Incorporating additional logic/checks into the authentication scheme

Sep 12, 2014 at 1:29 PM
I have a scenario where I need to add an additional check to the authentication process: Whenever the user is authenticated, I need to check that their email address is in some external db/table. It seems that there are various points in the API where I might try to inject this logic, but I am not at all sure which is the best one.

Would wrapping the OnValidateIdentity delegate of the CookieAuthenticationProvider be a good way to inject this logic? I also considered whether it might make more sense to create a custom bit of middleware hooked into the authentication stage.

Thanks for any advice.

Sep 12, 2014 at 2:38 PM
It depends on which components you're using.

CookieAuthProvider.OnValidateIdentity is more of a re-validation point that can be used to reject the user if they've had their permissions revoked, password changed, etc.

If you're using one of the 3rd party auth providers (e.g. Twitter, Microsoft, etc.) they all have an *Provider.OnAuthenticated event that can be used for additional validation.

If you're using the Asp.Net Identity framework, I'm sure they have their own hooks for user-login and new-user validation.

Sep 12, 2014 at 3:27 PM
Thanks for the quick response. It sounds like my particular scenario is within the scope of what CookieAuthProvider.OnValidateIdentity is intended to support. And I don't use any of the third-party authentication providers, nor do I anticipate doing so.

Now I just need to figure out how to chain my logic together with SecurityStampValidator.OnValidateIdentity. That is a very interesting API: A function that returns a function that returns a task. I wonder why it is set up that way, but I guess that's a question for the ASP.NET Identity folks.
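
One way to chain an extra check onto the delegate returned by SecurityStampValidator.OnValidateIdentity, as discussed in the thread above (an added example, not code from any of the posters or from the ASP.NET Identity project). `AllowListValidator`, `Chain` and the `isEmailAllowedAsync` lookup are hypothetical names, and the code assumes the cookie identity carries a `ClaimTypes.Email` claim.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security.Cookies;

public static class AllowListValidator   // hypothetical helper, not part of Katana or ASP.NET Identity
{
    // Returns a delegate that runs `inner` first (e.g. the delegate produced by
    // SecurityStampValidator.OnValidateIdentity) and then the allow-list check.
    public static Func<CookieValidateIdentityContext, Task> Chain(
        Func<CookieValidateIdentityContext, Task> inner,
        Func<string, Task<bool>> isEmailAllowedAsync)   // hypothetical lookup against the external table
    {
        if (inner == null) throw new ArgumentNullException("inner");
        if (isEmailAllowedAsync == null) throw new ArgumentNullException("isEmailAllowedAsync");

        return async context =>
        {
            await inner(context);

            // RejectIdentity() sets context.Identity to null, so a null identity
            // means the inner validator already refused this cookie.
            if (context.Identity == null) return;

            // Assumption: the cookie identity carries an email claim.
            Claim emailClaim = context.Identity.FindFirst(ClaimTypes.Email);
            bool allowed = emailClaim != null
                && !string.IsNullOrWhiteSpace(emailClaim.Value)
                && await isEmailAllowedAsync(emailClaim.Value);

            if (!allowed)
            {
                // Fail closed: drop the identity for this request and clear the cookie.
                context.RejectIdentity();
                context.OwinContext.Authentication.SignOut(context.Options.AuthenticationType);
            }
        };
    }
}

// Wiring in Startup (stampValidator is the delegate returned by
// SecurityStampValidator.OnValidateIdentity; allowList.ContainsAsync is hypothetical):
//
//   Provider = new CookieAuthenticationProvider
//   {
//       OnValidateIdentity = AllowListValidator.Chain(stampValidator, allowList.ContainsAsync)
//   }
```

OnValidateIdentity runs on every request that presents the cookie, so the lookup behind `isEmailAllowedAsync` should be cached or throttled rather than hitting the external table each time.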