Cookie-based Authentication in stateless ASP.NET MVC 6 application

Question

I'm developing a stateless (no database) ASP.NET 5/MVC 6 application that authenticates users against 2 webservices using the same username/password combination. Users are authenticated against a OAuth2-based REST API for which the accessToken needs to be stored somehow, and at the same time users are authenticated against a soap service for which the sessionId needs to be stored somehow.

What I want to do:

• Have login form asking for username/password
• Authenticate against the aforementioned REST API and Soap service
• Store both accessToken and soapSessionId in a cookie for later reuse.
• Redirect to returnUrl
• Be able to easily retrieve the accessToken and soapSessionId again in requests

I've read a lot of different things about how most of the above can be mostly done for you in ASP.NET 5/MVC 6, but I'm not sure which route to pick. I've seen stuff like this:

app.UseCookieAuthentication(options => {
    options.AutomaticAuthentication = true;
    options.LoginPath = "/Home/Login";
});

But I've also seen this:

app.UseIdentity();

Are they related? Which one should I use? To be clear: I don't want to store any information in a database. I just want to persist the tokens in a cookie and handle login in a way that conforms to best practices in ASP.NET 5/MVC 6 (ie. don't do any stuff manually that the framework can take care off)

Answer 1

Are they related?

Yes, in a certain sense, they are related. Because app.UseIdentity(); internally calls app.UseCookieAuthentication() . You can see that in source code on GitHub .

I don't want to store any information in a database.

Using Identity doesn't force you to use Database for storage data, but you have to do certain steps for setting it up in ConfigureServices method.

Generally, for your purposes, you don't need to use app.UseIdentity() .