Authenticating with ASP.NET Core Identity
The Virto platform uses ASP.NET Core Identity as its membership system.
Using ASP.NET Core Identity enables several scenarios:
- Creating new user data using the
- Authenticating users through the SignInManager type. You can use signInManager.SignInAsync to sign in directly, or signInManager.PasswordSignInAsync to confirm that the user's password is correct and then sign them in.
- Identifying a user based on information stored in a cookie or a bearer token, so that requests from a browser or an API client carry the signed-in user's identity and claims.
Issuing JWT tokens with OpenIddict
To enable token authentication, ASP.NET Core supports multiple options for using OAuth 2.0 and OpenID Connect. The platform relies on the third-party OpenIddict library, which provides a simple and easy-to-use way to implement an OpenID Connect server inside the platform application.
OpenIddict is based on AspNet.Security.OpenIdConnect.Server (ASOS) to control the OpenID Connect authentication flow and can be used with any membership stack, including ASP.NET Core Identity. It also supports various token formats, although in the Virto platform we use only JWT tokens for authorization, because of the following advantages:
- Stateless: The token contains all the information needed to identify the user, eliminating the need for session state. The flip side is that an issued token cannot be revoked on the server before it expires, so access-token lifetimes should be kept short and longevity handled through refresh tokens.
- Reusability: Several separate servers running on multiple platforms and domains can accept the same token to authenticate the user, as long as they validate it against the same issuer signing key and audience. This makes it easy to build an application that shares permissions with other applications.
- JWT Security: Because the token is sent in an Authorization header rather than in a cookie that the browser attaches automatically, there is no need to protect against cross-site request forgery (CSRF). The token still has to be stored carefully on the client, since any code that can read it (for example a cross-site scripting payload in a browser) can use it.
- Performance: No server-side lookup is needed to find and deserialize a session on each request; validating the token only requires verifying its signature (an HMAC-SHA256 computation for symmetrically signed tokens) and parsing its contents. Validation must also check the expiry and the expected issuer and audience, not just parse the claims.
Adding an OpenID Connect server to the platform allows you to support token authentication, as well as to manage all your users using a local password or an external identity provider (e.g. Azure Active Directory) for all your applications in a single place, with the power to control who can access your API and the information that is exposed to each client.
The Virto platform uses JWT token authentication together with the OAuth2 Password, Client Credentials and Refresh Token flows to issue and consume authorization tokens for clients. Note that the Password grant hands the user's credentials to the client application and is discouraged by the OAuth 2.0 Security Best Current Practice; it should be reserved for the platform's own first-party clients.
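The following is an added example written for this page in Python; it is not Virto Commerce or OpenIddict code. It illustrates both the JWT advantages listed above and the three grant types named here: verify_jwt performs the stateless validation the list describes (one HMAC-SHA256 and one JSON parse, with the algorithm pinned rather than read from the token), and token_endpoint is a simplified in-process stand-in for OpenIddict's /connect/token endpoint handling the password, client_credentials and refresh_token grants. The demo function walks the flows and the cases a practitioner should check: a tampered payload, an expired token, a replayed refresh token, and the fact that a previously issued access token stays valid until its exp even after a refresh. The signing key, the user and client records, the 300-second lifetime and the single-use refresh-token rotation are constructed assumptions; the path /connect/token is OpenIddict's default and appears only in comments.

```python
"""Added example (not Virto Commerce or OpenIddict code): HS256 JWT issue/verify plus a
simulated OpenIddict-style /connect/token endpoint for the password, client_credentials
and refresh_token grants. Key, users and clients are constructed test data."""
import base64, hashlib, hmac, json, secrets, time

SIGNING_KEY = b"constructed-demo-hmac-key-not-for-production"  # assumption: shared HMAC key

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_jwt(claims: dict, ttl: int = 300, now=None, key: bytes = SIGNING_KEY) -> str:
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({**claims, "iat": now, "exp": now + ttl}).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_jwt(token: str, now=None, key: bytes = SIGNING_KEY) -> dict:
    """Stateless validation: one HMAC and one JSON parse, no session lookup. Raises ValueError."""
    now = int(time.time()) if now is None else now
    header, payload, sig = token.split(".")  # wrong part count raises ValueError itself
    # Pin the algorithm; never trust the alg the token itself advertises (alg=none swaps).
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload))
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    return claims

# Constructed stores; the platform keeps these in Identity/OpenIddict with hashed passwords.
USERS = {"admin": "P@ssw0rd"}
CLIENTS = {"web-app": None, "batch-job": "client-secret"}  # None = public client, no secret
REFRESH_TOKENS: dict = {}  # kept server-side so refresh tokens can be revoked

def token_endpoint(form: dict, now=None) -> dict:
    """Simplified stand-in for OpenIddict's /connect/token; form = decoded POST body."""
    grant, client_id = form.get("grant_type"), form.get("client_id")
    if client_id not in CLIENTS:
        return {"error": "invalid_client"}
    if grant == "password":
        user = form.get("username")
        if user not in USERS or USERS[user] != form.get("password"):
            return {"error": "invalid_grant"}
        subject = user
    elif grant == "client_credentials":
        secret = CLIENTS[client_id]
        if secret is None or not hmac.compare_digest(
                secret.encode(), str(form.get("client_secret", "")).encode()):
            return {"error": "invalid_client"}
        subject = client_id
    elif grant == "refresh_token":
        entry = REFRESH_TOKENS.pop(form.get("refresh_token"), None)  # pop = single use
        if entry is None or entry["client_id"] != client_id:
            return {"error": "invalid_grant"}
        subject = entry["sub"]
    else:
        return {"error": "unsupported_grant_type"}
    response = {"token_type": "Bearer", "expires_in": 300,
                "access_token": issue_jwt({"sub": subject, "client_id": client_id}, now=now)}
    if grant != "client_credentials":  # machine clients re-present their secret instead
        refresh = secrets.token_urlsafe(32)
        REFRESH_TOKENS[refresh] = {"sub": subject, "client_id": client_id}
        response["refresh_token"] = refresh
    return response

def demo(now: int = 1_700_000_000) -> dict:
    """Walk the three grants and the failure cases; returns flags for checking."""
    def rejected(token, at):
        try:
            verify_jwt(token, now=at)
            return False
        except ValueError:
            return True
    out = {}
    pw = token_endpoint({"grant_type": "password", "client_id": "web-app",
                         "username": "admin", "password": "P@ssw0rd"}, now=now)
    out["password_sub"] = verify_jwt(pw["access_token"], now=now)["sub"]
    cc = token_endpoint({"grant_type": "client_credentials", "client_id": "batch-job",
                         "client_secret": "client-secret"}, now=now)
    out["client_sub"] = verify_jwt(cc["access_token"], now=now)["sub"]
    out["client_gets_refresh"] = "refresh_token" in cc
    refresh_form = {"grant_type": "refresh_token", "client_id": "web-app",
                    "refresh_token": pw["refresh_token"]}
    rf = token_endpoint(refresh_form, now=now + 200)
    out["refresh_sub"] = verify_jwt(rf["access_token"], now=now + 200)["sub"]
    out["replay_error"] = token_endpoint(refresh_form, now=now + 200).get("error")
    # Stateless trade-off: the pre-refresh access token stays valid until its exp.
    out["old_token_valid_before_exp"] = not rejected(pw["access_token"], now + 200)
    out["expired_rejected"] = rejected(pw["access_token"], now + 300)
    header, _, sig = pw["access_token"].split(".")
    forged = _b64url(json.dumps({"sub": "root", "exp": now + 300}).encode())
    out["tampered_rejected"] = rejected(f"{header}.{forged}.{sig}", now)
    return out
```

Running demo() shows the trade-off the Stateless bullet makes: the refresh token is single-use and lives server-side, so it can be revoked, but the old access token keeps validating until its exp because nothing on the server is consulted. That is why the lifetime passed as expires_in should be short in a real deployment.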