Access control

Authentication

Authentication is a process of proving a user's identity. Usually, a user proves their identity by providing their credentials, typically a combination of username and password.

During authentication (login), the username and password are exchanged for an access token.

The exchange process happens in the HandlePasswordGrantType method of AuthController.

On the front-end, we save the received access token to the user store.

After that, the access token is automatically added to every request to the server as a custom HTTP header.
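The exchange described above, as an added example that is not part of the starter project's own code: a front-end module that sends the username and password to the token endpoint (the Resource Owner Password flow named under Implementation details), saves the returned access token in a stand-in user store, and attaches it to outgoing requests. The token endpoint path is an assumption, and because the page does not name the custom header, the standard Authorization: Bearer header is assumed; the stub token server and its credentials are constructed so the flow runs offline.

```javascript
// Added example, not the starter project's own code: the username/password
// exchange (the Resource Owner Password flow) as seen from the front-end.
// Assumptions: the token endpoint path, and the header the token is sent in
// (the page says "custom HTTP header" without naming it; the standard
// Authorization: Bearer header is used here).
const TOKEN_ENDPOINT = '/connect/token'; // assumed path

// Stand-in for the Vue user store: a plain object is enough to show the flow.
function createUserStore() {
  return { accessToken: null, expiresAt: null, userInfo: null };
}

// Build the token request. The field names grant_type/username/password and
// the form-encoded body are what RFC 6749 section 4.3 specifies for this grant.
function buildTokenRequest(username, password) {
  const body = new URLSearchParams({ grant_type: 'password', username, password });
  return {
    url: TOKEN_ENDPOINT,
    init: {
      method: 'POST',
      headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: body.toString(),
    },
  };
}

// Save a successful token response. expires_in is seconds from now, so the
// absolute expiry is recorded to let the client notice a stale token early.
function saveToken(store, tokenResponse, nowMs = Date.now()) {
  if (!tokenResponse || !tokenResponse.access_token) {
    throw new Error('token response has no access_token');
  }
  store.accessToken = tokenResponse.access_token;
  store.expiresAt = tokenResponse.expires_in ? nowMs + tokenResponse.expires_in * 1000 : null;
  return store;
}

// Attach the stored token to an outgoing request without dropping headers the
// caller already set. No token means the request goes out unauthenticated.
function withAuthHeader(store, init = {}) {
  const headers = { ...(init.headers || {}) };
  if (store.accessToken) headers['Authorization'] = `Bearer ${store.accessToken}`;
  return { ...init, headers };
}

// Glue: POST the credentials, then save the token. fetchImpl is injectable so
// the flow can be exercised offline against a stub server.
async function login(store, username, password, fetchImpl = fetch) {
  const { url, init } = buildTokenRequest(username, password);
  const res = await fetchImpl(url, init);
  if (!res.ok) throw new Error(`token request failed with HTTP ${res.status}`);
  return saveToken(store, await res.json());
}

// Constructed stub of the token endpoint for an offline run: accepts one
// hard-coded credential pair and answers like an OAuth 2.0 token endpoint.
async function stubTokenServer(url, init) {
  const params = new URLSearchParams(init.body);
  const ok = url === TOKEN_ENDPOINT && params.get('grant_type') === 'password'
    && params.get('username') === 'alice' && params.get('password') === 'correct horse';
  return {
    ok,
    status: ok ? 200 : 400,
    json: async () => (ok
      ? { access_token: 'constructed-token-123', token_type: 'Bearer', expires_in: 3600 }
      : { error: 'invalid_grant' }),
  };
}

// Stand-alone demo: log in against the stub and print a request carrying the token.
if (typeof require !== 'undefined' && require.main === module) {
  const store = createUserStore();
  login(store, 'alice', 'correct horse', stubTokenServer)
    .then(() => console.log(withAuthHeader(store, { headers: { Accept: 'application/json' } })))
    .catch(err => console.error(err.message));
}
```

The request builder, the store update and the header attachment are kept as separate synchronous functions so each can be tested without a network; only the login glue is asynchronous. Recording the absolute expiry lets the client drop a token it already knows is expired instead of learning that from an error response.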

Authorization

Authorization is the process of granting a user permission to access a resource. In the starter project, we use Role-Based Access Control (RBAC) as the authorization approach.

This means that we assign each user to a role (such as Admin or User) and control which Controllers, or which specific Actions, are available to which roles.

If the Controller or Action has the AuthorizeAttribute, a check is made whether the user is authorized to access this resource:

  • If the access token is missing, the server returns HTTP status code 401 (Unauthorized).

  • If the access token is incorrect or expired, the server returns 403 (Forbidden).

  • If the access token is correct but the user does not have the required role, the server also returns 403.

  • If the access token is correct and the user has the required role, authorization is successful and 200 (OK) is returned.

If 401 or 403 was returned, the user is redirected to the corresponding error page.
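The four outcomes listed above, as an added example rather than the project's code: the real check runs in ASP.NET Core on the back-end, but this JavaScript model applies the same rules (missing token, unknown or expired token, wrong role, success) so they can be exercised offline, together with the front-end redirect for 401 and 403. The token table is constructed, and the error page routes are assumed because the page does not name them.

```javascript
// Added example, not the starter project's code: a model of the authorization
// decision the page describes for a Controller or Action carrying
// AuthorizeAttribute. The token table below is constructed data standing in
// for the back-end's real token validation.
const KNOWN_TOKENS = {
  'tok-admin': { sub: 'alice', role: 'Admin', exp: 2000 },
  'tok-user':  { sub: 'bob',   role: 'User',  exp: 2000 },
  'tok-old':   { sub: 'carol', role: 'Admin', exp: 500 }, // already expired at exp <= now
};

// Return the token's claims, or null when the token is unknown or expired.
function validateToken(token, nowSeconds) {
  const claims = KNOWN_TOKENS[token];
  if (!claims || claims.exp <= nowSeconds) return null;
  return claims;
}

// Apply the page's rules. requiredRoles is the role list the attribute demands;
// an empty list means any authenticated user is allowed.
function authorize(request, requiredRoles, nowSeconds) {
  const auth = request.headers.Authorization || request.headers.authorization || '';
  if (!auth.startsWith('Bearer ')) return 401;                // token missing
  const claims = validateToken(auth.slice('Bearer '.length), nowSeconds);
  if (!claims) return 403;                                    // incorrect or expired (as the page states)
  if (requiredRoles.length > 0 && !requiredRoles.includes(claims.role)) {
    return 403;                                               // authenticated, but wrong role
  }
  return 200;
}

// Front-end side: where a 401 or 403 response sends the user. The error page
// routes are assumed; any other status is handled by the caller normally.
const ERROR_ROUTES = { 401: '/error/401', 403: '/error/403' };
function redirectFor(status) {
  return ERROR_ROUTES[status] || null;
}

// Stand-alone demo over a few constructed requests.
if (typeof require !== 'undefined' && require.main === module) {
  const now = 1000;
  for (const token of [null, 'bogus', 'tok-old', 'tok-user', 'tok-admin']) {
    const headers = token ? { Authorization: `Bearer ${token}` } : {};
    const status = authorize({ headers }, ['Admin'], now);
    console.log(token, '->', status, redirectFor(status) || 'proceed');
  }
}
```

Keeping the role check separate from token validation mirrors the attribute's two questions (who is this, and may they do this), and the expiry check in validateToken is what makes the third and fourth rows of the table behave differently from each other.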

User info

Immediately after login, we also request some basic user profile information and save it to the user store.

User info consists of user attributes (also called claims). For example, some of the standard claims returned are Name, Email and Role.

We can use these claims in the front-end code to display only the menu items that are available to this user (based on their Role), to show the user's Email or Name in the header, and so on.

User info is also available in any Vue component via the user store and can be updated (re-requested) by calling the this.$auth.updateUserInfo() method. For example, we call it after the user makes changes to their profile.
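The claims-driven front-end behaviour described in this section, as an added example that is not the project's AuthManager code: a small module that normalises the user info response into the Name, Email and Role claims the page names, filters a menu by role, and re-requests the profile the way updateUserInfo() does. The userinfo endpoint path, the exact JSON shape of the response and the sample menu are assumptions or constructed data.

```javascript
// Added example, not the starter project's code: claims-driven decisions on the
// front-end. Assumed: the userinfo endpoint path and the JSON shape of its
// response; the claim names Name, Email and Role are the ones the page lists.
const USERINFO_ENDPOINT = '/connect/userinfo'; // assumed path

// Normalise a userinfo response into the three claims the page names. Role may
// arrive as a single string or as an array; the store always keeps an array.
function parseUserInfo(json) {
  const roles = json.Role === undefined ? [] : [].concat(json.Role);
  return { name: json.Name || null, email: json.Email || null, roles };
}

// Keep only the menu entries whose `roles` list (empty = everyone) shares at
// least one role with the user. A missing user sees only public entries.
function visibleMenuItems(menu, userInfo) {
  const roles = userInfo ? userInfo.roles : [];
  return menu.filter(item => item.roles.length === 0 || item.roles.some(r => roles.includes(r)));
}

// Re-request the profile with the stored token and save it, which is what the
// page describes this.$auth.updateUserInfo() doing. fetchImpl is injectable.
async function updateUserInfo(store, fetchImpl = fetch) {
  const res = await fetchImpl(USERINFO_ENDPOINT, {
    headers: { Authorization: `Bearer ${store.accessToken}` },
  });
  if (!res.ok) throw new Error(`userinfo request failed with HTTP ${res.status}`);
  store.userInfo = parseUserInfo(await res.json());
  return store.userInfo;
}

// Constructed sample data: a menu with role requirements and one userinfo reply.
const SAMPLE_MENU = [
  { label: 'Dashboard', path: '/',            roles: [] },
  { label: 'Profile',   path: '/profile',     roles: ['User', 'Admin'] },
  { label: 'Users',     path: '/admin/users', roles: ['Admin'] },
];
const SAMPLE_USERINFO = { Name: 'Bob', Email: 'bob@example.com', Role: 'User' };

// Stand-alone demo: which menu entries the constructed user would see.
if (typeof require !== 'undefined' && require.main === module) {
  const user = parseUserInfo(SAMPLE_USERINFO);
  console.log(user.name, 'sees', visibleMenuItems(SAMPLE_MENU, user).map(i => i.label));
}
```

Hiding a menu entry this way is a convenience for the user, not a control: the route behind it is still protected by the AuthorizeAttribute check on the server, which is why the page's 403 rule still applies if the user navigates there directly.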

Implementation details

All authentication and authorization logic is implemented according to the OAuth 2.0 and OpenID Connect industry standards.

When exchanging a username and password for an access token, we follow the Resource Owner Password Flow.

On the front-end, all authentication and authorization logic is encapsulated in the AuthManager plugin.

AuthManager is accessible from any Vue component via this.$auth.

On the back-end, we use the OpenIddict library.

Made by Entrypoint with ❤️