Help with MVC authentication/authorization solution

I have an MVC 3 app that I'm building, and need to figure out a good solution for managing authentication and authorization. I've used Membership, and I don't want to use it in this case -- I prefer to use my own design and tables. However, I'm open to implementing my custom logic using the built-in interfaces, if that is appropriate.

Here are my requirements:

  • A user can be part of one or multiple roles.

  • Roles may be mapped to any number of "permissions" (many-to-many). A permission is something like "Can edit other users' posts".

  • Each controller action may allow access to one or more roles (or may have no authorization required, for public pages).

  • I will also need "feature-level" control over which roles can see/update various elements on a view. May use permissions to drive these vs. roles.

  • As a side note, I will probably also allow members to sign up using their Facebook and/or Twitter accounts. But this can be done independently of my custom membership implementation, if that is appropriate (i.e. create a custom user on signup, then tie it to FB/Twitter account).

I'm sure somebody has done something like this before. But based on the dozen or more blogs and SO posts I've seen on this topic, none of the solutions really fit this, it doesn't seem. But there's a good chance I'm just not able to fit the pieces together, and something appropriate is staring me right in the face.

For example, I've read some about "claim based" authentication vs. "role based", but not sure I understand the differences enough to make a call, nor whether or not they require ASP.NET Membership. I've also read about building custom membership by implementing IPrincipal and IIdentity and using action filters to drive controller access, but I'm not finding any comprehensive guides to doing this, and I'm still fairly green with action filters.

I'm also not sure whether I should be using some of .NET's built-in controls for signup, authentication, forgot password, etc. My instinct is not to, as I usually like building these myself, and I'm also not sure if they would work in a custom setup. But if I'm wrong, let me know.

Thanks in advance.

Jerad Rose asked Mar 07 '11 21:03


People also ask

How do you do authorization and authentication in MVC?

For form authentication the user needs to provide his credentials through a form. Windows Authentication is used in conjunction with IIS authentication. The Authentication is performed by IIS in one of three ways such as basic, digest, or Integrated Windows Authentication.

How do I authorize in MVC?

Here's how to use the Authorize attribute. You can apply the Authorize attribute to individual methods as well as the controller class as a whole. If you add the Authorize attribute to the controller class, then any action methods on the controller will be only available to authenticated users.


1 Answer

Remember that there are 2 different parts to the ASP.NET Authentication / Authorization framework. The first is the front end with membership and role providers, and then there's the back end using the SqlMembershipProvider and SqlRoleProvider.

In my personal experience, I've found it easiest to write my own custom versions of MembershipProvider and RoleProvider. I think it will satisfy every one of your requirements.

Update: Jerad asked me: "It seems implementing MembershipProvider and RoleProvider adds a lot of overhead (and fluff) that I will never need/use. Is this still the way to go? What do I benefit from doing this?"

I think if you use the Authentication / Authorization framework, you can take advantage of lots of built-in stuff. For example, you can decorate controllers and their methods with authorization based on roles, such as [Authorize(Roles = "DefaultUser")]. Also, you can put this sort of checking code directly in the views if needed, like:

<% if (Request.IsAuthenticated) { %> 
<p>Only authenticated users see this.</p>
<% } %>

In addition, Authentication / Authorization takes care of the dirty work of setting up role / user cookies and encrypting them. If you roll your own, then this is something you have to do yourself.

Jerad also wants: "A user can be part of one or multiple roles." and "Roles may be mapped to any number of "permissions" (many-to-many). A permission is something like "Can edit other users' posts"."

I consider roles and permissions the same thing. So a single user could have multiple roles and permissions, like "CanEditPosts", "Admin", etc.

Keltex answered Oct 14 '22 22:10
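The following is an added example (not code from the question or the answer above) showing the approach the answer recommends: a custom RoleProvider over your own tables that makes [Authorize(Roles = "...")] and User.IsInRole work, with a user's effective "roles" being the union of their role names and the permission names those roles map to, which covers both the many-to-many role/permission requirement and the per-action authorization requirement from the question. The class name PermissionRoleProvider, the controller, and the in-memory dictionaries standing in for the Users / UserRoles / RolePermissions tables are all assumptions; in a real app the two lookups become queries against your own schema.

```csharp
// Added example: read-only RoleProvider backed by custom role/permission tables.
// PermissionRoleProvider, PostsController and the sample data are assumptions,
// not part of the original question or answer.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using System.Web.Security;

public class PermissionRoleProvider : RoleProvider
{
    // Constructed sample data standing in for the custom tables:
    //   UserRoles(UserName, RoleName) and RolePermissions(RoleName, PermissionName)
    private static readonly Dictionary<string, string[]> UserRoles =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "alice", new[] { "Admin" } },
            { "bob",   new[] { "Moderator", "Member" } },
            { "carol", new[] { "Member" } },
        };

    private static readonly Dictionary<string, string[]> RolePermissions =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "Admin",     new[] { "CanEditPosts", "CanDeletePosts", "CanManageUsers" } },
            { "Moderator", new[] { "CanEditPosts" } },
            { "Member",    new string[0] },
        };

    public override string ApplicationName { get; set; }

    // The method that [Authorize(Roles = "...")] and User.IsInRole ultimately depend on:
    // the user's role names plus every permission granted through those roles.
    public override string[] GetRolesForUser(string username)
    {
        string[] roles;
        if (string.IsNullOrEmpty(username) || !UserRoles.TryGetValue(username, out roles))
            return new string[0]; // unknown or anonymous user: no roles, no permissions

        return roles
            .Concat(roles.SelectMany(r => RolePermissions.ContainsKey(r) ? RolePermissions[r] : new string[0]))
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();
    }

    public override bool IsUserInRole(string username, string roleName)
    {
        return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override string[] GetAllRoles()
    {
        return RolePermissions.Keys
            .Concat(RolePermissions.Values.SelectMany(p => p))
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToArray();
    }

    public override bool RoleExists(string roleName)
    {
        return GetAllRoles().Contains(roleName, StringComparer.OrdinalIgnoreCase);
    }

    public override string[] GetUsersInRole(string roleName)
    {
        return UserRoles.Keys.Where(u => IsUserInRole(u, roleName)).ToArray();
    }

    public override string[] FindUsersInRole(string roleName, string usernameToMatch)
    {
        return GetUsersInRole(roleName)
            .Where(u => u.IndexOf(usernameToMatch, StringComparison.OrdinalIgnoreCase) >= 0)
            .ToArray();
    }

    // Role administration happens in your own admin screens against your own tables,
    // so the provider's write methods are intentionally unsupported.
    public override void CreateRole(string roleName) { throw new NotSupportedException(); }
    public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
    public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
    public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
}

// Per-action authorization: public page, any signed-in user, a specific permission,
// and a comma-separated list (AuthorizeAttribute grants access if the user is in ANY of them).
public class PostsController : Controller
{
    public ActionResult Index() { return View(); }                 // no [Authorize]: public

    [Authorize]                                                    // any authenticated user
    public ActionResult Create() { return View(); }

    [Authorize(Roles = "CanEditPosts")]                            // permission name resolved by the provider
    public ActionResult Edit(int id) { return View(); }

    [Authorize(Roles = "Admin, CanManageUsers")]                   // either is enough
    public ActionResult Moderate() { return View(); }
}

// Registration in web.config (assumed type name; adjust the namespace):
// <roleManager enabled="true" defaultProvider="PermissionRoleProvider">
//   <providers>
//     <clear />
//     <add name="PermissionRoleProvider" type="PermissionRoleProvider" />
//   </providers>
// </roleManager>
```

For the "feature-level" requirement, the same provider drives view code such as `@if (User.IsInRole("CanEditPosts")) { ... }` in Razor, so the edit button and the Edit action are gated by one definition. Two caveats worth knowing: an authenticated user who fails a role check gets a 401 that forms authentication turns into a redirect to the login page, not a 403, so a "not permitted" page needs a custom AuthorizeAttribute override of HandleUnauthorizedRequest; and if you enable `cacheRolesInCookie` on roleManager, a revoked permission keeps working until that cookie expires, so leave it off (or keep the timeout short) where permission changes must take effect immediately.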