👤 User Management & Identity in ASP.NET Core (ASP.NET Core Identity)

Samim Hossain
Published on Mar 08, 2026 · 3 min read

Introduction

Almost every serious application needs user management:

  • User registration & login
  • Password hashing
  • Role management
  • Secure authentication

ASP.NET Core ships a built-in membership system, ASP.NET Core Identity, that covers all of these with secure defaults, so you do not hand-roll password hashing, lockout or token handling yourself.

In this article, you’ll learn:

  • What ASP.NET Core Identity is
  • How it works internally
  • How to implement user registration & login
  • How Identity works with JWT
  • Best practices for real projects

This is Week 8 of our ASP.NET Core weekly series.

What Is ASP.NET Core Identity?

ASP.NET Core Identity is a membership system that handles:

  • Users
  • Passwords
  • Roles
  • Claims
  • Security tokens (email confirmation, password reset, two-factor codes)

It is:

  • Secure by default
  • Database-backed
  • Highly customizable
  • Production-ready

📌 Identity is not just login — it’s a full user management framework.

Identity vs Custom Auth (Important)

| Feature          | ASP.NET Core Identity                          | Custom Auth           |
| ---------------- | ---------------------------------------------- | --------------------- |
| Password hashing | ✅ Built-in (salted PBKDF2)                     | ❌ Manual              |
| User lockout     | ✅ Yes (counted when you log in via SignInManager) | ❌ Usually missing     |
| Role management  | ✅ Yes                                          | ❌ Manual              |
| Token support    | ✅ Confirmation, reset and 2FA tokens built in  | ❌ Complex             |
| Security updates | ✅ Microsoft                                    | ❌ Your responsibility |

👉 Use Identity unless you have a very strong reason not to.

How ASP.NET Core Identity Works

High-level flow:

Controller → UserManager<TUser> → IUserStore<TUser> (EF Core) → Database
                    ↓
           IPasswordHasher<TUser>

Key components:

  • UserManager<TUser> → create/find users, check passwords, manage roles and claims
  • SignInManager<TUser> → login/logout, failed-attempt counting and lockout, two-factor flow
  • RoleManager<TRole> → create and query roles
  • IPasswordHasher<TUser> → salted PBKDF2 hashing with the iteration count stored inside each hash; called by UserManager, not by your controllers
  • Identity tables → database storage behind the EF Core user and role stores

Step 1: Install Required Packages

dotnet add package Microsoft.AspNetCore.Identity.EntityFrameworkCore

(Usually added automatically in templates)

Step 2: Create Identity User

You can extend the default Identity user.

using Microsoft.AspNetCore.Identity;

// Extend IdentityUser with your own columns; Identity's own fields
// (PasswordHash, SecurityStamp, LockoutEnd, ...) stay untouched.
public class ApplicationUser : IdentityUser
{
    public string FullName { get; set; } = string.Empty;
}

✔ Adds custom fields
✔ Keeps Identity security intact

Step 3: Configure Identity with EF Core

DbContext

using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

// IdentityDbContext<TUser> brings in the AspNet* tables for your user type.
public class AppDbContext : IdentityDbContext<ApplicationUser>
{
    public AppDbContext(DbContextOptions<AppDbContext> options)
        : base(options) { }
}

Program.cs Configuration

The DbContext has to be registered before Identity can use it. The provider (UseSqlServer here) and the connection-string name are placeholders; use whatever your project already registers.

builder.Services.AddDbContext<AppDbContext>(options =>
    options.UseSqlServer(builder.Configuration.GetConnectionString("Default")));

// Also registers the cookie scheme and the default token providers.
builder.Services.AddIdentity<ApplicationUser, IdentityRole>()
    .AddEntityFrameworkStores<AppDbContext>()
    .AddDefaultTokenProviders();

Step 4: Identity Database Tables

When you run migrations, Identity creates these tables:

| Table            | Purpose                                                  |
| ---------------- | -------------------------------------------------------- |
| AspNetUsers      | Users (includes PasswordHash, SecurityStamp, LockoutEnd) |
| AspNetRoles      | Roles                                                    |
| AspNetUserRoles  | User ↔ Role                                              |
| AspNetUserClaims | Per-user claims                                          |
| AspNetRoleClaims | Per-role claims                                          |
| AspNetUserLogins | External logins (Google, Microsoft, ...)                 |
| AspNetUserTokens | Provider tokens and authenticator keys                   |

📌 Never edit these tables manually. Go through UserManager/RoleManager: a direct UPDATE skips password hashing, the normalized lookup columns (NormalizedUserName, NormalizedEmail) and the SecurityStamp/ConcurrencyStamp that Identity uses to invalidate sessions and detect concurrent edits.

Step 5: User Registration

Register DTO

using System.ComponentModel.DataAnnotations;

// Validation attributes reject malformed input before Identity is even called.
public class RegisterDto
{
    [Required, EmailAddress]
    public string Email { get; set; } = string.Empty;

    [Required]
    public string Password { get; set; } = string.Empty;
}

Registration Controller

Both actions below live in one AuthController (an [ApiController] deriving from ControllerBase) that receives UserManager<ApplicationUser> and SignInManager<ApplicationUser> through its constructor as _userManager and _signInManager.

[HttpPost("register")]
public async Task<IActionResult> Register(RegisterDto model)
{
    // UserName is the unique key; using the e-mail keeps one account per address.
    var user = new ApplicationUser
    {
        UserName = model.Email,
        Email = model.Email
    };

    // CreateAsync runs every registered password validator, hashes the password
    // and saves the user in one step. The plaintext never reaches the database.
    var result = await _userManager.CreateAsync(user, model.Password);

    if (!result.Succeeded)
        return BadRequest(result.Errors);   // e.g. PasswordTooShort, DuplicateUserName

    return Ok("User registered successfully");
}

✔ Password is automatically hashed
✔ Security rules are enforced (password validators, unique user name) before anything is stored

📌 A DuplicateUserName error tells the caller that the address is already registered. On a public sign-up form you may prefer a generic response plus a confirmation e-mail to avoid account enumeration.
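To make "automatically hashed" concrete, here is an added example (not code from the article) that calls Identity's default password hasher directly, the same component UserManager uses behind CreateAsync and CheckPasswordAsync. The user and password are constructed sample values; in real code you never call the hasher yourself.

```csharp
// Added example, not from the original article: exercising Identity's default
// password hasher to see what UserManager does for you.
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Options;

public record HasherObservations(
    bool HashesDiffer,                              // same password, different salts
    PasswordVerificationResult CorrectPassword,
    PasswordVerificationResult WrongPassword,
    PasswordVerificationResult AfterWorkFactorIncrease);

public static class HasherDemo
{
    public static HasherObservations Observe()
    {
        // Constructed sample user and password; nothing here touches a database.
        var user = new ApplicationUser { UserName = "alice@example.com", Email = "alice@example.com" };
        const string password = "Correct-Horse-Battery-Staple-9";

        var hasher = new PasswordHasher<ApplicationUser>();

        // Each call draws a fresh random salt, so the same password never yields
        // the same stored string. The base64 output encodes a version marker,
        // the PRF, the iteration count, the salt and the derived subkey, which is
        // why AspNetUsers has no separate salt column.
        string hash1 = hasher.HashPassword(user, password);
        string hash2 = hasher.HashPassword(user, password);

        // A hasher configured with a higher work factor still verifies the old
        // hash (the iteration count is read from the hash itself) but reports
        // SuccessRehashNeeded; UserManager then rewrites the hash on the next
        // successful password check, so raising the cost needs no password reset.
        var stronger = new PasswordHasher<ApplicationUser>(
            Options.Create(new PasswordHasherOptions { IterationCount = 600_000 }));

        return new HasherObservations(
            HashesDiffer: hash1 != hash2,
            CorrectPassword: hasher.VerifyHashedPassword(user, hash1, password),
            WrongPassword: hasher.VerifyHashedPassword(user, hash2, "not-the-password"),
            AfterWorkFactorIncrease: stronger.VerifyHashedPassword(user, hash1, password));
    }
}
```

Observe() reports HashesDiffer as true, CorrectPassword as Success, WrongPassword as Failed and AfterWorkFactorIncrease as SuccessRehashNeeded. That last value is the mechanism behind transparent work-factor upgrades: bump PasswordHasherOptions.IterationCount in production and every account is rehashed on its next successful login.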

Step 6: User Login

// LoginDto has the same shape as RegisterDto (Email + Password); declare it next
// to RegisterDto with the same validation attributes.
[HttpPost("login")]
public async Task<IActionResult> Login(LoginDto model)
{
    var user = await _userManager.FindByEmailAsync(model.Email);

    if (user == null)
        return Unauthorized();

    // UserManager.CheckPasswordAsync only compares hashes: it neither counts
    // failed attempts nor honours an existing lockout. SignInManager does both,
    // and also enforces SignIn.RequireConfirmedEmail if you enable it.
    // (_signInManager is the injected SignInManager<ApplicationUser>.)
    var result = await _signInManager.CheckPasswordSignInAsync(
        user, model.Password, lockoutOnFailure: true);

    // result.IsLockedOut / result.IsNotAllowed are available if you want to tell
    // the user why; a single 401 for every failure reveals the least.
    if (!result.Succeeded)
        return Unauthorized();

    // Generate JWT here
    return Ok("Login successful");
}

📌 Identity verifies the password against the stored salted hash; your code never sees the hash. The lockout counter only moves when the login goes through SignInManager (or you call AccessFailedAsync yourself), which is why CheckPasswordAsync alone is not enough.

Step 7: Identity + JWT (Best Practice)

Real-world APIs use:

  • ASP.NET Core Identity → user management
  • JWT → stateless authentication

Flow:

  1. Identity validates the credentials (password check, lockout, confirmed email)
  2. The API issues a short-lived, signed JWT carrying the user ID and roles
  3. The client sends it as Authorization: Bearer <token> on every request
  4. The JWT bearer middleware validates signature, issuer, audience and expiry; no database lookup is needed for that

✔ Scalable
✔ Secure, as long as the signing key stays secret and tokens expire quickly
✔ Cloud-ready
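As an added example that is not part of the original article, here is one way to fill in the "Generate JWT here" gap from the login action and to make the API validate those tokens. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer and System.IdentityModel.Tokens.Jwt packages and three configuration values of my own naming (Jwt:Key, Jwt:Issuer, Jwt:Audience); the key must be at least 32 random bytes and should come from user-secrets or the environment, never from appsettings.json in source control.

```csharp
// Added example, not from the original article: issuing a JWT for an Identity
// user and validating it on incoming requests.
// Assumed packages: Microsoft.AspNetCore.Authentication.JwtBearer,
//                   System.IdentityModel.Tokens.Jwt
// Assumed config keys: Jwt:Key (>= 32 random bytes), Jwt:Issuer, Jwt:Audience
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class JwtTokenService
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly IConfiguration _config;

    public JwtTokenService(UserManager<ApplicationUser> userManager, IConfiguration config)
    {
        _userManager = userManager;
        _config = config;
    }

    // Call this only after SignInManager has accepted the credentials.
    public async Task<string> CreateTokenAsync(ApplicationUser user)
    {
        var claims = new List<Claim>
        {
            new(JwtRegisteredClaimNames.Sub, user.Id),                    // stable id, not the e-mail
            new(JwtRegisteredClaimNames.Email, user.Email ?? string.Empty),
            new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),  // unique per token; useful for revocation lists
        };

        // Roles are snapshotted at issue time: a role removed in the database
        // survives in already-issued tokens until they expire, so keep lifetimes short.
        foreach (var role in await _userManager.GetRolesAsync(user))
            claims.Add(new Claim(ClaimTypes.Role, role));   // what [Authorize(Roles = ...)] reads

        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"]!));
        var creds = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);

        var token = new JwtSecurityToken(
            issuer: _config["Jwt:Issuer"],
            audience: _config["Jwt:Audience"],
            claims: claims,
            notBefore: DateTime.UtcNow,
            expires: DateTime.UtcNow.AddMinutes(15),   // short-lived; pair with refresh tokens
            signingCredentials: creds);

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

public static class JwtSetup
{
    // Program.cs: builder.Services.AddJwtAuthentication(builder.Configuration);
    public static IServiceCollection AddJwtAuthentication(this IServiceCollection services, IConfiguration config)
    {
        services.AddScoped<JwtTokenService>();

        // AddIdentity made the application cookie the default scheme. For an API,
        // bearer tokens must be what [Authorize] checks and what a 401 challenges with.
        services.AddAuthentication(options =>
        {
            options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
            options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme;
        })
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidIssuer = config["Jwt:Issuer"],
                ValidateAudience = true,
                ValidAudience = config["Jwt:Audience"],
                ValidateLifetime = true,
                ClockSkew = TimeSpan.Zero,   // the default allows 5 minutes of slack on expiry
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(config["Jwt:Key"]!)),
                ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },   // pin the algorithm
            };
        });

        return services;
    }
}
```

In the login action, replace the "Generate JWT here" comment with `return Ok(new { token = await _tokenService.CreateTokenAsync(user) });` after injecting JwtTokenService, and make sure `app.UseAuthentication();` precedes `app.UseAuthorization();` in Program.cs. Pinning ValidAlgorithms and setting ClockSkew to zero are the two settings most often left at their permissive defaults.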

Step 8: Role Management

Create Role

await _roleManager.CreateAsync(new IdentityRole("Admin"));

Assign Role

await _userManager.AddToRoleAsync(user, "Admin");

Secure Endpoint

[Authorize(Roles = "Admin")]
public IActionResult AdminOnly()
{
    return Ok("Admin access");
}
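The three snippets above are the building blocks; what a real project needs is a seeder that creates the roles on every start without failing on the second run, and a way to require more than a role name. The following is an added example (not the article's code). The "Admin" role comes from the article; the "Manager" and "User" roles, the Seed:AdminEmail configuration key and the "permission" claim are my own illustrative names.

```csharp
// Added example, not from the original article: idempotent role seeding at
// startup, bootstrap-admin assignment, and a policy combining role and claim.
// Assumed names: Seed:AdminEmail config key, "permission" claim type.
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public static class IdentitySeeder
{
    private static readonly string[] Roles = { "Admin", "Manager", "User" };

    // Program.cs, after `var app = builder.Build();`:
    //   await IdentitySeeder.SeedAsync(app.Services, app.Configuration);
    public static async Task SeedAsync(IServiceProvider services, IConfiguration config)
    {
        // RoleManager and UserManager are scoped services; resolve them inside a scope.
        using var scope = services.CreateScope();
        var roleManager = scope.ServiceProvider.GetRequiredService<RoleManager<IdentityRole>>();
        var userManager = scope.ServiceProvider.GetRequiredService<UserManager<ApplicationUser>>();

        foreach (var roleName in Roles)
        {
            // CreateAsync on an existing role fails with DuplicateRoleName,
            // so check first to keep the seeder safe to run on every start.
            if (await roleManager.RoleExistsAsync(roleName))
                continue;

            var created = await roleManager.CreateAsync(new IdentityRole(roleName));
            if (!created.Succeeded)
                throw new InvalidOperationException(
                    $"Role '{roleName}': {string.Join("; ", created.Errors.Select(e => e.Description))}");
        }

        // Promote a configured bootstrap admin if that account exists. Do not
        // hard-code an admin password here; create the account through normal
        // registration (with a confirmed e-mail) and only assign the role.
        var adminEmail = config["Seed:AdminEmail"];
        if (string.IsNullOrEmpty(adminEmail))
            return;

        var admin = await userManager.FindByEmailAsync(adminEmail);
        if (admin is not null && !await userManager.IsInRoleAsync(admin, "Admin"))
        {
            var added = await userManager.AddToRoleAsync(admin, "Admin");
            if (!added.Succeeded)
                throw new InvalidOperationException("Could not assign the Admin role.");
        }
    }
}

public static class Policies
{
    public const string CanDeleteUsers = "CanDeleteUsers";

    // Program.cs: builder.Services.AddAuthorization(Policies.Register);
    // Controller:  [Authorize(Policy = Policies.CanDeleteUsers)]
    public static void Register(AuthorizationOptions options)
    {
        // Admin role AND an explicit per-user claim (stored in AspNetUserClaims),
        // so a destructive action is not granted to every admin automatically.
        options.AddPolicy(CanDeleteUsers, policy =>
            policy.RequireRole("Admin")
                  .RequireClaim("permission", "users:delete"));
    }
}
```

Keep in mind that role and claim changes made through UserManager take effect on cookie sessions at the next SecurityStamp validation, but not on JWTs that were already issued: those keep their embedded roles until they expire.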

Password Rules & Security

Identity enforces these defaults out of the box:

  • Minimum length 6
  • At least one uppercase and one lowercase letter
  • At least one digit
  • At least one non-alphanumeric character
  • Lockout for 5 minutes after 5 failed attempts (counted only when the login goes through SignInManager)

Customize rules:

builder.Services.Configure<IdentityOptions>(options =>
{
    options.Password.RequiredLength = 8;          // default is 6
    options.Lockout.MaxFailedAccessAttempts = 5;  // default is 5; the lockout lasts Lockout.DefaultLockoutTimeSpan (5 min)
});
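Length and character-class rules are the minimum; the defaults worth changing most often are the ones the snippet above does not touch (unique e-mail, confirmed e-mail, lockout duration, hasher work factor), and the built-in validator knows nothing about the user it is validating. The following added example (not the article's code) lists the defaults beside stricter values and adds a custom IPasswordValidator that rejects passwords containing the user's e-mail local part. The class names, the 12-character length and the 600,000 iteration count are my choices, not Identity's.

```csharp
// Added example, not from the original article: hardened IdentityOptions next
// to the defaults, a higher hasher work factor, and a user-aware password validator.
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;

public static class IdentityHardening
{
    // Program.cs:
    //   builder.Services.AddIdentity<ApplicationUser, IdentityRole>(IdentityHardening.Configure)
    //       .AddEntityFrameworkStores<AppDbContext>()
    //       .AddDefaultTokenProviders()
    //       .AddPasswordValidator<NoEmailInPasswordValidator>();
    //   builder.Services.Configure<PasswordHasherOptions>(IdentityHardening.ConfigureHasher);
    public static void Configure(IdentityOptions options)
    {
        options.Password.RequiredLength = 12;            // default 6
        options.Password.RequiredUniqueChars = 4;        // default 1
        options.Password.RequireNonAlphanumeric = true;  // default true
        options.Password.RequireDigit = true;            // default true
        options.Password.RequireUppercase = true;        // default true
        options.Password.RequireLowercase = true;        // default true

        options.Lockout.AllowedForNewUsers = true;                          // default true
        options.Lockout.MaxFailedAccessAttempts = 5;                        // default 5
        options.Lockout.DefaultLockoutTimeSpan = TimeSpan.FromMinutes(15);  // default 5 minutes

        // default false; FindByEmailAsync assumes at most one match per address
        options.User.RequireUniqueEmail = true;
        // default false; CheckPasswordSignInAsync returns NotAllowed until the
        // address is confirmed, which also blocks sign-ups with someone else's e-mail
        options.SignIn.RequireConfirmedEmail = true;
    }

    public static void ConfigureHasher(PasswordHasherOptions options)
    {
        // Existing hashes keep working and are upgraded on the next successful
        // login (SuccessRehashNeeded), so this is safe to raise in place.
        options.IterationCount = 600_000;
    }
}

// Runs alongside the built-in PasswordValidator during CreateAsync,
// ChangePasswordAsync and ResetPasswordAsync; all errors are aggregated.
public class NoEmailInPasswordValidator : IPasswordValidator<ApplicationUser>
{
    public Task<IdentityResult> ValidateAsync(UserManager<ApplicationUser> manager,
                                              ApplicationUser user, string? password)
    {
        if (password is null || string.IsNullOrEmpty(user.Email))
            return Task.FromResult(IdentityResult.Success);

        // "alice" from "alice@example.com"; very short local parts are skipped
        // because they would reject too many legitimate passwords.
        var localPart = user.Email.Split('@')[0];
        if (localPart.Length >= 3 &&
            password.Contains(localPart, StringComparison.OrdinalIgnoreCase))
        {
            return Task.FromResult(IdentityResult.Failed(new IdentityError
            {
                Code = "PasswordContainsEmail",
                Description = "The password must not contain your e-mail address."
            }));
        }

        return Task.FromResult(IdentityResult.Success);
    }
}
```

The validator's error surfaces through result.Errors in the Register action exactly like the built-in ones, so clients need no special handling. If you enable RequireConfirmedEmail, the Login action must expect SignInResult.NotAllowed for unconfirmed accounts and your registration flow has to send the confirmation link (GenerateEmailConfirmationTokenAsync) or nobody can log in.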

Common Mistakes 🚫

  • Storing plain passwords (or logging the password from the DTO)
  • Bypassing Identity for login, or checking the password with CheckPasswordAsync alone so lockout never counts
  • Returning Identity entities directly (they carry PasswordHash, SecurityStamp and ConcurrencyStamp)
  • Disabling password policies
  • Not using email confirmation

Best Practices ✅

  • Always use Identity for user management
  • Log in through SignInManager with lockoutOnFailure: true
  • Combine Identity with short-lived JWTs for APIs
  • Use DTOs for input and output
  • Enable account lockout
  • Add email confirmation in production (SignIn.RequireConfirmedEmail = true)
  • Never expose sensitive fields

What You’ve Learned

✔ What ASP.NET Core Identity is
✔ Identity architecture
✔ User registration & login
✔ Password hashing
✔ Roles & authorization
✔ Identity + JWT integration

You now have enterprise-grade user management in your ASP.NET Core apps 👤🔐

🔜 Coming Next Article

Refresh Tokens & Secure Session Management

You’ll learn:

  • Access vs Refresh tokens
  • Token rotation
  • Logout security
  • Preventing token theft