Coding Short: Using Bearer Tokens in .NET 8 Identity

Captions
Hi, I'm Shawn. Welcome back to Coding Shorts. Today I want to talk about a new feature in .NET 8. This one I've really been hoping would come sooner rather than later, but in .NET 8 they've made a lot of changes to the way that Identity works, and they wanted to be able to support building JWTs from Identity without us having to hand-write all this code. That's finally come to fruition. Let's take a look at what that looks like.

[Music]

So I'm here in Visual Studio. I'm just going to create a new project, and I'm just going to create an ASP.NET Core app. This could be an app that you already have, and I'm going to call this MapMyIdentity, for lack of a better name. I'm going to create a solution. It's important that you pick .NET 8. Hopefully this will be out of preview soon, and actually we'll get a released version sometime in November, but you'll need to be in .NET 8 for any of this to work. And I'm going to turn on Individual Accounts.

Now, I think it's important to note that storing your authentication in your own databases and such is really common, but that does mean that you're going to be responsible if that database is ever breached and things can be done. That's why using something like Auth0 or Azure AD or a number of other providers out there to do your authentication is a pretty good idea, and interestingly it requires not a lot of change in your code to do that. But that's not what we're going to talk about today. I'll probably follow up with a new Coding Short about how to do that with the Windows identity platform and, more importantly, Azure AD in another video. But let's stick with this.

Let's get rid of that, and we can see, if you've been doing .NET at all, this is going to look very familiar. There are some Razor Pages in here, there's an area for Identity so you can change the layout page for those Identity pages if that's important to you, and it has a DbContext here that's just storing the data for our individual accounts.

So let's first open up a command shell, and I'm just going to say... make sure we're in the directory of the project. Yep, that's perfect. And I'm just going to say `dotnet ef database update`, because this has migrations already for building a database, and in fact it has a uniquely named database name already set up for demo databases using LocalDB. We're going to get this warning that I haven't updated the tools yet to 8.0, but it doesn't matter. All worked. We should have our application.

So if we run our new application... before we run it, I'm going to actually open up the launch profiles. I want to change the build that we're using to run this, this HTTP runner, and I just want to give it a friendly port number, because I'm going to be writing some individual tests, so I just didn't want to have to copy and paste and not remember what it is. So let's go ahead and make sure that we're going to run it with Microsoft Edge. That's perfect. And here's our brand new application, right? There's nothing in it; it's a blank slate. There's a privacy page, there's a home page, nothing much to see here. But because we added those individual accounts, it has the notion of registering and logging in. So let's make that work before we talk about how we're going to protect APIs.

So I'm just going to create a new account for shawn@aol.com. Feel free to try to reach me there, but I will tell you now that may or may not be my actual email address. Go ahead and register. Since we've registered, I should be able to log into the application, and there it says "Hello Shawn" and shows me a profile. All of that is fine, right? We have all of Identity working.

We have a particular problem here, and that problem is that while we can protect our individual Razor Pages and such with authentication now that we have it supported, it's going to be harder if we are using an API. And I'm going to use a minimal API here just to be simple. So I'm going to just create `app.MapGet("api/foo")`, and I'm just going to return some very dumb data, right? I'm just going to say return new one, two. And so all this is is just a really simple API. This could be any API that we want to secure.

Let's go ahead and run this. Since we're going to be working with the API now, let's go ahead and just change those settings to not launch the browser; we just want this to be nice and simple. And I want to create a new file here, and I'm just going to call it `test.http`. This is a file that I've covered in one of my other Coding Shorts; I'll actually leave a link to it right here. And I just want to say `GET http://localhost...` (this is one of the reasons I wanted to include a friendly port number, so I didn't have to go look at it) `/api/foo`, right? This is our API, and I should be able to just send a request and it should work, right? If I send this request, it works just like you'd expect: it gets a 200 and returns our data. All is good with the world right now.

But what if we add on to this `RequireAuthorization()`, right? We have by default Identity set up as our authorization, but we're going to say we can't get to this unless we're authorized. And this is where for years I've been teaching people how to write and generate their own JWTs. So there are sort of two problems here. One, when I go there, this minimal API isn't treated any differently than any other page, so I actually have a 200, but what did it return? It returned the login page. Probably not what you want when you're calling that API.

So there are a few different things we need to do here. In other cases I would have set up our own authentication here to support this, and even if I were writing my own and not using Identity, I would want something here that would handle that, and we'd often do that with `builder.Services.AddJwtBearer`. That is one of the options that we've used for a long time to use JWTs. But in our case we're not using JWTs. We're actually going to say `AddAuthentication`. This is a new call as part of the new Identity stuff, and here I could do things like AddCookie, AddOAuth, etc., and I'm going to `AddBearerToken`, and instead of the JwtBearer constants I'm going to say `IdentityConstants.BearerScheme`. So I'm telling it I have an authentication scheme here and I want to support bearer tokens. This doesn't mean we're only going to support bearer tokens; default Identity is still going to do what it wants, but there are going to be cases where we're going to want to support this.

And in order to do that, we actually have to create a policy. We're going to use `AddAuthorizationBuilder`, and then we're going to add a policy. We could do this with the default if this were an API-only project and we'd be good to go, but because we have web pages that we want to leave alone, we want to create a policy that we can just apply to our APIs. I'm going to call it our API policy, and then I'm just going to configure it, and what it does is it passes in a new policy object for us to go ahead and add options. First thing we're going to say is we're going to require an authenticated user. Now, you could have a lot of different kinds of limitations, but usually this is the first one: make sure that if I've applied this policy somewhere, that API is going to require authentication. And the other one is I'm going to add authentication schemes, and, much to your surprise, I'm going to say `IdentityConstants.BearerScheme`. And I'll simply come down here to our `RequireAuthorization` and give it the name of the policy that this is going to follow, right? All we're doing is setting up bearer tokens to be used by our APIs in conjunction with Identity.

So if we run this again and we send that request again, we're going to get an Unauthorized, because the bearer token knows that this is for requests that don't need to be redirected to a login page; instead it needs to return the status code. So we're sort of halfway there. Now we have an API, and what we want to be able to do is say `Authorization: Bearer` and then some magic number, right? That's how we want to be able to access this. But we have to have a way of getting that, and this is where a lot of effort can be put into having an endpoint that generates the JWT and then adding the JWT middleware to check for the bearer token to make sure it's valid.

But because Identity wanted to simplify this, we can actually just come over here to where we're adding default Identity and add a new piece that says `AddApiEndpoints`. What does that mean? It means that these API endpoints are going to support logging in and registering and some of the other things that you would normally do through the UI, through the API. So let's assume that maybe you're using a SPA as your front end. Instead of having to write all of these, these are just going to add those API endpoints. We still need to map them, though. So let's go ahead and say `app.MapIdentityApi`, and we need to give it the class that represents a user, `IdentityUser`. Normally you would derive this and do some different things, but we can say `IdentityUser` for now. And this would work, but this is going to add them to the root of the website, and so what you're usually going to do is actually say `MapGroup`, which allows you to create an endpoint that has other endpoints. And so I'm going to say this is going to be `api/auth`, and then we're going to map all of our Identity APIs from that group. That's just going to allow us to put these API endpoints for Identity prefixed by some URL. That's really all it's doing for us there.

So what does that mean? If we run this now that we have all this working, we should be able to create another call: `GET localhost:8088` again, `api/auth/login`. So this is adding on to that group a login, and we're going to say Content-Type is application/json (and it's up to you, you can misspell it or spell it correctly). And here I'm just going to say username. These are documented, the data that it's expecting, but for login it should be pretty obvious: username and password. I'm going to say shawn@aol.com, remember this is the user that I registered with the website, and password equals password. And if I send this request, we're going to get a Method Not Allowed, and that's because we're generating something, we're generating a token, so this has to be a POST. And what it returns is an object that contains the bearer token as well as a refresh token. We're just going to grab that bearer token. It also says how long until it expires, and by default it expires in 3600 seconds, which, if I could do the math, I would do better.

So we should be able to just replace our bearer token with this token we just got from the server, right? Well, we can. Now it works. If we get rid of the authorization header and send it: Unauthorized. But as soon as we include that authorization header, it works. And so at no point in our program do we get our hands dirty building JWTs, validating JWTs. But this only works with Identity accounts. This is where you're using Identity stored in your own data stores to store your own data. In the case of something like Azure AD or Auth0 or any of the other providers that are out there, they're going to be responsible for generating the JWTs for you, and so you wouldn't need this in that case anyway. Make sense?

What I really like about this is that .NET 8 is finally exposing this idea of simplifying Identity for a lot of users. A lot of users aren't going to use third-party providers like Azure AD, and they have existing sites that use this that they want to simplify in being able to secure their APIs. This provides a really simple way of doing it without having to necessarily understand everything about how JWTs are generated, how refresh tokens work, any of that. It just works, and because of that I'm pretty happy.

If you ever get to this part of the video, you know that I'm usually asking you to register and like and subscribe and all of the other stuff. I want to say to all of you viewers who have watched me before, I want to thank you. We hit 10,000 subscribers. Small number in YouTube terms, but a big number in my heart. Really happy we're getting there. Spread the word if you think the content I'm making is useful to your co-workers and others, and if you haven't subscribed, go ahead and do it. Go ahead and ask any questions you have in the comments and I will do my best to point you in the right direction. For Coding Shorts, this has been Shawn Wildermuth. I'll see you next time.

[Music]
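The configuration the captions walk through, assembled into one Program.cs as an added example (not the video's or the template's own code): the bearer-token scheme next to the Identity cookie, the API-only policy, the Identity endpoints under /api/auth, and the protected minimal API. `ApplicationDbContext`, the `MapMyIdentity.Data` namespace and the `DefaultConnection` connection string are assumed from the Razor Pages + Individual Accounts template.

```csharp
// Program.cs for a .NET 8 Razor Pages app created with Individual Accounts.
// Assumed from the template (not shown in the video): ApplicationDbContext,
// its namespace, and the "DefaultConnection" LocalDB connection string.
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using MapMyIdentity.Data;   // assumption: template namespace of ApplicationDbContext

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<ApplicationDbContext>(opts =>
    opts.UseSqlServer(builder.Configuration.GetConnectionString("DefaultConnection")));

// AddApiEndpoints() registers what MapIdentityApi needs (register, login, refresh...),
// so no hand-written token endpoint is required. RequireConfirmedAccount is the
// template default; with no IEmailSender the Register page shows a dev confirm link.
builder.Services.AddDefaultIdentity<IdentityUser>(o => o.SignIn.RequireConfirmedAccount = true)
    .AddEntityFrameworkStores<ApplicationDbContext>()
    .AddApiEndpoints();

// Add the bearer-token scheme beside the Identity cookie. The cookie stays the
// default scheme, so the Razor Pages keep redirecting to the login page.
builder.Services.AddAuthentication()
    .AddBearerToken(IdentityConstants.BearerScheme);

// A named policy used only by the APIs. Naming the bearer scheme here is what makes
// a missing or invalid token produce a 401 instead of a redirect to the login page.
builder.Services.AddAuthorizationBuilder()
    .AddPolicy("api_policy", policy =>
    {
        policy.RequireAuthenticatedUser();
        policy.AddAuthenticationSchemes(IdentityConstants.BearerScheme);
    });

builder.Services.AddRazorPages();

var app = builder.Build();
app.UseStaticFiles();
app.UseAuthentication();
app.UseAuthorization();
app.MapRazorPages();

// Identity's endpoints prefixed with /api/auth. POST /api/auth/login with
// {"email": "...", "password": "..."} returns tokenType, accessToken,
// expiresIn (3600 by default) and refreshToken. The access token is an opaque
// Data Protection-encrypted ticket, not a JWT, so only this app (or apps sharing
// its Data Protection keys) can validate it.
app.MapGroup("/api/auth").MapIdentityApi<IdentityUser>();

// The protected API: call it with "Authorization: Bearer <accessToken>".
app.MapGet("/api/foo", () => new[] { 1, 2 })
   .RequireAuthorization("api_policy");

app.Run();
```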
Info
Channel: Shawn Wildermuth
Views: 3,189
Keywords: JavaScript, TypeScript, Node, Node.js, Web Development
Id: owoy6DG0UG0
Length: 14min 30sec (870 seconds)
Published: Thu Aug 31 2023