Asp.Net Core - simplest possible forms authentication

Question

I have this old MVC5 application that uses forms authentication in the simplest possible form. There is only one account stored in web.config, there are no roles etc.

<authentication mode="Forms">
  <forms loginUrl="~/Login/Index" timeout="30">
    <credentials passwordFormat="Clear">
      <user name="some-user" password="some-password" />
    </credentials>
  </forms>
</authentication>

The login routine just calls

FormsAuthentication.Authenticate(name, password);

And that's it. Is there something similar (in terms of simplicity) in asp.net core?

Answer 1

A little update for ASP.NET Core 6 MVC for Anuraj's answer... (The .NET Core 5 answer no longer works in .NET Core 6)

1. In the Program.cs, configure method.

   // Forms Authentication
   builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
        .AddCookie(o => o.LoginPath = new PathString("/Home/Login"));
   
   ...
   
   // Forms Authentication
   app.UseAuthentication();
   

2. Add Authorize attribute to protect the resources you want to secure.

   [Authorize]
   public IActionResult Index()
   {
      return View();
   }
   

3. In the HomeController, Login Post action method, write the following code:

   var username = Configuration["username"];
   var password = Configuration["password"];
   
   if (authUser.Username == username && authUser.Password == password)
   {
      var claims = new[] { new Claim(ClaimTypes.Name, username) };
   
      var identity = new ClaimsIdentity(claims, 
          CookieAuthenticationDefaults.AuthenticationScheme);
   
      HttpContext.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(identity));
   
      return Redirect("~/Home/Index");
   }
   else
   {
      ModelState.AddModelError("","Login failed. Please check Username and/or password");
   }
   

Answer 2

To add to Anuraj's answer - a number of classes have been deprecated for .Net Core 2. FYI:

Startup.cs - In ConfigureServices:

services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(o => o.LoginPath = new PathString("/account/login"));

Startup.cs - In Configure:

app.UseAuthentication();

In your account/login controller method/wherever you're doing your authentication:

var claims = new[] { new Claim(ClaimTypes.Name, "MyUserNameOrID"),
    new Claim(ClaimTypes.Role, "SomeRoleName") };

var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);

await context.SignInAsync(
    CookieAuthenticationDefaults.AuthenticationScheme, 
    new ClaimsPrincipal(identity));
// Do your redirect here

Sources: https://github.com/aspnet/Announcements/issues/232

https://github.com/aspnet/Security/issues/1310

Answer 3

It is not that simple :)

1. In the Startup.cs, configure method.

   app.UseCookieAuthentication(options =>
   {
     options.AutomaticAuthenticate = true;
     options.AutomaticChallenge = true;
     options.LoginPath = "/Home/Login";
   });
   

2. Add Authorize attribute to protect the resources you want to secure.

   [Authorize]
   public IActionResult Index()
   {
     return View();
   }
   

3. In the Home Controller, Login Post action method, write the following method.

   var username = Configuration["username"];
   var password = Configuration["password"];
   if (authUser.Username == username && authUser.Password == password)
   {
     var identity = new ClaimsIdentity(claims, 
         CookieAuthenticationDefaults.AuthenticationScheme);
   
     HttpContext.Authentication.SignInAsync(
       CookieAuthenticationDefaults.AuthenticationScheme,
       new ClaimsPrincipal(identity));
   
     return Redirect("~/Home/Index");
   }
   else
   {
     ModelState.AddModelError("","Login failed. Please check Username and/or password");
   }
   

Here is the github repo for your reference : https://github.com/anuraj/CookieAuthMVCSample