Is ASP.NET Identity 2.0 broken? Yes
While the authors at Microsoft who build the ASP.NET Identity 2.0 system say that all the changes from the older Simple membership system are a result of customer feedback, I wonder who those customers were and if they were just internal Microsoft clients. It’s certainly not clear what the goals of the system is, or who they are intended to be used by. It really does feel Microsoft has just made a clone of their Windows Live ID system in order to promote their proprietary Active Directory login system featured in Azure.
Because as a external user of the system, trying to get it to do anything, or access even a little bit of customisation, seems impossible. It’s a frustrating mess, I’ve spent upwards of 12 hours just to get Facebook to try and login, and I still have a bunch of cookies and state information that I have no idea where it comes from. So many authentication modules silently plug themselves in it’s impossible to debug. Trying to follow the execution chain is impossible since it’s all a mesh of interfaces and abstractions.
While they’ve been good to follow the principles of separation of concerns, the end result has been a system that has numerous distinct parts that all seem to hate each other. It’s a battle to get them all tied together. All the abstractions are so loose and separate from each other that they are tied together by only a weak tenuous thread. It’s like a jigsaw puzzle, only you don’t know that the picture is
Identity and membership systems are difficult to implement because there is such a wide variety of business needs and technology requirements for these systems. Out of the box solutions for identity management will never make everyone happy and are guaranteed to make somebody angry.
If you want to do something normal and common such as having users with an ID that is an integer (rather than the string (?) it comes with as default), then you basically have to rewrite the top layer yourself anyway, so there isn’t any time saved in using a system like this.
The way the Identity API is designed is to abstract everything away to a dozen different places.
- Want to set a dynamic settings such as a different Facebook oAuth client? No.
- Want to request different scope/permissions when prompting an oAuth provider? No.
- Want to get the redirect URL to issue to users to send them to the oAuth confirmation page? No.
- Want to control the cookies and state information when using oAuth login providers? No.
Perhaps these things are possible, but there is no documentation of what all the parts of the system do and where they are. All I did was install the system via nuget and watched it download a few dozen dependency packages.
All in all, don’t use the new Identity system for your net project. Wait until at least version six comes about and they might have made it right by then. I mean, it took Microsoft until version five of MVC before you could use a HTML drop down box without having to sacrifice a goat first.
Like so many demos coming out of Microsoft these days, one of design priorities seems to be creating a one line demo. Whilst the sample project has a ‘wow’ effect because you can add Facebook login support with one line – what the don’t show you in the demo is the massive complexity in actually doing anything with it. In an effort to make a one-size-fits-all library, they’ve made something that doesn’t seem to fit anyone unless you have ten arms and four legs…
I hope this post serves as a warning to anyone thinking of using this system. If you’ve got the knowledge on how to do things properly, role your own identity system – it’ll be a log quicker and easier.