What is the best method for user authorisation/authentication in ASP.NET MVC?

I see there are really two approaches:

  • Use the built-in ASP.NET authorisation system.
  • Use a custom system with my own User, Permission, UserGroup tables etc.

I'd prefer the second option, because User is part of my domain model (and I have zero experience with ASP.NET's built-in stuff), but I'd really like to hear what people have been doing in this area.

+15  A: 

There is actually a third approach. The ASP.NET membership functionality is based on the provider model. You can write a custom provider, thus being able to provide your own implementation for how the data is stored, but retaining much of the benefit of ASP.NET membership.

Some articles on the subject:

http://msdn.microsoft.com/en-us/library/f1kyba5e.aspx

http://www.asp.net/learn/videos/video-189.aspx

http://www.15seconds.com/issue/050216.htm

http://davidhayden.com/blog/dave/archive/2007/10/11/CreateCustomMembershipProviderASPNETWebsiteSecurity.aspx

Jim Petkus
+10  A: 

Go with custom. MembershipProvider is way too heavy for my tastes. Yes it's possible to implement it in a simplified way, but then you get a really bad smell of NotSupportedException or NotImplementedException.

With a totally custom implementation you can still use IPrincipal, IIdentity and FormsAuth. And really how hard is it to do your own login page and such?

Tim Scott
+4  A: 

Yet another approach is to use ASP.NET membership for authentication, link your User class to ASP.NET members, and use your User class for more granular permissions. We do this, because it allows changing authentication providers very easily, while still retaining the ability to have a complex permission system.

In general, it's worth remembering that authentication/identity and storing permissions are not necessarily the same problem.

Craig Stuntz
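
The split between authentication and permissions described in the answers above can be sketched as follows. This is an added example, not code from any of the answers: `User`, `IUserRepository`, `DomainPrincipal`, `RequirePermissionAttribute` and the permission string are hypothetical names, while `IPrincipal`, `IIdentity`, `AuthorizeAttribute` and `Application_PostAuthenticateRequest` are the framework's own.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Hypothetical domain user and lookup, backed by your own User/Permission tables.
public class User { public HashSet<string> Permissions = new HashSet<string>(StringComparer.Ordinal); }
public interface IUserRepository { User FindByUserName(string userName); }

// Keeps the identity from whatever authenticated the request (forms auth,
// a membership provider, ...) and answers permission checks from the domain User.
public sealed class DomainPrincipal : IPrincipal
{
    private readonly User _user;
    public DomainPrincipal(IIdentity identity, User user) { Identity = identity; _user = user; }
    public IIdentity Identity { get; private set; }
    public bool IsInRole(string role) { return false; } // roles unused in this sketch
    public bool Has(string permission) { return _user != null && _user.Permissions.Contains(permission); }
}

// Deny by default: the request must be authenticated AND hold the named permission.
public sealed class RequirePermissionAttribute : AuthorizeAttribute
{
    private readonly string _permission;
    public RequirePermissionAttribute(string permission) { _permission = permission; }
    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        if (!base.AuthorizeCore(httpContext)) return false; // not authenticated
        var principal = httpContext.User as DomainPrincipal;
        return principal != null && principal.Has(_permission);
    }
}

// Global.asax.cs: swap in the domain principal once authentication has run.
public class MvcApplication : HttpApplication
{
    public static IUserRepository Users; // assumption: assigned in Application_Start
    protected void Application_PostAuthenticateRequest(object sender, EventArgs e)
    {
        var identity = Context.User == null ? null : Context.User.Identity;
        if (identity == null || !identity.IsAuthenticated) return;
        // An authenticated name with no domain User yields a principal with no permissions.
        Context.User = new DomainPrincipal(identity, Users.FindByUserName(identity.Name));
    }
}
// Usage on a controller action: [RequirePermission("orders.refund")]
```

Because the attribute only reads `httpContext.User`, the authentication mechanism can be replaced without touching any permission check.
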
+1  A: 

Has anyone successfully integrated OpenID/OAuth style auth & auth with ASP.NET MVC? The more I read about auth, the more I get pointed to ASP.NET Membership style auth. Membership style auth is good for providers who also manage identities. But for just delegators, the auth is often multi-step and multi-token based, and I am not sure whether the membership model fits that naturally.

Any pointers towards this would help me a lot.

Charles Prakash Dasari
Stack Overflow is written in ASP.NET MVC. Ask the Stack Overflow team for tips.
Steve Lazaridis