Menu
I finally got my login-method with JWT Token Authentication working.
Here I'm calling
await HttpContext.SignInAsync(
CookieAuthenticationDefaults.AuthenticationScheme,
ClaimsPrincipalFactory.CreatePrincipal(claims),
authProps);
I also called
await HttpContext.AuthenticateAsync(CookieAuthenticationDefaults.AuthenticationScheme);
In the example I read that I only need the SignInAsync.
So I tested it and removed AuthenticateAsync. But still, User.Identity.IsAuthenticated returns true.
Is it okay to remove the AuthenticateAsync? Or do I still need it? Why does it exist?
The doc-string of AuthenticateAsync only says Extension method for authenticate
656
AuthenticateAsync(HttpContext) Authenticate the current request using the default authentication scheme. The default authentication scheme can be configured using DefaultAuthenticateScheme. AuthenticateAsync(HttpContext, String) Authenticate the current request using the specified scheme.
//SignInAsync is a Extension method for Sign in a principal for the specified scheme. await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, principal, new AuthenticationProperties() {
ChallengeAsync(HttpContext, String)Challenge the current request using the specified scheme. An authentication challenge can be issued when an unauthenticated user requests an endpoint that requires authentication.
AuthenticationScheme passed to AddAuthentication sets the default authentication scheme for the app. AuthenticationScheme is useful when there are multiple instances of cookie authentication and the app needs to authorize with a specific scheme. Setting the AuthenticationScheme to CookieAuthenticationDefaults.
Here's a recap between all the various methods coming from the Authentification framework (for ASP.NET Core 2.0), in the order in which they're called in a typical auth flow.
ChallengeAsync
This will instruct your browser on where to go to be authenticated. For example:
/Account/Login)AuthenticateAsync
This step handles whatever information comes from the authentication page (where you were redirected to by the Challenge step), and uses it to create a ClaimsPrincipal instance that identify the logged in user.
That ClaimsPrincipal is then assigned to HttpContext.User.
SignInAsync
This step takes the ClaimsPrincipal built from the previous step, and persists it. The most common way is of course the cookies.
Note that based on the source code in https://github.com/aspnet/Security/, it seems to be the only way to persist the ClaimsPrincipal.
SignOutAsync
This is the reverse step of the SignIn step. It instructs the middleware to delete any persisted data.
So to answer your question, if you already have a ClaimsPrincipal, calling AuthenticateAsync is not necessary.
In fact, it's a bit strange that you have a ClaimsPrincipal before calling AuthentificateAsync :)
90
I had the same question recently and figured it out.
AuthenticateAsync
The AuthenticateAsync() method of the Authentication Handlers is responsible for constructing the ClaimsPrincipal from the Request and return it to the Authentication Middleware. The Authentication middleware then sets the HttpContext.User Property with the ClaimsPrincipal.(reference)
From my understanding, AuthenticateAsync() method is used internally by asp.net core, we normally don't need to call it as we can access HttpContext.User Property to get the ClaimsPrincipal. But you can call this method in your code to get the AuthenticateResult if you want(but not necessary).
SignInAsync
This is used when you first authenticate the user after they log in, so you build ClaimsPrincipal in your code and call SignInAsync to persist the claims like write to cookie.
34
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
