The application is developed on core 3. Faced with the authorization problem, when the user has many roles.
Roles for users:
public enum UserRole
None = 0x0,
View = 0x1,
ConfirmAlarm = 0x2,
ObjectScaling = 0x4,
SchemeEditor = 0x8,
ObjectEditor = 0x10
private async Task Authenticate(User user)
var claims = new List<Claim>
new Claim(ClaimsIdentity.DefaultNameClaimType, user.Login),
new Claim(ClaimsIdentity.DefaultRoleClaimType, ((UserRole)user.Role).ToString()),
new Claim("uGroupId", user.GroupId.ToString()),
new Claim("uInfo", user.Info),
new Claim("uTheme", user.Theme)
ClaimsIdentity id = new ClaimsIdentity(claims, "ApplicationCookie",
ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new
Controller Method:
[Authorize(Roles = "View")]
public async Task<string> SomeAction()
//...some code
If the user has all the roles of the "View, ConfirmAlarm, ObjectScaling, SchemeEditor, ObjectEditor" available, then he cannot be authorized for the method in the controller.
What could be the problem? Need to create a custom AuthorizeAttribute?
Added two classes:
public class RolesRequirement : IAuthorizationRequirement
public string RoleName { get; }
public RolesRequirement(string roleName)
RoleName = roleName;
public class RoleHandler : AuthorizationHandler<RolesRequirement>
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, RolesRequirement requirement)
string roles = context.User.Claims.FirstOrDefault(x => x.Type == ClaimsIdentity.DefaultRoleClaimType).Value;
if (!string.IsNullOrEmpty(roles))
if (roles.Contains(requirement.RoleName))
return Task.CompletedTask;
Add policies to startup.cs
services.AddAuthorization(options =>
options.AddPolicy("View", policy => policy.Requirements.Add(new RolesRequirement("View")));
options.AddPolicy("ConfirmAlarm", policy => policy.Requirements.Add(new RolesRequirement("ConfirmAlarm")));
options.AddPolicy("ObjectEditor", policy => policy.Requirements.Add(new RolesRequirement("ObjectEditor")));
And add the attributes before the controller method.
[Authorize(Policy = "View")]
[Authorize(Policy = "ObjectEditor")]
public async Task<string> SomeAction()
//...some code

Please try below line :
ClaimsIdentity id = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme,
ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
Instead of :
ClaimsIdentity id = new ClaimsIdentity(claims, "ApplicationCookie",
ClaimsIdentity.DefaultNameClaimType, ClaimsIdentity.DefaultRoleClaimType);
CookieAuthenticationDefaults.AuthenticationScheme is Cookies , which matches cookie's default authenticationScheme in Startup.cs:
Updated :
You can manually check the claims :
services.AddAuthorization(options =>
options.AddPolicy("AllowedView", policy =>
policy.RequireAssertion(context =>
var roles = context.User.Claims.FirstOrDefault(x => x.Type == ClaimTypes.Role)?.Value;
var listRolesElements = roles.Split(',').ToList();
return listRolesElements.Contains("View");
And apply policy on the controller which need View permission :
[Authorize(Policy = "AllowedView")]


How to get identity values from google external provider in ASP.NET Core Web API

public class AuthController : ControllerBase
private readonly SignInManager<IdentityUser> _signInManager;
public AuthController(SignInManager<IdentityUser> signInManager)
_signInManager = signInManager ?? throw new ArgumentNullException(nameof(signInManager));
public ChallengeResult Token()
var properties = new GoogleChallengeProperties
RedirectUri = "/auth/retrieve",
AllowRefresh = true,
return Challenge(properties, "Google");
public async Task Retrieve()
var token = await HttpContext.GetTokenAsync("access_token");
var externalLoginInfoAsync = await _signInManager.GetExternalLoginInfoAsync();
var identityName = User?.Identity?.Name;
var authenticateResult = await HttpContext.AuthenticateAsync();
I direct the user to /auth/token, where he is redirected to the Google Oauth Page, if successful, he is redirected to /auth/retrieve, where I expect the user data, but token, externalLoginInfoAsync, identityName, authenticateResult is null
public void ConfigureServices(IServiceCollection services)
services.AddDbContext<ApplicationDbContext>(options =>
services.AddIdentity<IdentityUser, IdentityRole>()
.AddGoogle(options =>
options.AccessType = "offline";
options.SaveTokens = true;
options.SignInScheme = IdentityConstants.ExternalScheme;
options.Events.OnCreatingTicket = ctx =>
var identityName = ctx.Identity.Name;
return Task.CompletedTask;
options.ClientId = "SMTH_VALUE";
options.ClientSecret = "SMTH_VALUE";
I debug the google provider and found the user values in the Events - identityName is not null.
How i can get this value in the controller?
You could refer the following code to configure Google authentication in Startup.ConfigureServices method:
public void ConfigureServices(IServiceCollection services)
services.AddDbContext<ApplicationDbContext>(options =>
services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
.AddGoogle(opt =>
opt.ClientId = "";
opt.ClientSecret = "GXFN0cHBbUlZ6nYLD7a7-cT8";
opt.SignInScheme = IdentityConstants.ExternalScheme;
Then, use the following sample to login using Google and get user information:
public class AccountController : Controller
private UserManager<ApplicationUser> userManager;
private SignInManager<ApplicationUser> signInManager;
public AccountController(UserManager<ApplicationUser> userMgr, SignInManager<ApplicationUser> signinMgr)
userManager = userMgr;
signInManager = signinMgr;
// other methods
public IActionResult AccessDenied()
return View();
public IActionResult GoogleLogin()
string redirectUrl = Url.Action("GoogleResponse", "Account");
var properties = signInManager.ConfigureExternalAuthenticationProperties("Google", redirectUrl);
return new ChallengeResult("Google", properties);
public IActionResult Login()
return View();
public async Task<IActionResult> GoogleResponse()
ExternalLoginInfo info = await signInManager.GetExternalLoginInfoAsync();
if (info == null)
return RedirectToAction(nameof(Login));
var result = await signInManager.ExternalLoginSignInAsync(info.LoginProvider, info.ProviderKey, false);
string[] userInfo = { info.Principal.FindFirst(ClaimTypes.Name).Value, info.Principal.FindFirst(ClaimTypes.Email).Value };
if (result.Succeeded)
return View(userInfo);
ApplicationUser user = new ApplicationUser
Email = info.Principal.FindFirst(ClaimTypes.Email).Value,
UserName = info.Principal.FindFirst(ClaimTypes.Email).Value
IdentityResult identResult = await userManager.CreateAsync(user);
if (identResult.Succeeded)
identResult = await userManager.AddLoginAsync(user, info);
if (identResult.Succeeded)
await signInManager.SignInAsync(user, false);
return View(userInfo);
return AccessDenied();
The result like this:
More detail information, see How to integrate Google login feature in ASP.NET Core Identity and Google external login setup in ASP.NET Core

Blazor authentication role based

I'm working on a client-side blazor application with the last webassembly version (3.2.0).
I started the project from the visual tool with enabling local authentications and I tried to add roles.
First, I added the roles in the ApplicationDbContext :
public class ApplicationDbContext : ApiAuthorizationDbContext<ApplicationUser>
public ApplicationDbContext(
DbContextOptions options,
IOptions<OperationalStoreOptions> operationalStoreOptions) : base(options, operationalStoreOptions)
protected override void OnModelCreating(ModelBuilder builder)
.HasData(new IdentityRole { Name = "User", NormalizedName = "USER", Id = Guid.NewGuid().ToString(), ConcurrencyStamp = Guid.NewGuid().ToString() });
.HasData(new IdentityRole { Name = "Admin", NormalizedName = "ADMIN", Id = Guid.NewGuid().ToString(), ConcurrencyStamp = Guid.NewGuid().ToString() });
Then I added Roles to the IdentityBuilder in the startup class :
public void ConfigureServices(IServiceCollection services)
services.AddDbContext<ApplicationDbContext>(options =>
services.AddDefaultIdentity<ApplicationUser>(options => options.SignIn.RequireConfirmedAccount = true)
.AddApiAuthorization<ApplicationUser, ApplicationDbContext>();
And then in my DbInitializer I created an Admin account with both roles :
private async Task SeedASPIdentityCoreAsync()
if (!await context.Users.AnyAsync())
var admin = new ApplicationUser()
UserName = "",
Email = "",
EmailConfirmed = true,
var result = await userManager.CreateAsync(admin, "aA&123");
if (!result.Succeeded)
throw new Exception(result.Errors.First().Description);
result = await userManager.AddClaimsAsync(admin, new Claim[]
new Claim(JwtClaimTypes.Email, ""),
new Claim(JwtClaimTypes.Name, "")
ApplicationUser user = await userManager.FindByNameAsync("");
result = await userManager.AddToRoleAsync(user, "User");
result = await userManager.AddToRoleAsync(user, "Admin");
await userManager.DeleteAsync(user);
if (!result.Succeeded)
await userManager.DeleteAsync(user);
throw new Exception(result.Errors.First().Description);
But the roles doen't appear in the JWT, and the client-side has no idea about the roles.
How can I add the roles in the JWT, as with the new version of blazor, there is no need of the LoginController ? (If i well understood the changes)
Ok I found what I needed :
1) Create a CustomUserFactory in your client App
using System.Linq;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication;
using Microsoft.AspNetCore.Components.WebAssembly.Authentication.Internal;
public class CustomUserFactory
: AccountClaimsPrincipalFactory<RemoteUserAccount>
public CustomUserFactory(IAccessTokenProviderAccessor accessor)
: base(accessor)
public async override ValueTask<ClaimsPrincipal> CreateUserAsync(
RemoteUserAccount account,
RemoteAuthenticationUserOptions options)
var user = await base.CreateUserAsync(account, options);
if (user.Identity.IsAuthenticated)
var identity = (ClaimsIdentity)user.Identity;
var roleClaims = identity.FindAll(identity.RoleClaimType);
if (roleClaims != null && roleClaims.Any())
foreach (var existingClaim in roleClaims)
var rolesElem = account.AdditionalProperties[identity.RoleClaimType];
if (rolesElem is JsonElement roles)
if (roles.ValueKind == JsonValueKind.Array)
foreach (var role in roles.EnumerateArray())
identity.AddClaim(new Claim(options.RoleClaim, role.GetString()));
identity.AddClaim(new Claim(options.RoleClaim, roles.GetString()));
return user;
2) Register the client factory
3) In the Server App, call IdentityBuilder.AddRoles
services.AddDefaultIdentity<ApplicationUser>(options =>
options.SignIn.RequireConfirmedAccount = true)
4) Configure Identity Server
.AddApiAuthorization<ApplicationUser, ApplicationDbContext>(options => {
There is an other way, by creating a ProfileService
5) User Authorization mechanisms :
<AuthorizeView Roles="admin">
Source :

SignalR Core Custom Authentication - Context.User.Identity is null after user is authenticated in /negotiate

I wrote a custom authentication for SignalR Core. One of the feature is anonymous login. It will create new user if it's first time user connect. The code work but the problem is the authentication done after /myhub/negotiate is cleared and all the claims in Context.User.Identity is cleared again and IsAuthenticated change to false when the client request /myhub/. Only after that the claims in Context.User.Identity is not cleared. I tried to return Fail if it's request to /myhub/negotiate but then the client won't send request to /myhub/ if I do that.
Any idea on how to fix or work around this? Is my implement of custom authentication correct?
Here is the code of all the class I'm using:
public class CustomAuthRequirementHandler : AuthorizationHandler<CustomAuthRequirement>
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, CustomAuthRequirement requirement)
string name = context.User.Claims.Where(p => p.Type == ClaimTypes.NameIdentifier).Select(p => p.Value).SingleOrDefault();
if (!context.User.Identity.IsAuthenticated)
return Task.CompletedTask;
public class CustomAuthRequirement : IAuthorizationRequirement
public class MyAuthenticationHandler : AuthenticationHandler<MyOptions>
public MyAuthenticationHandler(IOptionsMonitor<MyOptions> options, ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
: base(options, logger, encoder, clock) { }
protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
if (Context.User.Identity != null && Context.User.Identity.IsAuthenticated) return await Task.FromResult(
new AuthenticationTicket(
new ClaimsPrincipal(Options.Identity),
new AuthenticationProperties(),
//if (Request.Path != "/myhub/") return await Task.FromResult(AuthenticateResult.Fail()); // only do authentication in /myhub/
var u = CreateNewUser(); // connect to db create new user
var claims = new List<Claim>() { };
claims.Add(new Claim(ClaimTypes.Name, u.Id.ToString()));
claims.Add(new Claim(ClaimTypes.NameIdentifier, u.Id.ToString()));
Options.Identity = new ClaimsIdentity(claims, "Custom");
var user = new ClaimsPrincipal(Options.Identity);
Context.User = user;
return await Task.FromResult(AuthenticateResult.Success(new AuthenticationTicket(user, new AuthenticationProperties(), this.Scheme.Name)));
public class MyOptions : AuthenticationSchemeOptions
public ClaimsIdentity Identity { get; set; }
public MyOptions()
The configuration code in ConfigureServices
services.AddSingleton<IAuthorizationHandler, CustomAuthRequirementHandler>();
services.AddAuthorization(p =>
p.AddPolicy("MainPolicy", builder =>
builder.Requirements.Add(new CustomAuthRequirement());
builder.AuthenticationSchemes = new List<string> { "MyScheme" };
services.AddAuthentication(o =>
o.DefaultScheme = "MyScheme";
}).AddScheme<MyOptions, MyAuthenticationHandler>("MyScheme", "MyScheme", p => { });
Configure code
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
if (env.IsDevelopment())
// The default HSTS value is 30 days. You may want to change this for production scenarios, see
app.UseSignalR(routes =>
Edit: Added client side code
ViewData["Title"] = "Home page";
<input type="button" onclick="anonLogin()" value="AnonLogin" />
<script src="~/##aspnet/signalr/dist/browser/signalr.js"></script>
<script type="text/javascript">
var connection;
function anonLogin() {
var token = "anon";
connection = new signalR.HubConnectionBuilder().withUrl("/main?anon=" + token).build();
connection.start().then(function () {
console.log("Connection ok");
console.log("Sending message....");
connection.invoke("Test").catch(function (err) {
return console.error("Error sending message: " + err.toString());
}).catch(function (err) {
console.log("Connection error: " + err.toString());
return console.error(err.toString());
I ended up creating a fake claims for identity just for the call to /myhub/negotiate since this call is unimportant and it just needs the authentication to success so it can go to /myhub/.
var u = new DomainUser() { Id = -1 };
var claims = new List<Claim>() { };
claims.Add(new Claim(ClaimTypes.Name, u.Id.ToString()));
claims.Add(new Claim(ClaimTypes.NameIdentifier, u.Id.ToString()));
Options.Identity = new ClaimsIdentity(claims, "Custom");
var user = new ClaimsPrincipal(Options.Identity);
Context.User = user;
return await Task.FromResult(AuthenticateResult.Success(new AuthenticationTicket(Context.User, new AuthenticationProperties(), this.Scheme.Name)));

ASP.Net Core Identity JWT Role-Base Authentication is Forbidden

Good day.
The API is for a Quote sharing web-app.
I have setup role-based JWT authentication where I have "Member" and "Admin" roles with users of those roles correctly registered and able to retrieve tokens.
So far, methods (or classes) with only
can be correctly accessed provided a registered token.
Now once I added roles, access to methods or classes that require a certain role
is Forbidden (403), even though I do pass a correct token with the Authorization header.
Please note: I have verified that users are correctly created (dbo.AspNetUsers), roles are correctly created (dbo.AspNetRoles containing "Admin" and "Member" roles) and user-roles are correctly mapped (dbo.AspNetUserRoles).
This is the Startup class which contains a method CreateRoles() that's called by Configure():
public class Startup
public Startup(IConfiguration configuration)
Configuration = configuration;
public IConfiguration Configuration { get; }
public void ConfigureServices(IServiceCollection services)
services.AddDbContext<QuotContext>(options =>
services.AddIdentity<Member, IdentityRole>()
services.Configure<IdentityOptions>(options =>
// Password settings
options.Password.RequireDigit = false;
options.Password.RequiredLength = 4;
options.Password.RequireNonAlphanumeric = false;
options.Password.RequireUppercase = false;
options.Password.RequireLowercase = false;
options.Password.RequiredUniqueChars = 2;
// Lockout settings
options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(30);
options.Lockout.MaxFailedAccessAttempts = 10;
options.Lockout.AllowedForNewUsers = true;
// User settings
options.User.RequireUniqueEmail = true;
services.AddLogging(builder =>
JwtSecurityTokenHandler.DefaultInboundClaimTypeMap.Clear(); // => remove default claims
.AddAuthentication(options =>
options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
.AddJwtBearer(cfg =>
cfg.RequireHttpsMetadata = false;
cfg.SaveToken = true;
cfg.TokenValidationParameters = new TokenValidationParameters
ValidIssuer = Configuration["JwtIssuer"],
ValidAudience = Configuration["JwtIssuer"],
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Configuration["JwtKey"])),
ClockSkew = TimeSpan.Zero // remove delay of token when expire
public void Configure(IApplicationBuilder app, IHostingEnvironment env, IServiceProvider serviceProvider, QuotContext dbContext)
if (env.IsDevelopment())
private async Task CreateRoles(IServiceProvider serviceProvider)
//initializing custom roles
var RoleManager = serviceProvider.GetRequiredService<RoleManager<IdentityRole>>();
var UserManager = serviceProvider.GetRequiredService<UserManager<Member>>();
string[] roleNames = { "Admin", "Member" };
IdentityResult roleResult;
foreach (var roleName in roleNames)
var roleExist = await RoleManager.RoleExistsAsync(roleName);
if (!roleExist)
roleResult = await RoleManager.CreateAsync(new IdentityRole(roleName));
var poweruser = new Member
UserName = Configuration["AppSettings:AdminEmail"],
Email = Configuration["AppSettings:AdminEmail"],
string password = Configuration["AppSettings:AdminPassword"];
var user = await UserManager.FindByEmailAsync(Configuration["AppSettings:AdminEmail"]);
if (user == null)
var createPowerUser = await UserManager.CreateAsync(poweruser, password);
if (createPowerUser.Succeeded)
await UserManager.AddToRoleAsync(poweruser, "Admin");
This is the MembersController class containing Register() and Login() methods:
public class MembersController : Controller
private readonly QuotContext _context;
private readonly UserManager<Member> _userManager;
private readonly SignInManager<Member> _signInManager;
private readonly ILogger<MembersController> _logger;
private readonly IConfiguration _configuration;
public MembersController(QuotContext context, UserManager<Member> userManager,
SignInManager<Member> signInManager, ILogger<MembersController> logger,
IConfiguration configuration)
_context = context;
_userManager = userManager;
_signInManager = signInManager;
_logger = logger;
_configuration = configuration;
public async Task<IActionResult> Register([FromBody] RegisterModel model)
if (ModelState.IsValid)
var newMember = new Member
UserName = model.Email,
Email = model.Email,
PostCount = 0,
Reputation = 10,
ProfilePicture = "default.png"
var result = await _userManager.CreateAsync(newMember, model.Password);
if (result.Succeeded)
_logger.LogInformation(1, "User registered.");
await _signInManager.SignInAsync(newMember, false);
return Ok(new { token = BuildToken(model.Email, newMember) });
_logger.LogInformation(1, "Registeration failed.");
return BadRequest();
return BadRequest();
public async Task<IActionResult> Login([FromBody] LoginModel model)
if (ModelState.IsValid)
var result = await _signInManager.PasswordSignInAsync(model.Email,
model.Password, model.RememberMe, lockoutOnFailure: false);
if (result.Succeeded)
_logger.LogInformation(1, "User logged in." + _configuration["AppSettings:AdminPassword"]);
var member = _userManager.Users.SingleOrDefault(r => r.Email == model.Email);
return Ok(new { token = BuildToken(model.Email, member) });
_logger.LogInformation(1, "Login failed.");
return BadRequest();
return BadRequest(ModelState);
private string BuildToken(string email, Member member)
var claims = new List<Claim>
new Claim(JwtRegisteredClaimNames.Sub, email),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(ClaimTypes.NameIdentifier, member.Id)
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["JwtKey"]));
var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var expires = DateTime.Now.AddDays(Convert.ToDouble(_configuration["JwtExpireDays"]));
var token = new JwtSecurityToken(
expires: expires,
signingCredentials: creds
return new JwtSecurityTokenHandler().WriteToken(token);
Here's the example of 2 methods: the first requiring simple authentication which is successfully accessed provided a user token, and the second which is forbidden even given an admin token:
public class AuthorsController : Controller
private readonly QuotContext _context;
public AuthorsController(QuotContext context)
_context = context;
public IEnumerable<Author> GetAuthors()
return _context.Authors;
[Authorize(Roles = "Admin")]
public async Task<IActionResult> PostAuthor([FromBody] Author author)
if (!ModelState.IsValid)
return BadRequest(ModelState);
await _context.SaveChangesAsync();
return StatusCode(201);
Thank you for your help.
A github repo containing the full project:
I got the same problem. I've just find a way. In fact, a JWT token embeds the roles. So you have to add role claims in your token when you generate it.
var roles = await _userManager.GetRolesAsync(user);
var claims = new[]
new Claim(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),
new Claim(JwtRegisteredClaimNames.Iat, ToUnixEpochDate(dateTime).ToString(), ClaimValueTypes.Integer64)
ClaimsIdentity claimsIdentity = new ClaimsIdentity(claims, "Token");
// Adding roles code
// Roles property is string collection but you can modify Select code if it it's not
claimsIdentity.AddClaims(roles.Select(role => new Claim(ClaimTypes.Role, role)));
var token = new JwtSecurityToken
expires: dateTime,
notBefore: DateTime.UtcNow,
signingCredentials: new SigningCredentials(new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_configuration["Auth:Token:Key"])), SecurityAlgorithms.HmacSha256)
Found an explanation here and here.

.net Core Authentication

I wanted to implement forms authentication with membership in my MVC Core application.
We had forms authentication setup in our previous application as below and wanted to use the same in .net core.
public ActionResult Login(LoginModel model, string returnUrl)
if (!this.ModelState.IsValid)
return this.View(model);
if (!Membership.ValidateUser(model.UserName, model.Password))
this.ModelState.AddModelError(string.Empty, "The user name or
password provided is incorrect.");
return this.View(model);
FormsAuthentication.SetAuthCookie(model.UserName, model.RememberMe);
return this.RedirectToAction("Index", "Home");
return this.View(model);
In my config:
<membership defaultProvider="ADMembership">
<add name="ADMembership"
attributeMapUsername="sAMAccountName" />
So we are using active directory here in membership.
Is this still applicable in .net core.
If not what else is available in .net core for forms authentication and AD.
Would appreciate inputs.
Yes you can do that in Core MVC application. You enable form authentication and use LDAP as user store at the back-end.
Here is how I set things up, to give you start:
public class Startup
public void ConfigureServices(IServiceCollection services)
// Read LDAP settings from appsettings
// Define an interface for authentication service,
// We used Novell.Directory.Ldap as implementation.
services.AddScoped<IAuthenticationService, LdapAuthenticationService>();
// Global filter is enabled to protect the whole site
services.AddMvc(config =>
var policy = new AuthorizationPolicyBuilder()
config.Filters.Add(new AuthorizeFilter(policy));
// Form authentication and cookies settings
var cookiesConfig = this.Configuration.GetSection("cookies").Get<CookiesConfig>();
.AddCookie(options =>
options.Cookie.Name = cookiesConfig.CookieName;
options.LoginPath = cookiesConfig.LoginPath;
options.LogoutPath = cookiesConfig.LogoutPath;
options.AccessDeniedPath = cookiesConfig.AccessDeniedPath;
options.ReturnUrlParameter = cookiesConfig.ReturnUrlParameter;
public void Configure(IApplicationBuilder app, IHostingEnvironment env)
// Redirects all HTTP requests to HTTPS
if (env.IsProduction())
app.UseRewriter(new RewriteOptions()
if (env.IsDevelopment())
app.UseStatusCodePagesWithReExecute("/error", "?code={0}");
app.UseMvc(routes =>
"connectionStrings": {
"appDbConnection": xxx
"ldap": {
"url": "xxx.loc",
"bindDn": "CN=Users,DC=xxx,DC=loc",
"username": "xxx",
"password": "xxx",
"searchBase": "DC=xxx,DC=loc",
"searchFilter": "(&(objectClass=user)(objectClass=person)(sAMAccountName={0}))"
"cookies": {
"cookieName": "xxx",
"loginPath": "/account/login",
"logoutPath": "/account/logout",
"accessDeniedPath": "/account/accessDenied",
"returnUrlParameter": "returnUrl"
namespace DL.SO.Services.Core
public interface IAuthenticationService
IAppUser Login(string username, string password);
Ldap implementation of authentication service, using Novell.Directory.Ldap library to talk to active directory. You can Nuget that library.
using Microsoft.Extensions.Options;
using Novell.Directory.Ldap;
using DL.SO.Services.Core;
namespace DL.SO.Services.Security.Ldap
public class LdapAuthenticationService : IAuthenticationService
private const string MemberOfAttribute = "memberOf";
private const string DisplayNameAttribute = "displayName";
private const string SAMAccountNameAttribute = "sAMAccountName";
private const string MailAttribute = "mail";
private readonly LdapConfig _config;
private readonly LdapConnection _connection;
public LdapAuthenticationService(IOptions<LdapConfig> configAccessor)
// Config from appsettings, injected through the pipeline
_config = configAccessor.Value;
_connection = new LdapConnection();
public IAppUser Login(string username, string password)
_connection.Connect(_config.Url, LdapConnection.DEFAULT_PORT);
_connection.Bind(_config.Username, _config.Password);
var searchFilter = String.Format(_config.SearchFilter, username);
var result = _connection.Search(_config.SearchBase, LdapConnection.SCOPE_SUB, searchFilter,
new[] { MemberOfAttribute, DisplayNameAttribute, SAMAccountNameAttribute, MailAttribute }, false);
var user =;
if (user != null)
_connection.Bind(user.DN, password);
if (_connection.Bound)
var accountNameAttr = user.getAttribute(SAMAccountNameAttribute);
if (accountNameAttr == null)
throw new Exception("Your account is missing the account name.");
var displayNameAttr = user.getAttribute(DisplayNameAttribute);
if (displayNameAttr == null)
throw new Exception("Your account is missing the display name.");
var emailAttr = user.getAttribute(MailAttribute);
if (emailAttr == null)
throw new Exception("Your account is missing an email.");
var memberAttr = user.getAttribute(MemberOfAttribute);
if (memberAttr == null)
throw new Exception("Your account is missing roles.");
return new AppUser
DisplayName = displayNameAttr.StringValue,
Username = accountNameAttr.StringValue,
Email = emailAttr.StringValue,
Roles = memberAttr.StringValueArray
.Select(x => GetGroup(x))
.Where(x => x != null)
return null;
Then finally after the user is verified, you need to construct the principal from the user claims for sign in process, which would generate the cookie behind the scene.
public class AccountController : Controller
private readonly IAuthenticationService _authService;
public AccountController(IAuthenticationService authService)
_authService = authService;
public async Task<IActionResult> Login(LoginViewModel model)
if (ModelState.Valid)
var user = _authService.Login(model.Username, model.Password);
if (user != null)
var claims = new List<Claim>
new Claim(ClaimTypes.Name, user.Username),
new Claim(CustomClaimTypes.DisplayName, user.DisplayName),
new Claim(ClaimTypes.Email, user.Email)
// Roles
foreach (var role in user.Roles)
claims.Add(new Claim(ClaimTypes.Role, role));
// Construct Principal
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, _authService.GetType().Name));
await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
new AuthenticationProperties
IsPersistent = model.RememberMe
return Redirect(Url.IsLocalUrl(model.ReturnUrl)
? model.ReturnUrl
: "/");
ModelState.AddModelError("", #"Your username or password is incorrect.");
catch(Exception ex)
ModelState.AddModelError("", ex.Message);
return View(model);
Would this post help you integrate with AD for Authentication and Authorization?
MVC Core How to force / set global authorization for all actions?
The idea is add authentication within ConfigureServices method in Startup.cs file:
services.AddMvc(config =>
var policy = new AuthorizationPolicyBuilder()
.RequireRole([Your AD security group name in here without domain name]) // This line adds authorization to users in the AD group only
config.Filters.Add(new AuthorizeFilter(policy));
In Asp.Net Core the Authentication is controlled through project properties.
Open the solution. Right click on the Project and Click Properties.
Click the Debug tab. Check the Enable Windows Authentication checkbox. Ensure Anonymous Authentication is disabled.
Here is Microsoft's document,