Nikhil VC - 11 months ago
ASP.NET (C#) Question

Difference between authentication and authorization filters in aspnet-mvc5

Why is the authentication filter included in MVC 5? What is the major difference between the authentication filter and the authorization filter in MVC 5?

Answer Source

To answer this you must understand the difference between authentication and authorization. Simply put,

  • Authentication is the server trying to identify the user (i.e. asking the question of 'who are you'). Usually this involves entering usernames, passwords, and/or access tokens.
  • Authorization is the server determining whether the claimed user can/cannot perform certain actions.

Given the above definitions, authorization must come after authentication since you must be able to identify the user before determining what actions are legal for that particular user.

For ASP.NET MVC, authentication filters run before authorization filters as explained above. They both allow you to specify custom authentication (via IAuthenticationFilter.OnAuthentication and IAuthenticationFilter.OnAuthenticationChallenge) and authorization logic (via IAuthorizationFilter.OnAuthorization) respectively.
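
The two filter types side by side, as an added example that is not part of the original answer: the authentication filter rejects anonymous callers with 401, the authorization filter rejects known callers without the required role with 403. The attribute names, the "Admin" role, the controller and the login URL are hypothetical.

```csharp
using System.Net;
using System.Security.Principal;
using System.Web.Mvc;
using System.Web.Mvc.Filters;

// Authentication filter: answers "who are you?". Runs before any authorization filter.
public class RequireAuthenticatedUserAttribute : FilterAttribute, IAuthenticationFilter
{
    public void OnAuthentication(AuthenticationContext filterContext)
    {
        IPrincipal user = filterContext.Principal;
        if (user == null || user.Identity == null || !user.Identity.IsAuthenticated)
        {
            // No established identity: short-circuit the pipeline with 401.
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    public void OnAuthenticationChallenge(AuthenticationChallengeContext filterContext)
    {
        // Invoked when a result is about to be executed; turn a 401 into a login prompt.
        if (filterContext.Result is HttpUnauthorizedResult)
        {
            filterContext.Result = new RedirectResult("~/Account/Login"); // hypothetical URL
        }
    }
}

// Authorization filter: answers "may this identified user do this?".
public class RequireRoleAttribute : FilterAttribute, IAuthorizationFilter
{
    private readonly string _role;
    public RequireRoleAttribute(string role) { _role = role; }

    public void OnAuthorization(AuthorizationContext filterContext)
    {
        IPrincipal user = filterContext.HttpContext.User;
        if (user == null || !user.IsInRole(_role))
        {
            // Identity is known but lacks the role: 403, not 401.
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Forbidden);
        }
    }
}

[RequireRole("Admin")]          // attribute order does not change the pipeline order
[RequireAuthenticatedUser]
public class ReportsController : Controller
{
    public ActionResult Index() { return Content("admin report"); }
}
```

Keeping 401 (not authenticated) distinct from 403 (authenticated but not permitted) prevents a logged-in user who lacks a role from being sent back to the login page in a loop.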