Skip to main content

🔐 Authentication & Authorization in .NET — Various Approaches


1️⃣ Authentication Methods

1. Cookie-based Authentication (Forms Auth)

  • How it works: User logs in → server sets an encrypted authentication cookie → browser sends cookie on each request.
  • Where used: Traditional web apps (MVC, Razor Pages).
  • Built-in support: services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) + app.UseAuthentication().
  • Pros: Works well for server-rendered apps.
  • Cons: Not great for APIs; needs CSRF protection.

2. JWT Bearer Authentication

  • How it works: User logs in → server issues JWT token → client sends Authorization: Bearer <token> on each request.
  • Where used: Web APIs, mobile apps, SPAs.
  • Built-in support: AddJwtBearer().
  • Pros: Stateless, cross-platform.
  • Cons: Revocation is tricky; must handle refresh tokens.

3. ASP.NET Core Identity

  • How it works: Full-fledged membership system for handling users, passwords, roles, claims, 2FA, etc.
  • Where used: Web apps, APIs requiring user management.
  • Pros: Provides login, registration, password hashing, security stamp, token providers.
  • Cons: Can be heavy if you need only simple auth.

4. OAuth2 / OpenID Connect (OIDC)

  • How it works: Delegates authentication to external providers (Google, Microsoft, Facebook, GitHub, Azure AD, etc.).
  • Where used: Enterprise apps, apps needing social logins.
  • Libraries: AddAuthentication().AddOpenIdConnect().
  • Pros: Offloads auth to trusted providers. Supports single sign-on (SSO).
  • Cons: More setup; requires secure token validation.

5. API Key Authentication

  • How it works: Client sends a static API key in header or query string. Server validates key.
  • Where used: Service-to-service communication, internal APIs.
  • Pros: Simple, easy for machines.
  • Cons: No user identity, just client identity; must protect keys.

6. Certificate Authentication (Mutual TLS)

  • How it works: Client presents X.509 certificate; server validates against trusted CA.
  • Where used: High-security service-to-service APIs.
  • Pros: Very strong; no password/token exchange.
  • Cons: Certificate management complexity.

7. Windows Authentication / Integrated Security

  • How it works: Uses Active Directory credentials; relies on Windows domain.
  • Where used: Intranet apps in corporate environments.
  • Pros: Seamless for internal users.
  • Cons: Limited to Windows/AD environment.

8. External Identity Providers (Social logins)

  • Examples: Google, Microsoft, Facebook, GitHub.
  • Setup: services.AddAuthentication().AddGoogle()/AddFacebook()/AddMicrosoftAccount().
  • When to use: Consumer-facing apps requiring social login.

2️⃣ Authorization Approaches

1. Role-based Authorization

  • How it works: Assign roles (Admin, User, Manager) to users.
  • Usage: 
    [Authorize(Roles = "Admin")]
public IActionResult AdminOnly() { ... }
  • Pros: Simple and common.
  • Cons: Coarse-grained; not flexible for complex permissions.

2. Claims-based Authorization

  • How it works: Users have claims (email, department, permission). Policies check these claims.
  • Usage: 
    services.AddAuthorization(options =>
{
    options.AddPolicy("HROnly", policy => policy.RequireClaim("department", "HR"));
});

[Authorize(Policy = "HROnly")]
public IActionResult HRPage() { ... }
  • Pros: Fine-grained, flexible.
  • Cons: More setup.

3. Policy-based Authorization

  • How it works: Define reusable authorization policies using requirements + handlers.
  • Usage: 
    services.AddAuthorization(options =>
{
    options.AddPolicy("Over18", policy => policy.Requirements.Add(new MinimumAgeRequirement(18)));
});
  • Pros: Encapsulates logic, testable.
  • Cons: Slightly more complex than roles/claims.

4. Resource-based Authorization

  • How it works: Authorization based on specific resource instance, not just role/claim.
  • Example: Only the owner of a document can edit it.
  • Usage: IAuthorizationService.AuthorizeAsync(user, resource, requirement).
  • Pros: Per-object permissions.
  • Cons: Requires custom code for each resource type.

5. Custom Authorization Handlers

  • How it works: Implement IAuthorizationHandler to enforce complex logic (e.g., check database values).
  • Usage: 
    public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        var dob = context.User.FindFirst(c => c.Type == ClaimTypes.DateOfBirth)?.Value;
        if (dob != null && DateTime.Parse(dob).AddYears(requirement.MinimumAge) <= DateTime.Today)
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
  • Pros: Ultimate flexibility.
  • Cons: More code to maintain.

3️⃣ Mix & Match Scenarios

  • API with JWT + Role-based auth → Most common for modern REST APIs.
  • Web app with Cookie + Claims-based auth → Good for intranet or server-rendered apps.
  • Enterprise app with OIDC (Azure AD) + Policy-based auth → Standard in corporate environments.
  • Microservices with API Keys or Certificates → Service-to-service communication.

✅ Summary Table

Authentication Method Use Case Built-in Support Common Authorization Style
Cookie Auth MVC / Razor Pages Roles, Claims
JWT Bearer APIs / SPAs / Mobile Roles, Claims, Policies
Identity Full user management Roles, Claims
OAuth2 / OIDC Social login / SSO Claims, Policies
API Key Service-to-service ⚠️ (custom middleware) N/A
Certificate High-security APIs Custom
Windows Auth Intranet (AD) Roles
External IdP Google, Facebook, etc. Claims

Best Practice Recommendation:

  • For APIs: Use JWT (short-lived access tokens + refresh tokens) with policy-based authorization.
  • For web apps: Use Cookie Auth + ASP.NET Identity.
  • For enterprise: Use OpenID Connect / Azure AD with claims/policies.
  • For services: Use API Keys or Mutual TLS.

Comments

Post a Comment

Popular posts from this blog

🏗️ Deep Dive: Understanding Every Concept in Microsoft Entra API Onboarding for .NET Developers

When working with Microsoft Entra (formerly Azure Active Directory), you’ll hear terms like App Registration, Tenant, Client ID, Audience, Scopes, Roles, Tokens, OBO flow , and more. If you’re new, it can feel overwhelming. This guide breaks down every key term and concept , with definitions, examples, and how they connect when you onboard and consume a new API. 🔹 1. Tenant Definition : A tenant in Entra ID is your organization’s dedicated, isolated instance of Microsoft Entra. Think of it like : Your company’s identity directory. Example : contoso.onmicrosoft.com is a tenant for Contoso Ltd. 🔹 2. App Registration Definition : The process of registering an application in Entra to give it an identity and permission to use Microsoft identity platform. Why needed : Without registration, Entra doesn’t know about your app. What it creates : Application (Client) ID – unique identifier for your app Directory (Tenant) ID – your organization’s ID Types of apps : Web ...
Post a Comment
Read more

🗑️ Garbage Collection & Resource Management in .NET (C#) — Beginner Friendly Guide

When you start working with .NET and C#, one of the biggest advantages is that you don’t need to manually manage memory like in C or C++. The Garbage Collector (GC) does most of the work for you. But here’s the catch — not everything is managed automatically. Some resources like files, database connections, sockets, and native memory still need special handling. This blog will help you understand: ✔ How the GC works ✔ What are managed vs unmanaged resources ✔ The difference between Dispose , Finalize , and using ✔ The Dispose pattern with examples ✔ Best practices every C# developer should know 1) How Garbage Collection Works in .NET Managed resources → Normal .NET objects (string, List, etc.). GC frees them automatically. Unmanaged resources → External resources like file handles, database connections, sockets, native memory. GC cannot clean them up — you must do it. 👉 GC uses a Generational Model for performance: Gen 0 : Short-lived objects (local variables, t...
Post a Comment
Read more

☁️ Azure Key vault Short Notes

🟢 What is Azure Key Vault? A cloud service for securely storing and accessing secrets, keys, and certificates . Removes the need to keep secrets (like connection strings, passwords, API keys) inside code or config files. Provides centralized secret management, encryption, and access control . 👉 Think of it like a secure password manager but for your applications. 🟢 Key Features Secrets → store text values (e.g., DB connection string, API key). Keys → store cryptographic keys (RSA, EC) for encryption, signing. Certificates → store/manage SSL/TLS certificates. Access Control → Access Policies (older model). Azure RBAC (modern, preferred). Integration → works with App Service, Functions, AKS, VMs, SQL DB, etc. Logging → audit who accessed secrets via Azure Monitor / Diagnostic Logs. 🟢 Why Use Key Vault? Security → secrets are encrypted with HSM (Hardware Security Modules). Compliance → meet industry standards (PCI-DSS, ISO, GDPR). Automation → aut...
Post a Comment
Read more