C# ASP.NET MVC Authentication - Logging in locally or with OAuth (using Twitter) credentials

Captions
Creating an ASP.NET MVC site is a lot of fun, but sooner or later you're going to have to deal with the idea of security. You can't just let everyone have access to your data. The problem is that setting up an authentication system can be intimidating: either you make your own homegrown system, which probably isn't secure but you understand it, or you try to implement some crazy complicated system that you don't understand, and then you spend every day after that just hoping it doesn't break. At least that's how I felt. Fortunately, the smart people at Microsoft have done a pretty good job of helping us out. Today we're going to be taking advantage of those streamlined processes to set up both a local authentication system and also an OAuth authentication system using a person's Twitter account.

Before we do, though, I should probably introduce myself. My name is Tim Corey and my goal is to make learning C# easier. If that sounds like something that interests you, I've got two recommendations for you. First, subscribe to this channel and make sure you hit the bell to get the alerts; I am always working on new content based upon the suggestions of my viewers. Second, join my mailing list; the link is in the description below. I don't send out a lot of email, but you don't want to miss it when I do: you get insider access to me and to my courses. Now, whether you're new or have been with this channel since the beginning, don't forget to give this video a thumbs up and let me know what you think in the comments below.

All right, so that's enough about that. Let's get to some code. Here I have Visual Studio 2017 and we're going to start a new project. We'll go to New Project right here, go to Web and choose the ASP.NET Web Application. Now if we expand this out a little bit, notice I'm doing the .NET Framework one. A lot of you asked, "What about .NET Core? I want to see .NET Core." We'll get there, but I really want to teach the foundation stuff first before we get to the Core stuff, because that just adds one more layer of complexity onto our application. So let's deal with the majority of what you're gonna do first, especially in the business world. The business world hasn't yet gone fully Core; most of the stuff that I've seen out there is still the full .NET Framework. So again, we'll get there in future videos, but for this video we're going to do the full .NET Framework.

All right, so we're going to choose a name for the application and also a solution name. Let's just call this MVCDemo, and we'll call the solution AuthenticationDemo, just to have a different solution name than the project name. It's always good to separate those two so you don't have confusion as to which one's the project and which one is the solution; just keep different names. So AuthenticationDemo is the solution and MVCDemo is the actual project. That's step one: we've chosen the .NET Framework version of the ASP.NET Web Application and given it a name. Let's hit OK and now we get this second dialog. It's a little bit shrunk, because I increased the font size for this video. By default, since we chose MVC, we have MVC selected. We could choose Web API, or Single Page Application, or Azure API App, or Azure Mobile App, or Web Forms, or Empty. We'll choose MVC. We'll not choose Web API for this video, because it's not really something we need, but if you wanted to have this application work both against MVC as well as maybe a WPF front end, or a machine-to-machine kind of thing, then you'd want to have Web API as well to support it. Web API will allow you to make API calls, so that's kind of nice for a lot of web projects. In fact, typically when I go into a business and consult, one of the first things I say is you should probably put your code behind an API. It just makes life a whole lot simpler when it comes to changing out your front end, so when they say, "I want a mobile app," no problem: most of your code is behind the API, you just create a little mobile UI and point it at all of our API endpoints. So that's kind of a side note, but for this video we just need MVC. We're not gonna do Docker, that'll be a future video, and we're not gonna add unit tests for this, so let's leave those alone. So it's just MVC.

Over here on the right we have Change Authentication, because right now it says No Authentication. Let's change that: we're going to select Individual User Accounts. Now, this will store everything in a SQL Server, which we'll get to, but we can also register and sign up normally just through SQL, and when I say normally I mean just inside MVC itself. We can also enable logging in using Facebook, Twitter, Google, Microsoft or another provider. Today we'll enable Twitter, but that's just one of the options we can do. You'll see it's very, very simple to do, and adding Facebook, Google or Microsoft is pretty much just uncommenting a bit of code that I'll show you. Now, we're not going to touch Work or School Accounts or Windows Authentication, because those two are less common, from the standpoint that you'd have to set up a cloud authentication system through Office 365 or Azure Active Directory or something like that, or have a Windows network that does a centralized login system. Those are a little harder to demonstrate, and they're also less likely for you to be able to do at home. So we're going to do Individual User Accounts, which is the most common. So make sure it says Individual User Accounts here, MVC is checked over here, and we hit OK. What this will do is scaffold out our project. If you notice in the lower left-hand corner, we see all these NuGet packages that it is bringing in. We've covered NuGet before, but essentially NuGet just allows us to bring in different bits of code and keep them up to date. In fact, the first thing I'll do is go to my References, right-click, say Manage NuGet Packages and then go to Updates. Notice it says 27 updates; these are all the NuGet packages that can be updated. For example Bootstrap: the version installed is version 3, but version 4 of Bootstrap is out. We can update that if you want. Some of these are dramatic and some of these are not; I mean, this is a minor version update, whereas jQuery has two major versions updated. So there's quite a few updates here. What I'm gonna do is just select all the packages and hit Update, and this will go through and get the latest version of all of these and bring them in, kind of merge them into our project. Now, I don't recommend you doing this to an existing project. Don't just update everything, because you need to make sure that it's going to work with your application, that you've tested it and that it's not gonna break something. All right, let me go ahead and accept the license agreement. So don't just do this on an existing project: go through one by one, make sure you want the update, update it and then test it. But when you're starting out fresh like we are, it's a great time to do an Update All, because it's not really a big deal; if it doesn't work we just redo the package. So now a couple of things. First of all, it says multiple packages failed to install, restart Visual Studio to finish the process. We'll go ahead and do that, and we'll also update this one as well. That's finished, so let's go ahead and restart Visual Studio; shouldn't be a big deal. All right, we'll just check in and make sure that NuGet is good to go: no packages need to be updated and all those packages are installed. Now you may look at this and panic a little bit and say, "Oh my goodness, it's got so much stuff installed, I need to remove it all, don't I?" There's a reason why a lot of stuff is in here, and it is supporting your application. Now if you really know what you're doing and say, "You know what, I don't want that," then fine, go ahead and remove it, but don't just remove something because there's too many. Know what you're doing
and why you're doing it before you do it. OK, now in here there's the Identity information, there's Entity Framework and more; it's growing really fast here. But there's the OWIN security for Facebook, Google and Microsoft account, there's the OAuth stuff; there's a whole bunch of stuff that is supporting our authentication.

So before we do anything else, I'm going to just run this application. I'm gonna hit Run. I'm running in Google Chrome; that depends on whatever your default browser is, and if you have more than one you can actually start it in more than one browser at the same time. So this is loading up; it's going to compile the project, make sure it works and then start up. Now it looks a little different than normal, just because I have installed Bootstrap 4, and that's actually something that's caused a little bit of a problem. They normally have a menu up here; I don't have the menu right now. So what I'm gonna do, and I'll show you how to do this, is right-click, go to Manage NuGet Packages, and let's go find Bootstrap. Bootstrap is at 4, and I say, "You know what, I'm not a big fan; it's causing some problems, so I'm going back to 3.3.7." When it went to 4 they changed a lot of their class names and other stuff, and it made some breaking changes. It's a great system and I encourage you to learn 4; don't stay on 3. But for our purposes I don't want to have to redo the entire demo for the front end, so I'm going to downgrade to version 3.3. So we hit Update, we move backwards in the chain, and it says, "OK, I can't find a file." Let's see if that's actually a problem or not. So right now it says we're on 3.3.7, and if we run this again, let's see how we do on our user interface. All right, so our user interface looks radically different than it used to, and notice up here we do have our bar. This shows our links: we can go to the About page, the Contact page, as well as the Home page. We also have these two links over here which are important for this demo, the first one being Register and the second one being Log in.

If we click Register we get this page right here. Really simple: just email address, password and confirm password. That's all we need to do, and we also have a Register button. If we click Log in, it says, "OK, here's your email address and password; if you already have one, go ahead and log in." You can also register as a new user, which takes you back to this Register page, and over here on the right it says "Use another service to log in," and right now there are no external authentication services configured. Oops, I clicked on that article, which is great; they actually have an article right here telling you how to set this up. But I'm gonna walk you through it, so ignore that article until later.

All right, so the one thing I want to start off discussing is what's the difference between registering and using a different service. When you register, you're going to give them a login name and password and create all of that locally. But when you use a service like Twitter, what happens is it pops a window up with a Twitter login on the Twitter page, and so you put your login and password in, or if you're already logged in and have your authentication information saved in your browser, then it will just say, "Do you want to authorize this app, this particular app right here, to view this stuff about you?" And I'm gonna show you how to kind of trim that down to just the basics: we're not gonna be able to tweet from a person's account, we're not gonna have access to even read their tweets; all we have access to is to know who they are. What we're doing by that is saying we don't want to control who you are; we want to let somebody else take care of changing your password or whatever you need to do, and if you've lost your password, all that good stuff gets handled by Twitter, not by us. So that's the difference. With this system right here it's kind of more homegrown; it's scaffolded up a bit by Microsoft, and there's a lot of stuff here to handle all that, but it really is stuff that we control. If we log in with a different service, they control all the stuff that surrounds that authentication system, so the lost password, the expired password, all that good stuff gets handled by, say, Twitter, and all we do is say, "Hey, can you log in to Twitter using this special link?" And we'll show you how to do that, or I'll show you how to do that (I'm not sure why I'm a "we" today). If you use that link then we go out to Twitter, we ask them to log in, and when they do, Twitter sends our application back a thing that says, "Yep, they are who they say they are, so you can go ahead and let them in." So we'll set that up, but for right now let's go ahead and register as a new user.

I'm going to use my email address, and I will first purposely use a bad password. So if I use "test", all lowercase, and no confirm password, I hit Register and it gives a couple of errors: first of all, the password must be at least six characters long; second of all, the password and confirmation password don't match. So let's do "testing", all lowercase; I hit Register: the password must have at least one non-letter or digit character. All right, so now I'm going to do "Testing" with a capital T, and it says at least one non-letter or digit character. I forgot that. So "Testing1": at least one non-letter or digit character. Well, I had one of those... how about "Testing1." and there we go. So now I'm logged in, and I had to use Testing1. with a capital T. And yes, you have my password there; don't worry, you can't get to it. So now it says "Hello me@timothycorey.com"; so now I'm actually logged into the system. The Register and Log in buttons are gone, and instead we have a Log off button. If I click on the "Hello me@timothycorey.com", I can see that I can change a password here, I have 0 external logins associated with this account, and I'm not using two-factor authentication. Again, there's an article for that, which is great. So we've found a couple
things. First of all, there's a little bit of messaging we need to modify or tweak, which we could do: essentially what we need to tell people is you need to have one uppercase, one lowercase, one number and one special character, versus saying we need to have one or the other. So we need to have both, but that's not a big deal. So we've now logged into our site and it knows who we are. We can log off; we then log in and use my email address and my password, and now I'm logged in. So that's essentially right out of the box; I haven't touched a thing. Notice I said this was supported by SQL, and yet we haven't set up a SQL database. Everything here is just out of the box, working. So let's see how this actually works.

All right, so if we go into the Content folder, I'm sorry, the App_Start folder, there's a couple of config files I want you to look at. First let's look at Startup.Auth.cs. In here is where a lot of the configuration for your authentication system is in place. There's a whole bunch of stuff here, and by and large you can leave this as it is and it just works; like I said, we've got a working system right now without touching anything. The really cool thing is, when we come down here near the end, you see these sections: "Uncomment the following lines to enable logging in with third-party login providers." That's kind of cool. So for example Twitter: we just uncomment this right here. Now it needs a consumer key and consumer secret; we don't have those, so we're gonna get those and set this up. But if I wanted to use Facebook, well, I'd get a Facebook app ID and app secret, put them there and then uncomment this section. Pretty simple stuff, and that really is pretty much all it's going to take to do any of these. Now Twitter is a little bit harder, just because there are some quirks to it, and so I'm gonna show you how to get around those quirks or fix those quirks. That's one of the reasons why I use Twitter; another is it seems like everyone has a Twitter account, in the tech world at least, so that's a pretty safe one. So that's the first place to look, and it's good to kind of look around and see what there is. For example, the login path is /Account/Login, there you go, and there's some validation information here we can check.

But then also there's this IdentityConfig.cs file over here. In here there's a whole bunch of stuff, and if you scroll down a little bit you see this Create method. Inside here we have validation logic for usernames: we could say AllowOnlyAlphanumericUserNames, which is set to false, which is great, because my username right now is my email address. We also have RequireUniqueEmail, which is set to true, which means you cannot have two users with the same email address. That's kind of nice, because otherwise you might have four users that have the same email address and you don't know who is who. Now, validation logic for passwords: this is where we kind of ran into that wall. RequiredLength of six: that's not very secure; maybe you want to bump that up to eight. Well, just put an eight there. RequireNonLetterOrDigit, yes; RequireDigit, yes; RequireLowercase, yes; RequireUppercase, yes. See the problem we have: we require a digit and we require a non-letter-or-digit, which I'm pretty sure is saying we have to have either a second digit or a special character. So there may be some tweaking you can do; turn one of these off and say false. We could also tone this way down, turn everything to false and set RequiredLength to two, and then have a really insecure system. But for right now I'm gonna leave it at eight and I'll set these as they are. Now, this does not affect current passwords; this only affects new passwords, which means if I were to set this to a RequiredLength of 20, that'll run just fine. I can still log in with my current Testing1. password even though it's not twenty characters, but when I go to reset it, it's gonna say you can't use Testing1. again, or Testing2., because that's just not long enough. So that's a little ridiculous; the required 20. I think eight is fine. So there's some other stuff you can go in here and tweak; there's a whole lot of configuration here, and we're gonna go into even more depth later. This is really kind of a skim-the-surface video; I don't want to get too deep into the weeds. We'll get into that in future videos, but I want to at least get you going and give you some direction to kind of poke around and find other stuff on your own. So those two places to look are Startup.Auth.cs and IdentityConfig.cs; both of them are in the App_Start folder and they come default out of the box.

So that's the C# side of things, but remember I said this is supported by SQL and we didn't set up a SQL database, so where is this data going? Well, for that let's go to Web.config. In here we have a connection string, we have one connection string, and this points to our SQL Server. In this case it says the data source is a LocalDB, it's in the App_Data directory, and it's called aspnet-MVCDemo-(whole bunch of numbers).mdf. This is the local database in a file that Microsoft creates by default for you when you use this Identity template. You could get by with deploying this, but I wouldn't, because it's just not the full power of SQL and it's not as secure as you'd like, and all that good stuff. So let's go ahead and not do that for production, but for our testing purposes, and for maybe a little application you create for your friends, your family, whatever, no big deal, go ahead and use this. So let's actually explore the data that's in here. Go to the View menu and look for the SQL Server Object Explorer. We open that up and we're going to see a couple of SQL Servers, but the one you want is the one that matches our connection string. That connection string, if we scroll over here, says MSSQLLocalDB, which is this one right here. Inside here are a couple of databases; I created one in a previous demo of MVC, but if we come over here and look at our file, it says that the Initial Catalog is aspnet-MVCDemo-(whole bunch of numbers), this one right here. So in here is a full SQL Server as far as content goes: we have tables, we don't have stored procedures, but I believe you can add them if you wanted to. For right now let's look at the AspNetUsers table; this is where all of our users live. Right-click on this and say View Data. Now, I get a little squirrely with all my different windows open here, so let's kind of shrink things down a bit. So here we have just one record. Notice the email address; there we go, the email address is my email address. Now check this out: password. It's actually called PasswordHash; that's my password hash. This represents Testing1. with the capital T. Now notice they're not storing the password in the database. This is one of the reasons why this is a large step up from you creating your own login and password system in some quirky database, where you're probably storing the actual password. Microsoft does not do that; Microsoft says that's not a good idea. Instead we're gonna hash that password and store the hash, and so what will happen is when you log in with a login and password, it takes that password that you've provided and it hashes it, and then it will compare that to this hash, and if those two match, then it will say, "OK, you're allowed in." It's never decrypting this password; it's a one-way encryption. Now I'm really simplifying this, I'm skipping some steps; this is not a primer on how the authentication system works, it's just a brief overview to kind of show you that yes, this is a much more secure system than what you'd roll on your own. So there's a PasswordHash, there's also the SecurityStamp, which is used with the password hash, and that's all you see with that. Now there are other fields here: PhoneNumber, two-factor
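The two things the video just walked through, the password rules in IdentityConfig.cs and the hash-and-compare that happens at login, can be exercised outside the web project. The following is an added example (not code from the video or from the template) that uses the same Microsoft.AspNet.Identity classes the template wires up: a PasswordValidator configured with the video's settings (RequiredLength raised from 6 to 8), run against the same candidate passwords the video tried, and a PasswordHasher used the way registration and login use it. The candidate strings are constructed for the demo; the class and method names other than the Identity types are my own.

```csharp
// Added example: console demo of ASP.NET Identity 2.x password validation and hashing.
// Requires the Microsoft.AspNet.Identity.Core NuGet package (already referenced by the
// MVC "Individual User Accounts" template). Not the video's code; names are assumed.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

public static class PasswordPolicyDemo
{
    // The same settings the template generates in App_Start/IdentityConfig.cs,
    // with RequiredLength bumped from the default 6 to 8 as the video suggests.
    public static PasswordValidator CreateValidator()
    {
        return new PasswordValidator
        {
            RequiredLength = 8,
            RequireNonLetterOrDigit = true,
            RequireDigit = true,
            RequireLowercase = true,
            RequireUppercase = true,
        };
    }

    // Returns the validator's error messages for a candidate password; empty means accepted.
    // These are the same strings the Register page shows.
    public static async Task<List<string>> CheckAsync(string candidate)
    {
        IdentityResult result = await CreateValidator().ValidateAsync(candidate);
        return result.Succeeded ? new List<string>() : new List<string>(result.Errors);
    }

    // What the template does at registration (HashPassword -> AspNetUsers.PasswordHash)
    // and at login (VerifyHashedPassword). PasswordHasher produces a salted PBKDF2 hash,
    // so the stored value cannot be turned back into the password, and two hashes of the
    // same password differ because the salt differs.
    public static bool StoreAndVerify(string passwordAtRegistration, string passwordAtLogin)
    {
        var hasher = new PasswordHasher();
        string storedHash = hasher.HashPassword(passwordAtRegistration);
        return hasher.VerifyHashedPassword(storedHash, passwordAtLogin)
               == PasswordVerificationResult.Success;
    }

    public static void Main()
    {
        // Constructed candidates mirroring the registration attempts in the video.
        foreach (string candidate in new[] { "test", "testing", "Testing", "Testing1", "Testing1." })
        {
            List<string> errors = CheckAsync(candidate).GetAwaiter().GetResult();
            Console.WriteLine($"{candidate,-10} -> " +
                (errors.Count == 0 ? "accepted" : string.Join(" ", errors)));
        }

        Console.WriteLine(StoreAndVerify("Testing1.", "Testing1."));   // True
        Console.WriteLine(StoreAndVerify("Testing1.", "testing1."));   // False: case matters

        var hasher = new PasswordHasher();
        string first = hasher.HashPassword("Testing1.");
        string second = hasher.HashPassword("Testing1.");
        Console.WriteLine(first != second);                            // True: per-hash salt
    }
}
```

Note that "Testing1" fails only the non-letter-or-digit rule with these settings, which matches the message the video got; with RequiredLength at 8 it passes the length rule, and "Testing1." passes everything. Changing the validator, as the video says, only affects passwords checked from now on; the hashes already in AspNetUsers are untouched.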
authentication, is it locked out, and the UserName, which is my email address. So that is the user; that's all we have going right now. That's kind of cool, though: we have a system in place that's already built a database for us with one, two, three, four, five tables. This one is a migration table, which tells us if we need to change these table structures; that's an Entity Framework thing, and for those of you who've been watching my videos for a while, you know I'm not a big fan of Entity Framework, but in this case we kind of have to use it. So we're using Entity Framework, just a little piece of it though, not a huge part of it. So we've got that created for us, the data is going in just fine, we've even got the forms there; they're pretty basic and pretty plain, but they work, and there's pretty much all the structure we need, even a forgot-password structure in place for us. So we can stop right there and we already have a really big step up for our system, in that we now have the ability to log into our application. Now, we haven't used that login or restricted access yet, and we'll get to that, but first I want to go one step further and actually enable that Twitter authentication, just to kind of show you how easy it is, and also how you would go about setting it up and what the difference is in the data that comes through here.

So let's go ahead and do that. I'm gonna close this down, unpin my SQL Server Object Explorer, re-pin my Solution Explorer and come down here to this Startup.Auth.cs. Remember there's a commented-out section down here for my Twitter authentication. Now the first thing to do is get our consumer key and consumer secret, and those come from Twitter itself. The way I do that is to go to apps.twitter.com, and I'll bring that over here on this screen. So here I've logged into apps.twitter.com with my login, and I actually already have one app created; that's a little application I created for myself. But let's create a new application for this demo project. So Create New App, and the name has to be unique, so let's call this "Tim's MVC Demo". The description, which is shown to the user: "This is the MVC authentication demo app for YouTube." The website: we don't have one yet, so what we'll do is http://localhost, and we'll leave that just as is, and we'll do the same thing for our callback URL. Now, when you actually deploy this to a production site, what you do is come back here and change this to your actual URL. So for now these are set, and we'll check the box that says yes, I have read and agree to the terms, so we'll Create Application. And it says it's not a valid URL format. No problem, so what we can do is change it, if I can type it out, to 127.0.0.1, which is essentially just localhost. So let's go ahead and create our application again; it's been created. So we had to change that website to the IP address, not the actual URL, because it didn't like just localhost; it wants to have something like www.example.org. If we go to Settings we can look through the settings here. One thing to be careful of: make sure you have a callback URL of something, and make sure this "Enable Callback Locking" is unchecked for demonstration purposes; in production you'd want to check this once you have the right callback URL in place. You can change your icon if you want, which is kind of nice; it shows off that yes, you are who you say you are, instead of just a default Twitter icon. You could have your company logo or the application logo or site logo or something like that. And then here we have our Keys and Access Tokens. Now, this should be private, and I'll actually blur out the actual key and secret, because that's not really something you should be seeing, since you could use that for nefarious purposes. But down here, if you say, "Oops, we had a problem," you can go ahead and regenerate the key, or you can change the app permissions. We're gonna go ahead and change this app's permissions: right now it has read and write permissions; I'm gonna modify that and say, "You know what, I only need read only," and I'm gonna leave this "Request email addresses from users" unchecked. But you know what, we could check it; let's go ahead and check it and request that, just so we get that, and then we should bypass the need to ask for it. But we'll see. So Read Only, and I will check the request email address... oops, we must provide a URL for both application settings, so let's just go ahead and say Read Only but not check this request email address, and that should do it. All right, so a moment for the changes to be reflected. Let's go back and get that key, so I'll go ahead and copy that, and then... for right now I'm not gonna paste it in here, because there's one more tweak or problem we have to deal with when it comes to Twitter authentication specifically.

And that is, right now, as of this video, there is a bug with HTTPS, which is what I suppose you'd use for this, obviously, since we're talking about authentication. But there's a bug where it doesn't accept the client certificate, and it gives a 401 error, and says even though you have the right consumer API key and secret, we've got a problem. So I will link to this in the description: there is this Stack Overflow post about it. If you don't know about Stack Overflow, you'll notice stackoverflow.com; it's the place to get information about programming. Now if you have a question, instead of posting a question, search for it; most likely it's been answered about five times. If you do decide, "Hey, I can't find it, I've looked and I've looked and I've looked, I can't find my specific problem," when you post a question make sure that you give a lot of information. Don't just say, "I'm having a problem with this," period, because what'll happen is your question will get downvoted and removed from the site and you'll feel like an idiot; you'll feel like people hate me, you know, people don't like the
questions I ask they they talk down about me they tell me all these bad things which unfortunately is true sometimes people are a little harsh but the reality is if you ask a good question you'll get a good answer so and and don't take it personally they're just trying to protect the site there's a lot of people on here that really work hard to make sure this is not a junky site and so you need to honor that by also not providing poor questions make sure you provide enough detail and any code snippets that are important and any error messages you've tried and what steps you've tried to reproduce the issue or to get to go away so that's just a little side note I'll actually have a video in where my course is coming up that covers how to ask a great question on Stack Overflow so but this is this is a good question it's saying hey I'm getting this problem where it says the remote certificate is invalid according to the validation procedure which is what we would get if we made this call I know you have tested so come down here to the answer and the one that has a green checkmark is the one that the the person who requested the help said was the right answer it's not always the best answer especially over time because this is answering back in 2014 and there is a later answer but this person says okay here's the solution instead of doing this which looks familiar do this instead which notice there's a whole one who stuff here for back channel certificate validator we're gonna use this in fact we're gonna copy this directly into our code these right here will allow us to validate the certificates that are coming from Twitter correctly so let's copy this we're gonna paste this whole thing into our code I'll go ahead and and fix the formatting here and we have to do a control dot here on the new Twitter authentication options and make sure we say using Microsoft OS Acurio Twitter and then down here for a certificate again control dot and add the using statement for 
Microsoft and those two things being done we have now updated our call it's a little bit different notice instead of use use Twitter authentication and then is passing in two values we still use Twitter authentication but we're passing in a new Twitter authentication options class instance and so that takes in a consumer key and our secret but also the back-channel certificate validator with a number of certificates we don't need all these certificates as of this video we only need these bahama two right here four digits Oh but leaving them in it's not a problem it'll still allow us to validate against these all those certificates so it's up to you if you want to keep them in or not I personally since it doesn't hurt anything feel like just leave them in all right with that being said and come back over I'm going to grab my consumer key and my consumer secret both of these are from Twitter and I'm just gonna graze out but these are my it's my key and certificate or secret from that app on Twitter I close this out and just hit run so it's all I've done is I've added that one section for Twitter with the two pieces of information that Twitter gave me that's gonna build we're going here to login and notice in addition to my login over here I now have use another service to log in and Twitter is listed since we've added Twitter it's intelligent enough to say okay then we'll go ahead and put Twitter over here as an option we click this button or I get this page right here where it says do you want to authorize this for your account notice it says Timmons MBC demo this is the MBC authentication demo app for YouTube and there's that icon so that's all a stuff that we set up so that the user can identify that yes you are who you say you are and then down here it says this application will be able to read tweets your timeline and see who you follow that's it it will not be able to follow people or update your profile or post tweets or access your direct messages or see your 
email address or see your password. So there are a lot of things it will not be able to do; the only things we will be able to do are see your tweets and see who you follow, which is pretty much what anyone with a Twitter login can already see: anybody's tweet history and who they follow. But we're not even going that far; we're just going as far as saying you are somebody. So in this case I'm going to log in, if I remember my password correctly. I will sign in, and nope, I don't remember my password. Let me go ahead and check that. All right, so I've copied it from somewhere else and pasted it in, and now it says okay, you've logged in and I am who I say I am, I'm Tim Corey. Do you want to authorize Tim's MVC demo to use your account? Again, just for these permissions; in our case we aren't going to use those permissions, but we'd have access to them if we really wanted to. So in this case we're going to say yep, I'm going to authorize this app, and we'll go back to our original application. It says hey, you've successfully authenticated with Twitter, please enter a user name for this site below and click Register to finish logging in. It's an email address, so tim@iamtimcorey.com, Register, done. Hello tim@iamtimcorey.com. So I have the same setup as my me@timothycorey.com account, except the difference is I don't have a password, so it just says Create. But I do have one external login, which is Twitter. All right, and again no two-factor authentication, which we're not doing today. So that's it; now I have successfully logged in with Twitter as well as just directly onto the site. So let's close out of this and let's look at our SQL database. Go back over here to the SQL Server Object Explorer, right-click on AspNetUsers and say View Data, and now we have two email addresses. The first one is my me@timothycorey.com, the second one is tim@iamtimcorey.com. Notice the password hash: for the first one I actually have a password hash; the second
one's null. Remember it said Create a password; I don't have a password on this site, I just log in using Twitter. So it handles the idea of yeah, we don't know who you are as far as your password goes, but we do know who you are because Twitter says that's who you are. So we've used Twitter to store the password and deal with all those hassles instead of us dealing with all the hassles of storing that password locally. So it's really up to you. You can actually blend the two; like I said, you can create a password for this person and then they wouldn't have to log in using Twitter. They could log in with just a username and password, or they could log in with Twitter; either way it would work, it's the same account. So that's kind of nice, but that's the difference between the Twitter login and the regular user login: it's whether or not we store and handle the password ourselves. All right, so so far we have logged in with our regular login and password and also with Twitter, but that really hasn't affected anything about the site, so let's go ahead and change that now. Let's go to our Controllers folder, inside the HomeController, and show how you lock this down based upon who a person is or whether or not they're logged in. Let's start with just the really simple [Authorize], if you spell it right. I'm going to put this attribute right above the About method. Now remember, with MVC this About method in the HomeController will have a path of /Home/About, and in the Views we have a Home folder and inside there we have an About page. So when they call the About page, it's going to call this controller, which is going to launch the view, which is this right here, About.cshtml. So it's just an about page, no big deal. But let's pretend like this is a page I didn't want a non-logged-in person to see. In that case I just put [Authorize] over that About page and say you can't get there unless you're authorized, meaning you've just logged in. That's the very foundation,
basic as it gets: it doesn't matter who you are, you can register right now and then see that page, it's just that you have to be logged in, you can't be an anonymous user. So let's run this, and once it launches we're going to try and go to that About page before we're logged in. So I'll make sure we're logged out; we're not logged in, as it says Register or Log in. Let's go to the Contact page; the Contact page is fine. Let's go to the About page; it doesn't go there. Instead, notice the URL: it says /Account/Login and then a question mark, which on a URL means okay, here are some parameters afterwards, which are key-value pairs. In this case the key is ReturnUrl and the value, where %2F means slash, is /Home/About. So that's the page we were trying to get to. It says okay, nope, we're going to send you to the login page, but the ReturnUrl is /Home/About. So let's use our Twitter login; it's as easy as you go okay, no problem, I'm already logged in, it's got that cookie on my site, so we don't have to actually say yes, authorize again. So I'm logged in now as hello tim@iamtimcorey.com and it took me back to the /Home/About page. So since I couldn't go there initially without being logged in, it took me to a login page, but then remembered where I wanted to go so that once I did log in it would send me to where I wanted to go, which is a common, nice little feature. All right, so that's the About page, which I'm so glad we secured. Let's log off; now notice if I go back to About it won't go there anymore. All right, so that's pretty simple, but now let's go ahead and take it up a notch. Let's actually cut this out from here and instead put it over our controller, so it's over our HomeController. What this means is that now everything in the HomeController has to be authorized, meaning you have to be logged in in order to have access to any of these things. Very important note here: we're not authorizing the AccountController, okay, because the AccountController,
notice, says [Authorize] above it, but then down here where we have the Login we have [AllowAnonymous]. So you couldn't have the [Authorize] at the very top and not have [AllowAnonymous] on the Login page, because we can't say you can't get to the login page until you log in; how are you logging in without getting to the login page? It's kind of a circular problem there. So make sure that you don't try to lock down the login page; that's an important page to keep open. But in our case it's the HomeController, and the HomeController doesn't have anything like that; there's no login in this page, that's again the AccountController. So we can just say authorize everything, which means that Index, About and Contact all need to be accessed only by a logged-in person. Let's run this again and see how that affects our site. So once we log in here, instead of going to our home page (which it actually does, but notice the ReturnUrl now is just a slash, which means home) we can't go anywhere until we log in. So if I try About, nope; Contact, nope; Home, nope; we have to log in first. I log in once, I come back, and now I can get everywhere: Home, About, Contact. So that's how we use, very simply, the [Authorize]. It's just a decorator that says either this controller, which means everything in here, or one particular action in the controller needs to be accessed only by a person who has authenticated. The reason you would do this is because you say, you know what, I don't want to allow anonymous access to this particular thing. It could be as simple as we have an internal schedule for a company of when things get done, but we don't want our web users to see that schedule; well, you put [Authorize] on that particular action, but everything else is publicly accessible, you know, our sales page and about us and all that good stuff anyone can get to, but you have to log in to see our internal production schedule. We don't care who you are, you just have to be a company employee, and only company employees then would get
login names. Right now we allow anyone to register; we'd probably turn that off and say you have to be registered by somebody else and then you can have access, but that's another story for another day. So that's [Authorize], but now let's add the next step, which is to say, you know what, I want to say that anyone in a particular role can have access to a page but not somebody in a different role. We'll make it really simple: we'll keep it to an Admin role, where admins have access to everything, and then there's the standard User role, which has access to only a smaller percentage of things. To do that, the first thing you need to do is set up roles. So let's go back to our SQL Server Object Explorer and go to the AspNetRoles table, right-click and say View Data. We have an Id field and a Name field. This is actually a pretty simple table to use, especially since it has just two fields; we have to give it both an Id and a Name. So I'll give an Id of 1 and a Name of User, tab down and say Id of 2 and Name of Admin. That's it. So now I have two roles: User is 1 and Admin is 2. Next let's look at the AspNetUserRoles table, View Data, and it has UserId and RoleId. What this does is tie the users table to the roles table: this is okay, what's your user and what role do they have. So let's open up our users table, and again that's the user Id. Let's grab my first one, my me@timothycorey.com; I'm going to grab the Id, copy that, go back over to my user roles table and say that that user Id (I'll paste it in) has the role of 1, which is User. That's it. Now come back over here and grab the other user Id, which is my Twitter login, and I'll say that user Id has a role of 2, which is Admin. All right, I'm done; that's all I have to do, and now my Twitter user is an Admin and my normal login, my me@timothycorey.com, is a User role. Right now we're not doing anything with those, so let's change that. So instead of saying just [Authorize], well, you
know what, let's leave [Authorize] on the whole controller, but let's actually drill it down even more and say [Authorize(Roles = "Admin")]. So on About we're going to say you actually have to be an Admin in order to see the About page. So it's not just authorized, it's authorized with a particular role. We'll do the same thing down here for Contact, but instead of Admin we're going to say you have to be a User in order to see the Contact page. Let's run this. Okay, so the first thing I see is no matter who we are we can't go to Home, About or Contact, so it's going to the login. I log in with my Twitter account, and notice I was trying to go to Contact; well, Contact is User only. Let's go to About; I can go to About. I can go Home; Home has no specificity, so I see it logged in as someone. For Contact I have to be a User; I'm not a User, I'm an Admin. But for About I have to be an Admin, and I can go to the About page. So now let's log off, which again throws me back to the login page because I can't go anywhere if I'm not logged in, and let's log in as my other account. I can go to the home page; I can go to the Contact page, but I can't go to the About page. So now I have limited my access based upon who I am. What we'd normally do, and this is obviously a demo, is that normally an Admin would also be a User, but maybe we don't want to do that; maybe we don't mix those two and say they are totally separate. You know, there's the sales team and there's the marketing team, and sales has access to certain things, marketing has access to different things; they're not a superset of one another like an Admin and a User are. But maybe there are some things where you say, you know what, everyone should have access to Contact, or at least these two teams should. So we're going to say comma Admin, so now Roles is User or Admin; as long as you're in one of those two groups you'll have access, but not if you're just logged in. I'll demonstrate that as well, so let's log in
with Twitter. Remember Twitter didn't work with the Contact page; let's go to the Contact page, and now I can get there. I can also go to the About page. Whereas if I log out and log in with my other account, I can get to the Contact page but still not the About page, because the About page is just Admin. Let's log off again, and we're going to register instead. Let's just do test@test.com and a password. So now I'm logged in as somebody, but remember, I had to add my users to a group, and I haven't added test@test.com to any groups. So the About page, nope; the Contact page, nope, because both of those require me to be in a specific group: either the Admin group for the About page, or either the User or Admin group for the Contact page. Because I've just registered, I don't have any of those groups. That's how you get around, or allow, anyone to register and yet limit certain things. You could say that you have an Employee group and every employee gets added to that group, so you could allow users to register and they could maybe have more insider access to your site, but they wouldn't have the employee access necessary to see that production schedule, you know, or whatever it is. Those access levels then allow you to kind of dial in what you can see or not. You can even add the roles up here, so we could say for this whole controller you have to be, say, Employee or User or Admin or whatever role you created, and those roles are pretty endless, so you can create whatever roles you want. I would suggest you try and keep it as limited as possible; don't go crazy, otherwise you have a bajillion different roles and you have to keep listing them out here, and that's just silly. But that does allow you to make it a little more granular who has access to what without really doing much; you just put a string here and you're done. Now one of the questions you may ask is how do I find out who it is that's actually logged in? Remember when we run this it says, you know, hi tim@iamtimcorey.com or
hi me@timothycorey.com; that's the username. We can get that fairly simply by actually using Microsoft's code, because in the ManageController, which is where you manage a lot of different things for a user account, if you scroll down here you see the user Id is captured by saying User.Identity.GetUserId(). So you can use that to grab the user Id of whoever is currently logged in, if there is a person logged in. As long as you have that [Authorize] on a controller or action, you could then in that action ask for the user Id, and from that you could get more information about the user and/or say, you know, this is who did this action. So you log, you know, Tim was logged in when he deleted five users; they could go ahead and blame me because you know who was logged in at the time the action was taken. So again, this is tip-of-the-iceberg stuff; there is so much more we could get into with authorization, but I don't want to overload you, especially since this video is already around an hour. I don't want to get into two and three and four hours for one simple video. But I just wanted to introduce you to the idea that it's not really that hard to set up an authentication system in ASP.NET MVC. It really is a matter of just changing that option at the very beginning of the template to say set up the identity for an individual, and then it adds that little local SQL database and sets everything up so that you have a login button, you have a register button, you have a forgot password button, you have a change password button, all the good stuff is already done for you. You can then just go ahead and say, well, you know, I don't like the forgot password page; go ahead and tweak it right there, because that's all under Views/Account, and there are all those different pages based upon what options you enable or disable. So that's all right there; you can make any modifications you want, you can style it differently, you can change it and make it look a little prettier
or whatever, but it's all done for you. And then adding Twitter is just a matter of adding those couple of lines, and don't forget that link down below that's going to allow you to add the information about the SSL. But even that wasn't that hard; I went to Stack Overflow, copied and pasted, and we're kind of done. Facebook is even easier, so is the Google authentication, and Microsoft authentication of course. So you could allow your users to log in with four different authentication systems pretty simply. It's up to you how you use this, but I just wanted to get your feet wet in the idea that it's okay to add authentication to my system that's built by Microsoft and not by me. It does really significantly raise the bar of security; this passes a lot of security tests when it comes to privacy and protection of your site. So it's okay, and all that in just a few steps; it's not a really difficult, complex system, even if you want to use those OAuth providers like Twitter or Facebook. So with that being said, I'll wrap this video up here, but if you have any questions, or if you want to see any other areas of this, or you want to see a little more depth in a certain area, please let me know in the comments down below. I'll compile those and maybe the next video or the next time I touch on this I will throw those in as well to make sure that those are covered. All right, I hope you've enjoyed it, thanks for watching, and as always, I am Tim Corey.
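The controller-level and role-based [Authorize] setup walked through in the video, written out as an added example (not the video's own project code) for an ASP.NET MVC 5 app using Microsoft.AspNet.Identity; the namespace AuthDemo and the view messages are assumptions, and the role names must match the Name values stored in AspNetRoles.

```csharp
using System.Web.Mvc;
using Microsoft.AspNet.Identity; // supplies the GetUserId() extension on IIdentity

namespace AuthDemo.Controllers // hypothetical namespace for this example
{
    // [Authorize] on the class applies to every action in it: an anonymous
    // request is redirected to /Account/Login?ReturnUrl=<requested path>.
    [Authorize]
    public class HomeController : Controller
    {
        // Any logged-in user, whatever their roles (or none).
        public ActionResult Index()
        {
            return View();
        }

        // Members of the Admin role only. The string is compared against the
        // role claims in the cookie, so "Admin" must match the AspNetRoles.Name
        // value exactly, including case.
        [Authorize(Roles = "Admin")]
        public ActionResult About()
        {
            ViewBag.Message = "Admins only.";
            return View();
        }

        // Comma-separated roles are OR'ed: a User or an Admin may enter, while a
        // freshly registered account with no AspNetUserRoles row is refused.
        [Authorize(Roles = "User,Admin")]
        public ActionResult Contact()
        {
            // Identify the caller for audit logging of who performed the action.
            string userId = User.Identity.GetUserId();
            ViewBag.Message = "Logged in as user id " + userId;
            return View();
        }
    }

    // The login endpoint must stay reachable or nobody could ever satisfy
    // [Authorize]; [AllowAnonymous] on the action overrides the class-level rule.
    [Authorize]
    public class AccountController : Controller
    {
        [AllowAnonymous]
        public ActionResult Login(string returnUrl)
        {
            ViewBag.ReturnUrl = returnUrl;
            return View();
        }
    }
}
```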
Info
Channel: IAmTimCorey
Views: 146,962
Rating: 4.9207397 out of 5
Keywords: .net, C#, Visual Studio, code, programming, tutorial, training, how to, tim corey, C# training, C# tutorial, asp.net, asp.net mvc, asp.net oauth, asp.net mvc tutorial, asp.net mvc oauth, asp.net mvc oauth2, asp.net oauth2, asp.net oauth tutorial, asp.net oauth authentication, twitter, twitter authentication, best practices, tips, mvc, authentication, registration
Id: kpSwmLlMu9E
Length: 65min 28sec (3928 seconds)
Published: Fri Feb 09 2018