Tuesday, February 21, 2017

Authentication and Authorization in ASP.NET Core

Common vulnerabilities in software

  • Cross-site scripting attacks
  • SQL Injection
  • Cross-Site request forgery
  • Open redirect attacks

Authentication

ASP.NET Core Identity is a membership system that adds login functionality to ASP.NET Core apps. External login providers are also supported. (Read the article) Identity is enabled by calling UseAuthentication() which adds authentication middleware to the request pipeline. (In ASP.NET Core 1.x this was UseIdentity() - See Migration Guide)

When signing out, SignOutAsync clears the user's claims stored in a cookie. You can also add custom user data to Identity. 



Authorization

Authorization is the process that determines what a user is able to do. ASP.NET Core provides a simple, declarative role-based model and a richer policy-based model. Authorization is expressed in requirements, and handlers evaluate the user's claims against those requirements. You can have several authorization handlers to handle different cases (user types etc.).

Authorization in MVC is controlled through the AuthorizeAttribute. AllowAnonymous disregards any authorization statement on the same controller or action.

Role based authorization

An identity can belong to one or many roles. You can add role checks to different controllers or actions.


Policy based role checks

Role requirements can be expressed using the policy syntax. You can register policies at startup. Policies are applied using the Policy property on AuthorizeAttribute.

Claim based authorization

An identity may be assigned one or many claims issued by a trusted party. A claim is a name-value pair that represents what the subject is, not what it can do.

You apply them to a controller or an action; before that, of course, the policies have to be registered.


This policy checks for the presence of the claim in the current identity, which is checked like this:

Policy based authorization

Role-based and claims-based authorization both use a requirement, a requirement handler and a pre-configured policy. An authorization policy consists of one or more requirements.

Requirement

A requirement is a collection of data parameters that a policy can use to evaluate the current user principal.

Authorization Handlers

Handlers are responsible for evaluating a requirement's properties. A handler evaluates the requirements against a provided AuthorizationHandlerContext to determine whether access is allowed. A requirement can have multiple handlers. (Examples included)

Handlers are registered in the services collection during configuration. 
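As an added example (not code from this post or from Microsoft's documentation), here is how the three pieces fit together in ASP.NET Core 2.x: a requirement, its handler, registration of the policy and handler in Startup.ConfigureServices, and the policy applied through the Policy property on AuthorizeAttribute. The names MinimumAgeRequirement, MinimumAgeHandler, "Over18" and RestrictedController are assumed for illustration, and the DateOfBirth claim is assumed to be issued by the authentication scheme configured elsewhere in Startup.

```csharp
using System;
using System.Globalization;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

// Requirement: only the data the policy needs to evaluate the principal (assumed name).
public class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
}

// Handler: evaluates the requirement against the claims in the context. It fails
// closed: only Succeed() is called, so a missing or malformed DateOfBirth claim
// leaves the requirement unmet. Fail() is reserved for an explicit veto.
public class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        var dob = context.User.FindFirst(c => c.Type == ClaimTypes.DateOfBirth);
        if (dob != null
            && DateTime.TryParse(dob.Value, CultureInfo.InvariantCulture, DateTimeStyles.None, out var birthDate)
            && birthDate <= DateTime.Today.AddYears(-requirement.MinimumAge))
            context.Succeed(requirement);
        return Task.CompletedTask;
    }
}
// Startup.ConfigureServices: register the policy and the handler in the services collection.
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("Over18", policy => policy
                .RequireAuthenticatedUser()
                .AddRequirements(new MinimumAgeRequirement(18))));
        services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
    }
}
// The policy is applied through the Policy property on AuthorizeAttribute (assumed controller).
[Authorize(Policy = "Over18")]
public class RestrictedController : Controller
{
    public IActionResult Index() => Content("Only for users aged 18 or over.");
}
```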


While the recommended guideline by Microsoft is as above, it may not be suitable everywhere. You can simply put a custom attribute as mentioned here.

Stack Overflow questions on ASP.NET Core Authorization.

Securing Web APIs
Token-based authentication:
https://www.ecanarys.com/Blogs/ArticleID/308/Token-Based-Authentication-for-Web-APIs
https://stackoverflow.com/questions/38977088/asp-net-core-web-api-authentication

https://jonhilton.net/complex-aspnet-core-custom-security-policies/
