ASP.NET MVC: Identity and security basics

DevToolsGuy / Tuesday, September 1, 2015

As a web developer, there are plenty of languages and frameworks to choose from when you want to create an application. One of the most powerful frameworks is ASP.NET. ASP.NET is great for building standards-based web applications with HTML5, CSS3 and JavaScript. It supports three different ways of creating extensive web applications:


  • ASP.NET WebForms: Uses controls and an event model for component-based development.
  • ASP.NET MVC: Uses the popular and commonly used Model-View-Controller approach.
  • ASP.NET WebPages: This is a single page model that mixes code and HTML markup.


The ASP.NET Web API can also be used to create rich RESTful web services that return JSON, XML, or any kind of content the web supports. These services can be used to provide data to mobile applications or any other application.


In this post, we will be looking at the identity and security basics of ASP.NET. This is quite a big topic, so not only will we be doing a follow-up post, but we'll also include links to further reading.


The ASP.NET Identity system 


The previous version of ASP.NET used the Membership System. The ASP.NET Membership system has been showing its age for some time. It is based on the principle that a user from a web application will create and store his credentials in a SQL database owned by the application. Modern apps don’t always work this way. Indeed, with the popularity of social networks many users want to use social credentials to access other applications.


The 'old' Membership system is being replaced by the ASP.NET Identity system, which includes features like:


  • Profile support
  • OAuth integration
  • OWIN


The ASP.NET Identity system is already included in the ASP.NET templates in Visual Studio 2013 and is available as a NuGet package, so it can easily be added to existing applications.


The previous Membership system was built on SQL Server. When an application needed a different kind of backend data store to keep user information the developer needed to write a lot of custom code. The ASP.NET Identity system can still be based on SQL Server but it is easier to plug in different storage environments - like SharePoint, Azure storage or NoSQL. Where with the Membership system you, as developer, needed to throw in a few.




This is no longer needed.


The ASP.NET Identity system contains a Role provider where you can create roles like "student" or "admin" and add users to these roles. Role membership is a boolean: a user either is in a role or is not. When you need richer information about a user, use claims-based authentication, where the user's identity information is represented as a set of claims.
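
The difference between a role check and a claims check, as an added C# example (not code from the original post). The issuer URNs, the course claim type and the `ExampleCookie` authentication type are assumptions made up for the illustration.

```csharp
using System;
using System.Security.Claims;

static class RoleVersusClaimsDemo
{
    // Hypothetical names for this example; ASP.NET Identity does not define them.
    const string TrustedIssuer = "urn:example:campus-idp";
    const string CourseClaim = "urn:example:claims/enrolled-course";

    // Role check: a yes/no answer and nothing more.
    static bool IsStudent(ClaimsPrincipal user) => user.IsInRole("student");

    // Claims check: the decision depends on the claim's value and on who
    // issued it, so a claim asserted by an unexpected issuer is ignored.
    static bool CanViewCourse(ClaimsPrincipal user, string courseId) =>
        IsStudent(user) &&
        user.HasClaim(c => c.Type == CourseClaim
                        && c.Value == courseId
                        && c.Issuer == TrustedIssuer);

    static ClaimsPrincipal BuildUser(string name, string course, string issuer)
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.Name, name),
            // A role is itself carried as a claim of type ClaimTypes.Role.
            new Claim(ClaimTypes.Role, "student"),
            new Claim(CourseClaim, course, ClaimValueTypes.String, issuer),
        };
        // A non-empty authentication type marks the identity as authenticated.
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "ExampleCookie"));
    }

    static void Main()
    {
        // Constructed sample users: same role, same course claim, different issuers.
        var alice = BuildUser("alice", "SEC-101", TrustedIssuer);
        var bob = BuildUser("bob", "SEC-101", "urn:example:other-idp");

        Console.WriteLine($"alice is student:      {IsStudent(alice)}");
        Console.WriteLine($"alice views SEC-101:   {CanViewCourse(alice, "SEC-101")}");
        Console.WriteLine($"alice views SEC-202:   {CanViewCourse(alice, "SEC-202")}");
        Console.WriteLine($"bob is student:        {IsStudent(bob)}");
        Console.WriteLine($"bob views SEC-101:     {CanViewCourse(bob, "SEC-101")}");
    }
}
```

Both users pass the role check, but only the course claim issued by the trusted issuer grants access, which is the kind of decision a boolean role cannot express.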


To read more about the Role Provider and claims-based authentication, check out one of the following resources:



Social authentication


We live in a world where users often have one or more social logins and want to use one of those to gain access to other applications. The ASP.NET Identity system contains Social Login Providers that help the developer create social logins. With Social Login Providers, you can use a Microsoft Account, Twitter, Facebook, Google or any other social login system and store the user-specific data in your application data store.


Get more information about the Social Login Providers at:



The above Social Login Providers come out of the box, but some in the community have experienced issues when using them. For more information, and some help in resolving these issues, see this post on StackOverflow.



ASP.NET authentication is now based on OWIN middleware that can be used on any OWIN-based host. Therefore, ASP.NET Identity does not have any dependency on System.Web. It is a fully compliant OWIN framework and can be used in any OWIN hosted application. OWIN is a standard interface between .NET web servers and web applications. 


Find out more about OWIN here:



It is good to know that the new version of ASP.NET, called ASP.NET vNext or ASP.NET 5, will be completely based on OWIN.


A powerful system


ASP.NET Identity is a powerful system that handles the whole process of authentication and security in your ASP.NET web application. The Visual Studio ASP.NET templates already contain the basics of the ASP.NET Identity system, so it takes only a few moments to set up a rich identity system for your application. Keep in mind that the ASP.NET Identity framework will keep evolving; a good starting point for all ASP.NET Identity related information is the blog posts on the ASP.NET 5 website.