Section 1 of 6

Authentication Fundamentals

🎯 What You'll Learn

  • What is authentication
  • Authentication vs authorization
  • Authentication schemes
  • Claims and principals
  • Authentication middleware

What is Authentication?

Authentication is the process of determining who the user is. It verifies the user's identity through credentials like username/password, tokens, or external providers.

💡 Key Concept

Authentication = "Who are you?"
Authorization = "What are you allowed to do?"

Authentication vs Authorization

| Aspect   | Authentication               | Authorization          |
|----------|------------------------------|------------------------|
| Question | Who are you?                 | What can you do?       |
| Purpose  | Verify identity              | Grant permissions      |
| Example  | Login with username/password | Admin can delete users |
| Happens  | First                        | After authentication   |

Authentication Schemes

ASP.NET Core supports multiple authentication schemes:

| Scheme         | Description                   | Use Case                                 |
|----------------|-------------------------------|------------------------------------------|
| Cookie         | Browser-based authentication  | Traditional web apps (MVC, Razor Pages)  |
| JWT Bearer     | Token-based authentication    | APIs, SPAs, mobile apps                  |
| OAuth 2.0      | Delegated authorization       | Third-party access (Google, Facebook)    |
| OpenID Connect | Identity layer on OAuth 2.0   | Single sign-on (SSO)                     |

Claims and Principals

Claims

A claim is a name/value statement about the user (name, email, role, etc.), issued by whichever authority authenticated them.

Claim Example C#
using System.Collections.Generic;
using System.Security.Claims;

var claims = new List<Claim>
{
    new Claim(ClaimTypes.Name, "john@example.com"),
    new Claim(ClaimTypes.Email, "john@example.com"),
    new Claim(ClaimTypes.Role, "Admin"),
    new Claim("UserId", "123")   // custom claim type; any string is allowed
};

ClaimsIdentity

A collection of claims representing a single identity, tagged with the authentication type (scheme name) that produced it.

ClaimsIdentity C#
// The second argument is the authentication type; an identity built without one is treated as anonymous
var identity = new ClaimsIdentity(claims, "CookieAuth");

ClaimsPrincipal

Represents the current user (can have multiple identities).

ClaimsPrincipal C#
var principal = new ClaimsPrincipal(identity);

// Access in controllers/pages
var userName = User.Identity?.Name;
var isAuthenticated = User.Identity?.IsAuthenticated;
var email = User.FindFirst(ClaimTypes.Email)?.Value;
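The following console program is an added example, not code from the original page: it builds the same claims, identity and principal by hand and inspects them the way a controller does through `User`. It also shows two details the snippets above do not: an identity created without an authentication type reports `IsAuthenticated == false` even though it carries claims, and a principal holding several identities answers `FindFirst` and `IsInRole` across all of them. The claim values, the scheme names and the `PrincipalDemo` class are constructed for the example.

```csharp
// Added example: hand-built ClaimsPrincipal, inspected as ASP.NET Core would via HttpContext.User.
// All claim values and scheme names below are constructed sample data.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;

public static class PrincipalDemo
{
    public static void Main()
    {
        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, "john@example.com"),
            new Claim(ClaimTypes.Email, "john@example.com"),
            new Claim(ClaimTypes.Role, "Admin"),
            new Claim("UserId", "123")
        };

        // Caveat: no authentication type means "anonymous". The claims are present,
        // but IsAuthenticated is false and an [Authorize] check would reject this user.
        var anonymous = new ClaimsIdentity(claims);
        Console.WriteLine($"Without auth type, IsAuthenticated = {anonymous.IsAuthenticated}");

        // Passing the scheme name marks the identity as authenticated.
        var identity = new ClaimsIdentity(claims, "CookieAuth");
        var principal = new ClaimsPrincipal(identity);

        // Same accessors a controller uses on the User property.
        Console.WriteLine($"Name             = {principal.Identity?.Name}");
        Console.WriteLine($"IsAuthenticated  = {principal.Identity?.IsAuthenticated}");
        Console.WriteLine($"Email            = {principal.FindFirst(ClaimTypes.Email)?.Value}");
        Console.WriteLine($"UserId           = {principal.FindFirst("UserId")?.Value}");
        Console.WriteLine($"IsInRole(Admin)  = {principal.IsInRole("Admin")}");

        // A principal can carry several identities (e.g. cookie plus an external provider).
        // FindFirst and IsInRole search ALL identities, so a role claim added by a second
        // identity satisfies a role check too. Remember this when combining schemes.
        var external = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.Role, "Auditor") }, "ExternalProvider");
        principal.AddIdentity(external);
        Console.WriteLine($"Identity count   = {principal.Identities.Count()}");
        Console.WriteLine($"IsInRole(Auditor)= {principal.IsInRole("Auditor")}");

        // Custom claim values are strings: validate them before using them as keys or in queries.
        if (int.TryParse(principal.FindFirst("UserId")?.Value, out var userId))
            Console.WriteLine($"Parsed UserId    = {userId}");
        else
            Console.WriteLine("UserId claim missing or not numeric");
    }
}
```

Run it as a plain console project (`dotnet run`); no web host is needed because `ClaimsPrincipal` and `ClaimsIdentity` live in `System.Security.Claims`, independent of ASP.NET Core.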

Authentication Middleware

Program.cs C#
var builder = WebApplication.CreateBuilder(args);

// Add authentication services
builder.Services.AddAuthentication("CookieAuth")
    .AddCookie("CookieAuth");

var app = builder.Build();

// Use authentication middleware (BEFORE authorization)
app.UseAuthentication();
app.UseAuthorization();

app.Run();

⚠️ Order Matters!

UseAuthentication() must come before UseAuthorization(). You must know who the user is before checking what they can do.
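To show the middleware doing real work rather than just being registered, here is a complete minimal-API `Program.cs` added as an example (it is not the original page's code): a `/login` endpoint turns validated credentials into claims and signs them into the `CookieAuth` scheme, the authentication middleware rebuilds `HttpContext.User` from that cookie on later requests, and `/me` is protected by `RequireAuthorization()`. The `IsValidUser` check, the sample account, the route names and the `LoginRequest` record are assumptions made for the example; the cookie options are hardening settings a practitioner would normally set.

```csharp
// Added example: end-to-end cookie authentication with the scheme from the text.
// IsValidUser is a stand-in for a real user store (ASP.NET Core Identity hashes and verifies
// passwords for you); the sample account, routes and LoginRequest are constructed for this demo.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("CookieAuth")
    .AddCookie("CookieAuth", options =>
    {
        options.LoginPath = "/login";                             // redirect target for anonymous users
        options.Cookie.HttpOnly = true;                            // not readable from script
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;   // only sent over HTTPS
        options.Cookie.SameSite = SameSiteMode.Lax;                // limits cross-site sending
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);         // bound the session lifetime
        options.SlidingExpiration = true;
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Authentication first: it populates HttpContext.User, which authorization then reads.
app.UseAuthentication();
app.UseAuthorization();

// Stand-in credential check for the example only. Never store or compare plaintext
// passwords in real code; delegate this to Identity or a password hasher.
static bool IsValidUser(string email, string password) =>
    email == "john@example.com" && password == "sample-password-only";

app.MapPost("/login", async (HttpContext ctx, LoginRequest req) =>
{
    if (!IsValidUser(req.Email, req.Password))
        return Results.Unauthorized();

    // In a real app the role and user id come from the user store, not from the request.
    var claims = new List<Claim>
    {
        new Claim(ClaimTypes.Name, req.Email),
        new Claim(ClaimTypes.Email, req.Email),
        new Claim(ClaimTypes.Role, "Admin"),
        new Claim("UserId", "123")
    };
    var identity = new ClaimsIdentity(claims, "CookieAuth");
    var principal = new ClaimsPrincipal(identity);

    // Serializes the principal into an encrypted and signed cookie for this scheme.
    await ctx.SignInAsync("CookieAuth", principal);
    return Results.Ok("signed in");
});

// The cookie middleware has already rebuilt the principal; minimal APIs bind it as ClaimsPrincipal.
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(new
{
    Name = user.Identity?.Name,
    Email = user.FindFirst(ClaimTypes.Email)?.Value,
    UserId = user.FindFirst("UserId")?.Value,
    IsAdmin = user.IsInRole("Admin")
})).RequireAuthorization();

app.MapPost("/logout", async (HttpContext ctx) =>
{
    await ctx.SignOutAsync("CookieAuth");   // clears the cookie for this scheme
    return Results.Ok("signed out");
});

app.Run();

public record LoginRequest(string Email, string Password);
```

Calling `GET /me` before logging in is redirected to `/login` by the cookie handler (an API would typically switch that to a 401 response); after `POST /login` with a JSON body matching `LoginRequest`, the same request returns the claims that were signed into the cookie. Swapping `UseAuthentication()` and `UseAuthorization()` makes `RequireAuthorization()` see an anonymous user on every request, which is the failure the warning above describes.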

Accessing User Information

In Controllers/Pages C#
using System.Security.Claims;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    public IActionResult Index()
    {
        // Check if authenticated before reading claims
        if (User.Identity?.IsAuthenticated == true)
        {
            var userName = User.Identity.Name;
            var email = User.FindFirst(ClaimTypes.Email)?.Value;
            var userId = User.FindFirst("UserId")?.Value;   // custom claim type
        }

        return View();
    }
}

In Views Razor (.cshtml)
@if (User.Identity?.IsAuthenticated == true)
{
    <p>Welcome, @User.Identity.Name!</p>
}
@else
{
    <a href="/login">Login</a>
}

Key Takeaways

  • Authentication: Verifying who the user is
  • Authorization: Determining what the user can do
  • Claims: Information about the user
  • ClaimsIdentity: Collection of claims
  • ClaimsPrincipal: Represents the current user
  • Schemes: Cookie, JWT, OAuth, OpenID Connect
  • Middleware: UseAuthentication() before UseAuthorization()

🎯 Next Steps

You now understand authentication fundamentals! In the next section, we'll explore ASP.NET Core Identity—a complete membership system for managing users, passwords, roles, and more.