ASP.NET Identity Architecture
In this article, I will discuss the ASP.NET Identity Architecture and the different classes and interfaces involved in it. Please read our previous article, where we discussed What ASP.NET Identity is.
ASP.NET Identity Architecture
ASP.NET Identity has three types of classes: Managers, Stores, and Entities. Managers perform operations such as registering, updating, and deleting a user. Stores persist and retrieve entities such as users and roles on behalf of the managers; a manager never talks to the database directly, it always goes through a store.
Entities in ASP.NET Identity:
There are 5 entities in ASP.NET Identity: IdentityUser, IdentityUserClaim, IdentityUserLogin, IdentityRole, and IdentityUserRole. All these entities belong to Microsoft.AspNet.Identity.EntityFramework namespace.
IdentityUser
This class represents a registered user of your application, and it belongs to the Microsoft.AspNet.Identity.EntityFramework namespace. It contains the following 15 properties:
- Email: This property represents the email address of the user
- EmailConfirmed: This Property will provide a Boolean value that shows whether the user’s email has been confirmed or not. If the email has been confirmed, the value will be true. Otherwise, the default value is false.
- PasswordHash: This property holds the salted and hashed form of the user's password. The plaintext password is never stored; UserManager hashes it with its PasswordHasher before handing it to the store.
- SecurityStamp: A random value that is regenerated whenever the user's credentials change (password changed, external login added or removed, two-factor setting changed). The cookie middleware can compare the stamp carried in the authentication cookie with the stored one and reject cookies issued before the change, which is how existing sessions are invalidated after a password reset.
- PhoneNumber: Phone Number for the user.
- PhoneNumberConfirmed: It will return a Boolean value indicating whether the user’s phone number is confirmed. True if the phone number is confirmed; default is false.
- TwoFactorEnabled: A Boolean value indicating whether two-factor authentication is enabled for this user.
- LockoutEndDateUtc: DateTime in UTC when the lockout ends, any time in the past is considered not locked out.
- LockoutEnabled: A Boolean value indicating whether this user can be locked out at all. If it is false, failed attempts are still recorded, but the user is never reported as locked out.
- AccessFailedCount: Number of failed access attempts of the user. It is used to record failures for the purposes of lockout.
- Roles: Roles assigned to this user. Navigation property for user roles.
- Claims: Claims of the user. Navigation property for user claims.
- Logins: Login accounts of the user. Navigation property for user logins.
- Id: User ID (Primary Key). Id of the user.
- UserName: The user name of the user
IdentityRole
This class represents a Role entity, and it belongs to the Microsoft.AspNet.Identity.EntityFramework namespace. It is used for role-based authorization and contains the following 3 properties:
- Users: Users who are in this role. Navigation property for users in the role.
- Id: Role Id.
- Name: Role name.
IdentityUserLogin
It holds information about external authentication providers such as Facebook, Google, Microsoft, or Twitter, and it belongs to the Microsoft.AspNet.Identity.EntityFramework namespace. Together, LoginProvider and ProviderKey identify one external account. This class contains the following 3 properties:
- LoginProvider: The login provider for the login (i.e., Facebook, Google, Twitter, etc.).
- ProviderKey: Key representing the login for the provider.
- UserId: User Id for the user who owns this login.
IdentityUserClaim
A claim is a name-value pair that states something about the user (for example, a department or a permission) and is used in claims-based authorization. This class represents one such claim for one user, and it belongs to the Microsoft.AspNet.Identity.EntityFramework namespace. It contains the following 4 properties:
- Id: Id of the claim. Primary key
- UserId: User Id for the user who owns this claim.
- ClaimType: Type of the claim
- ClaimValue: Value of the claim
IdentityUserRole
This entity records which roles a user is assigned to (it is the join table between users and roles), and it belongs to the Microsoft.AspNet.Identity.EntityFramework namespace. It contains the following 2 properties:
- UserId: UserId for the user that is in the role.
- RoleId: RoleId for the role.
Stores in ASP.NET Identity
In ASP.NET Identity, there are 2 types of stores: UserStore and RoleStore.
UserStore in ASP.NET Identity
The UserStore class implements the following interfaces. All these Interfaces belong to Microsoft.AspNet.Identity namespace.
IUserStore
This interface exposes the basic user management APIs. It contains the following 5 methods:
- CreateAsync(): Create or Insert a new user
- DeleteAsync(): Delete a user
- FindByIdAsync(): Find a user by Id
- FindByNameAsync(): Find a user by username
- UpdateAsync(): Update a user
IUserPasswordStore
This interface is used to store a user's password hash. The store never sees the plaintext password: UserManager hashes it before calling SetPasswordHashAsync and verifies it against the value returned by GetPasswordHashAsync. It contains the following 3 methods:
- GetPasswordHashAsync(): Get the user password hash.
- HasPasswordAsync(): Check if a user has a password. It returns true if a user has a password set.
- SetPasswordHashAsync(): Set the user password hash.
IUserRoleStore
This interface maps users to their roles, and it contains the following 4 methods:
- AddToRoleAsync(): Add a user to a role.
- GetRolesAsync(): Returns all roles of a user.
- IsInRoleAsync(): Check if a user is in a role. That means it returns true if a user is in the role.
- RemoveFromRoleAsync(): Removes the role for the user.
IUserClaimStore
This interface is used to store user-specific claims, and it contains the following 3 methods:
- AddClaimAsync(): Add a claim to a user.
- GetClaimsAsync(): Returns all claims of a user.
- RemoveClaimAsync(): Remove a claim from a user
IUserLoginStore
This interface maps users to external login providers, i.e., Google, Facebook, Twitter, and Microsoft, and it contains the following 4 methods:
- AddLoginAsync(): Adds a user login with the specified provider and key.
- FindAsync(): Returns the user associated with a login (a UserLoginInfo of provider and provider key), or null if no user has linked that external account.
- GetLoginsAsync(): Get all logins of a user, i.e., returns the linked accounts for this user.
- RemoveLoginAsync(): Remove a login from a user. That means removing the user login with the specified combination if it exists.
IUserPhoneNumberStore
This interface is used to store a user's phone number, and it contains the following 4 methods:
- GetPhoneNumberAsync(): Get the user’s phone number.
- GetPhoneNumberConfirmedAsync(): Check if a user’s phone number is confirmed. Returns true if the user’s phone number is confirmed else, false.
- SetPhoneNumberAsync(): Set the user’s phone number.
- SetPhoneNumberConfirmedAsync(): Sets whether the user’s phone number is confirmed or not.
IUserEmailStore
This interface is used to store a user's email, and it contains the following 5 methods:
- FindByEmailAsync(): Returns the user associated with the email.
- GetEmailAsync(): Get the user’s email.
- GetEmailConfirmedAsync(): Check if a user’s email is confirmed. Returns true if the user email is confirmed else, false.
- SetEmailAsync(): Set the user email.
- SetEmailConfirmedAsync(): Sets whether the user email is confirmed or not.
IUserSecurityStampStore
This interface is used to store a user's security stamp, and it contains the following 2 methods:
- GetSecurityStampAsync(): Get the user security stamp.
- SetSecurityStampAsync(): Set the user security stamp.
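Putting the SecurityStamp property and IUserSecurityStampStore to work: the following is an added example, not code from the original article or from the ASP.NET Identity project. It assumes the Visual Studio project template's ApplicationUser, ApplicationUserManager (with its static Create factory) and ApplicationUser.GenerateUserIdentityAsync, plus the Microsoft.AspNet.Identity.Owin, Microsoft.Owin.Security.Cookies and Microsoft.Owin.Host.SystemWeb packages. The SecurityController and its SignOutEverywhere action are invented for this example.

```csharp
// Added example, not from the original article. Assumes the VS template types
// ApplicationUser, ApplicationUserManager and ApplicationUser.GenerateUserIdentityAsync.
using System;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // SecurityStampValidator resolves the user manager from the OWIN context,
        // so the manager must be registered per request (the template does this).
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // At most once per validateInterval the middleware loads the user through
                // ApplicationUserManager (which calls IUserSecurityStampStore.GetSecurityStampAsync)
                // and compares the stored stamp with the one carried in the cookie.
                // A mismatch rejects the cookie, so the session ends and the user must sign in again.
                OnValidateIdentity = SecurityStampValidator
                    .OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(5),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

[Authorize]
public class SecurityController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    // "Sign out everywhere": rotate the stamp without changing any credential.
    // Every other session for this user fails its next stamp check within validateInterval.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> SignOutEverywhere()
    {
        string userId = User.Identity.GetUserId();
        IdentityResult result = await UserManager.UpdateSecurityStampAsync(userId);
        if (!result.Succeeded)
        {
            return new HttpStatusCodeResult(500, string.Join("; ", result.Errors));
        }

        // The caller's own cookie still carries the old stamp. Re-issue it with the new
        // stamp so that this session, and only this one, survives the rotation.
        ApplicationUser user = await UserManager.FindByIdAsync(userId);
        var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        HttpContext.GetOwinContext().Authentication.SignIn(
            new AuthenticationProperties { IsPersistent = false }, identity);

        return RedirectToAction("Index", "Home");
    }
}
```

validateInterval is the trade-off to think about: a cookie issued before the stamp changed remains valid for up to that long, while a shorter interval costs one user lookup per interval per session (TimeSpan.Zero checks on every request). UserManager already regenerates the stamp in ChangePasswordAsync, ResetPasswordAsync and RemoveLoginAsync, so those flows get this invalidation without extra code; the explicit UpdateSecurityStampAsync call above is for the case where nothing else changed but you still want every other session gone.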
IUserTwoFactorStore
This interface stores whether two-factor authentication is enabled for a user, and it contains the following 2 methods:
- GetTwoFactorEnabledAsync(): Returns whether two-factor authentication is enabled for the user.
- SetTwoFactorEnabledAsync(): Sets whether two-factor authentication is enabled for the user.
IUserLockoutStore
This interface stores the information needed to implement account lockout: the failed access count and the lockout status. Application code normally does not call these methods directly; UserManager drives them from AccessFailedAsync, IsLockedOutAsync and ResetAccessFailedCountAsync. It contains the following 7 methods:
- GetAccessFailedCountAsync(): Returns the current number of failed access attempts. This number usually will be reset whenever the password is verified, or the account is locked out.
- GetLockoutEnabledAsync(): Returns whether the user can be locked out.
- GetLockoutEndDateAsync(): Returns the DateTimeOffset that represents the end of a user’s lockout; any time in the past should be considered not locked out.
- IncrementAccessFailedCountAsync(): Increment a user’s current failed access attempts. That means it is used to record when an attempt to access the user has failed.
- ResetAccessFailedCountAsync(): It is used to reset the access failed count, typically after the account is successfully accessed.
- SetLockoutEnabledAsync(): Sets whether the user can be locked out.
- SetLockoutEndDateAsync(): Set a user’s lockout end date. Locks a user out until the specified end date (set to a past date to unlock a user).
IQueryableUserStore
The interface that exposes IQueryable users. Its Users property returns an IQueryable over all users in the store, which is what lets you write LINQ queries against the user table.
RoleStore in ASP.NET Identity:
The RoleStore class in ASP.NET Identity implements the following interfaces:
IRoleStore
This interface exposes basic role management, and it belongs to the Microsoft.AspNet.Identity namespace. It contains the following 5 methods:
- CreateAsync(): Create a new role.
- DeleteAsync(): Delete a role.
- FindByIdAsync(): Find a role by Id.
- FindByNameAsync(): Find a role by name.
- UpdateAsync(): Update a role.
IQueryableRoleStore
An interface that exposes IQueryable roles. Its Roles property returns an IQueryable over all roles defined in the store, not the roles of a particular user; for a user's roles, use IUserRoleStore.GetRolesAsync or UserManager.GetRolesAsync.
Managers in ASP.NET Identity
In ASP.NET Identity, there are 3 types of managers: UserManager, RoleManager, and a SignInManager.
- UserManager: Performs user-related operations (create, find, passwords, claims, logins, lockout, security stamp) by calling the UserStore. Password hashing and user/password validation happen here, not in the store.
- RoleManager: Performs role-related operations by calling the RoleStore.
- SignInManager: Performs sign-in operations for users, including the lockout and two-factor checks around a password sign-in.
Note: As we said in the previous section, the default ASP.NET Identity implementation (Microsoft.AspNet.Identity.EntityFramework) is based on Entity Framework Code First. If you do not want to use Entity Framework for persistence, you can write your own store classes that implement the above interfaces and pass them to UserManager and RoleManager; the managers themselves do not depend on Entity Framework. In these tutorials, we are going to use the default implementation.
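To make the separation between managers and stores concrete, here is an added example (not from the original article or the ASP.NET Identity project) that implements the IUserStore, IUserPasswordStore and IUserLockoutStore interfaces described above against an in-memory dictionary and drives it through the stock UserManager. It shows two things the text states: the store only ever receives a password hash, and the lockout methods are called by UserManager, not by application code. AppUser, InMemoryUserStore, the user name and the demo passwords are assumptions made for this example; it needs only the Microsoft.AspNet.Identity.Core package (version 2.x).

```csharp
// Added example, not from the original article. AppUser and InMemoryUserStore are
// names chosen for this example; only Microsoft.AspNet.Identity.Core 2.x is required.
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Minimal user entity: UserManager<TUser> only requires IUser<string> (Id + UserName).
public class AppUser : IUser<string>
{
    public string Id { get; set; }
    public string UserName { get; set; }
    public string PasswordHash { get; set; }
    public bool LockoutEnabled { get; set; }
    public DateTimeOffset LockoutEnd { get; set; }
    public int AccessFailedCount { get; set; }
}

// A store that keeps everything in a dictionary instead of Entity Framework.
public class InMemoryUserStore : IUserStore<AppUser>, IUserPasswordStore<AppUser, string>, IUserLockoutStore<AppUser, string>
{
    private readonly ConcurrentDictionary<string, AppUser> _users = new ConcurrentDictionary<string, AppUser>();

    // IUserStore
    public Task CreateAsync(AppUser user) { _users[user.Id] = user; return Task.FromResult(0); }
    public Task UpdateAsync(AppUser user) { _users[user.Id] = user; return Task.FromResult(0); }
    public Task DeleteAsync(AppUser user) { AppUser removed; _users.TryRemove(user.Id, out removed); return Task.FromResult(0); }
    public Task<AppUser> FindByIdAsync(string userId) { AppUser u; _users.TryGetValue(userId, out u); return Task.FromResult(u); }
    public Task<AppUser> FindByNameAsync(string userName)
    {
        // Case-insensitive, like the EF UserStore; must return null for an unknown name
        // because UserValidator relies on that to detect duplicate user names.
        return Task.FromResult(_users.Values.FirstOrDefault(
            u => string.Equals(u.UserName, userName, StringComparison.OrdinalIgnoreCase)));
    }
    public void Dispose() { }

    // IUserPasswordStore: the value arriving here is already salted and hashed by UserManager.
    public Task SetPasswordHashAsync(AppUser user, string passwordHash) { user.PasswordHash = passwordHash; return Task.FromResult(0); }
    public Task<string> GetPasswordHashAsync(AppUser user) { return Task.FromResult(user.PasswordHash); }
    public Task<bool> HasPasswordAsync(AppUser user) { return Task.FromResult(user.PasswordHash != null); }

    // IUserLockoutStore: pure bookkeeping, the policy lives in UserManager.
    public Task<DateTimeOffset> GetLockoutEndDateAsync(AppUser user) { return Task.FromResult(user.LockoutEnd); }
    public Task SetLockoutEndDateAsync(AppUser user, DateTimeOffset lockoutEnd) { user.LockoutEnd = lockoutEnd; return Task.FromResult(0); }
    public Task<int> IncrementAccessFailedCountAsync(AppUser user) { user.AccessFailedCount++; return Task.FromResult(user.AccessFailedCount); }
    public Task ResetAccessFailedCountAsync(AppUser user) { user.AccessFailedCount = 0; return Task.FromResult(0); }
    public Task<int> GetAccessFailedCountAsync(AppUser user) { return Task.FromResult(user.AccessFailedCount); }
    public Task<bool> GetLockoutEnabledAsync(AppUser user) { return Task.FromResult(user.LockoutEnabled); }
    public Task SetLockoutEnabledAsync(AppUser user, bool enabled) { user.LockoutEnabled = enabled; return Task.FromResult(0); }
}

public static class Demo
{
    public static void Main() { RunAsync().GetAwaiter().GetResult(); }

    public static async Task RunAsync()
    {
        var store = new InMemoryUserStore();
        var manager = new UserManager<AppUser>(store)
        {
            UserLockoutEnabledByDefault = true,            // CreateAsync calls SetLockoutEnabledAsync(user, true)
            MaxFailedAccessAttemptsBeforeLockout = 3,
            DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15),
            PasswordValidator = new PasswordValidator { RequiredLength = 12, RequireDigit = true }
        };

        var alice = new AppUser { Id = Guid.NewGuid().ToString(), UserName = "alice" };
        IdentityResult created = await manager.CreateAsync(alice, "correct-horse-battery-9");
        Console.WriteLine("created: {0}", created.Succeeded);

        // The store holds a PBKDF2 hash (default PasswordHasher), never the plaintext.
        Console.WriteLine("hash equals plaintext? {0}", alice.PasswordHash == "correct-horse-battery-9");

        // Three wrong guesses: UserManager increments the counter through the store and,
        // on reaching the threshold, sets LockoutEnd and resets the counter itself.
        for (int i = 0; i < 3; i++)
        {
            if (!await manager.CheckPasswordAsync(alice, "wrong-guess"))
                await manager.AccessFailedAsync(alice.Id);
        }
        Console.WriteLine("locked out: {0}", await manager.IsLockedOutAsync(alice.Id));

        // A login flow must check IsLockedOutAsync before CheckPasswordAsync (SignInManager
        // does); CheckPasswordAsync alone ignores lockout. Unlock by moving the end date into
        // the past, as the IUserLockoutStore contract describes.
        await manager.SetLockoutEndDateAsync(alice.Id, DateTimeOffset.UtcNow.AddMinutes(-1));
        Console.WriteLine("locked out after unlock: {0}", await manager.IsLockedOutAsync(alice.Id));
        Console.WriteLine("password ok: {0}", await manager.CheckPasswordAsync(alice, "correct-horse-battery-9"));
    }
}
```

Two things to notice when you swap in your own store this way: anything the store does not implement is silently unsupported (if InMemoryUserStore dropped IUserLockoutStore, UserManager.SupportsUserLockout would be false and AccessFailedAsync would throw NotSupportedException), and the store is trusted with whatever it is handed, so keep it free of policy and let UserManager's PasswordValidator, UserValidator and lockout settings do that job.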
In the next article, I will discuss Getting Started with ASP.NET Identity with New and Existing Projects. In this article, I tried to explain the ASP.NET Identity Architecture. I hope you enjoy this ASP.NET Identity Architecture article.