Authentication and Authorization in ASP.NET MVC

In this article, I am going to discuss Authentication and Authorization in the ASP.NET MVC application. When you are developing any web application, then the most important thing that you need to take care of is its security. That means we need to make sure that only authenticated and authorized users can access our webpage. As part of this article, we are going to discuss the following things.

  1. What are Authentication and Authorization?
  2. What are the different types of Authentication?
  3. How to implement Authentication and Authorization in an ASP.NET MVC application?

What is Authentication?

Authentication is nothing but a process that ensures and confirms a user’s identity. In other words, we can say that it is a process to validate someone against some data source. Let’s have a look at the following diagram.

Authentication in MVC

Let us understand Authentication from a layman’s point of view. The above image shows the different sections of an IT company, such as Reception, HR Section, Accounts Section, Server Room, etc. At the gate, we have a biometric scanner to verify each employee. Suppose an employee arrives. The biometric system checks the employee’s credentials against some data source, and only if it finds that the employee is a valid employee does it allow them to enter the campus. This is nothing but Authentication.

What is Authorization?

Authorization is a security mechanism that is used to determine whether the user has access to a particular resource or not. The most important point that you need to remember is that authentication happens first, and only then authorization. Let us have a look at the following image.

Authorization in MVC

As shown in the above image, once the user is authenticated, he enters the campus. Then Authorization comes into the picture. Which sections within the campus he is allowed to enter is determined by the Authorization process. This is basically done based on the Role of the user. If the user has the least privileges, then he may not be allowed into each and every section. On the other hand, if the user has the highest privileges, then he may be allowed to enter each and every section.

Types of Authentication:

The different types of Authentication supported by ASP.NET MVC are as follows:

  1. Forms Authentication: In this type of authentication, the user needs to provide his credentials through a form.
  2. Windows Authentication: Windows Authentication is used in conjunction with IIS authentication. The authentication is performed by IIS in one of three ways: basic, digest, or Integrated Windows Authentication. When IIS authentication is completed, ASP.NET uses the authenticated identity to authorize access.
  3. Passport Authentication: It is a centralized authentication service (paid service) provided by Microsoft which offers a single logon and core profile services for member sites.
  4. None: No Authentication is provided. This is the default Authentication mode.

In the web.config file of your application, you can specify the Authentication mode as shown below.

Authentication and Authorization in MVC
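The following web.config fragment is an added example, not the article’s own configuration image. It shows the authentication mode setting the article refers to (Forms mode here; the other values for mode are Windows, Passport and None) together with the two pieces of the picture above: a global rule that unauthenticated users are denied (authentication first), and a role-based rule for one URL path (authorization second). The login URL, cookie name, timeout and the Admin role are illustrative values, not something the article specifies.

```xml
<configuration>
  <system.web>
    <!-- Added example (not the article's own web.config). Forms authentication:
         unauthenticated requests are redirected to loginUrl. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Account/Login"
             name=".ASPXAUTH"
             timeout="20"
             slidingExpiration="true"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All" />
    </authentication>

    <!-- Authentication comes first: "?" means anonymous users, so this denies
         everyone who has not been authenticated, on every path. -->
    <authorization>
      <deny users="?" />
    </authorization>

    <!-- Keep the auth cookie out of script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- Authorization comes second: only members of the Admin role (illustrative
       role name) may reach anything under /Admin; "*" denies all other users. -->
  <location path="Admin">
    <system.web>
      <authorization>
        <allow roles="Admin" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Two practical caveats. The `roles` attribute only works when ASP.NET can resolve the user’s roles, which means either an enabled role provider (`<roleManager enabled="true">` with a provider configured) or a custom principal attached to the request; without one, every role check fails closed and the Admin path is unreachable. Also, MVC routes are not physical paths, so in MVC projects the usual place for this kind of rule is the `[Authorize(Roles = "Admin")]` attribute on a controller or action rather than a `<location>` element; the config-based rule still applies because it matches on the request URL, but it is easy to bypass accidentally by adding a second route to the same action.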

Different ways to implement Authentication in MVC:

There are many different ways to implement Authentication in ASP.NET MVC. In this article series, we are going to use the following two ways to implement Authentication and Authorization in MVC applications.

  1. FormsAuthentication
  2. ASP.NET Identity

In the next article, I am going to discuss how to implement FormsAuthentication in an ASP.NET MVC application with one real-time example. In this article, I tried to explain Authentication and Authorization in MVC. I hope you now understand what Authentication and Authorization are in ASP.NET MVC.