ASP.NET Core 5.0 MVC claims based authentication and authorization Edit

Murugan Andezuthu Dharmaratnam | 08 February 2021 | 244

Difference between authentication and authorization

First, let's understand what is identity and access. Identity is who someone is & Access is whether you have access to a resource. Let's also understand what is digital identity. Digital identity is data that uniquely describes a person or a thing and contains information about the subject's relationship.

Authentication is the process of verifying the identity of a user or determining who you are. Authorization is the process of checking whether the user has the right to access particular resources in the system or in simple words what you are allowed to do. Authentication always happens before authorization. Even when you are accessing the web application as an anonymous user you are authenticated as an anonymous user.

Different scenarios in which identity is used

  1. Individual User Account : Individual user accounts are used for simple asp .net application, small and medium businesses and consumer apps
  2. Active Directory (AD) : Active directory is used in on premises enterprise applications. Within an organization Active Directory maintains a list of users and all the applications that use Active Directory within that organization check the active directory for authentication and authorization. Its mainly used for single signon within the organization
  3. Active Directory federation services (ADFS) : ADFS is used in on premises application with remote users.
  4. Azure Active Directory (AAD) : Azure AD is an enterpeise cloud based identity and access management solution. It can sync with on prem AD and provide authentication to cloud based applications


The main difference between ASP.NET Core 5.0 Identity and earlier versions (ASP.NET 4.x.) is that HttpContext.User is of type System.Security.Principal.GenericPrincipal in ASP .Net 4.x and is of type System.Security.Claims.ClaimsPrincipal in ASP.NET Core 5.0. There are only minor differences the fundamental properties associated with identity has not really changed.

ASP.NET 4.x and earlier used to use role-based authentication. Whether the user can access a resource was based on the roles assigned to the user. For example, If I had a method ManageUsers and I had limited access to the method to only users with role admin, then only administrators could access that method