMS, and phone.  With all of the cyber security attacks these days you should seriously consider adding two-factor authentication to your web site.

Using External Logins with ASP.NET Identity

A feature request for SimpleSecurity has been the ability to support external logins.  This has been completed and by default it supports login with a Google account.  Google login is enabled because it does not require setup of any accounts on the provider side.  In order to enable other social logins, like Facebook, follow this tutorial for ASP.NET Identity, which will work the same way in SimpleSecurity.

As part of this process I have also upgraded SimpleSecurity to ASP.NET Identity 2.0.  This version of ASP.NET Identity has added missing features that SimpleSecurity already provided, such as email confirmation and password reset.  It has also added some other beneficial features that you can read about here.  Watch for future posts in this blog that will compare how the ASP.NET Identity team implemented email confirmation compared to SimpleSecurity, and I explore some of the other new features.

For those that have not been following the evolution of SimpleSecurity it originally wa…

Performing Authorization In Class Libraries Without Coupling Security in ASP.NET Identity

Most of the time it makes sense to perform authorization at the Controller or Web API level in an ASP.NET MVC application using an AuthorizeAttribute on the controller or action.  This handles at least 95% of the scenarios but occasionally it makes sense to handle authorization down in a class library or it needs to be handled in code for more complex situations. An example might be an application that allows users to create folders and files that have individual permissions.  In this scenario the resource being acted upon must be determined at run-time and therefore we cannot use a static AuthorizeAttribute.

So how do we determine permissions on a dynamic resource without coupling security with our application domain. This is a good time to use a custom ClaimsAuthorizationManager.   A ClaimsAuthorizationManager will allow a class library to loosely couple authorization in our application domain and configure it at deployment.  Here is an example on using the ClaimsAuthorizationManage…

Migrating an Existing Website from SimpleMembership to ASP.NET Identity (Update)

In a previous post I describe how to move the data from a SimpleMembership database to an ASP.NET Identity database.  After some more research I found that the ASP.NET Identity Team has put together a sample solution for migrating from SimpleMembership to ASP.NET Identity that includes some SQL scripts to assist with the migration.  Be sure to check out this solution on CodePlex if you are migrating your SimpleMembership website.

I also realized in my previous post that I did not mention the benefit of using SimpleSecurity in your migration.  SimpleSecurity contains an implementation of ASP.NET Identity that has an API that is a super-set of the WebSecurity class used in SimpleMembership.  This will allow you to plug in ASP.NET Identity into your existing code base with little to no changes. In addition it provides features such as email confirmation during registration and password reset that are not available in the initial release of ASP.NET Identity.

Happy Migrations.

Migrating an Existing Website from SimpleMembership to ASP.NET Identity

ASP.NET Identity is replacing SimpleMembership as the security/membership framework to use when creating ASP.NET applications.  If you are moving to MVC 5 and Visual Studio 2013 the ASP.NET templates generate code that uses ASP.NET Identity.  ASP.NET Identity is much more extensible than SimpleMembership is and it uses the new OWIN architecture available in MVC 5.  I think that ASP.NET Identity is an improvement over SimpleMembership and the old membership provider model that historically was used with ASP.NET applications.  The main problem I have with it is the lack of documentation that is currently available.  One article I was looking for in particular was how to migrate an existing website that uses SimpleMembership to ASP.NET Identity.  You can move to MVC 5 and keep using SimpleMembership as I wrote about here.  But what if you wanted to take advantage of benefits and features of ASP.NET Identity in a legacy website.  Microsoft wrote about Migrating an Existing Website from SQ…