Antonio
Created by Antonio on 6/20/2024 in #help
Authentication without a dedicated separate database in .NET 8.0?
Hello! So, I am working on a future application for a small company as a freelance back-end web developer, and I am using .NET for it, and loving it so far! So, what I want to ask is the following, and I am sorry if it sounds a little dumb or something: is it possible to use ASP.NET Core's tools for authentication (registering and login of users of the application) without a dedicated database specifically for it?

Basically, this is what I want my application's database to look like, even though I know that the recommended path is for all the tables that are prefixed with AspNet to be in a separate database (see image below, where I crossed out in red the stuff that I created for the application for security reasons, and only left the tables that ASP.NET Core creates by default for authentication):

[Image: MyDatabase on Microsoft SQL Server]

Now, the reason why I was recommended by the senior dev of the project (there are only two devs in the project: him and me, and I'm a junior), who is on the front-end, to follow this path of just one database is for economic reasons, as the project is really small, and he told me that more than one database means spending more money, and there are budget constraints.

The Problem

So, on to the technical issues I've been having. When I have a dedicated database specifically for authentication (which means I will have two DbContexts in my app - something like "MyApplicationDbContext" and "MyApplicationAuthorizationDbContext"), registering and login cause no problem at all: new users are saved on the database, and if you don't log in and try to access certain routes without authorization, you won't be able to do so; but if you do log in, you can access those routes with no problem at all.

However, if I try to put everything in a single database (and therefore, use just one DbContext - which is what I want to do, due to financial reasons, as I said), registering is not a problem, but logging in is. Basically, I can log in, but the routes that require authorization can't "recognize" that I am now an authorized user, and therefore I can't access them (whereas I can if I have two databases). That is the problem I've been having, in a nutshell. And what puzzles me is that in both situations (both when I am working with two databases and when I am working with just one database) the users are saved on the database, logging in seems to be successful, and valid JwtTokens are returned by Swagger as a response.

Example

For example, let's say that I have this user here (and I will attach some screenshots from Swagger and Microsoft SQL Server to walk you all through it):

[Image: Example user]

When I register this user, everything goes well. Here is Swagger's message after registering this user:

[Image: Screenshot from Swagger right after registering]

And to prove that this user was indeed saved into the database, here is a screenshot of Microsoft SQL Server:

[Image: User saved in the database]

Now, I haven't logged in via Swagger yet, so let's try to access a route that can only be accessed if you are authorized:

[Image: Access denial before login]

Ok, now let's log in. Having clicked the "Authorize" button on Swagger on the top right, and having inserted the JwtToken following the format "Bearer myJwtTokenIsInsertedHereAndItIsALongString", this is what I get:

[Image: After authorization]

Right, so on to trying to access the route that can only be accessed by authorized users. As you can see, it's like I hadn't even logged in at all (or maybe the application doesn't recognize the JwtToken? I don't know):

[Image: Access denial even after login]

(Discord apparently created a separate file with the rest of my post. Check it out! And I thank you for any help 🙏 )
10 replies