Codific mvc567

mvc567 is a high performance, open-source ASP.NET Core-based web application platform. It provides CMS functionality to its users.

View the Project on GitHub codific/mvc567

Authentication and Authorization

The information in this section is about the administration authentication and authorization.

Administration Access

One of the key factors of mvc567 authentication is the three-factor authentication provided by the application layer.

The admin cookie is a client-specific cookie that allows a user to reach the admin area of the application. It is generated by the system and is very difficult (practically impossible) to set by hand. To obtain the admin cookie you must enter the 6 digits produced by the administration authenticator at the route /admin/auth/init.

To get these 6 digits you must set up the authenticator with the hash from the AdminLoginAuthenticator:SecretKey property in the configuration. If you enter wrong digits, instance-based brute-force protection applies. In addition, this form has CSRF protection.

Admin Login

Admin login is a form where you must enter the admin email and password. This form is protected by Google reCAPTCHA and CSRF. If you enter a wrong password 5 times, your account will be locked.

Two profiles are generated: one for admin and one for user. To log in with these profiles, use the following credentials:

Admin 2 Factor Authentication

Once you enter a correct email and password, you must enter your personal authenticator code. This form is protected by Google reCAPTCHA and CSRF.

To activate your personal authenticator, use the profile settings once you are inside the administration.

Authentication

Authentication is separated into two schemes:

To access any page in the administration you have to be authenticated with the cookies scheme. Using the AuthorizedAttribute applies the default scheme, which is the cookies one. For API calls you can specify whichever authentication scheme is more suitable for you.

Authorization

Authorization is represented by roles and policies. By default, the startup roles in the system are Admin and User. Admin has all permissions, while User has none. In addition to roles, there are policies, which are defined by specific permissions. These permissions are as follows:

The policies related to these permissions are available in the static class ApplicationPermissions. You can find them in the Constant section.

These roles and policies are used exactly as in a normal ASP.NET Core application.

To define an additional policy, you can override the virtual method AddAuthorizationOptions, which is available in ApplicationStartup.
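The following is an added example, not code from the mvc567 project, showing how the pieces above fit together: a custom policy registered through an AddAuthorizationOptions override, an admin page protected under the default cookies scheme, and an API endpoint that selects a different scheme. The signature of AddAuthorizationOptions, the JWT bearer scheme for API calls, the "Permission" claim type and the "Reports.View" permission name are assumptions; the real permission constants live in ApplicationPermissions.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical host startup deriving from mvc567's ApplicationStartup.
// The signature of AddAuthorizationOptions is assumed; check the project source.
public class MyStartup : ApplicationStartup
{
    // Constructed permission name for this example; real ones come from ApplicationPermissions.
    public const string ReportsPolicy = "Reports.View";

    protected override void AddAuthorizationOptions(AuthorizationOptions options)
    {
        base.AddAuthorizationOptions(options); // keep the built-in Admin/User setup

        // Policy satisfied by the Admin role (which has all permissions) or by an explicit
        // permission claim; "Permission" as the claim type is an assumption.
        options.AddPolicy(ReportsPolicy, policy =>
            policy.RequireAssertion(ctx =>
                ctx.User.IsInRole("Admin") ||
                ctx.User.HasClaim("Permission", ReportsPolicy)));
    }
}

// Administration page: no scheme named, so the default cookies scheme applies and the
// request must already carry the admin cookie plus a logged-in, 2FA-verified identity.
[Authorize(Roles = "Admin")]
public class ReportsAdminController : Controller
{
    [HttpGet("/admin/reports")]
    public IActionResult Index() => View();
}

// API endpoint: picks a token scheme instead of cookies (JWT bearer is assumed here)
// and requires the custom policy rather than a fixed role.
[ApiController]
[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme,
           Policy = MyStartup.ReportsPolicy)]
public class ReportsApiController : ControllerBase
{
    [HttpGet("/api/reports")]
    public IActionResult Get() => Ok(new { status = "authorized" });
}
```

Because the API controller names its scheme explicitly, a valid admin cookie alone does not satisfy it, and a bearer token alone does not satisfy the admin page; each route is bound to the scheme the text describes for it.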