If you create an application that will host sensitive data, you need to make sure that you authenticate users before they gain access to it. To do so, you can use the authentication methods that ship with the .NET Framework as well as third-party providers.
- [Instructor] To create a new MVC application, go to File, New, Project. From the menu on the left, make sure that you select the Web section. Then, in the middle column, select ASP.NET Web Application (.NET Framework). In the window that you get, specify a project name and a solution name.
You can also change the location of the files, but it's important to select a .NET version greater than 4.5, because ASP.NET MVC 5 requires a greater version. Then click the OK button. When creating an MVC application, you see that you get different authentication options if you click the Change Authentication button. As the name already indicates, if you select the No Authentication option, no authentication-related code or UI will be generated.
You will basically have to create everything from scratch, on your own. The other option is Individual User Accounts. If you select this option, the sample application will be configured to use ASP.NET Identity for user authentication. ASP.NET Identity enables a user to register an account by creating a username and password on the site, or by signing in with social providers such as Facebook, Google, Microsoft account, or Twitter, which will be the focus of this chapter.
If you choose the third option, Work or School Accounts, the sample application will be configured to use the Windows Authentication IIS module for authentication. The application will display the domain and user ID of the Active Directory or local machine account that is logged into Windows, but won't include user registration or login UI. This option is intended for intranet websites. For an intranet site, as an alternative, you can choose Windows Authentication instead of this option.
With the Windows Authentication option, you don't have to provide a metadata document URL; however, Windows Authentication does not give you the ability to control application access in Active Directory or to query directory data. All the methods mentioned above require the user to create their own profile, but creating a different account for each application that we use online is time-consuming and sometimes even irritating. So why not use an account that we already have to log in to different apps? Nowadays, with social media on the rise, there are billions of users who already have accounts.
So this is what we are going to learn in this chapter. We will learn how to build an ASP.NET MVC 5 web application that enables users to log in using OAuth 2.0 with credentials from an external authentication provider such as Facebook, Twitter, LinkedIn, Microsoft, or Google. OAuth 2.0 is the industry-standard protocol for authorization. It focuses on providing specific authorization flows for web applications, desktop applications, et cetera.
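The OWIN authentication setup that such an MVC 5 application uses for external OAuth 2.0 sign-in, as an added example (not the course's own code). It assumes the types generated by the Individual User Accounts template (ApplicationDbContext, ApplicationUserManager, ApplicationSignInManager), the Microsoft.Owin.Security.Google and .Facebook NuGet packages, and placeholder Web.config appSettings key names for the provider credentials.

```csharp
// Startup.Auth.cs for an ASP.NET MVC 5 app: OWIN cookie auth plus external OAuth 2.0 sign-in.
// Added example, not the course's code. Assumes the types generated by the MVC 5
// "Individual User Accounts" template (ApplicationDbContext, ApplicationUserManager,
// ApplicationSignInManager) and placeholder Web.config appSettings keys for the secrets.
using System;
using System.Configuration;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Google;
using Owin;

namespace MyApp
{
    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            // One DbContext / UserManager / SignInManager per request, reachable through the OWIN context.
            app.CreatePerOwinContext(ApplicationDbContext.Create);
            app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
            app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
            // Application cookie: sent only over HTTPS, hidden from script, 30-minute sliding lifetime.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login"),
                CookieSecure = CookieSecureOption.Always,
                CookieHttpOnly = true,
                ExpireTimeSpan = TimeSpan.FromMinutes(30),
                SlidingExpiration = true
            });
            // Short-lived cookie holding the claims returned by the external provider
            // until the ExternalLoginCallback action links or signs in the local account.
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
            // Client IDs and secrets come from Web.config appSettings (placeholder key names),
            // so no credential is committed to source control.
            app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
            {
                ClientId = ConfigurationManager.AppSettings["Google:ClientId"],
                ClientSecret = ConfigurationManager.AppSettings["Google:ClientSecret"]
            });
            app.UseFacebookAuthentication(
                appId: ConfigurationManager.AppSettings["Facebook:AppId"],
                appSecret: ConfigurationManager.AppSettings["Facebook:AppSecret"]);
        }
    }
}
```

Microsoft account and Twitter providers are registered the same way with UseMicrosoftAccountAuthentication and UseTwitterAuthentication from their respective Microsoft.Owin.Security packages.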
- Identity management
- Authentication vs. authorization
- Authentication via Facebook, Google, Microsoft, and more
- Email confirmation
- Two-step authentication
- Simple, role-based, and view-based authorization
- Defending against vulnerabilities