Ten minutes to user authentication in ASP.NET

We’re excited to announce that our open-source ASP.NET authentication library is now out of beta! This means you can add the power of Stormpath to your ASP.NET projects for easy user management and authentication, absolutely no database required.

The ASP.NET platform has been getting a lot of attention lately, with the pending release of ASP.NET Core. Core will bring ASP.NET to a whole new set of environments — hello, Linux! — and has a lot of promise as the future direction of the platform.

The current version (can we call it “classic ASP.NET” yet?) running on Windows and .NET framework 4.5/4.6 isn’t dead yet, though! It’s a stable, mature platform that is used for mission-critical applications across the globe. (After all, what could possibly be more mission-critical than StackOverflow?)

If you’re working on a new or existing project in ASP.NET, authentication is one of the biggest (and sometimes, trickiest!) pieces of any web application. It’s a concern that cuts right across your database, business logic, and presentation layers and has implications for security and usability.

Thanks to this new release, you can use Stormpath to significantly simplify the task of securing and managing users in an ASP.NET application! To demonstrate how easy it is to set up, I’ll show you how to set up a complete MVC application with user management in ten minutes or less, using Stormpath and ASP.NET.

What is Stormpath?

Stormpath is a hosted user management API that lets you add authentication and authorization into your applications quickly, with strong security built by experts. Think of Stormpath as an alternative to wrangling and managing ASP.NET Identity plus a SQL Server database.

On top of authentication and authorization, Stormpath enables a lot of other great functionality in your application, like self-service password reset, social/external login, support for multi-tenancy, and more.

Let’s get started!

First, register for a free Stormpath account. You’ll need to grab some API credentials so your application can communicate with the Stormpath API.

Get Your API Credentials

Your ASP.NET application will need an API Key and Secret in order to communicate with Stormpath. The best way to provide these is through environment variables. You can also hardcode the values into your application code, but we recommend environment variables as a best practice for security.

To save your Stormpath API credentials as environment variables, follow these steps:

  1. If you haven’t registered for Stormpath already, create a free developer account.
  2. Log in to the Admin Console and click the Create API Key button on the right side of the page to create and download an API key file.
  3. Open the apiKey.properties file up in Notepad or your favorite text editor. Using the command line (or PowerShell), execute these commands:

Create a Project

Note: If you’re developing for ASP.NET Core, head over to the Core tutorial instead.

  1. Using Visual Studio, create a new ASP.NET application by choosing File – New Project. Select the ASP.NET Web Application template.
  2. In the New ASP.NET Application dialog box, pick the MVC template.
  3. Click Change Authentication and pick No Authentication. (You’ll be adding your own authentication in a minute!)

Install the Middleware

The Stormpath.AspNet NuGet package comes with everything you need to plug Stormpath into an ASP.NET project.

The package can be installed with the NuGet Package Manager interface, or using the Package Manager Console:

Note: If you get an error when installing the package, make sure NuGet is up to date.

Set up OWIN and Startup.cs

Once the package is installed, you need to add it to your OWIN Startup class (usually called Startup.cs).

You may need to add this file to your project. If you don’t see Startup.cs in the Solution Explorer, right-click on your project and select AddOWIN Startup class. Type “Startup” as the name of the file.

At the top of your Startup class, add this line:

Inside the Configuration method, add the Stormpath middleware to the top of your application pipeline:

That’s it! With this bit of code, the Stormpath middleware will automatically handle registration, login, logout, password reset, and email verification.

Updating the View

When a user logs in, Context.User is set automatically. You can use the IsAuthenticated property in your Razor views to show different content depending on whether the user is logged in.

In your Views/Shared/_Layout.cshtml file, replace the existing navbar with one that will update when a user logs in:

Try it out:

  1. Compile and run your application.
  2. Click the Register link in the navbar and fill out the form to create an account.
  3. Enter the same credentials on the login form to log in with the new account.
  4. You’ll be redirected back to your application. Check the navbar. You’re logged in!

Easily Secure MVC and Web API Controllers

Stormpath plugs right into the ASP.NET authentication system, which means you can use the [Authorize] attribute to protect your routes and actions.

Try adding a new MVC controller to allow logged-in users to view their profile:

Right-click on the Controllers folder in the Solution Explorer and choose Add – Controller. Select the MVC 5 Controller – Empty template and name the new controller ProfileController. Place the [Authorize] attribute above the class definition in the new controller file:

Next, create a new Razor view for the controller. When you created the new controller, Visual Studio added a new (empty) folder called Profile under the Views folder. (If it’s not there, go ahead and add it!)

Right-click on the Views/Profile folder and select Add – View. Name the view “Index” and make sure the View Template is Empty (without model).

Then, paste the following code into the new view:

Run your application again, and ensure that you are logged out. If you try to access /Profile, you’ll be redirected to the login page. When you log in, you’ll automatically be redirected to the Profile view. Awesome!

There’s a lot more you can do with Stormpath and ASP.NET. If you want to learn more, give our documentation a read, or check out the ASP.NET MVC5 sample application on Github.

A hosted solution like Stormpath is another alternative to ASP.NET Identity or building authentication and user management yourself. Our goal is to make user management as quick and as painless as possible.

If you have any questions about how Stormpath works with ASP.NET, leave me a comment below!