Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.
Understanding ASP.NET Identity and OWIN5:27 with James Churchill
Now let's take a look at the authentication process again, this time with ASP.NET Identity specifically in mind.
Microsoft's Azure Cloud Computing Platform
For more information about Microsoft's Azure cloud computing platform, see the official website at https://azure.microsoft.com/.
Here's a list of the features included in each of the major releases of the ASP.NET Identity authentication system.
- One ASP.NET Identity system
- Compatible with MVC and Web API (and Web Forms, Web Pages, and SignalR)
- Easy to customize the user and profile data schemas
- Easy to customize the persistence of user and profile data
- Works well with EF
- Supports unit testing
- Support for user roles
- Support claims-based authentication
- Allows you to be more descriptive than simple roles provide
- Support for social logins
- Support for Azure Active Directory
- OWIN integration
- Identity works with any OWIN compliant host
- Identity does not have a dependency on System.Web
- Delivered using NuGet packages
- Ability to delete users and roles
- Security Token Provider
- Account confirmation
- Password reset
- Two-factor auth
- Account lockout
- VS templates updated to use two-factor auth
- Bug fixes and performance improvements
What is Katana?
Katana is the Microsoft developed implementation of the OWIN specification. For more information, see this article:
ASP.NET Core and OWIN
ASP.NET Core fully embraces the ideas introduced in OWIN: everything in ASP.NET Core is implemented as middleware. Even existing OWIN components can be used as ASP.NET Core middleware. For more information about using OWIN with ASP.NET Core, see this article:
Main Identity Classes
Here are the main Identity classes that we'll be working with in this course:
Now that we've combined key based authentication and HTTP cookies to
implement user authentication, let's take a look at the authentication
process one more time, this time with ASP.NET Indentity specifically in mind.
ASP.NET Identity sits between your web app and the client, the user's browser.
This allows identity to inspect each incoming request.
Identity starts by looking for an authentication cookie and
if it doesn't find one it'll redirect the user to the sign-in page.
Using a form on the sign in page, the user posts their user name and
password to the server.
An MVC controller in your web app handles the request and
uses identity to verify the provided username and password.
If the log in is successful, identity is then used to sign in the user.
Signing in the user causes identity to create an authentication cookie containing
information about the user and attaches it to the response returned to the client.
The user information stored in the cookie is encrypted in order to keep it safe.
After receiving the authentication cookie,
the browser will include the cookie in every subsequent request to the server.
This time, when Identity inspects the incoming request looking for
an authentication cookie you'll find one.
The user information stored in the cookie is then decrypted and
added to the request.
This makes the user information available to the rest of the code that will run
as part of processing the request and preparing the response to the client.
Because all of the identity information is kept in the cookie,
the server doesn't need to keep track of the users who are authenticated.
The presence of the authentication cookie alone
is what determines if a user is signed in to our web app.
In order to process incoming requests and modify outgoing responses from your
ASP.NET web app, identity provides a set of OWIN middleware components.
ASP.NET applications are built to run on a web server.
A web server is a special type of application.
Web servers listen for HTTP requests and host websites and
web apps which are used to process requests and prepare HTTP responses.
Microsoft's Internet Information Services, or IIS,
is a commonly used web server for hosting ASP.NET applications.
OWIN is the Open Web Interface for .NET.
OWIN represents a web server as two separate concepts, a host and a server.
The host manages the startup of your web apps which includes selecting and
starting the server.
Once started, the server listens for HTTP requests.
When you write code for OWIN, you write components called middleware.
These are components that sit in the middle between the server and
your web app.
A series of middleware components are combined to form a request pipeline.
When the server receives an HTTP request it passes it through the request pipeline.
Each incoming HTTP request passes through each of the middleware components in
the pipeline in the order that they were configured, before reaching the webapp.
After the web app has processed the request and created a response,
the response then passes back through the pipeline in the reverse order.
If the middleware component is able to fully process a request
it can immediately return a response,
short circuiting the remaining middleware components and the web app.
When using OWIN, your code interacts with only the OWIN host and
server abstractions instead of interacting directly with the underlying web server.
This approach decouples your code from the specific web server that you use for
development, testing and production.
While it's possible for an entire web applications to be written using nothing
but OWIN middleware components, this isn't the approach that ASP.NET identity takes.
As mentioned earlier, ASP.NET identity sits between your web app and the client.
To make this possible, identity leverages OWIN middleware components to inspect
each incoming request and to modify request and responses as needed.
By using OWIN middleware identity is also able to work multiple frameworks including
ASP.NET MVC and web API while supporting any OWIN compliant host including IIS,
Microsoft's Azure Cloud Computing platform and self hosting scenarios.
Don't worry if you find any of this information confusing.
The important thing to remember is that OWIN middleware components
are used to process incoming requests before they reach your web app.
And they're able to modify the responses that are created by your web app before
they're sent back to the client.
We'll continue to revisit each of the key user authentication concepts and
components throughout the remainder of this course.
So don't worry if you feel overwhelmed or confused, you've got this.
In the next step, let's review the Visual Studio solution
that we'll be working with throughout the remainder of this course.
You need to sign up for Treehouse in order to download course files.Sign up