Adding authentication using ASP.NET Core Identity

Once you integrate Xperience ASP.NET Core Identity into your project, you can implement actions that allow visitors to sign in and out of the website with Xperience user accounts.

Use the following approach to develop sign-in actions (this example uses the MVC development approach):

  1. Create a new controller class in your project or edit an existing one.
  2. Provide an instance of the Microsoft.AspNetCore.Identity.SignInManager<ApplicationUser> class using dependency injection.
  3. Implement two sign-in actions – one basic GET action to display the sign-in form and a second POST action to handle the authentication when the form is submitted.
  4. Call the PasswordSignInAsync method of the SignInManager instance to authenticate users against the Xperience database.

    using System;
    using System.Net;
    using System.Threading.Tasks;
     
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Authorization;
    using Microsoft.AspNetCore.Identity;
     
    using CMS.Base;
    using CMS.Core;
    using CMS.Membership;
    using CMS.Base.UploadExtensions;
     
    using Kentico.Membership;
     
    using LearningKitCore.Models.Users.Account;
    
    Sign-in actions example
            /// <summary>
            /// Basic action that displays the sign-in form.
            /// </summary>
            public IActionResult SignIn()
            {
                return View();
            }
     
     
            /// <summary>
            /// Handles authentication when the sign-in form is submitted. Accepts parameters posted from the sign-in form via the SignInViewModel.
            /// </summary>
            [HttpPost]
            [ValidateAntiForgeryToken]
            public async Task<IActionResult> SignIn(SignInViewModel model, string returnUrl)
            {
                // Validates the received user credentials based on the view model
                if (!ModelState.IsValid)
                {
                    // Displays the sign-in form if the user credentials are invalid
                    return View();
                }
                   
                // Attempts to authenticate the user against the Xperience database
                var signInResult = Microsoft.AspNetCore.Identity.SignInResult.Failed;
                try
                {
                    signInResult = await signInManager.PasswordSignInAsync(model.UserName, model.Password, model.RememberMe, false);
                }
                catch (Exception ex)
                {
                    // Logs an error into the Xperience event log if the authentication fails
                    eventLogService.LogException("MvcApplication", "AUTHENTICATION", ex);
                }
                
                // If the authentication was successful, redirects to the return URL when possible or to a different default action
                if (signInResult.Succeeded)
                {
                    string decodedReturnUrl = WebUtility.UrlDecode(returnUrl);
                    if (!string.IsNullOrEmpty(decodedReturnUrl) && Url.IsLocalUrl(decodedReturnUrl))
                    {
                        return Redirect(decodedReturnUrl);
                    }
                    // Redirects the user to the homepage
                    return RedirectToAction(nameof(HomeController.Index), "Home");
                }
     
                if(signInResult.IsNotAllowed)
                {
                    // If the 'Registration requires administrator's approval' setting is enabled and the user account
                    // is pending activation, displays an appropriate message
                    ApplicationUser user = await userManager.FindByNameAsync(model.UserName);
                    if (user != null && user.WaitingForApproval)
                    {
                        ModelState.AddModelError(String.Empty, "You account is pending administrator approval.");
                        return RedirectToAction(nameof(WaitingForApproval));
                    }
     
                    // Otherwise, the 'Require email confirmation' setting is enabled
                    ModelState.AddModelError(String.Empty, "Please confirm your email.");
     
                    return View();
                }
     
                // If the authentication was not successful due to any other reason, displays the sign-in form with an "Authentication failed" message 
                ModelState.AddModelError(String.Empty, "Authentication failed, please verify that you entered the correct authentication credentials.");
                return View();            
            }
     
            public IActionResult WaitingForApproval()
            {
                return View();
            }
    

  5. We recommend creating a view model for your sign-in action (SignInViewModel in the example above). The view model allows you to:
    • Pass parameters from the sign-in form (username, password, and sign-in persistence status).
    • Use data annotations to define validation and formatting rules for the sign-in parameters. See System.ComponentModel.DataAnnotations for more information about the available data annotation attributes.

To allow users to sign out on your website, extend your sign-in controller class:

  1. Add another action to handle sign-out requests.

  2. Call the SignOutAsync method of the sign-in manager to sign out the current user.

    Sign-out action example
            /// <summary>
            /// Action for signing out users. The Authorize attribute allows the action only for users who are already signed in.
            /// </summary>
            [Authorize]
            [HttpPost]
            [ValidateAntiForgeryToken]
            public IActionResult SignOut()
            {
                // Signs out the current user
                signInManager.SignOutAsync();
     
                // Redirects to a different action after the sign-out
                return RedirectToAction(nameof(HomeController.Index), "Home");
            }
    

Finally, you need to design a user interface for the authentication logic:

  • Create a view for the SignIn action and display an appropriate sign-in form for your website. We recommend using a strongly typed view based on your sign-in view model.
  • Add a sign in button or link that targets the SignIn action (for example within your site's main layout page).
  • Add a sign out button or link that targets the SignOut action.

Visitors can now sign in to your site with Xperience user accounts from the connected database. If you wish to allow users to register new accounts, see Adding user registration using ASP.NET Core Identity.

Tip: When writing additional code or views for your website, you can access information about the currently authenticated user via the User property. For example, User.Identity.Name returns the username of the currently signed-in user.

Ensuring the correct password format

If your administration application uses a custom salt value when generating password hashes, you also need to set the same value for the Core application. Authentication will always fail if the password hashes are not identical for both applications.

Check the appSettings section of your administration application's web.config for the CMSPasswordSalt key. If the key is present, copy it to the application configuration file of your Core project (appsettings.json by default).

See also: Setting the user password format


Was this page helpful?