ASP.NET Identity is the membership system for ASP.NET apps. Following are the features of ASP.NET Identity in this sample application.
- Initialize ASP.NET Identity
You can initialize ASP.NET Identity when the application starts. Since ASP.NET Identity is Entity Framework based in this sample, you can create a DatabaseInitializer that is configured to run each time the app starts.
Please look in App_Start\IdentityConfig.cs
This code shows the following:
- When should the Initializer run and when should the database be created
- Create Admin user
- Create Admin role
- Add Admin user to Admin role
- Add profile data for the user
Please follow this tutorial.
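The steps above (run the initializer, create the Admin role and user, add the user to the role, set profile data), as an added example written for this README rather than taken from the sample project. The ApplicationUser, ApplicationDbContext, connection-string name, admin user name, password and the HomeTown profile column are all assumed values, and the password would be read from configuration in a real deployment instead of being compiled in:

```csharp
using System.Data.Entity;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// Assumed application types: ApplicationUser extends IdentityUser with one
// profile column, and ApplicationDbContext is the Identity EF context.
public class ApplicationUser : IdentityUser
{
    public string HomeTown { get; set; }   // constructed profile field
}

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("DefaultConnection") { }
}

// Drop-and-recreate suits a sample; production code would use migrations and a
// CreateDatabaseIfNotExists initializer so data is never thrown away.
public class ApplicationDbInitializer : DropCreateDatabaseIfModelChanges<ApplicationDbContext>
{
    protected override void Seed(ApplicationDbContext context)
    {
        InitializeIdentityForEF(context);
        base.Seed(context);
    }

    // Creates the Admin role and Admin user if they do not exist and links them.
    public static void InitializeIdentityForEF(ApplicationDbContext db)
    {
        var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));
        var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));

        const string name = "admin@example.com";   // constructed sample value
        const string password = "Admin@123456";     // constructed; load from config in real code
        const string roleName = "Admin";

        var role = roleManager.FindByName(roleName);
        if (role == null)
        {
            role = new IdentityRole(roleName);
            roleManager.Create(role);
        }

        var user = userManager.FindByName(name);
        if (user == null)
        {
            user = new ApplicationUser { UserName = name, Email = name, HomeTown = "Redmond" };
            userManager.Create(user, password);            // password is hashed by the manager
            userManager.SetLockoutEnabled(user.Id, false);  // seeded admin cannot be locked out by failed attempts
        }

        // Idempotent: only add the role link when it is missing.
        var rolesForUser = userManager.GetRoles(user.Id);
        if (!rolesForUser.Contains(role.Name))
        {
            userManager.AddToRole(user.Id, role.Name);
        }
    }
}

// Call once at application start (Application_Start or Startup); the initializer
// then runs on the first database access.
public static class IdentityDatabaseSetup
{
    public static void Configure()
    {
        Database.SetInitializer(new ApplicationDbInitializer());
    }
}
```

The FindByName, Create, SetLockoutEnabled, GetRoles and AddToRole calls are the synchronous extension methods from Microsoft.AspNet.Identity; the async forms are the ones to use inside request handlers.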
- Add profile information in the Users Table
- Look in Models\IdentityModels.cs for examples
- When you create a user with a username and password, the Identity system validates both, and the password is hashed before it is stored in the database. You can customize the validation by changing properties of the built-in validators, such as allowing only alphanumeric user names or setting a minimum password length, or you can write your own custom validators and register them with the UserManager.
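An added example (not the sample's own code) of the two validation hooks described above: the built-in UserValidator and PasswordValidator with their properties adjusted, and a custom IIdentityValidator<string> registered as the PasswordValidator. The ApplicationUser, ApplicationDbContext and the tiny deny list of rejected passwords are assumptions made for this example:

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

public class ApplicationUser : IdentityUser { }
public class ApplicationDbContext : IdentityDbContext<ApplicationUser> { }

// Custom password rule layered on top of the built-in complexity checks:
// reject a short, constructed list of well-known passwords. UserManager calls
// ValidateAsync on every CreateAsync, ChangePasswordAsync and ResetPasswordAsync.
public class DenyListPasswordValidator : IIdentityValidator<string>
{
    private static readonly string[] DenyList = { "password", "qwerty123", "letmein" }; // constructed

    private readonly PasswordValidator _baseRules = new PasswordValidator
    {
        RequiredLength = 8,
        RequireNonLetterOrDigit = true,   // the "alphanumeric" switch mentioned above
        RequireDigit = true,
        RequireLowercase = true,
        RequireUppercase = true,
    };

    public async Task<IdentityResult> ValidateAsync(string item)
    {
        var baseResult = await _baseRules.ValidateAsync(item);
        if (!baseResult.Succeeded)
        {
            return baseResult;   // surfaces the built-in messages (too short, no digit, ...)
        }

        if (DenyList.Any(p => string.Equals(p, item, StringComparison.OrdinalIgnoreCase)))
        {
            return IdentityResult.Failed("That password is too common; choose another.");
        }

        return IdentityResult.Success;
    }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    // Registered with app.CreatePerOwinContext<ApplicationUserManager>(Create) in Startup.
    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(
            new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));

        manager.UserValidator = new UserValidator<ApplicationUser>(manager)
        {
            AllowOnlyAlphanumericUserNames = false,   // user names are e-mail addresses here
            RequireUniqueEmail = true
        };

        // Replaces the default MinimumLengthValidator(6).
        manager.PasswordValidator = new DenyListPasswordValidator();
        return manager;
    }
}
```

Hashing is not something the validator has to do: the manager runs the validator on the clear-text password and then stores only PasswordHasher.HashPassword(password) through the user store.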
- Social Logins
- You can add support so that users can log in using their Facebook, Google, Twitter, Microsoft Account and more.
- Basic User Management
- Do Create, Update, List and Delete Users. Assign a Role to a User. Only Users In Role Admin can access this page. This uses the [Authorize(Roles = "Admin")] on the UserAdmin controller.
- Basic Role Management
- Do Create, Update, List and Delete Roles. Only Users In Role Admin can access this page. This authorization is done by using the [Authorize(Roles = "Admin")] on the RolesAdmin controller.
- Account Confirmation
- When you register a new account, you are sent a confirmation email. You can use an email service such as SendGrid, which integrates with Windows Azure and requires no configuration, or set up an SMTP server to send email. You can send email using the EmailService which is registered in App_Start\IdentityConfig.cs
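The confirmation flow above as an added example, not the sample's own controller: an IIdentityMessageService that only logs (so it runs without SendGrid or SMTP), a UserManager with a DataProtectorTokenProvider (required, or GenerateEmailConfirmationTokenAsync throws NotSupportedException), and the Register/ConfirmEmail actions. The view model, view names and ApplicationUser type are assumptions:

```csharp
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

public class ApplicationUser : IdentityUser { }
public class ApplicationDbContext : IdentityDbContext<ApplicationUser> { }
public class RegisterViewModel { public string Email { get; set; } public string Password { get; set; } }

// Logging stand-in for SendGrid/SMTP; only SendAsync changes for a real provider.
public class EmailService : IIdentityMessageService
{
    public Task SendAsync(IdentityMessage message)
    {
        System.Diagnostics.Trace.TraceInformation("To: {0} | {1} | {2}",
            message.Destination, message.Subject, message.Body);
        return Task.FromResult(0);
    }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));
        manager.EmailService = new EmailService();

        // Confirmation and reset tokens are encrypted + signed with the host's data
        // protection keys (machine key under IIS); without a token provider no
        // e-mail token can be generated.
        if (options.DataProtectionProvider != null)
        {
            manager.UserTokenProvider = new DataProtectorTokenProvider<ApplicationUser>(
                options.DataProtectionProvider.Create("ASP.NET Identity"));
        }
        return manager;
    }
}

public partial class AccountController : Controller
{
    private ApplicationUserManager UserManager
    {
        get { return HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>(); }
    }

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public async Task<ActionResult> Register(RegisterViewModel model)
    {
        if (!ModelState.IsValid) return View(model);

        var user = new ApplicationUser { UserName = model.Email, Email = model.Email };
        var result = await UserManager.CreateAsync(user, model.Password);
        if (!result.Succeeded)
        {
            foreach (var error in result.Errors) ModelState.AddModelError("", error);
            return View(model);
        }

        // Token is bound to this user id and the "Confirmation" purpose and expires
        // (TokenLifespan on the provider, default one day); it is never stored server-side.
        string code = await UserManager.GenerateEmailConfirmationTokenAsync(user.Id);
        var callbackUrl = Url.Action("ConfirmEmail", "Account",
            new { userId = user.Id, code = code }, protocol: Request.Url.Scheme);
        await UserManager.SendEmailAsync(user.Id, "Confirm your account",
            "Please confirm your account by clicking <a href=\"" + callbackUrl + "\">here</a>");

        return View("DisplayEmail");   // do not sign the user in until the mailbox is proven
    }

    [AllowAnonymous]
    public async Task<ActionResult> ConfirmEmail(string userId, string code)
    {
        if (userId == null || code == null) return View("Error");

        // Verifies signature, purpose, user id and expiry, then sets EmailConfirmed = true.
        var result = await UserManager.ConfirmEmailAsync(userId, code);
        return View(result.Succeeded ? "ConfirmEmail" : "Error");
    }
}
```

Because the token carries the user's security stamp, changing the password or removing a login after registration invalidates an unused confirmation link, which is usually the desired behaviour.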
- Two-Factor Authentication
This sample shows how you can use two-factor authentication. It has an SMS service and an email service registered so that the security code can be sent by SMS or by email.
You can add more two-factor authentication factors, such as QR codes, and plug them into ASP.NET Identity.
- You can send SMS using Twilio or any other means of sending SMS. Please read for more details on using Twilio. You can send SMS using the SmsService which is registered in App_Start\IdentityConfig.cs
- You can use an email service such as SendGrid or set up an SMTP server to send email. You can send email using the EmailService which is registered in App_Start\IdentityConfig.cs
- When you login, you can add a phone number by clicking the Manage page.
- Once you add a phone number and have the phone service hooked up to send an SMS, you will get a code through SMS to confirm your phone number.
- In the Manage page, you can turn on Two-Factor authentication.
- When you logout and login, after you enter the username and password, you will get an option of how to get the security code to use for two-factor authentication.
- You can copy the code from your SMS or email and enter in the form to login.
- The sample also shows how to protect against brute-force attacks on two-factor codes. When you enter a code incorrectly 5 times, you are locked out for 5 minutes before you can enter a new code. These settings can be configured in App_Start\IdentityConfig.cs by setting DefaultAccountLockoutTimeSpan and MaxFailedAccessAttemptsBeforeLockout on the UserManager.
- If the machine you are browsing this website from is your own, you can check the "Remember Me" option after you enter the code. This option remembers you indefinitely on this machine and will not ask for two-factor authentication the next time you log in to the website. You can change your "Remember Me" settings for two-factor authentication in the Manage page.
- Account Lockout
- Provides a way to lock out the user if they enter their password or two-factor codes incorrectly. The number of invalid attempts and the time span for which users are locked out can be configured. A developer can optionally turn off account lockout for certain user accounts should they need to.
- Account LockOut settings can be configured in the UserManager in IdentityConfig.cs
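An added example covering both the two-factor section and the account lockout section above (it is not the sample's IdentityConfig.cs, though it mirrors its shape): the UserManager configured with the lockout thresholds and two two-factor providers, the SignInManager, the two-factor cookies in Startup, and the code-verification call that reports a lockout. The SmsService and EmailService only log, and ApplicationUser, ApplicationDbContext and the provider key names are assumptions:

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Owin;

public class ApplicationUser : IdentityUser { }
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public static ApplicationDbContext Create() { return new ApplicationDbContext(); }
}

// Logging stand-ins for Twilio / SendGrid so this runs without either account.
public class SmsService : IIdentityMessageService
{
    public Task SendAsync(IdentityMessage message)
    {
        System.Diagnostics.Trace.TraceInformation("SMS to {0}: {1}", message.Destination, message.Body);
        return Task.FromResult(0);
    }
}
public class EmailService : IIdentityMessageService
{
    public Task SendAsync(IdentityMessage message)
    {
        System.Diagnostics.Trace.TraceInformation("Email to {0}: {1}", message.Destination, message.Body);
        return Task.FromResult(0);
    }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    public static ApplicationUserManager Create(IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));

        // Lockout: 5 failed passwords or two-factor codes lock the account for 5 minutes.
        // UserLockoutEnabledByDefault applies to users created afterwards; existing users
        // keep their own LockoutEnabled flag, which SetLockoutEnabled toggles per account.
        manager.UserLockoutEnabledByDefault = true;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;

        // Two-factor providers; the keys are the choices shown to the user after the password step.
        // Both are TOTP-style codes derived from the user's security stamp, sent via the services below.
        manager.RegisterTwoFactorProvider("Phone Code", new PhoneNumberTokenProvider<ApplicationUser>
        {
            MessageFormat = "Your security code is: {0}"
        });
        manager.RegisterTwoFactorProvider("Email Code", new EmailTokenProvider<ApplicationUser>
        {
            Subject = "Security Code",
            BodyFormat = "Your security code is: {0}"
        });
        manager.SmsService = new SmsService();
        manager.EmailService = new EmailService();
        return manager;
    }
}

public class ApplicationSignInManager : SignInManager<ApplicationUser, string>
{
    public ApplicationSignInManager(ApplicationUserManager userManager, IAuthenticationManager authenticationManager)
        : base(userManager, authenticationManager) { }

    public static ApplicationSignInManager Create(IdentityFactoryOptions<ApplicationSignInManager> options, IOwinContext context)
    {
        return new ApplicationSignInManager(context.GetUserManager<ApplicationUserManager>(), context.Authentication);
    }
}

public partial class Startup
{
    public void ConfigureTwoFactor(IAppBuilder app)
    {
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
        app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);

        // The pending-second-step cookie lives 5 minutes; the remember-browser cookie is
        // what "Remember Me" on the code page sets, so treat it as a long-lived credential.
        app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
        app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
    }
}

// A wrong code counts as a failed access; after MaxFailedAccessAttemptsBeforeLockout
// failures TwoFactorSignInAsync returns LockedOut until DefaultAccountLockoutTimeSpan elapses.
public static class TwoFactorVerification
{
    public static async Task<string> VerifyAsync(ApplicationSignInManager signInManager,
        string provider, string code, bool rememberBrowser)
    {
        var status = await signInManager.TwoFactorSignInAsync(provider, code, isPersistent: false, rememberBrowser: rememberBrowser);
        switch (status)
        {
            case SignInStatus.Success:   return "signed in";
            case SignInStatus.LockedOut: return "locked out; retry after the lockout window";
            default:                     return "invalid code";
        }
    }
}
```

The same counters apply to the password step only when the login action calls PasswordSignInAsync with shouldLockout: true; with false, failed passwords are not counted.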
- Security Token provider
- Supports a way to regenerate the security token for the user when the user changes their password or any other security-related information, such as removing an associated login (Facebook, Google, Microsoft Account etc.). This is needed to ensure that any tokens generated with the old password are invalidated. In the sample project, if you change the user's password then a new token is generated for the user and any previous tokens are invalidated. This feature adds a layer of security to your application: when you change your password, you are logged out from everywhere else (all other browsers) where you have logged in to this application.
- The provider is registered when you add CookieAuthentication in StartupAuth to your application.
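An added example of the registration described above, written for this README rather than copied from the sample's Startup.Auth.cs: the cookie middleware with the SecurityStampValidator hooked into OnValidateIdentity, and a password-change flow showing why the current browser stays signed in while every other one is logged out. ApplicationUser, ApplicationUserManager and the 30-minute interval are assumptions:

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

public class ApplicationUser : IdentityUser
{
    // Identity placed in the cookie; it includes a claim holding the user's current
    // security stamp, which is what the validator compares against the store.
    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {
        return await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
    }
}

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }
}

public partial class Startup
{
    public void ConfigureApplicationCookie(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // Once per validateInterval the stamp in the cookie is compared with the
                // stamp stored for the user; on mismatch the cookie is rejected and that
                // browser is signed out. Shorter interval = faster revocation, more DB reads.
                OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    validateInterval: TimeSpan.FromMinutes(30),
                    regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
            }
        });
    }
}

public static class PasswordChangeFlow
{
    // ChangePasswordAsync rotates the security stamp itself, so every other cookie fails
    // its next validation. Re-signing in here gives the current browser a cookie with
    // the new stamp so the person who changed the password is not logged out as well.
    public static async Task<IdentityResult> ChangePasswordAsync(ApplicationUserManager manager,
        SignInManager<ApplicationUser, string> signInManager, string userId, string oldPassword, string newPassword)
    {
        var result = await manager.ChangePasswordAsync(userId, oldPassword, newPassword);
        if (result.Succeeded)
        {
            var user = await manager.FindByIdAsync(userId);
            await signInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);
        }
        return result;
    }

    // "Sign out everywhere" without a password change: rotating the stamp alone
    // invalidates all existing cookies (and unused e-mail tokens) for the user.
    public static Task<IdentityResult> SignOutEverywhereAsync(ApplicationUserManager manager, string userId)
    {
        return manager.UpdateSecurityStampAsync(userId);
    }
}
```

The validator only reads the stamp at the interval boundary, so a revoked session may survive for up to validateInterval; set it to TimeSpan.Zero if every request must hit the store.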
- Password Reset
- Allows users to reset their password if they have forgotten it. In this sample, users need to confirm their email before they can reset their password.
- Custom Storage providers
- You can extend ASP.NET Identity by writing your own custom storage provider for storing the ASP.NET Identity system and user data in a persistence system of your choice, such as MongoDB, RavenDB, Azure Table Storage etc.
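An added example, not part of the sample, of the smallest custom storage provider that UserManager will accept: an in-memory store implementing IUserStore and IUserPasswordStore. It works with any backend because the manager never sees the storage; it only calls these methods, and the password it hands over is already hashed. The user type, the dictionary backing and the sample credentials are constructed for this example:

```csharp
using System;
using System.Collections.Concurrent;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Minimal user entity: IUser is IUser<string>, so Id is a string key.
public class InMemoryUser : IUser
{
    public InMemoryUser() { Id = Guid.NewGuid().ToString(); }
    public string Id { get; private set; }
    public string UserName { get; set; }
    public string PasswordHash { get; set; }   // set by the manager, already hashed
}

// Replace the ConcurrentDictionary with MongoDB/RavenDB/Table Storage calls and the
// rest of the Identity pipeline (validators, hashing, sign-in) is unchanged.
public class InMemoryUserStore : IUserStore<InMemoryUser>, IUserPasswordStore<InMemoryUser>
{
    private readonly ConcurrentDictionary<string, InMemoryUser> _usersById =
        new ConcurrentDictionary<string, InMemoryUser>(StringComparer.Ordinal);

    public Task CreateAsync(InMemoryUser user)
    {
        if (!_usersById.TryAdd(user.Id, user)) throw new InvalidOperationException("duplicate id");
        return Task.FromResult(0);
    }

    public Task UpdateAsync(InMemoryUser user)
    {
        _usersById[user.Id] = user;
        return Task.FromResult(0);
    }

    public Task DeleteAsync(InMemoryUser user)
    {
        InMemoryUser removed;
        _usersById.TryRemove(user.Id, out removed);
        return Task.FromResult(0);
    }

    public Task<InMemoryUser> FindByIdAsync(string userId)
    {
        InMemoryUser user;
        _usersById.TryGetValue(userId, out user);
        return Task.FromResult(user);   // null when absent, as the manager expects
    }

    public Task<InMemoryUser> FindByNameAsync(string userName)
    {
        // Case-insensitive lookup: UserValidator relies on this to reject duplicate names.
        var user = _usersById.Values.FirstOrDefault(
            u => string.Equals(u.UserName, userName, StringComparison.OrdinalIgnoreCase));
        return Task.FromResult(user);
    }

    // IUserPasswordStore: the manager stores PasswordHasher output here and reads it
    // back to verify logins; the store never sees a clear-text password.
    public Task SetPasswordHashAsync(InMemoryUser user, string passwordHash)
    {
        user.PasswordHash = passwordHash;
        return Task.FromResult(0);
    }

    public Task<string> GetPasswordHashAsync(InMemoryUser user)
    {
        return Task.FromResult(user.PasswordHash);
    }

    public Task<bool> HasPasswordAsync(InMemoryUser user)
    {
        return Task.FromResult(!string.IsNullOrEmpty(user.PasswordHash));
    }

    public void Dispose() { }
}

// Plugging the store into a stock UserManager: create a user, then check that the
// right password verifies and a wrong one does not. Credentials are constructed.
public static class CustomStoreDemo
{
    public static async Task<bool> RunAsync()
    {
        var manager = new UserManager<InMemoryUser>(new InMemoryUserStore());
        var created = await manager.CreateAsync(new InMemoryUser { UserName = "alice" }, "S3cret!pass");
        if (!created.Succeeded) return false;

        var ok = await manager.FindAsync("alice", "S3cret!pass");   // hash comparison via PasswordHasher
        var bad = await manager.FindAsync("alice", "wrong-password");
        return ok != null && bad == null;
    }
}
```

Features the manager offers are gated on which store interfaces you implement: without IUserLockoutStore the lockout settings are silently ignored, and without IUserSecurityStampStore the stamp-based invalidation and TOTP two-factor providers are unavailable, so implement those next for a production provider.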
- Tutorials: www.asp.net/identity
- StackOverflow: http://stackoverflow.com/questions/tagged/asp.net-identity
- Twitter: #identity #aspnet
- ASP.NET Identity on curah
- Have bugs or suggestions for ASP.NET Identity http://aspnetidentity.codeplex.com/