Understanding the concepts of authentication and authorization
Before starting, we need to be clear about the difference between the two. Authentication happens when we access a protected resource: we must present an identity, and the server takes that identity and matches it against the identities it has stored. If there is a match, authentication succeeds.

Authorization is about whether you are allowed to use the resource: it checks whether your identity has been granted permission for that resource. The two actions therefore happen at different stages.

Put simply, the combination of the two is like a visitor entering a web server's resources. First, the visitor must hold a login account in order to sign in to the web server. The web server then checks the holder against its visitor list, and only a login account that matches the list can access the server. But to access a particular resource, the login account must also have the appropriate privilege level; for some confidential documents you have to apply and get the admin's approval. That process is called authorization.
ASP.NET Core supports authentication through
services.AddAuthentication
Calling it in the ConfigureServices method of Startup.cs registers the IAuthenticationService with the dependency injection container. The authentication service is used to register the program's authentication handlers, each carrying the logic for one kind of authentication; each registered authentication handler is referred to as a scheme. So in a typical Startup.ConfigureServices we see configuration like this:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, options => Configuration.Bind("JwtSettings", options))
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options => Configuration.Bind("CookieSettings", options));
Here multiple schemes are registered. When authentication is needed later, you can choose whichever scheme fits your actual needs, and doing so is very simple. For example, to use JWT authentication on a particular controller:
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
public class MixedController : Controller
For details, refer to the Microsoft documentation:
Authorize with a specific scheme in ASP.NET Core
services.AddDefaultIdentity
If the project is an ASP.NET Core MVC web project created from the template with individual user accounts, we see this registration in Startup.ConfigureServices:
services.AddDbContext<ApplicationDbContext>(options =>
options.UseSqlServer(
Configuration.GetConnectionString("DefaultConnection")));
services.AddDefaultIdentity<IdentityUser>(options => options.SignIn.RequireConfirmedAccount = true)
.AddEntityFrameworkStores<ApplicationDbContext>();
services.AddRazorPages();
AddDefaultIdentity already calls AddAuthentication internally, so there is no need to call it again separately.
app.UseAuthentication();
Either way, once the authentication service has been registered, it must be added to the pipeline in Startup.Configure:
app.UseRouting();
app.UseAuthentication();
app.UseAuthorization();   // required for [Authorize] to be enforced; must come after UseAuthentication
app.UseEndpoints(endpoints => endpoints.MapControllers());
This adds the middleware to the HTTP request pipeline, and the relative order shown above must not be changed.
Understanding some authentication-related terms
- Scheme
A scheme is essentially the kind of authentication you added together with its configuration options; it is what the incoming HTTP request is authenticated against. So AddJwtBearer adds JWT authentication, and AddCookie adds cookie authentication.
- Challenge
This refers to the authentication step that is triggered when, for example, an anonymous user requests a restricted resource or clicks a restricted link. The authentication service then runs the challenge of the specified scheme, or of the default scheme. Typically, cookie-based authentication redirects the user to the login page, while JWT-based authentication returns a 401 status code.
- Forbid
Forbid happens after the authentication phase, when the authorization service determines whether the authenticated user has access to the resource. If the user does not have access, cookie-based authentication redirects the user to an "access denied" page, while JWT-based authentication returns a 403 status code.
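The two-scheme setup and the Challenge/Forbid outcomes described above, as an added example that is not code from the original post. The "JwtSettings" section, the "ApiOnly" policy name, the "Admin" role and ReportsController are assumed names chosen for the example.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Cookie is the default scheme: an anonymous browser user is redirected
        // to the login page (Challenge) or the access-denied page (Forbid).
        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
            .AddCookie(options =>
            {
                options.LoginPath = "/Account/Login";
                options.AccessDeniedPath = "/Account/AccessDenied";
            })
            // JWT never redirects: Challenge -> 401, Forbid -> 403.
            // "JwtSettings" is an assumed configuration section name.
            .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme,
                options => Configuration.Bind("JwtSettings", options));
        // "ApiOnly" (assumed name) accepts only the bearer scheme, so a valid
        // login cookie does not grant access to the API endpoints below.
        services.AddAuthorization(options =>
            options.AddPolicy("ApiOnly", policy => policy
                .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()));
        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // populates HttpContext.User from the scheme
        app.UseAuthorization();    // evaluates [Authorize]; must follow UseAuthentication
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Missing or invalid token -> 401 (Challenge); valid token without the
// assumed "Admin" role on DELETE -> 403 (Forbid).
[ApiController, Route("api/[controller]"), Authorize(Policy = "ApiOnly")]
public class ReportsController : ControllerBase
{
    [HttpGet] public IActionResult Get() => Ok("visible to any valid token");
    [HttpDelete("{id}"), Authorize(Roles = "Admin")]
    public IActionResult Delete(int id) => NoContent();
}
```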