Authorization in ASP.NET Identity

Introduction


One of the main user management features in ASP.NET Identity is authorization. Authorization is a feature that allows you to control who can and can't access resources of your web application.

In this section, I will show you how to implement simple authorization using ASP.NET Identity.

Authorization


Let's suppose we have the following user controller:

public class UserController : Controller
{
    public ActionResult Login()
    {
        return View();
    }
        
    public ActionResult Logout()
    {
        // Implementation ... 
        return RedirectToAction("Index", "Home");
    }
}

The logout feature is meant for logged-in users (it makes no sense to log out a user who is not logged in), so in order to limit its access to authenticated users only, we use the Authorize attribute.

Authorize


The Authorize attribute specifies that access to a resource (controller or action) is restricted to authenticated users. So by applying it to the logout action, only authenticated users will have access to it.

[Authorize]
public ActionResult Logout()
{
    // Implementation ... 
    return RedirectToAction("Index", "Home");
}

If a non-authenticated user tries to access the logout action, they will be redirected to the /Account/Login path. This default path is defined in the Startup.Auth.cs file.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

You can change the default value assigned to the LoginPath property in order to redirect non-authenticated users to a custom URL (a custom login page, for example).


If you want to restrict access to the whole controller instead of only a specific action, you can do so by applying the Authorize attribute to that controller.

[Authorize]
public class UserController : Controller
{
    public ActionResult Login()
    {
        return View();
    }
        
    public ActionResult Logout()
    {
        // Implementation ... 
        return RedirectToAction("Index", "Home");
    }
}

If you want to restrict access to the whole controller except for one action, you can do so by using the AllowAnonymous attribute.

AllowAnonymous


The AllowAnonymous attribute allows access to non-authenticated users and therefore skips the restrictions imposed by the Authorize attribute.

[Authorize]
public class UserController : Controller
{
    [AllowAnonymous]
    public ActionResult Login()
    {
        return View();
    }
        
    public ActionResult Logout()
    {
        // Implementation ... 
        return RedirectToAction("Index", "Home");
    }
}

By applying the AllowAnonymous attribute to the login action, non-authenticated users will have access to it even though the Authorize attribute is applied to the controller.

Be careful when applying the AllowAnonymous attribute to a whole controller because, as we said, it will bypass every Authorize attribute applied within it, including those on individual actions.

[AllowAnonymous]
public class UserController : Controller
{
    public ActionResult Login()
    {
        return View();
    }
    
    [Authorize]
    public ActionResult Logout()
    {
        // Implementation ... 
        return RedirectToAction("Index", "Home");
    }
}

In the above example, non-authenticated users will still have access to the logout action even though the Authorize attribute is applied to it, because the AllowAnonymous attribute is applied to the user controller and therefore bypasses all Authorize attributes applied inside it.
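Because a controller-level AllowAnonymous silently defeats every Authorize attribute beneath it, it is worth checking this mechanically. The following audit helper is an added example, not code from ASP.NET Identity or from this tutorial; it applies the same precedence rules described above (AllowAnonymous on either the action or the controller wins over Authorize on either) to list the actions of a controller that are reachable without authentication. The class and method names (AuthorizationAudit, IsAnonymouslyReachable, AnonymousActions) are hypothetical, and "action" is simplified to "public instance method returning ActionResult".

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical audit helper (not part of ASP.NET Identity): mirrors the precedence
// MVC's AuthorizeAttribute uses. An [AllowAnonymous] on the action OR on the
// controller bypasses every [Authorize], wherever that [Authorize] is placed.
public static class AuthorizationAudit
{
    public static bool IsAnonymouslyReachable(Type controller, MethodInfo action)
    {
        bool controllerAllowsAnonymous = controller.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);
        bool actionAllowsAnonymous = action.IsDefined(typeof(AllowAnonymousAttribute), inherit: true);
        if (controllerAllowsAnonymous || actionAllowsAnonymous)
            return true; // [AllowAnonymous] wins, even over an [Authorize] on the action itself

        // IsDefined with inherit: true also matches attributes derived from AuthorizeAttribute.
        bool controllerRequiresAuth = controller.IsDefined(typeof(AuthorizeAttribute), inherit: true);
        bool actionRequiresAuth = action.IsDefined(typeof(AuthorizeAttribute), inherit: true);
        return !(controllerRequiresAuth || actionRequiresAuth);
    }

    // Simplification: public instance methods declared on the controller that return
    // an ActionResult are treated as its actions.
    public static IEnumerable<string> AnonymousActions(Type controller)
    {
        return controller
            .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
            .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType))
            .Where(m => IsAnonymouslyReachable(controller, m))
            .Select(m => controller.Name + "." + m.Name);
    }
}

// The tutorial's last controller: [AllowAnonymous] on the class, [Authorize] on Logout.
[AllowAnonymous]
public class UserController : Controller
{
    public ActionResult Login() { return View(); }

    [Authorize]
    public ActionResult Logout() { return RedirectToAction("Index", "Home"); }
}

public static class Program
{
    public static void Main()
    {
        // Each action reported here can be reached by a non-authenticated user.
        foreach (var action in AuthorizationAudit.AnonymousActions(typeof(UserController)))
            Console.WriteLine("anonymous: " + action);
    }
}
```

Run against the controller above, the audit reports both Login and Logout, confirming what the tutorial states: the controller-level AllowAnonymous makes the Authorize on Logout ineffective. Running AnonymousActions over every Controller subclass in the assembly from a unit test is a cheap way to catch this misconfiguration before it ships.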