Cookies, Tokens, or JWTs? The ASP.NET Core Identity Dilemma

Should you use cookie-based or token-based authentication in ASP.NET Core Identity? Or should you use JWT and OpenID Connect?

:writing_hand:t2: Brought to you by @andrea.chiarelli

What’s up Devs! How did you like this post? Please share any comments or feedback with us on this thread

Disabling /register is possible:

```csharp
app.MapGroup("/account").MapIdentityApi<User>();

app.UseAuthorization();

app.Use(async (context, next) =>
{
#if DEBUG
    await next.Invoke();
#else
    // If we are in prod, return 404 for the register endpoint.
    // StartsWithSegments compares case-insensitively, like endpoint routing,
    // so /Account/Register is blocked as well as /account/register.
    if (context.Request.Path.StartsWithSegments("/account/register"))
    {
        context.Response.StatusCode = 404;
        await context.Response.CompleteAsync();
    }
    else
    {
        await next.Invoke();
    }
#endif
});
```

Hi @a876c,
Welcome to the Auth0 Community, and thank you for sharing this workaround.

Actually, this approach allows you to even customize any Identity API endpoint. However, I would expect there to be an easier way to disable/replace endpoints, for example via configuration.
I’m confident this will be fixed soon :slightly_smiling_face:

So I am currently looking into all different authentication methods and which one is the best standard. I’m new to the authentication field and looking to integrate it into a SPA with APIs - I have attempted a MERN but I work with .NET, so thought I would try this out…

The fact you can’t customise the endpoints has been a bad move for myself. Register only has Email and Password, with no ability to add additional fields.

Hey @jasonreynolds96, I understand your disappointment.
As far as I know, there is currently no solution other than to create your own custom endpoint, similar to what is suggested here.
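The custom-endpoint approach discussed above could look like the following sketch. It is an added example, not code from the posts or from the ASP.NET Core project. Assumptions: the `/account/signup` route, the `SignupRequest` record, the `DisplayName` property and the in-memory EF Core store are hypothetical, and the project uses the default web template (implicit usings) with the Identity EF Core and EF Core InMemory packages.

```csharp
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("demo")); // assumption: demo store
builder.Services.AddAuthorization();
builder.Services.AddIdentityApiEndpoints<User>().AddEntityFrameworkStores<AppDbContext>();

var app = builder.Build();

// Hide the built-in register endpoint so the custom one below is the only
// way to create an account. PathString comparison is case-insensitive.
app.Use(async (context, next) =>
{
    if (context.Request.Path.StartsWithSegments("/account/register"))
    {
        context.Response.StatusCode = StatusCodes.Status404NotFound;
        return;
    }
    await next(context);
});

var account = app.MapGroup("/account");
account.MapIdentityApi<User>();

// Hypothetical replacement for /register that accepts one additional field.
account.MapPost("/signup", async (SignupRequest req, UserManager<User> users) =>
{
    if (!new EmailAddressAttribute().IsValid(req.Email))
        return Results.ValidationProblem(new Dictionary<string, string[]>
            { ["InvalidEmail"] = new[] { "Email is not valid." } });

    var user = new User { UserName = req.Email, Email = req.Email, DisplayName = req.DisplayName };
    // CreateAsync applies the configured password and user validators and hashes the password.
    var result = await users.CreateAsync(user, req.Password);
    return result.Succeeded
        ? Results.Ok()
        : Results.ValidationProblem(result.Errors
            .GroupBy(e => e.Code)
            .ToDictionary(g => g.Key, g => g.Select(e => e.Description).ToArray()));
});

app.Run();

public record SignupRequest(string Email, string Password, string DisplayName);
public class User : IdentityUser { public string? DisplayName { get; set; } }
public class AppDbContext(DbContextOptions<AppDbContext> options) : IdentityDbContext<User>(options);
```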

@andrea.chiarelli Thank you for giving this rundown of the new options! In the section about which authentication type to use, you say:

In previous versions of .NET, if you wanted to leverage the ASP.NET Core Identity built-in authentication pages in your SPA, the user experience would be disrupted.

What’s different in this new version? How do you prevent the page reload when using cookie-based authentication in a SPA?

Hey @benjamin.t.sutton,
You can create your own UI in your SPA and call the Identity API endpoints through HTTP requests (with cookie support enabled, of course).
Identity API endpoints support cookie-based authentication too, as explained here.