Authentication and Authorization in MVC
In this article, I am going to discuss Authentication and Authorization in an MVC application. When you are developing any web application, the most important thing that you need to take care of is its security. That means we need to make sure that only authenticated and authorized users can access our web pages. As part of this article, we are going to discuss the following things.
- What are Authentication and Authorization?
- What are the different types of Authentication?
- How to implement Authentication and Authorization in ASP.NET MVC application?
What is Authentication?
Authentication is nothing but a process that ensures and confirms a user’s identity. In other words, we can say that it is a process to validate someone against some data source. Let’s have a look at the following diagram.
Let us understand Authentication from a layman’s point of view. The above image shows the different sections of an IT company, such as Reception, HR Section, Accounts Section, Server Room, etc. At the gate, we have biometrics to verify the employee. Suppose one employee arrives. The biometric system checks the employee's credentials against some data source, and only if it finds that the employee is valid does it allow them to enter the campus. This is nothing but Authentication.
What is Authorization?
Authorization is a security mechanism which is used to determine whether the user has access to a particular resource or not. The most important point that you need to remember is that authentication happens first, and only then authorization. Let us have a look at the following image.
As shown in the above image, once the user is authenticated, he enters the campus. Then Authorization comes into the picture. Which sections within the campus he may enter is determined by the Authorization process. This is basically done by the Role of the user. If the user has the least privileges, then he may not be allowed into each and every section. On the other hand, if the user has the highest privileges, then he may be allowed to enter each and every section.
Types of Authentication:
The different types of Authentication supported by ASP.NET are as follows:
- Forms Authentication: In this type of authentication, the user needs to provide his credentials through a form.
- Windows Authentication: Windows Authentication is used in conjunction with IIS authentication. The authentication is performed by IIS in one of three ways: Basic, Digest, or Integrated Windows Authentication. When IIS authentication is complete, ASP.NET uses the authenticated identity to authorize access.
- Passport Authentication: It is a centralized authentication service (a paid service) provided by Microsoft which offers a single logon and core profile services for member sites.
- None: No Authentication is provided. This is the default Authentication mode.
In the web.config file of your application, you can specify the Authentication mode as shown below.
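The following web.config fragment is an added example, not taken from the original article, showing the `<authentication>` element set to Forms mode together with an `<authorization>` rule that denies anonymous users, so that authentication is enforced before any authorization decision is made. The login path `~/Account/Login` and the cookie name are assumed values for this example.

```xml
<configuration>
  <system.web>
    <!-- mode can be Forms, Windows, Passport or None (see the list above).
         Forms mode redirects unauthenticated requests to loginUrl. -->
    <authentication mode="Forms">
      <!-- Assumed login path and cookie name for this example.
           protection="All" encrypts and signs the ticket;
           requireSSL="true" keeps the cookie off plain HTTP;
           slidingExpiration renews the timeout on activity. -->
      <forms name=".ASPXAUTH"
             loginUrl="~/Account/Login"
             protection="All"
             timeout="30"
             requireSSL="true"
             slidingExpiration="true" />
    </authentication>

    <!-- Authorization happens only after authentication:
         "?" means anonymous users, "*" means all users.
         Rules are evaluated top to bottom, first match wins. -->
    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>

    <!-- Mark cookies HttpOnly so script cannot read the auth ticket. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>

  <!-- The login page itself must stay reachable by anonymous users,
       otherwise the redirect above would loop. -->
  <location path="Account/Login">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

Role-based restriction, as described in the Authorization section above, is then applied per controller or action with `[Authorize(Roles="...")]`, or in web.config with `<allow roles="..."/>` / `<deny roles="..."/>` entries inside `<authorization>`.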
Different ways to implement Authentication in MVC:
There are many different ways to implement Authentication in MVC. Here in this article series, we are going to use the following two ways to implement Authentication and Authorization in an MVC application.
- Forms Authentication
- ASP.NET Identity
In the next article, I am going to discuss how to implement FormsAuthentication in an MVC application with one real-time example. I hope you understood what Authentication and Authorization are in MVC.