Skip to main content

ASP.NET Identity Framework

November 18, 2014


Securing a website is important to maintaining security and privacy for both users and hosted information. ASP.NET Identity provides a membership system for building and securing ASP.NET web applications. ASP.NET Identity allows the developer to add login features to an application, and makes it easy to customize data about the logged-in user by extending the ASP .NET database schema.

ASP.NET Identity can be used with all of the ASP.NET frameworks, such as ASP.NET MVC, Web Forms, Web Pages, Web API, and SignalR.

ASP.NET Identity can also be used for building web, phone, store or hybrid applications. It also supports using Microsoft, Google, Facebook and Twitter user login information.

ASP.NET Database Schema

The following database schema is used to persist user login and application role information.  The schema can be freely extended to add additional functionality.


Figure 1 – ASP.NET Identity Database Schema

The AspNetUser table is used to persist information about the User, including username and password, as well as their demographics.

The AspNetRole table is used to store information regarding application roles. A user gets assigned to one or more roles by which the user is granted access rights. By assigning a user to a role, the user immediately gets all the access rights defined for that role.

The AspNetUserClaim table is used to store information regarding a user’s or application’s set of claims. A claim is a statement that an entity (a user or another application) makes about itself. For example, a claim list can have the user’s name, e-mail, age, as well as authorization for an action. In the Role-Based Security model, a user presents the credentials directly to the application. In a claims-based model, the user presents the claims and not the credentials to the application. For a claim to have practical value, it must come from an entity the application trusts.

The AspNetUserLogin table is used to store login provider information. Facebook, Google, Twitter and Microsoft identities can be used with ASP.NET Identity.

Using ASP.NET Identity in an MVC Controller

The following code snippet shows how a controller action method can be decorated to different levels of access.

Anonymous Access
The AllowAnonymous attribute gives all users access to the action method.


Authenticated Access
The Authorize attribute gives authenticated (logged-in) users access to the action method.


Role Access
The Authorize attribute allows access to authenticated users


ontroller Class Access
Methods in a controller class can be set to a specific authentication profile by decorating the class accordingly. The Authorize attribute requires the user to be fully authenticated to use any of the methods in the AccountController class.



ASP.NET Identity provides a membership system to secure a website, and is important to maintaining security and privacy for both users and hosted information.