IT:AD:ASP.NET:Identity
Summary
“ASP.NET Identity is a fresh look at what the membership system should be when you are building modern applications for the web, phone, or tablet.”
Notes
Background
ASP.NET Identity is MS's third or fourth attempt at getting right:
- ASP.NET Membership:
- Acid:
- Advantages:
- None.
- Disadvantages:
- Poor development standards used.
- Forms based.
- Saves UserName/Password in-app, rather than delegating to an external IdP.
- Had a RoleProvider, but not as rich as Claims which were not available in 2005.
- Defunct. Replaced by Simple Membership.
- Considerations:
- Developed for ASP.NET Classic.
- Cookie based Session handling leads to CORS requirements.
- Architecture tightly tied to ASP.NET Handlers, therefore not compatible with OWIN Pipeline.
- Acid:
- Advantages:
- None.
- Considerations:
- Same issues as ASP.NET Membership.
- Defunct. Short lived. Replaced with ASP.NET Identity
-
- Acid:
- Advantages:
- Can be used for WinForms, MVC, WebAPI.
- Have control over database schema and storage destination.
- Claims based.
- Considerations
- OWin Based (so ASP.NET 5 requires addition of Owin Pipeline).
- Assemblies:
- MVC Approach:
- Microsoft.AspNet.Identity.EntityFramework
- Microsoft.AspNet.Identity.Core
- Microsoft.AspNet.Identity.OWIN
- Provides access to Cookie middleware.
-
- Advantages:
- Claims based
- Can customize persistence to database.
- Has a Role Provider that will be useful.
- Has providers for:
- Azure Active Directory
- Social (Facebook, Google, etc.)
- There is a Role Provider
- OWIN pipeline based.
- Considerations:
- Being Owin pipeline based, requires IT:AD:ASP.NET:MVC 5 to be upgraded with Owin.
Assembly Reference
The following is a current (Q3/2017) graph of the assembly dependencies.
As functionality stabilizes, I've seen some classes move from “Microsoft…” to “System…”.
In addition, MS' focus is getting ASP.NET Core the new standard, so new development sometimes not only creates breaking changes, but is also not intended to work with ASP.NET MVC5 on .NET Framework Full. Case in point: System.IdentityModel.Tokens.Jwt version 5.0+.
- Key in the above is
Microsoft.Owin.Security.Cookies
which provides cookie based authentication, much like Microsoft FormsAuthentiation.