Giacomo Santarnecchi Giacomo Santarnecchi - 7 months ago 73
C# Question

How to implement custom authentication in ASP.NET MVC 5

I'm developing an ASP.NET MVC 5 application. I have an existing DB, from which I created my ADO.NET Entity Data Model.
I have a table in that DB which contains "username" and "password" column, and I want to use them to implement authentication and authorization in my Webapp; I cannot create any other database or table or column and I cannot use the standard Identity authentication, because of customer's requirements.
I don't need to manage signup, password changing or other stuffs: just login with password and username.
How can I do that?


Yes you can. Microsoft's Identity framework's authentication and authorization parts works independently. If you have own authentication service you can just use Identity's authorization part. Consider you already have a UserManager which validates username and password. Therefore you can write following code in your post back login action:

public ActionResult Login(string username, string password)
    if (new UserManager().IsValid(username, password))
        var ident = new ClaimsIdentity(
          new[] { 
              // adding following 2 claim just for supporting default antiforgery provider
              new Claim(ClaimTypes.NameIdentifier, username),
              new Claim("", "ASP.NET Identity", ""),

              new Claim(ClaimTypes.Name,username),

              // optionally you could add roles if any
              new Claim(ClaimTypes.Role, "RoleName"),
              new Claim(ClaimTypes.Role, "AnotherRole"),


           new AuthenticationProperties { IsPersistent = false }, ident);
        return RedirectToAction("MyAction"); // auth succeed 
    // invalid username or password
    ModelState.AddModelError("", "invalid username or password");
    return View();

And your user manager can be something like this:

class UserManager
    public bool IsValid(string username, string password)
         using(var db=new MyDbContext()) // use your DbConext
             // if your users set name is Users
             return db.Users.Any(u=>u.Username==username 
                 && u.Password==password); 

At the end you can protect your actions or controllers by adding Authorize attribute.

public ActionResult MySecretAction()
    // all authorized users can use this method
    // we have access current user principal by calling also
    // HttpContext.User

public ActionResult MySecretAction()
    // just Admin users have access to this method