Your official information source from the .NET Web Development and Tools group at Microsoft.
Today, we are releasing the final version of ASP.NET Identity 2.0. The main focus in this release was to add security and account management features as well as address feedback from the community.
You can download ASP.NET Identity from the NuGet gallery. You can install or update to these packages through NuGet using the NuGet Package Manager Console, like this:
Following is the list of features and major issues that were fixed in 2.0.0.
ASP.NET Identity now support two-factor authentication. Two-factor authentication provides an extra layer of security to your user accounts in the case where your password gets compromised. Most websites protect their data by having a user create an account on their website with a username and password. Passwords are not very secure and sometimes users choose weak passwords which can lead to user accounts being compromised.
SMS is the preferred way of sending codes but you can also use email in case the user does not have access to their phone. You can extend and write your own providers such as QR code generators and use Authenticator apps on phones to validate them.
There is also protection for brute force attacks against the two factor codes. If a user enters incorrect codes for a specified amount of time then the user account will be locked out for a specified amount of time. These values are configurable.
To try out this feature, you can install ASP.NET Identity Samples NuGet package (in an Empty ASP.NET app) and follow the steps to configure and run the project.
Provide a way to Lockout out the user if the user enters their password or two-factor codes incorrectly. The number of invalid attempts and the timespan for the users are locked out can be configured. A developer can optionally turn off Account Lockout for certain user accounts should they need to.
The ASP.NET Identity system now supports Account Confirmation by confirming the email of the user. This is a fairly common scenario in most websites today where when you register for a new account on the website, you are required to confirm your email before you could do anything in the website. Email Confirmation is useful because it prevents bogus accounts from being created. This is extremely useful if you are using email as a method of communicating with the users of your website such as Forum sites, banking, ecommerce, social web sites.
Note: To send emails you can configure SMTP Server or use some of the popular email services such as SendGrid (http://sendgrid.com/windowsazure.html) which integrate nicely with Windows Azure and require no configuration on the application developer
In the sample project below, you need to hook up the Email service for sending emails. You will not be able to reset your password until you confirm your account
Password Reset is a feature where the user can reset their passwords if they have forgotten their password.
Support a way to regenerate the Security Stamp for the user in cases when the User changes their password or any other security related information such as removing an associated login(such as Facebook, Google, Microsoft Account etc). This is needed to ensure that any tokens (cookies) generated with the old password are invalidated. In the sample project, if you change the users password then a new token is generated for the user and any previous tokens are invalidated.
This feature provides an extra layer of security to your application since when you change your password, you will be logged out where you have logged into this application. You can also extend this to Sign out from all places where you have logged in from. This sample shows how to do it.
You can configure this in Startup.Auth.cs by registering a CookieAuthenticationProvider as follows.
In 1.0 the type of PK for Users and Roles was strings. This means when the ASP.NET Identity system was persisted in Sql Server using Entity Framework, we were using nvarchar. There were lots of discussions around this default implementation on Stack Overflow and based on the incoming feedback, we have provided an extensibility hook where you can specify what should be the PK of your Users and Roles table. This extensibility hook is particularly useful if you are migrating your application and the application was storing UserIds are GUIDs or ints.
Since you are changing the type of PK for Users and Roles, you need to plug in the corresponding classes for Claims, Logins which take in the correct PK. Following is a snippet of code which shows how you can change the PK to be int
For a full working sample please see https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/ChangePK/readme.txt
We have added support for IQueryable on UsersStore and RolesStore so you can easily get the list of Users and Roles.
For eg. the following code uses the IQueryable and shows how you can get the list of Users from UserManager. You can do the same for getting list of Roles from RoleManager
In 1.0, if you had to delete a User, you could not do it through the UserManager. We have fixed this issue in this release so you can do the following to delete a user
You can use Factory implementation to get an instance of UserManager from the OWIN context. This pattern is similar to what we use for getting AuthenticationManager from OWIN context for SignIn and SignOut. This is a recommended way of getting an instance of UserManager per request for the application.
Following snippet of code shows how you can configure this middleware in StartupAuth.cs. This is in the sample project listed below.
Following snippet of code shows how you can get an instance of UserManager
ASP.NET Identity uses EntityFramework for persisting the Identity system in Sql Server. To do this the Identity System has a reference to the ApplicationDbContext. The DbContextFactory Middleware returns you an instance of the ApplicationDbContext per request which you can use in your application.
Following code shows how you can configure it in StartupAuth.cs. The code for this middleware is in the sample project.
In ASP.NET Identity Entity Framework implementation, we have added a unique index on the Username using the new IndexAttribute in EF 6.1.0. We did this to ensure that Usernames are always unique and there was no race condition in which you could end up with duplicate usernames.
The password validator that was shipped in ASP.NET Identity 1.0 was a fairly basic password validator which was only validating the minimum length. There is a new password validator which gives you more control over the complexity of the password. Please note that even if you turn on all the settings in this password, we do encourage you to enable two-factor authentication for the user accounts.
You can also add Password policies as per your own requirements. The following sample shows you how you can extend Identity for this scenario. https://aspnet.codeplex.com/SourceControl/latest#Samples/Identity/Identity-PasswordPolicy/Identity-PasswordPolicy/Readme.txt
We are releasing a Samples NuGet package to make it easier to install samples for ASP.NET Identity. This is a sample ASP.NET MVC application. Please modify the code to suit your application before you deploy this in production. The sample should be installed in an Empty ASP.NET application.
Following are the features in this samples package
The sample is still in preview since we are still working on improving the sample and fixing issues with it but it is in a state where you can easily see how to add ASP.NET Identity features in an application.
ASP.NET Identity 2.0.0 depends upon Entity Framework 6.1.0 which was also released earlier in the week. For more details please read this announcement post.
You can look at all the bugs that were fixed in this release by clicking this link.
If you are migrating from ASP.NET Identity 1.0 to 2.0.0, then please refer to this article on how you can use Entity Framework Code First migrations to migrate your database http://blogs.msdn.com/b/webdev/archive/2013/12/20/updating-asp-net-applications-from-asp-net-identity-1-0-to-2-0-0-alpha1.aspx
This article is based on migrating to ASP.NET Identity 2.0.0-alpha1 but the same steps apply to ASP.NET Identity 2.0.0
Following are some changes to be aware of while migrating
Following are the changes you will have to make to your application if you are upgrading from 2.0.0-Beta1 to 2.0.0 of Identity.
Thank You for trying out the previews and your feedback for ASP.NET Identity. Please let us know your feedback around ASP.NET Identity
Can you publish the 2.0 source for the Azure implementation that you use to test with?
Hao Kung had published the 1.0 version here: stackoverflow.com/.../19460847
Can your team contribute to the open source Azure implementation? github.com/.../AccidentalFish.AspNet.Identity.Azure
I would think that it would be in Microsoft's best interest to help with integrating ASP.Net Identity with the Microsoft Azure table service. Being that they both are Microsoft products.
Thank you for the work you and your team have done on this.
Is the source code available for the existing OAUTH2 providers ?
I would like to see these as I would like to write my own
I was using the nightly aspnet identity samples package 2.0.0-rtm-140304(prerelease) in a empty application and replicating the changes in my development project.
since upgrading both projects to use the 2.0.0 libraries my development project (which is set to not generate a database if the model changes) is warning about the model backing the application dbcontext has changed.
So when i do a SQL compare between the two databases i can see that between 140304 and rtm the lockout fields have been removed from the aspnetusers table/model is this correct as i thought this was one of the features? Also is there an updated samples package to reflect this model change and others ?
@pranav rastogi IC. It's great to hear that.
One more question. Will MS provide a full samples package that using INTEGER-based key (int, long, etc.) instead of GUID-based key?
Wow, thank you !!!
Are you planning to provide samples for the ASP.net Web Forms environment?
I've upgraded to 2.0 but get the following exception at runtime and trying to run a migration:
Schema specified is not valid. Errors:
(0,0) : error 0004: Could not load file or assembly 'Microsoft.AspNet.Identity.EntityFramework, Version=126.96.36.199, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)
Looks like someone else has the same problem: stackoverflow.com/.../cannot-build-or-migrate-database-after-update-to-aspnet-identity-version-2
Can someone tell me where is the web forms sample project for v2, please?
I'm a Web Forms developer!
greate updates. i`v been waiting for int pk :)
Glad that the reset password functionality was added. I would be glad to find some online samples to start working on it ! :)
Great news on this release. Thanks.
After following the installation instructions I got the exception:
Exception Details: System.EntryPointNotFoundException: The following errors occurred while attempting to load the app.
- For the app startup parameter value 'IdentitySample.Startup,ASPNETIdentity2_0_0', the assembly 'ASPNETIdentity2_0_0' was not found.
To disable OWIN startup discovery, add the appSetting owin:AutomaticAppStartup with a value of "false" in your web.config.
To specify the OWIN startup Assembly, Class, or Method, add the appSetting owin:AppStartup with the fully qualified startup class or configuration method name in your web.config.
I had to add the appSetting "owin:AutomaticAppStartup" with a value of "false" in my web.config to get the sample to run:
<add key="owin:AutomaticAppStartup" value="false" />
Now when I click on 'Login' or try to Register I get the exception:
No owin.Environment item was found in the context.
var loginProviders = Context.GetOwinContext().Authentication.GetExternalAuthenticationTypes();
and in (Register):
return _userManager ?? HttpContext.GetOwinContext().GetUserManager<ApplicationUserManager>();
What do I need to do to fix this issue and to get this very useful sample to work.
Thanks in advance.
Since the update I'm getting the error:
"There is no implicit reference conversion from 'Microsoft.AspNet.Identity.EntityFramework.RoleStore<ApplicationRole>' to 'Microsoft.AspNet.Identity.IRoleStore<ApplicationRole>'"
when registering the object with unity. Is this a known issue? Any ideas?
I am back with question #1 (comment page 1) and its error message :
"Unable to determine the provider name for provider factory of type 'System.Data.SqlClient.SqlClientFactory'. Make sure that the ADO.NET provider is installed or registered in the application config. ".
I have removed every Glimpse package and now it works.
So Glimpse may need an update to work with Identity 2.0.0, or a special configuration ?
@Walter: I had the same problem with OWIN. In looking at the format of the owin:AppStartup appSettings key, I found that value is in the following format: <Namespace>.<class>, <assembly>
In my case, my project name was "Identity 2.0 Sample". When I added the sample package from Nuget, it created the keys in the web.config, but it was somewhat mangled. So I deleted the solution and tried again, this time I used "IdentitySample" as the project, and it worked. My web.config now looks like:
<add key="owin:AppStartup" value="IdentitySample.Startup,IdentitySample" />
So the problem I had was project name didn't get translated properly because of spaces and periods. You might have the same problem.
@BrianC: Thank you so much. That was exactly the problem. I did as you suggested, deleted the solution, and tried again with a project name without periods. Thanks. Walter.