Authentication and Authorization


So far we’ve learned how to build a full-stack app but we’ll never be able to deploy it without securing it first. If you publish a form that calls a database and allow anyone to use it, it will eventually be found by bots designed to find database vulnerabilities. If you pay for your data server as you use it, the result will be a massive bill. Believe me, I learned the hard way. 😁

In principle, creating a custom authentication and authorisation system is fairly easy. You can even try yourself. Simply create an ‘user’ table with login and password and create a registration form that will insert a new user and a login form that will check the user input against that table. Then if the user is logged in you can allow them to view your page. If not, redirect them to the login/registration area.

The reality is a little bit more complex though, since any real A&A system will need to support functionalities like changing password, managing an account, confirming a registration, just to name a few. ASP.NET Identity offers scaffolding for dozens of these operations, shipping fully-functioning front and back-end solutions. And they’re customisable too! Let’s see how it works.


  • In this project, you'll have two tasks.
  • In a first moment you'll create a new Web App project with Identity as part of it.
  • In a second moment you'll scaffold Identity into the Movies App you created before. If you haven't done the Movies app, you can scaffold it into a project of your choice. This is the only project you need to submit for review.
  • You need to use Entity Framework, raw SQL isn't allowed.
  • You need to seed test data.
  • You need to use EF's EnsureCreated method so the database and tables are created automatically.
  • You need to add logging logic to your app and save logs to your database when errors occur.
  • You don't need to handle auth scenarios such as e-mail confirmation, password recovery, etc. These will be addressed in future projects.


  • After wiring Identity up, you need to apply it to the controller you want to protect.
  • You'll only submit one project for review, however it's important to complete both tasks. Creating an app with identity from the beginning. And then scaffolding identity into an existing app. These are two different beasts and it's important to have exposure to both.
Log in to mark this article as read and save your progress.
An unhandled error has occurred. Reload 🗙