New Visual Studio 2013 Security Feature: ASP.NET Identity
In his latest commentary, Don Kiely delves into the new ASP.NET Identity feature that's available in Visual Studio 2013 and outlines why it's a better choice for secure application development.
November 7, 2013
As you no doubt know by now, Microsoft released Visual Studio 2013, a scant 14 months after Visual Studio 2012 was unleashed. I have mixed feelings about such frequent releases of major versions of a tool that I spend all day in, but it’s certainly exciting to have new features to play with. Not only does Visual Studio have a lot of nice features, but also the simultaneous release of updated versions of other development technologies will have a significant impact on my work in the coming months—an impact that I expect to be largely for the better.
I’m not going to write yet another overview of what’s new in Visual Studio 2013 and the related releases; there are plenty of those around, both from Microsoft and others. One of the best is Troy Hunt’s “Essential reading for Visual Studio 2013, MVC 5 and Web API 2.” Regular readers of my musings here on Dev Pro know that I’m a bit of a Troy fanboy; he is a fellow MVP in Developer Security and a very nice guy. I consider his blog to be essential reading for developers who know that security is important. Instead, I’m going to briefly explore just one of the interesting new security-related features in this release: ASP.NET Identity.
ASP.NET Identity
ASP.NET has long provided a Membership system that supports customizing a user’s experience on your website. Early versions provided a nice infrastructure that you could build on and used a provider model to let you plug in your own features if the out-of-the-box features didn’t meet your needs. However, the ASP.NET Membership system was difficult to work with: it offered several different kludges for storing the data, and customization often was a challenge. One of the best summaries signaling that Membership’s time was over comes from Microsoft’s own documentation:
“ASP.NET Membership was designed to solve site membership requirements that were common in 2005, which involved Forms Authentication, and a SQL Server database for user names, passwords, and profile data. Today there is a much broader array of data storage options for web applications, and most developers want to enable their sites to use social identity providers for authentication and authorization functionality.”
That article goes on to list just a few—very few—of the problems with the Membership system as the security landscape of the web changed around it, problems that limited its ability to adapt to new security threats and the evolution of security technology. The Membership system evolved over iterations of ASP.NET, but eventually it became clear that it was pretty much a dead-end technology. This became especially clear as developers tried to extend it to support different credential stores and the expanding world of authentication schemes.
ASP.NET Identity is the new membership system for all types of ASP.NET applications. The list of primary features is pretty impressive and hits some of the worst pain points of the older ASP.NET Membership system:
One ASP.NET Identity System to Rule Them All. Identity is usable and built into all ASP.NET frameworks, including MVC, Web Forms, Web Pages, Web API, and SignalR.
Social Login Providers. Why store your own user credentials when so many other sites have done all the heavy lifting for you? Identity supports social logins, including Microsoft Account, Facebook, Twitter, Google, and others, so the external provider verifies the user’s password and your application never sees it. All you need to store is the user-specific data your application needs and whatever’s required to customize the application for each user.
You Control User and Profile Schemas. It’s now far easier to include custom information about the user, no matter what authentication types you build into the application.
You Control Data Storage. By default, Identity stores user information in a database through Entity Framework Code First, which means the schema is defined by your own classes and you can use SQL Server or any other database Entity Framework supports. If you want a different storage mechanism entirely, you can implement your own store and plug it in.
Testability. The earliest versions of ASP.NET Membership arrived shortly before unit testing became a big thing, so it wasn’t designed with testability in mind. Microsoft is now all about testability, so you can unit test the parts of your application that use Identity.
Support for Claims-Based Authentication. ASP.NET Identity fully supports claims-based authentication, in which a set of claims (typed statements about the user, such as an email address or a tenant) represents a user’s identity. This provides much more flexibility than traditional roles, where the only question you can ask is whether the user is or is not a member of a group.
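To make the schema, storage, and claims points above concrete, here is an added example written for this page; it is not code from the article or from Microsoft’s templates. It assumes the ASP.NET Identity 1.0 packages that ship with Visual Studio 2013 (Microsoft.AspNet.Identity.Core and Microsoft.AspNet.Identity.EntityFramework), a connection string named "DefaultConnection", and the class names ApplicationUser and ApplicationDbContext, which follow the Visual Studio 2013 template convention but are otherwise arbitrary. The claim type "urn:example:tenant" and the tenant value are invented for the example.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

// "You Control User and Profile Schemas": extra properties on the user class
// become columns in the users table through EF Code First. Names are assumed.
public class ApplicationUser : IdentityUser
{
    public string DisplayName { get; set; }
    public DateTime JoinedUtc { get; set; }
}

// "You Control Data Storage": IdentityDbContext gives you the Identity tables
// in whatever database the named connection string points at (assumed name).
public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    public ApplicationDbContext() : base("DefaultConnection") { }
}

public static class IdentityDemo
{
    // Registers a user, attaches a claim, verifies the credentials, and builds
    // the ClaimsIdentity that the OWIN cookie middleware signs in with.
    public static async Task<ClaimsIdentity> RegisterAndAuthenticateAsync(string userName, string password)
    {
        using (var db = new ApplicationDbContext())
        {
            var manager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));

            var user = new ApplicationUser
            {
                UserName = userName,
                DisplayName = userName,
                JoinedUtc = DateTime.UtcNow
            };

            // Identity hashes the password before it reaches the store; the
            // plaintext is never persisted. Check the result, do not assume success.
            IdentityResult created = await manager.CreateAsync(user, password);
            if (!created.Succeeded)
                throw new InvalidOperationException(string.Join("; ", created.Errors));

            // "Support for Claims-Based Authentication": a typed statement about
            // the user, stored alongside the account (claim type is invented here).
            await manager.AddClaimAsync(user.Id, new Claim("urn:example:tenant", "contoso"));

            // Credential check: FindAsync returns null on a bad password rather than throwing.
            ApplicationUser found = await manager.FindAsync(userName, password);
            if (found == null)
                return null;

            // The resulting ClaimsIdentity carries the stored claims and is what
            // you hand to IAuthenticationManager.SignIn in an OWIN pipeline.
            return await manager.CreateIdentityAsync(found, DefaultAuthenticationTypes.ApplicationCookie);
        }
    }

    // An authorization decision made on a claim rather than a role: the check
    // asks "does this identity assert tenant X?" instead of "is the user in group Y?".
    public static bool IsTenantMember(ClaimsIdentity identity, string tenant)
    {
        return identity != null && identity.HasClaim("urn:example:tenant", tenant);
    }
}
```

In an MVC 5 controller the returned identity would be passed to the OWIN authentication manager (for example `HttpContext.GetOwinContext().Authentication.SignIn(identity)`), and `IsTenantMember` illustrates how a claim drives an access decision; a role-based check could only ask whether the user belongs to a named group.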
The bottom line is that Microsoft has clearly learned from the limitations of earlier technologies and has built the new Identity system on its own newer security technologies, such as claims-based identity and OWIN, rather than on the old Membership infrastructure. Best of all, they’ve been pretty aggressive about incorporating Identity features into Visual Studio 2013 templates. Identity is new enough that it has yet to prove itself up to the task of handling authentication and user profile features across all applications, but it looks promising so far.
There’s really only one thing that troubles me about ASP.NET Identity so far. Over the years, Microsoft has gotten really good at abstracting away some of the nasty details of complex technologies, mostly through high-level APIs and lately through sophisticated Visual Studio project templates. You can easily get away with using Identity only through the project templates, and the odds are slightly in your favor that the web applications you build will work and be reasonably secure. But only with a deep understanding of Identity will you be able to build secure applications, which means taking the time to learn about Identity and related technologies, such as OWIN.
Under the covers, Identity is a sophisticated technology that solves several different old problems with the goal of providing the infrastructure for making applications more secure. Only time will tell how successful Microsoft is with its goals for replacing the membership infrastructure, and there’s no telling what new problems it will introduce. But for now, Identity is the new membership of choice, and I personally hope that it’s wildly successful at what it sets out to do. Now, I just need to delve into its internals so that I can better understand how to make full use of it!