Microsoft's New ASP.NET Identity Membership System for One ASP.NET

For a technology that's well over a decade old, you might expect that ASP.NET would be an old fuddy-duddy by now, mature and widely used but set in its ways. Thankfully, it's anything but! Microsoft's ASP.NET team has been busy for the last several years, and the upcoming releases around Visual Studio 2013 will bring some exciting and useful changes. Several changes are centered around Microsoft's "One ASP.NET" unification strategy -- or at least the first step towards it -- of all web application project types.

Related: "Microsoft's Web API Framework: Bridging the Divide Between Web Forms and ASP.NET MVC"

One new configuration option that you can use when creating a new web project in Visual Studio 2013 is the Change Authentication feature, which is available right in the New Project dialog box. Now you'll be able to base authentication on individual user or organization accounts, as well as Windows authentication. Support for Facebook, Twitter, and Google authentication comes out of the box for individual user accounts. Authentication support for OpenID and OAuth protocols comes through the open-source DotNetOpenAuth project that you can also use directly.

But the really big news for security in the new releases is the new ASP.NET Identity membership system, a complete rewrite of the old Membership feature. Membership was a built-in way to validate and store user credentials, making it fairly easy to manage user authentication in websites using the provider model to make it extensible, but with too many limitations. The new Identity system still supports user management and adding login features to applications, but it's even easier to customize the data you store about each user. And it goes well beyond those basic features.

Related: "Entity Framework's Code-First Design: Going Beyond the Basic Database Objects"

The magic of customizing user information happens through the use of Entity Framework's Code First feature. You can extend the Plain Old C# Object (POCO) classes it uses to automatically update the data store for the custom data, a slick use of this Entity Framework feature. Identity uses a database by default, but you can also store it in other locations, such as SharePoint, Azure Table Service, or NoSql databases by plugging in a different storage provider.

The new identity system is based on OWIN, the Open Web Interface for .NET. OWIN is an extensible middleware layer that lets you plug into an authentication pipeline. That's a topic for another article -- more like a series of articles -- but it's a technology that developers in the Microsoft web space will want to learn more about. It's already integrated into some of the latest tool and technologies surrounding Visual Studio 2012.

ASP.NET Identity also supports claims-based authentication that represents the user's identity as a set of claims from a trusted issuer. The benefit of claims-based authentication is that it abstracts the individual elements of identity and access control into two parts: a general notion of claims and the concept of a trusted issuer or authority. This is a whole different way of thinking about identity and authentication that can overcome the limitations of relying on usernames and passwords, and now it's built into ASP.NET.

Whenever I start thinking that it's time to start looking around for a better web development stack and tools and environment, Microsoft always sucks me back into Visual Studio and the .NET Framework with releases that we're reportedly going to be seeing this fall. There is some exciting stuff coming, and the vastly improved web application security features look like winners.