Authentication and Authorization in ASP.NET MVC

In this article, I am going to discuss Authentication and Authorization in the ASP.NET MVC Application. When you are developing any web application, the most important thing you need to take care of is its security. That means we need to make sure that only authenticated and authorized users can access our webpage. As part of this article, we are going to discuss the following things.

  1. What are Authentication and Authorization?
  2. What are the different types of Authentication?
  3. How to implement Authentication and Authorization in ASP.NET MVC application?

What is Authentication?

Authentication is nothing but a process that ensures and confirms a user’s identity. In other words, we can say that it is a process to validate someone against some data source. Let’s have a look at the following diagram.

[Image: Authentication in MVC]

Let us understand Authentication from a layman’s point of view. The above image shows the different sections of an IT Company like Reception, HR Section, Accounts Section, Server Room, etc. At the gate, we have biometrics to verify the employee. Suppose one user or one employee comes. The biometric system checks the employee’s credentials against some data source, and only if the employee is found to be valid is he allowed to enter the campus. This is nothing but Authentication.

What is Authorization?

Authorization is a security mechanism used to determine whether the user has access to a particular resource. The most important point you must remember is that authentication happens first, and only then authorization. Let us have a look at the following image.

[Image: Authorization in MVC]

As shown in the above image, once the user is authenticated, he enters the Campus. Then Authorization comes into the picture. Within the campus, which sections he is allowed to enter is determined by the Authorization process. This is basically done by the Role of the user. If the user has the least privileges, he may not be allowed to enter every section. On the other hand, if the user has the highest privileges, he may be allowed to enter every section.

Types of Authentication:

The different types of Authentication supported by ASP.NET MVC are as follows:

  1. Forms Authentication: In this type of authentication, the user needs to provide his credentials through a form.
  2. Windows Authentication: Windows Authentication is used in conjunction with IIS authentication. Authentication is performed by IIS in one of three ways such as basic, digest, or Integrated Windows Authentication. When IIS authentication is completed, then ASP.NET uses the authenticated identity to authorize access.
  3. Passport Authentication: It is a centralized authentication service (paid service) provided by Microsoft which offers a single logon and core profile services for member sites.
  4. None: No Authentication provided. This is the default Authentication mode.

In the web.config file of your application, you can specify the Authentication mode as shown below.

[Image: Authentication and Authorization in MVC]
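
The four types listed above correspond to the four values the mode attribute accepts. The following Web.config fragment is an added example, not taken from the original article, that selects Forms mode and tightens the authentication cookie; the login path and timeout are assumed values.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- Added example (constructed). Place inside the application's Web.config. -->
<configuration>
  <system.web>
    <!-- mode accepts one of: Windows, Forms, Passport, None -->
    <authentication mode="Forms">
      <!--
        loginUrl          : where unauthenticated requests are redirected
                            (assumed path for this example)
        timeout           : ticket lifetime in minutes (assumed value)
        requireSSL        : send the ticket cookie over HTTPS only;
                            this attribute is false unless set
        cookieless        : UseCookies keeps the ticket out of the URL,
                            where it would leak into logs and Referer headers
        protection        : All = ticket is both encrypted and validated
        slidingExpiration : false gives the session a fixed end time
      -->
      <forms loginUrl="~/Account/Login"
             timeout="20"
             requireSSL="true"
             cookieless="UseCookies"
             protection="All"
             slidingExpiration="false" />
    </authentication>
  </system.web>
</configuration>
```

This element only selects how the user's identity is established; which resources that identity may reach is the separate Authorization step described earlier.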

Different ways to implement Authentication in MVC:

There are many different ways to implement Authentication in ASP.NET MVC. Here in this article series, we are going to use the following two ways to implement Authentication and Authorization in MVC applications.

  1. FormsAuthentication
  2. ASP.NET Identity

In the next article, I am going to discuss how to implement FormsAuthentication in ASP.NET MVC Applications with one real-time example. In this article, I tried to explain Authentication and Authorization in MVC. I hope you now understand what Authentication and Authorization are in ASP.NET MVC.
