3

I have been following this post on creating a custom "storage provider" for the new ASP.NET Identity system, and so far it has proven very informative;

Creating a custom MySQL Identity Provider

I am not using MySQL, I am using RavenDB - and yes, I have already looked at the available RavenDB Identity Providers out there - that isn't really my issue. My issue comes with the IUserRoleStore<IdentityUser> and then the IdentityRole, as well as RoleStore.

I see them get created - I even see how they access data to see if a user is in a role, etc. But then later, I just see this ..

[Authorize(Roles = "Admin")]
public AccountController : Controller { 
    /// ... etc .etc..
}

This is where I am getting outright lost. I have looked up dozens and dozens and dozens of tutorials on the new ASP.NET Identity system and I cannot figure out at what point something becomes associated with the AuthorizeAttribute. How does it know to use the RoleStore I made? How does it know to use the IdentityRole I made? What is it verifying against?

These are all things I cannot find anywhere, and it is driving me kind of batty. Everything I find keeps plugging into Entity Framework, which isn't what I want to use - and it is just that way out of the box, and they seem to stop without telling you how to make sure the Authorize works like you want it to.

Community
  • 1
  • 1
Ciel
  • 4,290
  • 8
  • 51
  • 110

2 Answers2

3

It's actually a little bit simpler than that. When a user logs in, these lines in the AccountController creates a ClaimsIdentity and the auth middleware sets a cookie...

var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
AuthenticationManager.SignIn(new AuthenticationProperties() { IsPersistent = isPersistent }, identity);

The roles information is read from the database when the ClaimsIdentity is created. The identity (including the roles) is serialized and encrypted into the cookie. On subsequent requests, the ClaimsIdentity is decrypted and deserialized from the cookie by the middleware. The identity is attached to the thread, and that's what the AuthorizeAttribute uses to determine if the user is in a role. You can also programmatically access the ClaimsIdentity using User.Identity in a controller.

Anthony Chu
  • 37,170
  • 10
  • 81
  • 71
  • 1
    Man, I don't know how you guys keep up with all of this. I read every blog I can and all of this still goes so far over my head, even with all of my experience. – Ciel Apr 21 '14 at 18:25
  • @Ciel - It helps to use something like Resharper or similar to reverse engineer the code and walk through it.. or look through the aspnetwebstack sources on codeplex. – Erik Funkenbusch Apr 21 '14 at 19:22
2

The Authorize attribute doesn't know anything about ASP.NET Identity, or any other identity system. It simply works with IPrincipal and IIdentity interfaces that the MVC framework sets up for you.

ASP.NET Identity uses a ClaimsIdentity object, which implements IIdentity.

So the Framework, via the UserManager creates an authentication ticket. When a page loads, it loads this authentication ticket, decrypts it, and creates the necessary principal and identity and role objects.

Then, the Authorize attribute just basically checks User.IsInRole("Blah") when you say

[Authorize(Roles="Blah")]

Erik Funkenbusch
  • 92,674
  • 28
  • 195
  • 291
  • 1
    @Ciel - Well, I wouldn't say "literal", and if you understand the MVC (or asp.net for that matter) pipeline then it makes sense. The key point to understand is that Authorize doesn't care about which identity system you use, it's generic to ASP.NET's builtin interfaces. The "magic" happens in how the identities are wired up on the page load. – Erik Funkenbusch Apr 21 '14 at 19:18
  • Lol, I was being a bit sarcastic. It does seem a bit magical though. – Ciel Apr 25 '14 at 13:33
  • Man, after exploring this further, the whole thing is just amazing. Say what you will about Microsoft, and people bash them a lot - and many bash ASP.NET, but the entire strategy for the identity system is pretty incredible. – Ciel May 04 '14 at 20:39