Authentication vs Authorization in ASP.NET Core
Concept Name
Authentication vs Authorization
Quick Intro
Authentication is about identifying the user: "Who are you?". Authorization is about verifying access rights: "What can you do?". In ASP.NET Core, both work together to secure APIs and web apps.
Analogy / Short Story
Think of entering an office building. Showing your ID card to the security guard is Authentication. Being allowed to enter certain rooms based on your job title is Authorization. Without a valid ID, you can't even enter. With it, you're allowed in, but not everywhere!
Technical Explanation
In ASP.NET Core, authentication is handled by schemes such as JWT Bearer, Cookies, or OAuth2/OpenID Connect, which validate the caller's credentials and populate `HttpContext.User`. Authorization then uses roles, policies, or claims on that user to decide whether a resource may be accessed. The `[Authorize]` attribute restricts an endpoint to authenticated users (optionally narrowed by roles or a named policy), while `[AllowAnonymous]` exempts an endpoint from that check.
Purpose & Use Case
- Login functionality using cookies or JWT (Authentication)
- Restrict access to APIs or views based on roles (Authorization)
- Allow anonymous pages while securing others
- Claims-based authorization for complex scenarios
- IdentityServer/OpenID Connect integration
Real Code Example
// Authentication configuration in Program.cs
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();   // also registers the authorization services
builder.Services.AddAuthentication("MyCookieScheme")
    .AddCookie("MyCookieScheme", options =>
    {
        options.LoginPath = "/Account/Login"; // unauthenticated users are redirected here
    });

var app = builder.Build();
app.UseAuthentication(); // must run before UseAuthorization so HttpContext.User is populated
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

// Protecting a controller action: only authenticated users in the "Admin" role get through
[Authorize(Roles = "Admin")]
public IActionResult AdminDashboard()
{
    return View();
}
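
The split described above, as an added example that is not from the original page: the cookie scheme establishes who the caller is, and a named policy decides what they may do by checking both a role and a claim. The demo account, the policy name and the `department` claim are constructed assumptions for illustration.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

// Authentication ("who are you?"): the cookie scheme validates the signed cookie on every request.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.LoginPath = "/login";
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    });

// Authorization ("what can you do?"): a policy combines a role check and a claims check.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("SalesManager", policy => policy
        .RequireRole("Manager")                 // role requirement
        .RequireClaim("department", "sales"));  // claim requirement (constructed claim name)
});

var app = builder.Build();
app.UseAuthentication(); // fills HttpContext.User from the cookie; must run first
app.UseAuthorization();  // evaluates policies against HttpContext.User

// Reachable by everyone, with or without a cookie.
app.MapGet("/public", () => "public content").AllowAnonymous();

// Constructed demo sign-in with one hard-coded account; a real app verifies against a user store.
app.MapPost("/login", async (LoginRequest req, HttpContext http) =>
{
    if (req.User != "alice" || req.Password != "demo-only") return Results.Unauthorized();
    var identity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, req.User),
        new Claim(ClaimTypes.Role, "Manager"),
        new Claim("department", "sales"),
    }, CookieAuthenticationDefaults.AuthenticationScheme);
    await http.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
    return Results.Ok("signed in");
}).AllowAnonymous();

// Being authenticated is not enough here: the policy also demands the Manager role and department=sales.
app.MapGet("/sales/reports", (ClaimsPrincipal user) => $"reports for {user.Identity?.Name}")
    .RequireAuthorization("SalesManager");

app.Run();

record LoginRequest(string User, string Password);
```

A request to `/sales/reports` without a cookie is redirected to `LoginPath`; a signed-in user lacking the role or the claim receives 403 rather than the page.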

Interview Q&A
Q1: What is the key difference between authentication and authorization?
A: Authentication identifies the user; authorization determines what they're allowed to do.
Q2: How do you configure authentication in ASP.NET Core?
A: Using `AddAuthentication()` and middleware like cookie or JWT bearer schemes.
Q3: What attribute is used to enforce authorization?
A: `[Authorize]`
Q4: What if a page should allow everyone?
A: Use `[AllowAnonymous]`
Q5: What's the role of claims in authorization?
A: Claims provide detailed user data that policies can check.
Q6: Is authentication required before authorization?
A: Yes, always.
Q7: Can we authorize based on policy?
A: Yes, using `AddAuthorization()` with policies.
Q8: What happens if no authentication is configured?
A: The `[Authorize]` attribute has no effect.
Q9: Can we mix multiple schemes?
A: Yes, using `DefaultScheme` or custom policies.
Q10: What's the purpose of `User.Identity.IsAuthenticated`?
A: It checks if the user is authenticated in the current context.
MCQs
Q1. Which comes first?
- Authorization
- Authentication
- Routing
- Middleware
Q2. Which attribute skips login checks?
- [Authorize]
- [AllowAnonymous]
- [SkipLogin]
- [IgnoreUser]
Q3. Which method adds authentication?
- UseAuth
- AddSecurity
- AddAuthentication
- ConfigureLogin
Q4. What does [Authorize(Roles="Admin")] do?
- Allows all
- Blocks all
- Restricts access to Admins
- Logs user actions
Q5. Is role part of authentication or authorization?
- Authentication
- Routing
- Authorization
- Validation
Q6. What middleware is required to use authentication?
- UseRouting()
- UseCors()
- UseAuthentication()
- UseStaticFiles()
Q7. Which object holds user claims?
- Request.User
- UserContext
- HttpContext.User
- AuthService
Q8. What does User.Identity.IsAuthenticated return?
- User role
- Login URL
- True if user is logged in
- Always false
Q9. Which token is common in authentication?
- XML
- SQL
- JWT
- SSL
Q10. Which method registers role-based auth?
- AddRoles
- AddAuth
- AddAuthorization
- UseRoles
Bonus Insight
Always remember: authentication tells "who" you are; authorization tells "what" you can access. Combining both ensures secure applications; never rely solely on frontend checks.