I am trying to understand how the Microsoft Identity package for authenticating users works.
It isn't clear to me what exactly schemes and handlers are and how they are used with each other.
I faced those two terms when I was learning how to use the Microsoft Identity package for authenticating users. I tried to find an answer for that myself, but it still isn't clear, so I tried to check tutorials for authenticating users without this package so that I get a clearer view of what this package does behind the scenes.

There are some points that are still hazy for me:

1. What are schemes and handlers and how are they related?
2. What is the string authenticationType passed to the constructor of ClaimsIdentity(IEnumerable<Claim>? claims, string? authenticationType), and is it related to the schemes and handlers or not?
3. What is the scheme that is used when signing in a user using SignInManager.PasswordSignInAsync(TUser user, string password, bool isPersistent, bool lockoutOnFailure), which is provided by the identity package?
What are schemes and handlers and how are they related?

An authentication scheme is a specific way to authenticate a client or request.
An authentication handler is a class or middleware-function that ASP.NET Core uses to perform that authentication process on a request.

Within the context of ASP.NET Core 3.1 or later, the most common authentication-schemes you'll run into are:

- Microsoft.AspNetCore.Authentication.Cookies (default name: "Cookies")
- Microsoft.AspNetCore.Authentication.OAuth (no default-name; often implies using JWTs to access other resources, while using Cookies to store those JWT tokens, and other auth info, for web-browser users)
- Microsoft.AspNetCore.Authentication.OpenIdConnect (as with OAuth2, ASP.NET Core will combine this scheme with Cookies so web-browser users can use stateless auth)
- Microsoft.AspNetCore.Authentication.JwtBearer - use this scheme if your ASP.NET Core code is a web-service ("web API") - it is not suitable for use in MVC web-applications with web-browser users and if you aren't using OAuth2 or OIDC. Do not use this scheme directly if you're using OAuth2/OIDC even if they're using JWT, because those other schemes' libraries take care of a lot of responsibilities you'd have to write by hand here (such as the cryptographic keys for JWT verification).

What is the string authenticationType parameter given to the constructor of ClaimsIdentity(IEnumerable<Claim>? claims, string? authenticationType), and is it related to the schemes and handlers or not?
If you aren't using ASP.NET Core Identity then this is nothing you need to worry about, as it isn't really used anywhere anymore; and the current (.NET 8) documentation only makes references to old-school schemes like HTTP Basic, NTLM, Kerberos, and Passport.

"Passport" was Microsoft's first attempt at their own first-party semi-federated SSO thing around 1999 - it was killed off sometime around 2003-ish, which was after ASP.NET first launched, which is why ASP.NET (for .NET Framework) still has vestigial references to it. Passport's successor was launched around 2005 as "Windows Live ID", which eventually turned into today's "Microsoft Account" around 2011-ish?

But if you are using ASP.NET Core Identity and you're using multiple authentication-schemes, then SignInManager (and some other places) use this property to check whether the current request's user is/was authenticated with a specific SignInManager, by using the SignInManager.AuthenticationScheme property value which you configure during startup.
What is the scheme that is used when signing in a user using the SignInManager.PasswordSignInAsync(TUser user, string password, bool isPersistent, bool lockoutOnFailure) which is provided by the identity package?

According to the source-code, if you use MapIdentityApi with ASP.NET Core Identity, then SignInManager.AuthenticationScheme will be set to either "Identity.Application" or "Identity.Bearer" (depending on whether ASP.NET Core Identity is configured for Cookies or Bearer-tokens respectively).

If you don't use MapIdentityApi but use ASP.NET Core Identity's AddDefaultIdentity method, then it uses "Identity.External" for the DefaultSignInScheme and "Identity.Application" for its own Cookies scheme.
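As an added example (not code from the question or the answer above), here is a minimal Program.cs that ties the three pieces together: each AddCookie/AddJwtBearer call registers a handler under a scheme name, the ClaimsIdentity created at sign-in carries that scheme name as its authenticationType, and each endpoint states which scheme is allowed to authenticate it. The issuer, audience, the "Jwt:Key" configuration entry, the LoginRequest record and the validatePassword delegate are placeholders assumed for this example.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Placeholder credential check: deny by default. Replace with your user store
// (e.g. ASP.NET Core Identity's SignInManager / PasswordHasher).
Func<string, string, bool> validatePassword = (user, password) => false;

// A scheme is just a name; each Add* call registers the handler class that ASP.NET Core
// runs when that name is asked to authenticate, challenge or sign in a request.
builder.Services
    .AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme) // default scheme: "Cookies"
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddJwtBearer(JwtBearerDefaults.AuthenticationScheme, o =>            // "Bearer"
    {
        // Issuer, audience and the "Jwt:Key" config entry are assumed values for this example.
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = "https://issuer.example",
            ValidAudience = "example-api",
            IssuerSigningKey = new SymmetricSecurityKey(
                Convert.FromBase64String(builder.Configuration["Jwt:Key"]!)),
        };
    });
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Sign-in: the identity's authenticationType is the name of the scheme that issued it, and
// SignInAsync names that scheme explicitly so the cookie handler (not Bearer) persists it.
app.MapPost("/login", async (HttpContext ctx, LoginRequest req) =>
{
    if (!validatePassword(req.User, req.Password)) return Results.Unauthorized();
    var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, req.User) }, CookieAuthenticationDefaults.AuthenticationScheme);
    await ctx.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme, new ClaimsPrincipal(identity));
    return Results.Ok();
});

// Browser page: authenticated by the default (cookie) scheme; AuthenticationType reports which one.
app.MapGet("/profile", (ClaimsPrincipal u) => $"{u.Identity?.Name} via {u.Identity?.AuthenticationType}").RequireAuthorization();
// API endpoint: pin the Bearer scheme so a session cookie alone is never accepted here.
app.MapGet("/api/data", () => "api data")
   .RequireAuthorization(new AuthorizeAttribute { AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme });
app.Run();

record LoginRequest(string User, string Password); // placeholder JSON body for /login
```

Pinning the scheme on the API route is the check that matters for a mixed cookie-plus-bearer app: without it, the default "Cookies" scheme would also satisfy [Authorize] on API endpoints, which is what makes them reachable through a browser session.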