ASP.NET Core Web API + Entity Framework Core : Basic Authentication Explained - EP07

Reddit Comments

Basic auth has the username and password encoded, not encrypted. You also say that you can use many different encryption methods on the username and password, but that's not true; basic auth is always base64 encoded. This is an important distinction: since it's only encoded, anyone who gets that string has the username and password.

3 points, u/Coda17, Jan 12 2020

I don't have time to check this out yet. But does the video go over refresh tokens with the authentication bit?

1 point, u/devperez, Jan 12 2020
Captions
Hey guys, today I'm gonna talk about basic authentication in ASP.NET Web API. Basic authentication is the easiest way you can authenticate your web request, and if you're doing any school project where authentication is not the major part of your project, basic authentication is the way to go. And even if you want to use JWT, bearer or OAuth authentication methods in your web request, I think it's better if you understand how basic authentication works before you jump into advanced authentication methods.

So what's the problem statement? We created this Web API that has Entity Framework Core installed so that it can talk to our database, and we have our clients who are talking to our Web API. But some of the information that we have in our database is sensitive information, right? Like if our clients are trying to log in to the system and they want to validate the user, they cannot really pass email address and password as query parameters or route parameters. That's a bad way to go about it. So how do we pass email address and password? That's the problem: how do we pass email address and password in encrypted format and not in query parameters or route parameters? That's where basic authentication comes into play. So this is a bad way, this is not a good way to go about it; we should use basic authentication.

So for basic authentication, what you do is you pass an encrypted string of your email address and password. In my case I'm going to use email address colon password, and you can use any encryption method; make sure that you have the decryption algorithm for that too. You can use a secret key for encryption and decryption which only your clients and servers can access, but for this demo I'm just going to use Convert.ToBase64 on my email address:password to get an encrypted string, and then I'm gonna use the FromBase64 method to bring back, to decrypt, my encrypted string. So for this method what you do is you add an Authorization header and then "Basic", space, the encrypted string of your email address and password.

But okay, this is good when the client knows that they have to pass "Basic", space, the encrypted string of their email address and password. What do we need to do on the Web API? That's important. So for that, in the API, what you need to do is create a handler which will handle all these sensitive requests. So if the client asks for data, when the client sends the Authorization header and the encrypted email address and password, the API should know how to handle this request before sending sensitive information, right? So these are the steps that we need to follow for our ASP.NET Core 3.1 Web API project. We'll follow the steps one by one and then we'll enable our ASP.NET Web API to handle authentication, to handle these requests, so that it knows that the user is authorized to ask for this information.

So the first thing that we need to do is enable our ASP.NET Web API for authentication. Then we'll have to create this authentication handler of type AuthenticationSchemeOptions, and then we will have to use this [Authorize] attribute on one of our controllers which is going to send sensitive information, so that the controller knows that it should first use this authentication handler before it sends sensitive information. And to make these two ends meet, you need to tell your services, your Web API services, to add this basic authentication handler as authentication before sending the sensitive information. Then we're going to use AuthenticateResult.Fail and Success depending on whether the user is valid or not. We're going to use Entity Framework Core for validating the user against the database, and AuthenticationHeaderValue is something that we use for reading the Authorization header from our web request.

All right, so I'm going to use the Postman tool for testing this, and I've already created this web request, which is GetUser, and it's passing the email address of John Smith and the password, which is an already encrypted password, but still we shouldn't pass even an encrypted password in the query string, and it's returning the whole user. Okay, so how do we fix this problem? How do we get rid of this email address and password from our query string and pass it in our Authorization header, and make our ASP.NET Web API able to handle this request?

So the first thing that you need to do is go to your Startup class, and here, before authorization, tell your app that it is going to use authentication. Yes, and now our app knows that we could send some requests which need to be authenticated. The second thing you need to do is create an authentication handler, so let's go ahead and create one. I'm gonna create a folder here, maybe call the folder Handlers, and I'm going to add a class and call it BasicAuthenticationHandler. Nice. So this is the class which will handle the requests which are coming from clients, and I'm going to inherit AuthenticationHandler. For that we'll have to bring in some namespaces, and then we'll have to tell our AuthenticationHandler what type of scheme it is going to use, so I'm gonna pass this as a type. It's gonna throw an error here because we need to implement the abstract class; you can see that it wants us to implement this function HandleAuthenticateAsync, which will get called whenever a request needs authentication. All right, and it's still giving an error because it's asking for a particular kind of constructor. For that I am going to copy some code here: I'm gonna say my BasicAuthenticationHandler takes these parameters in the constructor, and let's bring in some namespaces for that. It takes AuthenticationSchemeOptions as options and passes it to its superclass here, and it takes a logger factory as a parameter and a URL encoder and a clock, all that good stuff. All right, so now you can see that our authentication handler is happy. What I'm gonna do, instead of throwing an exception here, I'm going to return an AuthenticateResult: I'm gonna say AuthenticateResult.Fail and say that we need to implement this, instead of throwing an exception, and this is an async function, yes.

So okay, now we have the handler here, and then we will have to go and tell our controller, the UsersController which has sensitive information, that it needs to get authorized before sending the data. To do that you just use this [Authorize] attribute on top of the controller, and you can use this [Authorize] attribute on any of the functions if you want to. All right, so we have [Authorize]; we want our controller to be authorized, but our controller doesn't really know which authentication to use, right? To make these two ends meet, we'll have to go to our Startup class again and tell our services that we use AddAuthentication. Here we need to add authentication of type basic authentication; this is just a name identifier, so I'm gonna pass the string, I'm gonna say that it's "BasicAuthentication". Then it's gonna ask for the scheme that you're using. The scheme is of type AuthenticationSchemeOptions, and the handler that we're using is BasicAuthenticationHandler, and then it again takes the name identifier, which is the same as this, and then it takes some config which I'm going to pass as null, and I'm gonna bring in some namespaces here. Nice. So now our Web API knows that okay, this is the authentication that you have to use, and before serving a request from UsersController, make sure that you are calling this BasicAuthenticationHandler.

What I'm gonna do, I'm just gonna put a breakpoint here and we're gonna run our Web API to make sure that it calls HandleAuthenticateAsync before calling the UsersController. Okay, so I'm gonna run it, and you can see that now my Chrome is pointing to api/users, which is the UsersController, and it came to this HandleAuthenticateAsync before it went to our users function which returns all the users. Okay, so let's go ahead and implement this HandleAuthenticateAsync. You can see that in Chrome it's throwing this 401 error, which means that it's unauthenticated. If I go to my Postman and if I try now to get the user by email address and password, if I send this, you can see that it's trying to go back to HandleAuthenticateAsync; if I continue, you can see that it throws a 401 Unauthorized error. So we managed to filter the request, saying that okay, you need to authenticate before asking for this information.

So let's go ahead and handle this request. The first thing that you need to do is make sure that you have the Authorization tag in your headers. So I'm going to check if Authorization is mentioned in the request or not; if it's not mentioned then I'm gonna return Fail and say that the Authorization header was not found. Nice. Now we know that the Authorization header is there, so let's read this Authorization header. What I'm gonna do, I'm going to use this AuthenticationHeaderValue and I'm gonna use Parse. I think we'll have to bring in some namespaces for this, yep, thanks. And we'll have to parse our request, so I'm gonna say Request.Headers and let's parse the Authorization header, and we'll have to bring it into a variable here. So what I'm doing is I'm reading the Authorization header value from my header and putting it into a variable here, so I'm gonna say var, the header value, equals this. Nice. So now we have the authorization header value which has our encrypted string, and we would like to convert this encrypted string into bytes. To do that, I'm gonna say Convert.FromBase64 and I'm gonna pass this authentication header value's Parameter, which will give me the bytes, which I need to convert into a proper string. So we know that the encrypted string was passed as the parameter, the Basic parameter in the Authorization tag; we converted that into bytes, and we'll have to convert these bytes into a proper string. To do that, I'm gonna say Encoding, we'll have to bring in a namespace for this, and I'm gonna use UTF8.GetString and I'm gonna pass these bytes into it so that it will get the proper string as credentials. So basically we are trying to decrypt the encrypted string which has been passed into a proper string.

Okay, so let's test this. I'm gonna put a breakpoint here, and I'm going to step through this and show you how it exactly works. For that, first we'll have to encrypt an email address and password; for that I'm going to use this website base64encode, which will encode my email address and password, and then I'm gonna use that encrypted string and pass it as a header in my request. So I'm going to use John Smith as one of the parameters, and the second parameter is the password, and when I click on encode I do get this encrypted string. So we'll pass this encrypted string, which is the username and password, into our Authorization header. So now we need a header, which is an Authorization header, and here I'm gonna pass "Basic", space, the string that we just copied from here. Okay, so now if I click on send... I need to run my Web API here. So now if I click on send here, you can see that it came again to HandleAuthenticateAsync; it's trying to handle our web request, and this time we have the Authorization header in our request. Let's try to read that. So if I get this request into an AuthenticationHeaderValue, you can see in Parameter the encrypted string that we passed; we are able to read it in our authentication header value, which we convert into bytes which we cannot really read, but when we convert these bytes into a string using Encoding.UTF8.GetString, then you can see in our credentials John Smith's email : password of John Smith. So this is how you can filter your request, this is how you can pass authorization parameters in Authorization. And if you have any question about this method, like even the Authorization header could get exposed, you should use HTTPS, which will encrypt everything in your header.

So all right, so now we have the email address and password of the user who's trying to access the information. What I'm gonna do, I'm gonna try and split the string into two, and here we will get our string array: string email address is the credentials' first part, which is John Smith, and string password is the credentials' second part. Nice. Now we have an email address and password which has been sent in the Authorization header. Here we will have to validate this email address and password against our database. For that, I'm going to inject my DbContext. You can use any method here, you can use your own class or services to authenticate your user; you don't really have to follow the same method, but here I'm going to inject my DbContext so that I can use it. So I'm gonna say my DbContext and then I'm going to assign my context with this. Nice. So now we have our DbContext. What I'm gonna do, I'm going to get the user, which is context.Users where the user's email address is the email address which has been passed in the Authorization header and the user's password is equal to the password which has been passed in our Authorization header, and I'm gonna get the FirstOrDefault user. Nice. So now we are checking if the credentials which have been passed are valid or not. But we could get some exceptions here, so let's just put a try and catch and make sure that we have valid requests. I'm gonna put some try and catch, copy this and paste it here, and if we get any exception then I'm gonna say authentication has failed and the message is the error's message. And then we could get a null user, right? So that also we will have to handle: I'm gonna say if user is equal to null, then also we'll have to fail this authentication, and I'm gonna say invalid username or password, you figure that out. Else, what I'm gonna do here, I'm gonna create an identity. I'm gonna copy-paste some code from here and paste it here. So what I'm doing: I created some claims which are taking the user; if it's a valid user then I will create some claims, an identity and a principal, and I'm creating a ticket of AuthenticationTicket type with the same scheme, and that is what I am going to return as success. I'm gonna say finally we have success, which is the ticket which has been created for the user which has been passed in the Authorization header. Let's get rid of this, we don't need that. All right, so now we have the user which we are trying to pass in our Authorization header, and then it should handle the requests which are being sent by my client.

Okay, so how do we read this user in our UsersController? So now in our GetUser we do not really need these parameters; we are not passing email address and password as query strings. So how do we read our email address? The email address is gonna be context.User.Identity.Name, and we will just pass the email address of the user. We don't need the password; we already validated that. And before sending the user, we're already making sure the password is null here, so even if you are authenticating the user information, make sure that you do not have any sensitive information in the response that you're sending. All right, so let's go ahead and test it. We have our BasicAuthenticationHandler set up and we have our UsersController set up. So now I'm going to go to my Postman here, and here I'm not passing email address and password in my query string, I'm passing the encrypted string in Authorization. Let's run this. And we're getting some error, okay; we'll have to maybe pass this as Fail if it doesn't go into any else block. Let's go down this, there you go, I think it should be happy. Oh, we'd have to put some return down here, that's why I'm getting... oh, there you go, maybe that. All right, let's run this; maybe to return here for failure we need to pass some string. There you go, all right, now it will work. Okay, so now we have our basic authentication handler and UsersController ready for handling requests. So I'm gonna test this from the Postman tool: I have my API request ready and I have my Authorization ready, so when I click on send here, well, there you go. So now I did not pass email address and password of the user; I passed the encrypted username colon password in my Authorization and I'm getting the response of my user. If I modify this, if I add a "d" here and send the request, you can see that we are not getting any response back. All right, let's try some other user. I'm gonna go to my database, show some table data, I'm gonna use the first user, put it here, and I'm gonna get the password and put it here, copy that string and put it in the basic authentication here, and when I click on send, there you go, you're getting the first user back. So this is how you can pass your email address and password in your web request and make sure that you're not passing any sensitive information over the network. In my next videos I'm going to talk about how we can use JWT, OAuth and bearer for advanced authentication, and if you have any questions about this demo you can reach out to me on Twitter or Facebook, and don't forget to subscribe to the channel. Thanks for watching, bye.
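The handler the captions walk through, written out as an added example for ASP.NET Core 3.1; this is not the video's own code. It assumes a hypothetical AppDbContext with a Users DbSet whose rows expose EmailAddress and Password, and it adds the checks a practitioner would want around the video's steps: it accepts only the Basic scheme, turns malformed base64 into a 401 instead of a 500, splits on the first colon only, and sends a WWW-Authenticate challenge.

```csharp
using System;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Assumed: AppDbContext is the tutorial's EF Core context with a Users DbSet whose
// rows expose EmailAddress and Password (hypothetical names, not taken from the video).
public class BasicAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private readonly AppDbContext _context;
    public BasicAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, AppDbContext context)
        : base(options, logger, encoder, clock)
    {
        _context = context;
    }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.ContainsKey("Authorization"))
            return AuthenticateResult.Fail("Authorization header was not found");
        // Accept only the Basic scheme. Its parameter is base64 text, not ciphertext:
        // anyone who reads it on the wire has the credentials, so serve this over HTTPS.
        if (!AuthenticationHeaderValue.TryParse(Request.Headers["Authorization"], out var header)
            || !string.Equals(header.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            || string.IsNullOrEmpty(header.Parameter))
            return AuthenticateResult.Fail("Invalid Authorization header");
        string email, password;
        try
        {
            var credentials = Encoding.UTF8.GetString(Convert.FromBase64String(header.Parameter));
            // Split on the first colon only, because the password itself may contain colons.
            var separator = credentials.IndexOf(':');
            if (separator < 0)
                return AuthenticateResult.Fail("Invalid Authorization header");
            email = credentials.Substring(0, separator);
            password = credentials.Substring(separator + 1);
        }
        catch (FormatException) // malformed base64 must become a 401, not a 500
        {
            return AuthenticateResult.Fail("Invalid Authorization header");
        }
        // Look up by email, then compare the stored value in code; in production this is
        // where a password-hash verification belongs rather than a plain string comparison.
        var user = await _context.Users.FirstOrDefaultAsync(u => u.EmailAddress == email);
        if (user == null || user.Password != password)
            return AuthenticateResult.Fail("Invalid username or password");
        // The Name claim is what the controller reads back via HttpContext.User.Identity.Name.
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user.EmailAddress) }, Scheme.Name);
        return AuthenticateResult.Success(new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name));
    }
    // On 401, tell clients which scheme is expected; the video's handler does not send this.
    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        Response.Headers["WWW-Authenticate"] = "Basic realm=\"WebApi\"";
        return base.HandleChallengeAsync(properties);
    }
}
```

Register it in Startup with `services.AddAuthentication("BasicAuthentication").AddScheme<AuthenticationSchemeOptions, BasicAuthenticationHandler>("BasicAuthentication", null);`, call `app.UseAuthentication()` before `app.UseAuthorization()`, and put `[Authorize]` on the controller, as the captions describe.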
Info
Channel: Curious Drive
Views: 49,129
Keywords: .net, visual studio, programming, c#, visual studio code, .net core, msbuild, web, asp.net, developer, code, libraries, .netstandard, javascript interop, windows, linux, macOS, open source, free, app, ecosystem, performance, reliability, security, classes, assemblies, MVC, dotnetconf, web api, api, REST, asp.net core, serialization, Authentication, authorization, Routing, HTTPS, JSON, Entity Framework Core, SQL, Microsoft.EntityFrameworkCore.SqlServer, Scaffold, HTTP Methods, Microsoft.EntityFrameworkCore.Tools
Id: 6X6iONXhz2w
Length: 28min 55sec (1735 seconds)
Published: Sat Jan 11 2020