
How can I manage two levels of authentication in ASP.NET Identity, where some (critical) functions can only be called when fully authenticated, while some less critical ones can be called with less secure authentication?

Scenario:

The users can log in two ways:

  • Via the usual username/password functionality (Full Auth)
  • Via a short-lived URL token/one time password (Partial Auth)

Ideally, I can use something similar to the `[Authorize(Roles=xxxxx)]` attributes to easily decorate methods that require full or partial auth. This would hopefully also take care of redirecting to the Full Login page if partially authenticated.

How can this be accomplished in 2022?

The same question was asked in 2014 here - but that was 8 years ago, and many things could have changed, so I think it is relevant to ask again.

Kjensen
  • How about using an [authorization policy](https://learn.microsoft.com/en-us/aspnet/core/security/authorization/policies?view=aspnetcore-6.0)? The idea is that on a full login, we grant an additional claim like `Fully`. Then we set the default authorization policy to just require an authenticated user, but for the sensitive ones, decorate the action with `[Authorize(Policy=xxx)]`, which requires an authenticated user and the extra `Fully` claim? The implementation would vary with the authentication mechanism. – Gordon Khanh Ng. Jan 16 '22 at 05:47
  • @GordonKhanhNg. Thanks, I will look into that. :) – Kjensen Jan 27 '22 at 12:34
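
The policy approach suggested in the comment above, written out for cookie authentication in an ASP.NET Core 6 `Program.cs`. This is an added example, not code from the thread. The claim `auth_level`, the policy name `FullAuth`, the routes and the two placeholder credential checks are assumptions.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o =>
    {
        o.LoginPath = "/login";        // anonymous caller: challenge redirects here
        o.AccessDeniedPath = "/login"; // partial session failing FullAuth: forbid redirects here
    });
builder.Services.AddAuthorization(o =>
    // Assumed claim: auth_level=full, issued only by the password login below.
    o.AddPolicy("FullAuth", p => p.RequireAuthenticatedUser().RequireClaim("auth_level", "full")));
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Placeholders (fail closed): plug in the real password and one-time-token checks.
Func<string, string, bool> passwordOk = (user, password) => false;
Func<string, string?> userForToken = token => null;

// Both logins issue the same cookie; only the password path adds the claim.
static ClaimsPrincipal Principal(string user, bool full)
{
    var claims = new List<Claim> { new(ClaimTypes.Name, user) };
    if (full) claims.Add(new("auth_level", "full"));
    return new(new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme));
}

app.MapGet("/login", () => Results.Content("<form method=post><input name=user>" +
    "<input name=password type=password><button>Log in</button></form>", "text/html"));
app.MapPost("/login", async (HttpContext ctx) =>
{
    var form = await ctx.Request.ReadFormAsync();
    var user = form["user"].ToString();
    if (!passwordOk(user, form["password"].ToString())) return Results.Unauthorized();
    await ctx.SignInAsync(Principal(user, full: true));   // full session
    return Results.Redirect("/orders");
});
app.MapGet("/login/token", async (HttpContext ctx, string t) =>
{
    if (userForToken(t) is not string user) return Results.Unauthorized();
    await ctx.SignInAsync(Principal(user, full: false));  // partial session, no claim
    return Results.Redirect("/orders");
});
app.MapGet("/orders", () => "partial or full session").RequireAuthorization();
app.MapPost("/account/email", () => "full session only").RequireAuthorization("FullAuth");
app.Run();
```

On MVC controllers the same split is `[Authorize]` for partial-or-full actions and `[Authorize(Policy = "FullAuth")]` for critical ones. A later password login replaces the partial cookie, so the session is upgraded rather than duplicated.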
