ASP.NET Core Authentication Schemas (.NET 7 Minimal Apis C#)

Captions
Welcome everybody. In this video we're going to be talking about authentication schemas. A lot of beginners are confused about this topic; I certainly was when I was starting. I didn't quite understand: we have the cookie schema, and we may potentially have a couple of schemas somewhere else. What does it actually mean, what are we trying to represent, what idea is the authentication schema pointing at?

When we were taking a look at authentication in the very first video, we understood that with authentication there is a way that you can log in, and that is basically dealing out a cookie, and then you are able to get that cookie and open it up and get all the values, therefore achieving your authentication session. Those two points live on the authentication handler that you register here, and we will take a look at it in a second, but understand that the process of dealing out the cookie and then being able to recognise the cookie is a single authentication type. This is the same as going to the government, getting a passport, and then being able to use the passport to go into places and people being able to recognise it: this is the passport authentication schema. Hopefully then the analogy goes as follows: you have the driving licence, you may have some kind of legal document, etc.

You may understand at this point: okay, I get the analogy, but how does it map to the programming world, when am I ever going to need multiple schemas? So here is an example. You are building a shop, okay, and you have customers, and you have various types of customers. You have a visitor, a person that's just visiting, and you want to be able to map a cart to him. You may have a user that is then logged into your shop; he can track his orders or get special discounts. And then perhaps you're a YouTube creator where you have a Patreon page and there are people who have been supporting you for years; you've released a shop and you want to give them a bigger discount, but for this you need to verify that that user has actually been supporting you on Patreon. So before they can get any discount they actually have to log in, and then they have to connect their Patreon account. What I've described here is three authentication schemas, and this is what we're going to take a look at here. This is primarily going to be cookie authentication and OAuth. If you are just starting out the playlist, please hold on tight; if you don't understand OAuth, we will cover it later a little bit more in depth.

Well, let's go to the example. Here we have an endpoint; again, this can be fetch product, fetch discount, any kind of logic can sit here. You then have the login-local endpoint, and this is where you actually input your credentials and you get back a cookie. This is the middle scenario; this is where I'm just a user, I'm logged in. Well, what if before you're logged in you were going to be a visitor? This is going to be a different authentication schema. Let's add another quick authentication schema and we're going to call it visitor, and before we move on to the OAuth schema we're gonna see how these two compete with each other.

Now, adding it quickly this way will require me to implement something in the middle that basically says: look, as soon as you visit my website I just give you back a cookie. So you may do some kind of redirect stuff and all of that. What I'm gonna opt in for is: I'm gonna go to AddCookie, I'm gonna scroll all the way down to the default authentication handler that registers here, the CookieAuthenticationHandler. I'm gonna take it, I'm gonna come back to Program.cs, jump to the bottom, and I'll create a public class (and let me put a bunch of spaces here so we can look at it), VisitorAuthHandler, if I can spell today, and I'll just extend the current CookieAuthenticationHandler. I then know that I will need a constructor because my IDE tells me, but I can override some members, and specifically what I'm looking for is HandleAuthenticateAsync. As we've seen in the previous episode, this is the handler that gets called when we're going through the authentication pipeline.

So I will select this and I will say: okay, I'll try to do the default cookie authentication, so I'm trying to read a cookie, and this is going to give me some kind of result. All right, if the result is successful... let's see if there is some kind of Succeeded. This is asynchronous, so we will need to await on this; make this asynchronous. If the result succeeded, cool, let's just go ahead and pass on the result (and I can't spell today). Now, if we haven't succeeded, how about we force a sign-in, right? So just sign you in, and that's it.

Among the many parameters that get passed in the constructor, what you don't actually see is one of the services, or rather important services, that gets attached to the CookieAuthenticationHandler. If we open it up, we go a little bit down the tree, but down here you will find the HttpContext, so we can actually use this to call SignInAsync. All right, so I will close all of this. If I'm successful, just carry on; if it's not successful, let's SignInAsync and we'll sign in as visitor. All I'm going to do is grab this authentication that I'm doing here; the identity that I'm creating over here is going to be a visitor identity. And let me just make sure... I've messed up my setup example, but never mind: this is going to be local, this is going to be visitor, and this is the user that's going to be signed in. Semicolon and await. And finally I'm gonna force an authentication result to be successful with a new AuthenticationTicket, where I will need to pass a ClaimsPrincipal, so I'll just pass this user. So not only am I dealing out a Set-Cookie for the user that I just created, I'm also saying: for this current request that is happening, use this user. In addition to the user, again, we just have to re-specify the authentication schema that we have actually signed in with.

If you're wondering why you have to specify the authentication schema so many times (we've set it here; why do we say it here and here?), there are going to be situations, like in the case of OAuth, where again we're saying that an authentication schema is responsible for grouping together the creation and the recognition of the thing that you've authenticated with. So the situation is that you are going to use a single authentication schema for creation, and then you're gonna do some magic to put it back into another authentication schema so that you can just recognise it. And that's what happens in the case of OAuth, where we're saying: do this whole redirect malarkey for the creation, and then deal out the cookie. So we take one creation process, chain it into the next one, so then we can just recognise it. But anyway, we will get to that step in a couple of minutes.

Here's our visitor authentication cookie; let's see it work. I will come back here, I will open up the developer tools. If I refresh this now... if we've noticed in the previous examples, we just get authenticated regardless; however, here right now I am not seeing a cookie, it's not being appended. The reason for that is that we're not specifying a default authentication schema, and we're not requiring anything on the endpoint, right? So there is no way for our application to determine: should you be signing in with this, do you even need it? There doesn't seem to be a default; I don't think I can even attempt to start guessing what I should try to recognise. Why should your application start looking at cookies if you don't specify a default authentication schema? And the thing that we have here: we have a visitor and a local authentication schema, so it can either be a visitor or a user; they should both be able to access products or discounts, etc. Okay, this is where your policy comes in, and this is a way that you can specify what authentication schemas you want. So again we'll bring in our, let's say, authorization builder; on the builder we're going to add a policy and we're going to say that it's a customer that is going to be looking at these. We're then going to have a policy builder: add authentication schemas, there we go, local, visitor, and then we're going to require authentication, so RequireAuthenticatedUser. And now that we have the customer policy, let's set it on this endpoint: RequireAuthorization, or policy of customer.

Let's wait for our application to refresh, come back around and refresh, and we're seeing a 404 because we're being redirected to login, so we haven't authenticated. Let's come back around and... okay, so I'm not actually using the visitor auth handler. Let's go ahead and grab it, rename the constructor, and I'll drop down the terminal. We want to do the same thing that AddCookie does down here: AddScheme, and then our custom schema. Let's come back around to here; we will add a new authentication schema, a new way to create something and a new way to actually read it. I'll just use the same CookieAuthenticationOptions but then supply my visitor cookie authentication handler. This will require me to put some default options here, so I'm just going to supply an empty lambda, and there we go. So this should now produce a cookie for me. I am loading two authentication schemas; however, this should only bring up the single one. I should be authenticated with one but not the other. Let's take a look at the result: we'll come back here and we're gonna navigate... if we come back around to the application and we go to login-local, so /login-local, we're now gonna have two cookies, and both of those should be loaded here. So now we can be recognised as a customer either if we have a visitor cookie or if we have local authentication, and we can check for this logic inside the controller or a handler.

Let's go ahead and attach a debugger so we see what it looks like. I'm gonna attach to... add authentication schemas, looks like that is going. I will refresh, and... so let's actually hit home, and this should give us the debugger. In the context, what I want to find is the User object. Okay, so if you are doing MVC the User object should be on the controller. Let's open up the user, and here we're gonna see that we have the two identities: the first identity is the visitor, and then (well, I'm not sure what that was) the second identity is local. So now I can, you know, look at the identity, who is it, factory pattern, get one handler for a visitor or get the other handler for a local user. Right, now let's kick it up a notch.

Let's go to the example where we may have some kind of user who's been a Patreon supporter for a long time and, you know, is giving a lot of money and didn't get anything back in return. Perhaps you want a third handler for users that are patrons to see some kind of products that are not there, you know, whatever; your creativity is the limit here. So in addition to our cookie, adding local, we are gonna AddOAuth. OAuth is gonna be external... or let's say external-patron, okay. This is gonna have some options, and what I'm using for this example (again, for people that know OAuth this is going to be okay-ish; for people that don't know OAuth this might be a little bit confusing, but here's some information we just need to put in) is a mock API. All this is going to do is just go through the flow and it's gonna help me authenticate. Now I'm going to input some of these options here. Usually you'd get things like some kind of client ID, you'd get a client secret, but because this is a mock API you don't get them. And if you're wondering about ID and secret, this is just like a username and password for your application, okay. So you have these things, and then you have to specify some configuration; this is where you go to obtain certain tokens and stuff like that. So we're gonna have the authorization endpoint, let's just whack this information in there, same for the token endpoint, let's put that there, user info URL, and the last one we can skip. One thing is that I'm also going to define my callback path; this is just going to be cb-patron, so callback patron. I have a video available on OAuth; I'm actually going to link it in the description if you want to understand a little bit more about OAuth and what I'm doing here. Finally, I am going to add some scopes, for example profile, not that it's gonna help me that much, and I'm also going to set save tokens to true.

And now for the final bit, the bit why you're still here. When we go and get the token, you usually don't put tokens in the browser because it's a little bit sensitive information and you gotta handle it manually, and there is room for user error there; if it's a cookie, browsers handle it securely automatically. So what we want to do is save the token into a cookie, and this specific service actually already implements this, and what you're saying here is: oh, sign-in schema. So when you're creating, right, when you want to create, you want to create as some kind of other schema. I can supply visitor here, I can supply local here; if I put in local it is just going to flat out override my local authentication session, right? So if I have some kind of additional parameters for my users it's just gonna erase those; you have to do a little bit more work to combine them. So all I'm going to do is say I'm gonna have another cookie: you can be authenticated locally, and if you have extended your current authentication session with actually being authenticated with Patreon you're going to have an additional cookie. Okay, so this is going to be a patron cookie, and in the sign-in schema here we specify patron cookie. So when we actually finish obtaining tokens we will deal out a patron cookie. And in order to reach a login for patron you will actually have to be a user, so let's add a policy: it will be user, and you have to be logged in with local, no visitors. Let's attach the user here, and then instead of signing in (we don't want to forge the identity, it comes externally) we just want to say: go over there. For this there is ChallengeAsync.

Okay, we've talked about creating cookies and then reading cookies, and a cookie is just a collection of strings; it could really be creating anything, reading anything. ChallengeAsync is: listen, we don't know who you are, go and create your thing. And that is what challenge is; challenge is a way to basically say go to the creation process, and usually in your options over here this is where you would specify where you go for the creation options: do you go to the login screen, do you get redirected somewhere? So in here specifically, when we get challenged, when we need to go to the creation process, we will get redirected and we will land on a different login screen where we will need to input our credentials, etc. And that's about it. But here I'm going to use the external patron, place it over here, semicolon and then await, and I think actually this can just be a lambda, and look at that.

All right, so I think this has reloaded; I no longer need this website. Let's come back over here; let's make sure that I still have only two cookies, cool. And actually let's do this: we will log in patron, and we're gonna get redirected, 404, to a login. So essentially if we fail authentication we get challenged, so we get redirected to the login screen. So first of all what we want to do is log in with local, there we have it, and then we want to log in with Patreon because we have an authentication session that we want to tie our Patreon account with. And you can have multiples: you can have a GitHub account, you can have a Facebook account, you can tie all of these things into your service, right? We'll do something like bob@test.com and then log in. This is actually going to be pretty funny, so let's try this again: password, login, and you will see that I'm logging in, it's redirecting me to the callback patron, and then I'm getting redirected to login patron again, and I'm kind of stuck in this loop. So what I want to say is: when I log into Patreon (let me drop this down to a new line over here), in the authentication properties that I'm passing here I want to specify a redirect URI where I'm going to return to, just the root path, okay.

And if you're wondering how or where these authentication properties end up, again I highly recommend you download Rider or some kind of decompiler. You can open up AddOAuth, you can go to the OAuthHandler, you can look at all the properties, or actually let's just straight up look for challenge, where we'll find a function that looks something like this. You will see how it basically tries to use the redirect URI: it takes your slash, it reconstructs the whole thing based on your current path, etc. Let's back out from here. Now I'm actually telling it: go generate your token, and once you're done with everything and you come back, this is where you come back to. So let's come back over here, and actually I want to restart. Let's open up another window; we're again gonna open up the network tab and the application. I know I have a patron cookie somewhere over here, but we are just gonna shred it. We're then gonna log in with Patreon, get redirected, login, and there we have it, we're back here. Uh, the cookie window is a little bit slow to refresh, but there we have it, we have a Patreon cookie.

Let's reattach the debugger and take a look at this authentication schema. Looks like that is good; refresh, and again context, scroll down to the user, open it up, and we have two identities. I have specified customer over here, so we're only loading visitor and local. Let's go ahead and also load the Patreon user here, because we value our Patreon users, right? Let's grab local, we'll put it over here, and we want the patron cookie. So once you actually have the patron cookie, this is what we are going to be checking. We cannot check this external patron authentication schema; it is purely for redirecting you, purely for the challenge. This is why we have this authentication schema: to say go and obtain, but then during the obtaining process create for this patron cookie, and this is what we specify here, where we're specifying this other authentication schema. So we've specified that there; let's reattach, let's refresh the page, and there we have it. Let's take a look at the context user identities: now we have three. The third one is external patron; uh, we don't have many claims, the, what you might call it, mock API doesn't really return any claims, but hopefully you get the picture.

In this video we've taken a look at three, even four, authentication schemas. The first one is the visitor authentication schema, which is kind of just: locally you land on the website and you're a user, we now know how to identify you, we've just given you a token, no questions asked. Now if you authenticate with us you're a user; we need to be able to slice between the visitors and the users, and this is a different authentication schema. And finally, even further, let's say you want to go ahead and extend your current login session with more privileges, so you log in with Patreon, some kind of other service, so you're enabling more functionality in this application. So you go and obtain a token and we just deal you out another cookie to basically say you have more privileges. But before you actually do this you need to be a user. This authentication schema stuff can go as far as: locally we are going to have a cookie authentication schema; you can go sign in with Google, you can go sign in with Facebook, but once you come here we process the tokens and then we create our own cookie token from there. So you would have three authentication schemas: one for obtaining tokens from Google, or one for obtaining tokens from Facebook, and then the local one, which is your cookie authentication schema, which is local. And that is the end of the story.

This will be it for this video. Thank you very much for watching. If you enjoyed it, don't forget to leave a like and subscribe; if you have any questions or want to say thank you, leave it in the comment section, or better yet come support me on Patreon. A very big thank you to all my current Patreon supporters, you helped me make these videos. And a little announcement: I will be at NDC Oslo; if you're going to be there as well, come say hi and message me on Discord if you're going to be there, I might have a present, I might not. Anyway, again thank you for watching and have a good day.
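The setup described in the captions, written out as one runnable Program.cs. This is an added example, not the video's own code or the Raw Coding repository: the scheme names (local, visitor, patron-cookie, external-patron), the claim type "usr", the /login-local, /login-patron and /cb-patron paths, the client id/secret and the oauth.example endpoints are all assumptions chosen to match the narration, and the mock OAuth provider the video uses is not shown on the page.

```csharp
// Added example (not the video's code). Scheme names, claim types, paths, the client id/secret
// and the https://oauth.example/* endpoints are assumptions for illustration.
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication()
    // "local": the ordinary credentials-based session.
    .AddCookie("local")
    // "visitor": the same cookie machinery, but the handler below issues a cookie
    // to anyone who arrives without one instead of failing.
    .AddScheme<CookieAuthenticationOptions, VisitorAuthHandler>("visitor", _ => { })
    // "patron-cookie": only ever written by the OAuth handler after the token exchange.
    .AddCookie("patron-cookie")
    // "external-patron": used purely for the challenge/redirect (the "creation" half);
    // recognition happens through the cookie named in SignInScheme.
    .AddOAuth("external-patron", o =>
    {
        o.ClientId = "demo-client-id";         // assumed; OAuthOptions validation requires both
        o.ClientSecret = "demo-client-secret"; // assumed
        o.AuthorizationEndpoint = "https://oauth.example/authorize"; // assumed mock provider
        o.TokenEndpoint = "https://oauth.example/token";             // assumed mock provider
        o.UserInformationEndpoint = "https://oauth.example/me";      // assumed mock provider
        o.CallbackPath = "/cb-patron";
        o.Scope.Add("profile");
        o.SaveTokens = true;              // tokens are kept in the ticket, never handed to page scripts
        o.SignInScheme = "patron-cookie"; // chain the OAuth creation step into a cookie we recognise
    });

builder.Services.AddAuthorizationBuilder()
    // A visitor, local or patron cookie makes you a "customer"; all matching identities are
    // merged into HttpContext.User, so handlers can tell them apart by AuthenticationType.
    .AddPolicy("customer", p => p
        .AddAuthenticationSchemes("local", "visitor", "patron-cookie")
        .RequireAuthenticatedUser())
    // Linking a Patreon account requires a real login first; visitors do not qualify.
    .AddPolicy("user", p => p
        .AddAuthenticationSchemes("local")
        .RequireAuthenticatedUser());

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Reports which schemes recognised the caller, e.g. ["visitor"] or ["visitor","local","patron-cookie"].
app.MapGet("/", (HttpContext ctx) =>
        ctx.User.Identities.Where(i => i.IsAuthenticated).Select(i => i.AuthenticationType))
   .RequireAuthorization("customer");

app.MapGet("/login-local", async (HttpContext ctx) =>
{
    // A real endpoint validates submitted credentials here; the claim value is a placeholder.
    var identity = new ClaimsIdentity(new[] { new Claim("usr", "anton") }, "local");
    await ctx.SignInAsync("local", new ClaimsPrincipal(identity));
    return "ok";
});

app.MapGet("/login-patron", (HttpContext ctx) =>
    // Challenge = "go to the creation process". RedirectUri is where the OAuth handler sends the
    // browser after /cb-patron; without it the handler returns here and you loop on the challenge.
    ctx.ChallengeAsync("external-patron", new AuthenticationProperties { RedirectUri = "/" }))
   .RequireAuthorization("user");

app.Run();

// Cookie handler that turns "no valid cookie" into "sign you in as a visitor".
public class VisitorAuthHandler : CookieAuthenticationHandler
{
    public VisitorAuthHandler(IOptionsMonitor<CookieAuthenticationOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        var result = await base.HandleAuthenticateAsync(); // try to read an existing visitor cookie
        if (result.Succeeded) return result;

        var identity = new ClaimsIdentity(new[] { new Claim("usr", "visitor") }, "visitor");
        var user = new ClaimsPrincipal(identity);
        // Issues the Set-Cookie for the visitor scheme via the HttpContext the handler carries...
        await Context.SignInAsync("visitor", user);
        // ...and also makes *this* request count as authenticated, since the browser only
        // presents the cookie on the next one.
        return AuthenticateResult.Success(new AuthenticationTicket(user, "visitor"));
    }
}
```

Walking it through in a browser: GET / with a clean cookie jar returns ["visitor"] and sets the visitor cookie; GET /login-local adds the local cookie; GET /login-patron is allowed only once the local cookie is present, bounces through the provider and /cb-patron, and comes back to / with a third cookie, so / now lists all three identities. Two things worth keeping in mind: the visitor identity only proves that this application handed out a cookie earlier, not that anyone was verified, so never derive a discount or any privilege from it alone; and with SaveTokens the provider's tokens live inside the data-protected patron-cookie payload and can be read server-side with ctx.GetTokenAsync("patron-cookie", "access_token") rather than ever being exposed to browser script.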
Info
Channel: Raw Coding
Views: 18,629
Keywords: asp.net core, authentication, explained, tutorial, guide, c#, authorization, auth, authn, authz, authentication middleware, authorization middleware, dotnet, authentication scheme, minimal api
Id: N_zVCCpnjXM
Length: 22min 21sec (1341 seconds)
Published: Wed Sep 14 2022