Giacomo Santarnecchi - 10 months ago
C# Question

How to implement custom authentication in ASP.NET MVC 5

I'm developing an ASP.NET MVC 5 application. I have an existing DB, from which I created my ADO.NET Entity Data Model.
I have a table in that DB which contains "username" and "password" columns, and I want to use them to implement authentication and authorization in my web app; I cannot create any other database, table or column, and I cannot use the standard Identity authentication, because of the customer's requirements.
I don't need to manage signup, password changing or other stuff: just login with password and username.
How can I do that?

Answer Source

Yes, you can. The authentication and authorization parts of Microsoft's Identity framework work independently. If you have your own authentication service, you can just use Identity's authorization part. Consider that you already have a UserManager which validates the username and password. You can then write the following code in your postback login action:

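// Namespaces used by this action
using System.Security.Claims;
using System.Web;                 // GetOwinContext() extension method
using System.Web.Mvc;
using Microsoft.AspNet.Identity;  // DefaultAuthenticationTypes
using Microsoft.Owin.Security;    // AuthenticationProperties

[HttpPost]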
public ActionResult Login(string username, string password)
{
    if (new UserManager().IsValid(username, password))
    {
        var ident = new ClaimsIdentity(
          new[] { 
              // the following 2 claims are added only to support the default antiforgery provider
              new Claim(ClaimTypes.NameIdentifier, username),
              new Claim("http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider", "ASP.NET Identity", "http://www.w3.org/2001/XMLSchema#string"),

              new Claim(ClaimTypes.Name,username),

              // optionally you could add roles if any
              new Claim(ClaimTypes.Role, "RoleName"),
              new Claim(ClaimTypes.Role, "AnotherRole"),

          },
          DefaultAuthenticationTypes.ApplicationCookie);

        HttpContext.GetOwinContext().Authentication.SignIn(
           new AuthenticationProperties { IsPersistent = false }, ident);
        return RedirectToAction("MyAction"); // authentication succeeded
    }
    // invalid username or password
    ModelState.AddModelError("", "invalid username or password");
    return View();
}

And your user manager can be something like this:

class UserManager
{
    public bool IsValid(string username, string password)
    {
         using(var db=new MyDbContext()) // use your DbContext
         {
             // if your users set name is Users
             return db.Users.Any(u=>u.Username==username 
                 && u.Password==password); 
         }
    }
}

At the end, you can protect your actions or controllers by adding the Authorize attribute.

[Authorize]
public ActionResult MySecretAction()
{
    // all authenticated users can use this method
    // the current user principal is also available via
    // HttpContext.User
    return View();
}

[Authorize(Roles="Admin")]
public ActionResult MySecretAction()
{
    // only users in the Admin role have access to this method
    return View();
}