Cookies, Tokens, or JWTs? The ASP.NET Core Identity Dilemma

Should you use cookie-based or token-based authentication in ASP.NET Core Identity? Or should you use JWT and OpenID Connect?
Read more…

:writing_hand:t2: Brought to you by @andrea.chiarelli

What’s up Devs! How did you like this post? Please share any comments or feedback with us on this thread

Disabling /register is possible;



app.Use(async (context, next) =>
    await next.Invoke();
    //if we are in prod then return 404 for register endpoint
    if (context.Request.Path.ToString().StartsWith("/account/register"))
        context.Response.StatusCode = 404;
        await context.Response.CompleteAsync();
        await next.Invoke();

Hi @a876c,
Welcome to the Auth0 Community, and thank you for sharing this workaround.

Actually this approach allows you to even customize any Identity API endpoint. However, I would expect there to be an easier way to disable/replace endpoints, for example via configuration.
I’m confident this will be fixed soon :slightly_smiling_face:

So I am currently looking into all different authentication methods and which one is best standard. I’m new to the authentication field and looking to integrate it into a SPA with API’s - I have attempted a MERN but I work with .NET, so thought I would try this out…

The fact you can’t customise the endpoints has been a bad move for myself. Register only have Email and Password no ability to add additional fields.

Hey @jasonreynolds96, I understand your disappointment.
As far as I know, there is currently no solution other than to create your own custom endpoint, similar to what is suggested here.

@andrea.chiarelli Thank you for giving this rundown of the new options! In the section about which authentication type to use, you say:

In previous versions of .NET, if you wanted to leverage the ASP.NET Core Identity built-in authentication pages in your SPA, the user experience would be disrupted.

What’s different in this new version? How do you prevent the page reload when using cookie-based authentication in a SPA?

Hey @benjamin.t.sutton,
You can create your own UI in your SPA and call the Identity API endpoints through HTTP requests (with cookie support enabled, of course).
Identity API endpoints support cookie-based authentication too, as explained here.