Authentication and Authorization in ASP.NET MVC

Authentication is a process of verifying the identity of the user.(i.e By checking users credentials). So authentication is the first step when the user logs into the system and it is followed by authorization.

Let us understand Authentication from a layman’s point of view. The image shows the different section of an Hospital environment like Labour ward, ICU, Operation room,General ward and cafeteria. Let us say a visitor came to the hospital to see a patient.The visitor does not have the permission to enter all the wards except general ward and cafeteria. This is nothing but Authentication.

What is Authorization?

Authorization is process of allowing an authenticated users to access the resources by checking whether user has access rights to the system. It helps to control access rights by grant or deny permission to authenticated user. The following figure shows that only doctors,nurses are allowed to enter labour ward,icu and operation room, whereas visitors are not allowed to enter labour ward,icu and operation room.The visitors are allowed to enter only general ward and cafeteria.

Identity Object

Identity object is an object which stores information about an authenticated user. Contains 2 types of identity “windows identity” and “generic identity”

Principal Object

Principal object is an object which deals about the roles of authenticated user.(i.e whether he is admin or normal user)

Authorize example

It allows only authorize users to login to the application. For non authorized user , it goes to login page.
[Authorize]
public ActionResult Index()
{
ViewBag.Message = 'This page is viewed only by authorized user'
return View();
}