Implementing Authentication and Authorization in .NET Core Apps
Authentication and authorization are critical for protecting your application.
Authentication verifies who the user is.
Authorization defines what the user is allowed to do.
In .NET Core, both can be implemented with the built-in authentication/authorization middleware and the ASP.NET Core Identity system, or with token-based and external providers such as JWT bearer tokens, Google, Azure AD, etc.
✅ Step 1: Set Up a .NET Core Web App
Create a new app:
```bash
dotnet new webapp -n AuthDemo
cd AuthDemo
```
Or for APIs:
```bash
dotnet new webapi -n AuthDemoApi
```
👤 Step 2: Add Authentication with ASP.NET Core Identity
Add Identity
Install Identity packages (if not already in the project):
```bash
dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore
dotnet add package Microsoft.EntityFrameworkCore.SqlServer
```
Configure Identity in Program.cs (.NET 6+ minimal hosting, which the snippet below uses; in older projects the same registrations go in the ConfigureServices method of Startup.cs):
```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;

// EF Core store for users, roles and claims; the connection string comes from appsettings / user secrets.
builder.Services.AddDbContext<ApplicationDbContext>(options =>
    options.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));

// Register Identity with the default user and role types and the token providers
// used for e-mail confirmation and password reset.
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddDefaultTokenProviders();

// Where to send unauthenticated (401) and forbidden (403) requests.
builder.Services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = "/Account/Login";
    options.AccessDeniedPath = "/Account/AccessDenied";
});
```
Add Middleware
Order matters: authentication must run before authorization, and both must come after routing and before the endpoints are mapped, otherwise [Authorize] is evaluated against an empty principal.

```csharp
app.UseAuthentication(); // populates HttpContext.User from the cookie or bearer token
app.UseAuthorization();  // enforces [Authorize] and policies against that user
```
🔑 Step 3: Create Account Controllers and Views (for Web Apps)
Use built-in scaffolding to generate Identity UI:
```bash
dotnet aspnet-codegenerator identity -dc ApplicationDbContext
```
🔒 Step 4: Protect Routes with Authorization
Apply attributes to controllers or actions:
```csharp
[Authorize] // Requires any authenticated user
public class DashboardController : Controller
{
    public IActionResult Index() => View();
}
```
Or restrict by role:
```csharp
[Authorize(Roles = "Admin")]
public IActionResult AdminPanel() => View();
```
You can also use [AllowAnonymous] to let unauthenticated users access specific pages:
```csharp
[AllowAnonymous]
public IActionResult Login() => View();
```
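A role check like [Authorize(Roles = "Admin")] only works if the role exists and has been assigned to someone. The following seeder is an added example, not code from the original post; it assumes the Identity registration from Step 2 and reads the initial admin password from a configuration key named "Seed:AdminPassword", which is a hypothetical name chosen for this example.

```csharp
// Added example (not from the original post): idempotent startup seeding of the "Admin" role
// and an initial admin account. Assumes the Identity setup from Step 2; "Seed:AdminPassword"
// is a hypothetical configuration key (user secrets / environment), never a literal in source.
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class IdentitySeeder
{
    public const string AdminRole = "Admin";

    public static async Task SeedAsync(IServiceProvider services)
    {
        var roleManager = services.GetRequiredService<RoleManager<IdentityRole>>();
        var userManager = services.GetRequiredService<UserManager<IdentityUser>>();
        var config = services.GetRequiredService<IConfiguration>();

        // Create the role only if it is missing, so the seeder is safe to run on every startup.
        if (!await roleManager.RoleExistsAsync(AdminRole))
        {
            var roleResult = await roleManager.CreateAsync(new IdentityRole(AdminRole));
            if (!roleResult.Succeeded)
                throw new InvalidOperationException(
                    string.Join("; ", roleResult.Errors.Select(e => e.Description)));
        }

        const string adminEmail = "admin@example.com"; // constructed sample value
        var admin = await userManager.FindByEmailAsync(adminEmail);
        if (admin is null)
        {
            admin = new IdentityUser { UserName = adminEmail, Email = adminEmail, EmailConfirmed = true };

            // The password comes from configuration; Identity's password validators still apply.
            var password = config["Seed:AdminPassword"]
                ?? throw new InvalidOperationException("Seed:AdminPassword is not configured.");
            var userResult = await userManager.CreateAsync(admin, password);
            if (!userResult.Succeeded)
                throw new InvalidOperationException(
                    string.Join("; ", userResult.Errors.Select(e => e.Description)));
        }

        // Assign the role; role membership is what [Authorize(Roles = "Admin")] checks.
        if (!await userManager.IsInRoleAsync(admin, AdminRole))
            await userManager.AddToRoleAsync(admin, AdminRole);
    }
}

// Program.cs, after `var app = builder.Build();` (Identity services are scoped, so a scope is needed):
//
// using (var scope = app.Services.CreateScope())
// {
//     await IdentitySeeder.SeedAsync(scope.ServiceProvider);
// }
```

Because every step checks before it writes, a failed deployment or a second instance starting at the same time cannot duplicate the role or the account; a failed IdentityResult is surfaced as an exception rather than silently ignored, which is the behaviour you want for a step that decides who is an administrator.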
🔧 Step 5: Add Authorization Policies (Optional for More Control)
Define policies in Program.cs:
```csharp
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("MustBeManager", policy =>
        policy.RequireClaim("Department", "Management"));
});
```
Use it in your controller:
```csharp
[Authorize(Policy = "MustBeManager")]
public IActionResult Reports() => View();
```
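RequireClaim covers the case where a single claim value decides access. When the decision needs logic (here: a minimum tenure computed from a date claim), the policy is backed by an IAuthorizationRequirement and an AuthorizationHandler. The code below is an added example, not code from the original post; "MinimumTenure" is a hypothetical policy name and "HireDate" a hypothetical claim assumed to be added to the user's principal at login.

```csharp
// Added example (not from the original post): a policy backed by custom logic instead of a
// single claim value. "MinimumTenure" (policy) and "HireDate" (claim) are hypothetical names.
using System.Globalization;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// The requirement carries the parameters of the rule.
public sealed class MinimumTenureRequirement : IAuthorizationRequirement
{
    public int Years { get; }
    public MinimumTenureRequirement(int years) => Years = years;
}

// The handler evaluates the rule against the current user.
public sealed class MinimumTenureHandler : AuthorizationHandler<MinimumTenureRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumTenureRequirement requirement)
    {
        var hireDateClaim = context.User.FindFirst("HireDate");

        // A missing or malformed claim simply leaves the requirement unmet. We do not call
        // context.Fail() here, so another handler for the same requirement could still succeed.
        if (hireDateClaim is null ||
            !DateTime.TryParse(hireDateClaim.Value, CultureInfo.InvariantCulture,
                               DateTimeStyles.AssumeUniversal | DateTimeStyles.AdjustToUniversal,
                               out var hireDate))
        {
            return Task.CompletedTask;
        }

        if (hireDate.AddYears(requirement.Years) <= DateTime.UtcNow)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

public static class TenureAuthorization
{
    // Registers the policy and its handler; call from Program.cs as builder.Services.AddTenurePolicy(2);
    public static IServiceCollection AddTenurePolicy(this IServiceCollection services, int years)
    {
        services.AddAuthorization(options =>
            options.AddPolicy("MinimumTenure", policy =>
                policy.RequireAuthenticatedUser()
                      .AddRequirements(new MinimumTenureRequirement(years))));

        // Handlers are stateless here, so a singleton is fine.
        services.AddSingleton<IAuthorizationHandler, MinimumTenureHandler>();
        return services;
    }
}

// Usage on a controller or action: [Authorize(Policy = "MinimumTenure")]
```

RequireAuthenticatedUser is kept in the policy so an anonymous request gets a 401 challenge rather than a 403; the handler only ever decides the tenure question, and an unparsable claim is treated as "not met" rather than as an error, so a tampered or stale claim cannot grant access by accident.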
🔐 Step 6: Using JWT Authentication (for APIs)
Install JWT package:
```bash
dotnet add package Microsoft.AspNetCore.Authentication.JwtBearer
```
Configure JWT in Program.cs:
```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

// Read the signing key from configuration (user secrets, environment, key vault) instead of a string
// literal. "Jwt:Key" is a configuration key chosen for this snippet. HS256 needs at least 256 bits
// (32 bytes) of key material; a short placeholder such as "your_secret_key" is rejected at runtime.
var jwtKey = builder.Configuration["Jwt:Key"]
    ?? throw new InvalidOperationException("Jwt:Key is not configured.");

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,            // "iss" must equal ValidIssuer
            ValidateAudience = true,          // "aud" must equal ValidAudience
            ValidateLifetime = true,          // reject expired or not-yet-valid tokens
            ValidateIssuerSigningKey = true,  // signature must verify with IssuerSigningKey
            ValidIssuer = "yourapp.com",
            ValidAudience = "yourapp.com",
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtKey))
        };
    });
```
Use [Authorize] on your API controllers:
```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Authorize]
[ApiController]
[Route("api/[controller]")]
public class ProfileController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok("This is a protected endpoint.");
}
```
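The configuration above only validates tokens; something still has to issue them. The following Program.cs is an added example, not code from the original post, that ties both halves together in a minimal API: a /login endpoint that signs a short-lived token with the same key, issuer and audience the validator expects, and a protected /api/profile endpoint. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package is installed, that "Jwt:Key", "Jwt:Issuer" and "Jwt:Audience" are configuration keys chosen for this example, and that CheckCredentials is a placeholder for a real password check such as Identity's SignInManager.

```csharp
// Added example (not from the original post): complete Program.cs issuing and validating JWTs.
// Assumptions: JwtBearer package installed; "Jwt:Key", "Jwt:Issuer", "Jwt:Audience" are
// configuration keys chosen here; CheckCredentials is a placeholder for a real credential check.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Key material comes from configuration, never from source; HS256 needs at least 32 bytes.
var keyBytes = Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"]
    ?? throw new InvalidOperationException("Jwt:Key is not configured."));
if (keyBytes.Length < 32)
    throw new InvalidOperationException("Jwt:Key must be at least 32 bytes (256 bits) for HS256.");
var signingKey = new SymmetricSecurityKey(keyBytes);
var issuer = builder.Configuration["Jwt:Issuer"] ?? "yourapp.com";
var audience = builder.Configuration["Jwt:Audience"] ?? "yourapp.com";

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.MapInboundClaims = false; // keep "sub" as "sub" instead of remapping to ClaimTypes.NameIdentifier
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            ValidIssuer = issuer,
            ValidAudience = audience,
            IssuerSigningKey = signingKey,
            ClockSkew = TimeSpan.FromMinutes(1) // default is 5 minutes; a tighter skew shortens how long an expired token is still accepted
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Issues a short-lived access token once the credential check succeeds.
app.MapPost("/login", (LoginRequest login) =>
{
    if (!CheckCredentials(login.Username, login.Password))
        return Results.Unauthorized();

    var claims = new[]
    {
        new Claim(JwtRegisteredClaimNames.Sub, login.Username),
        new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()), // unique token id, useful for audit and revocation lists
        new Claim(ClaimTypes.Role, "User")
    };
    var token = new JwtSecurityToken(
        issuer: issuer,
        audience: audience,
        claims: claims,
        notBefore: DateTime.UtcNow,
        expires: DateTime.UtcNow.AddMinutes(15),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));

    return Results.Ok(new { access_token = new JwtSecurityTokenHandler().WriteToken(token) });
});

// Protected endpoint: reachable only with a valid bearer token (the equivalent of [Authorize]).
app.MapGet("/api/profile", (ClaimsPrincipal user) =>
        Results.Ok(new { subject = user.FindFirstValue(JwtRegisteredClaimNames.Sub) }))
   .RequireAuthorization();

app.Run();

// Placeholder for the example only; replace with Identity's password verification.
static bool CheckCredentials(string username, string password) =>
    username == "demo" && password == "demo-password";

record LoginRequest(string Username, string Password);
```

Note that the issuer, audience and key are defined once and shared by the issuing and validating sides; a mismatch between them is the most common reason a freshly issued token is rejected with 401. The 15-minute lifetime is what makes the refresh-token flow mentioned at the end of the post necessary.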
🧠 Summary
| Concept | Description |
|---|---|
| Authentication | Identifies the user (e.g., login) |
| Authorization | Controls access to resources (e.g., roles, policies) |
| Identity | Built-in system for managing users and roles |
| JWT | Token-based authentication for APIs |
| Role-based | Access controlled by user roles |
| Policy-based | Access controlled by custom logic or claims |
🚀 Want to Go Further?
Integrate with Google, Facebook, Microsoft logins
Store extra user profile data in Identity
Secure Web APIs with refresh tokens
Use Azure AD for enterprise identity