
Overview

RealtimeChat uses ASP.NET Core Identity as its authentication framework, providing secure user management with cookie-based authentication and external OAuth provider support.

ASP.NET Identity

Built-in user management with secure password hashing and validation

Google OAuth

Social authentication with Google OAuth 2.0 integration

Cookie Authentication

Session-based authentication using secure HTTP-only cookies

Identity API

RESTful endpoints for registration, login, and user management

Authentication System

Core Components

The authentication system is built on several key components:
  1. ApplicationUser Model - Custom user entity extending IdentityUser
  2. Identity Configuration - Entity Framework Core configuration for identity tables
  3. External Auth Service - Handles OAuth provider authentication
  4. Auth Extensions - Configures authentication middleware and endpoints

User Model

The ApplicationUser class extends ASP.NET Identity’s IdentityUser with additional properties:
Applications/RealtimeChat.API/Entities/ApplicationUser.cs
public class ApplicationUser: IdentityUser
{
    public string? FirstName { get; set; }
    public string? LastName { get; set; }
    
    public ICollection<MessageEntity> Messages { get; set; } = null!;
    public ICollection<ChatRoomParticipantEntity> ChannelParticipants { get; set; } = null!;
}

Inherited Properties

From IdentityUser, the following properties are available:
  • Id (string) - Unique identifier for the user
  • UserName (string) - Username (typically the email address)
  • Email (string) - User’s email address
  • EmailConfirmed (bool) - Whether the email has been verified
  • PasswordHash (string) - Hashed password (never stored in plain text)
  • PhoneNumber (string) - Optional phone number

Custom Properties

  • FirstName (string?) - User’s first name (nullable)
  • LastName (string?) - User’s last name (nullable)
  • Messages (ICollection<MessageEntity>) - Navigation property for the user’s chat messages
  • ChannelParticipants (ICollection<ChatRoomParticipantEntity>) - Navigation property for chat room participations

Authentication Flow

Traditional Registration & Login

  1. User Registration - The user submits the registration form with email and password to /account/register
  2. Password Hashing - ASP.NET Identity hashes the password using the PBKDF2 algorithm
  3. User Creation - An ApplicationUser record is created in the database
  4. Authentication Cookie - Upon successful login, an authentication cookie is issued
  5. Authorized Requests - The cookie is sent with subsequent requests to authenticate the user

OAuth Flow (Google)

  1. Initiate OAuth - The user clicks “Login with Google”, which redirects to /auth/external-login/Google
  2. Google Authentication - The user authenticates with Google and grants permissions
  3. OAuth Callback - Google redirects back to /auth/external-callback with the user’s claims
  4. User Lookup or Creation - ExternalAuthService checks whether a user with that email already exists, or creates a new user
  5. Link Login Provider - The external login (Google) is linked to the user account
  6. Sign In - The user is signed in and an authentication cookie is issued
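Steps 3 to 6 of the OAuth flow, written out as an added example. This is not RealtimeChat’s ExternalAuthService but a stand-in for it; ApplicationUser is the entity shown on this page, while the names ExternalSignInHandler, HandleCallbackAsync and MapExternalCallback are assumptions. The handler first tries a direct sign-in by provider key (a returning Google user), then falls back to the lookup-by-email-or-create path and links the provider before issuing the application cookie.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Identity;

// Added example, not project code. Register with builder.Services.AddScoped<ExternalSignInHandler>().
public sealed class ExternalSignInHandler
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser> _signInManager;

    public ExternalSignInHandler(UserManager<ApplicationUser> userManager,
                                 SignInManager<ApplicationUser> signInManager)
    {
        _userManager = userManager;
        _signInManager = signInManager;
    }

    // Returns the signed-in user, or null when the external handshake did not complete.
    public async Task<ApplicationUser?> HandleCallbackAsync()
    {
        // Step 3: read the claims Google returned; they live in the ExternalScheme cookie.
        // Null means the state/correlation check failed or no challenge preceded this request.
        ExternalLoginInfo? info = await _signInManager.GetExternalLoginInfoAsync();
        if (info is null) return null;

        // Returning user: the (provider, providerKey) pair is already linked to a local account.
        SignInResult existing = await _signInManager.ExternalLoginSignInAsync(
            info.LoginProvider, info.ProviderKey, isPersistent: false, bypassTwoFactor: true);
        if (existing.Succeeded)
        {
            return await _userManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey);
        }

        // Step 4: look the user up by email, or create one from the provider's claims.
        string? email = info.Principal.FindFirstValue(ClaimTypes.Email);
        if (string.IsNullOrWhiteSpace(email)) return null; // nothing to match or create on

        ApplicationUser? user = await _userManager.FindByEmailAsync(email);
        if (user is null)
        {
            user = new ApplicationUser
            {
                UserName = email,
                Email = email,
                FirstName = info.Principal.FindFirstValue(ClaimTypes.GivenName),
                LastName = info.Principal.FindFirstValue(ClaimTypes.Surname),
                // Assumption: the provider-supplied address is treated as already verified.
                EmailConfirmed = true,
            };
            IdentityResult created = await _userManager.CreateAsync(user);
            if (!created.Succeeded) return null;
        }

        // Step 5: link the Google login to the local account (skipped if already linked).
        if (await _userManager.FindByLoginAsync(info.LoginProvider, info.ProviderKey) is null)
        {
            IdentityResult linked = await _userManager.AddLoginAsync(user, info);
            if (!linked.Succeeded) return null;
        }

        // Step 6: issue the ApplicationScheme cookie and discard the temporary external cookie.
        await _signInManager.SignInAsync(user, isPersistent: false);
        await _signInManager.Context.SignOutAsync(IdentityConstants.ExternalScheme);
        return user;
    }
}

public static class ExternalCallbackEndpoint
{
    // Maps the callback path named on this page to the handler above.
    public static IEndpointRouteBuilder MapExternalCallback(this IEndpointRouteBuilder app)
    {
        app.MapGet("/auth/external-callback", async (ExternalSignInHandler handler) =>
        {
            ApplicationUser? user = await handler.HandleCallbackAsync();
            return user is null
                ? Results.Unauthorized()
                : Results.Ok(new { user.Id, user.Email });
        });
        return app;
    }
}
```

The direct ExternalLoginSignInAsync attempt comes first so that an account which is already linked is never re-matched by email; the email lookup only runs for a provider key the application has not seen before.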

Authentication Schemes

RealtimeChat configures multiple authentication schemes:
Applications/RealtimeChat.API/Extensions/AuthExtensions.cs
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultAuthenticateScheme = IdentityConstants.ApplicationScheme;
        options.DefaultChallengeScheme = IdentityConstants.ExternalScheme;
        options.DefaultSignInScheme = IdentityConstants.ExternalScheme;
    })
    .AddGoogle(googleOptions =>
    {
        googleOptions.ClientId = builder.Configuration["Authentication:Google:ClientId"]!;
        googleOptions.ClientSecret = builder.Configuration["Authentication:Google:ClientSecret"]!;
        googleOptions.CallbackPath = "/signin-google";
    });
  • ApplicationScheme - Default scheme for cookie authentication
  • ExternalScheme - Used for OAuth provider authentication

API Endpoints

The following authentication endpoints are automatically mapped:

Identity API Endpoints

app.MapGroup("/account").MapIdentityApi<ApplicationUser>();
This creates standard endpoints:
  • POST /account/register - Register new user
  • POST /account/login - Login with email/password
  • POST /account/refresh - Refresh authentication token
  • GET /account/manage/info - Get current user info
  • POST /account/manage/info - Update user info

Custom Endpoints

POST /account/logout
GET /auth-ping (requires authorization)
GET /auth/external-login/{provider}
GET /auth/external-callback
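The three remaining custom endpoints, as an added example that is not RealtimeChat’s own AuthExtensions code. It assumes the page’s ApplicationUser entity and a Program.cs that calls the hypothetical MapCustomAuthEndpoints extension. The external-login endpoint only challenges a provider that is actually registered as an authentication scheme and only accepts a same-origin relative path as the post-login destination, which is the kind of restriction the OAuth Security section refers to.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;

// Added example, not project code.
public static class CustomAuthEndpoints
{
    // Accept only a relative path on this origin ("/chat"), rejecting absolute URLs,
    // protocol-relative "//evil.example" and the backslash variant "/\evil.example".
    public static bool IsLocalUrl(string? url)
    {
        if (string.IsNullOrEmpty(url) || url[0] != '/') return false;
        if (url.Length > 1 && (url[1] == '/' || url[1] == '\\')) return false;
        return true;
    }

    public static IEndpointRouteBuilder MapCustomAuthEndpoints(this IEndpointRouteBuilder app)
    {
        // POST /account/logout: clears the ApplicationScheme cookie for the current user.
        app.MapPost("/account/logout", async (SignInManager<ApplicationUser> signInManager) =>
        {
            await signInManager.SignOutAsync();
            return Results.NoContent();
        }).RequireAuthorization();

        // GET /auth-ping: succeeds only with a valid authentication cookie.
        app.MapGet("/auth-ping", (ClaimsPrincipal user) =>
            Results.Ok(new { user = user.Identity?.Name }))
           .RequireAuthorization();

        // GET /auth/external-login/{provider}: starts the OAuth handshake.
        app.MapGet("/auth/external-login/{provider}", async (
            string provider,
            string? returnUrl,
            SignInManager<ApplicationUser> signInManager) =>
        {
            // Providers must be explicitly configured; "Google" is the only one on this page.
            var schemes = await signInManager.GetExternalAuthenticationSchemesAsync();
            if (!schemes.Any(s => string.Equals(s.Name, provider, StringComparison.Ordinal)))
            {
                return Results.BadRequest("Unknown login provider.");
            }

            // Never redirect off-site after login; fall back to the site root.
            string safeReturn = IsLocalUrl(returnUrl) ? returnUrl! : "/";
            string callback = "/auth/external-callback?returnUrl=" + Uri.EscapeDataString(safeReturn);

            // Stores the redirect URL and provider in the ExternalScheme cookie's properties
            // so the callback can recover them after Google redirects back.
            var props = signInManager.ConfigureExternalAuthenticationProperties(provider, callback);
            return Results.Challenge(props, new[] { provider });
        });

        return app;
    }
}
```

Because Results.Challenge is issued against the named provider scheme rather than the DefaultChallengeScheme, this endpoint behaves the same regardless of how the defaults in AddAuthentication are set.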

Security Best Practices

RealtimeChat implements several security best practices:

Password Security

  • Passwords are hashed using PBKDF2 with salt
  • Plain text passwords are never stored
  • ASP.NET Identity handles all password hashing automatically
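To make the first three points concrete, here is an added example (not RealtimeChat code) that exercises the same PasswordHasher<TUser> that UserManager calls internally. ApplicationUser is the page’s entity; the class name PasswordHashingDemo and the iteration count are assumptions, not the project’s settings.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

// Added example, not project code.
public static class PasswordHashingDemo
{
    // Identity's hasher is PBKDF2 with a random per-password salt stored inside the
    // hash string itself. The iteration count is configurable; this value is an assumption.
    private static readonly PasswordHasher<ApplicationUser> Hasher = new(
        Options.Create(new PasswordHasherOptions { IterationCount = 210_000 }));

    public static string Hash(ApplicationUser user, string password) =>
        Hasher.HashPassword(user, password);

    // True when the password matches. If Identity reports that the stored hash was made
    // with weaker parameters than the current options, re-hash so the record is upgraded
    // transparently on this login.
    public static bool VerifyAndUpgrade(ApplicationUser user, string password)
    {
        PasswordVerificationResult result =
            Hasher.VerifyHashedPassword(user, user.PasswordHash!, password);

        switch (result)
        {
            case PasswordVerificationResult.Success:
                return true;
            case PasswordVerificationResult.SuccessRehashNeeded:
                user.PasswordHash = Hasher.HashPassword(user, password);
                return true;
            default:
                return false;
        }
    }

    // Walks through hash, verify and reject for a constructed user.
    public static bool Demo()
    {
        var user = new ApplicationUser { UserName = "alice@example.com", Email = "alice@example.com" };
        const string password = "correct horse battery staple";

        user.PasswordHash = Hash(user, password);

        // A second hash of the same password differs because it carries a fresh salt,
        // yet both verify; a different password does not.
        bool saltsDiffer = user.PasswordHash != Hash(user, password);
        bool accepted = VerifyAndUpgrade(user, password);
        bool rejected = !VerifyAndUpgrade(user, "wrong password");

        return saltsDiffer && accepted && rejected;
    }
}
```

Only PasswordHash is ever persisted; the plain-text password exists in memory for the duration of the hash or verify call and nowhere else.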

Cookie Security

  • Authentication cookies are HTTP-only (not accessible via JavaScript)
  • Cookies are secure in production (HTTPS only)
  • Session cookies expire when browser closes (non-persistent by default)
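The cookie properties listed above, spelled out as explicit options. This is an added example and not from the RealtimeChat repository: it configures the ApplicationScheme cookie that Identity issues and belongs after the Identity service registration in Program.cs, where `builder` is the WebApplicationBuilder. The ticket lifetime and the 401/403 event overrides are assumptions about how an API project would want this set.

```csharp
using Microsoft.AspNetCore.Http;

// Added example, not project code.
builder.Services.ConfigureApplicationCookie(options =>
{
    // HttpOnly keeps the session cookie unreadable from script running in the page.
    options.Cookie.HttpOnly = true;

    // "Secure in production": require HTTPS outside Development, where a plain
    // http://localhost origin is common during local work.
    options.Cookie.SecurePolicy = builder.Environment.IsDevelopment()
        ? CookieSecurePolicy.SameAsRequest
        : CookieSecurePolicy.Always;

    // Lax is sent on top-level GET navigations, so the redirect back from Google still
    // carries it, while cross-site POSTs from other origins do not.
    options.Cookie.SameSite = SameSiteMode.Lax;

    // A non-persistent sign-in (isPersistent: false) omits the Expires attribute, so the
    // browser discards the cookie when it closes. The ticket inside it still has a
    // server-side lifetime, set explicitly here rather than left at the default.
    options.ExpireTimeSpan = TimeSpan.FromHours(8);
    options.SlidingExpiration = true;

    // An API should answer unauthenticated calls with 401/403 rather than redirecting
    // to an HTML login page.
    options.Events.OnRedirectToLogin = ctx =>
    {
        ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return Task.CompletedTask;
    };
    options.Events.OnRedirectToAccessDenied = ctx =>
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        return Task.CompletedTask;
    };
});
```

A quick check after deploying: the Set-Cookie header on a successful /account/login response should show both the HttpOnly and Secure attributes and, for a non-persistent login, no Expires or Max-Age attribute.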

OAuth Security

  • OAuth tokens are validated server-side
  • External login providers must be explicitly configured
  • Callback URLs are restricted to prevent open redirects

Database Security

  • Connection strings should be stored in environment variables or Azure Key Vault
  • Never commit credentials to source control
  • Use separate databases for development and production
Always store sensitive configuration (ClientId, ClientSecret, connection strings) in environment variables or secure configuration providers, never in appsettings.json committed to source control.

Next Steps

OAuth Setup

Configure Google OAuth for social authentication

Identity Configuration

Learn about ASP.NET Identity configuration
