ASP.Net MVC 5 Identity Questions

So I have been learning ASP.Net MVC along with Entity Framework from a database-first perspective.

The identity framework that is included in the project templates looks very interesting and will save me a lot of time, as writing these sorts of systems is always a time-consuming job. There are a couple of things that I am unsure about and I thought it would be best to ask on here before I dive in using this framework in my next big project.

Firstly, that database that it creates on the fly, can that be my main application database or will I have to run 2 (one for the identity stuff and one for my main app)? Is the framework smart enough not to interfere with the tables that I'll create and manage?

Secondly, I noticed the passwords are stored as a hash (good), but there is no sign of a salt anywhere. Exactly how secure is this hash that is created? Am I going to have to change this hashing mechanism to be more secure?

Thirdly, the user table does not contain all of the information I want to associate with a user. I'm hoping I'll be able to create another table with a 1 to 1 relationship with this table that'll contain all of the data that I'll need. I can't foresee any issues with this but has anyone else done something like this successfully?

Fourthly, I'm going to need a roles and permissions based system in my application. I'm assuming I'll be able to utilise the roles and claims in the identity framework to do this, or will I be better off writing my own implementation?
 
> Firstly, that database that it creates on the fly, can that be my main application database or will I have to run 2 (one for the identity stuff and one for my main app)? Is the framework smart enough not to interfere with the tables that I'll create and manage?

Yep, you can run it on your main data store and it'll be fine, so long as you don't duplicate the entity names.

> Secondly, I noticed the passwords are stored as a hash (good), but there is no sign of a salt anywhere. Exactly how secure is this hash that is created? Am I going to have to change this hashing mechanism to be more secure?

It's very secure and it does salt the hash. See here for a more in-depth explanation of what it does.

> Thirdly, the user table does not contain all of the information I want to associate with a user. I'm hoping I'll be able to create another table with a 1 to 1 relationship with this table that'll contain all of the data that I'll need. I can't foresee any issues with this but has anyone else done something like this successfully?

That's exactly what I do too. There's the 'User' table which is created by the Identity library by default, and I normally create a 'UserDetail' table with a 1-1 relationship to store additional data for that user that's relevant to my system. You could override the Identity classes to include it all in the default User model, but frankly it's more work than it's worth.

> Fourthly, I'm going to need a roles and permissions based system in my application. I'm assuming I'll be able to utilise the roles and claims in the identity framework to do this, or will I be better off writing my own implementation?

Roles are already included in Identity. It's a simple matter of calling 'UserManager.AddToRole(userId, "rolename")' and you're done. All you need to do from that point is add the [Authorize(Roles = "rolename, rolename2")] attribute to the relevant actions in the controller - or even on the controller itself if all actions have equal permissions requirements.
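
On the salt question answered above: the following is an added example, not part of the thread and not the Identity library's own code, showing why no separate salt column appears in the user table. It assumes the default ASP.NET Identity 2.x PasswordHasher layout (base64 of a 0x00 version byte, a 16-byte salt and a 32-byte PBKDF2-HMAC-SHA1 subkey at 1000 iterations); the function names and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os

# Assumed layout of the PasswordHash column (default Identity 2.x hasher):
# base64( 0x00 || 16-byte salt || 32-byte PBKDF2-HMAC-SHA1 subkey )
VERSION, SALT_LEN, SUBKEY_LEN, ITERATIONS = 0x00, 16, 32, 1000


def _derive(password, salt):
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               ITERATIONS, SUBKEY_LEN)


def hash_password(password, salt=None):
    """Produce a value in the same layout; a fresh random salt per call."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    return base64.b64encode(bytes([VERSION]) + salt + _derive(password, salt)).decode("ascii")


def parse_hash(stored):
    """Split a stored value into (salt, subkey); reject malformed input."""
    raw = base64.b64decode(stored, validate=True)  # binascii.Error is a ValueError
    if len(raw) != 1 + SALT_LEN + SUBKEY_LEN or raw[0] != VERSION:
        raise ValueError("not a version-0 Identity hash")
    return raw[1:1 + SALT_LEN], raw[1 + SALT_LEN:]


def verify_password(stored, candidate):
    """Re-derive with the embedded salt and compare in constant time."""
    try:
        salt, expected = parse_hash(stored)
    except ValueError:
        return False
    return hmac.compare_digest(_derive(candidate, salt), expected)


if __name__ == "__main__":
    first = hash_password("correct horse")   # constructed sample password
    second = hash_password("correct horse")
    print(first)
    print(second)
    print("same password, different stored values:", first != second)
    print("verifies:", verify_password(first, "correct horse"))
    print("wrong password rejected:", not verify_password(first, "wrong"))
```

The salt travels inside the single stored string, which is why two users with the same password still get different PasswordHash values.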
 
Ah excellent, thanks for all the info, sounds like it will be perfect for my new app. Any other tips in getting to grips with MVC? I've gone through the initial tutorials for it on the Microsoft website and it all seems quite straightforward (and much nicer than web forms).
 
Ok a few more questions :p

1) I want to put all of my models into a class library including all of the identity models that were created for me.

2) How do I go about changing the connection string that is created for me by the identity framework? I need it to point to an existing database on an SQL Server 2016 instance.

I attempted point 1 and this obviously gave me a lot of compile errors which were easy to fix (namespaces needing updating). I placed the provided con string into the app.config but I got a context error when trying to register on the site. I'm pretty sure this was a connection string issue, hence question 2.

I tried to fix this by setting the DefaultConnection to the same as my edmx connection string but just got a wall of red errors :| . Any pointers would be appreciated.
 