Deconstructing Blazor (.NET 8) Authentication - Authentication State Provider

Hey, good morning. Good morning, Rich. It's March 22nd, 2024. Yes, that's 2024. Still sounds a little weird to me. We're almost the first quarter into it. Yeah, yeah, I know, so that's even weirder, but here we are, uh, live on the dev talk show. And if you, uh, haven't seen us before, uh, have co-host Rich Ross and then, uh, also hosting, me. Oh, sorry, easy to point to me this one. I still did the thing where I was like, do it go across this way, that way. It does, you're right, you're right. So if you, uh, joined us last time, we took a journey to begin what I could only call deconstructing Blazor authentication by starting a new project, uh, with no interactivity. Basically, I kind of thought that I was trying to start with the least featured project possible, no interactivity, no authentication, and then what does it take to add it back in, or to add at least something back in that resembles understanding who is logged into the app. Right, right. And we learned some interesting things, which I think we'll go over, um, and hopefully, uh, hopefully if you watched you enjoyed it. Now this time, just to set the stage for people who are deciding, uh, if they want to watch the rest of the video, there's going to be a little bit of review, um, I think to basically say, hey, here's where clearly you have to get this far, otherwise it's going to crash and burn and tell you that you don't have authentication state provider set up correctly, and then try to push forward with both talking about how to do this server side and, um, and then maybe, if we have time, start getting to the end, one of the end goals here, which is have a login component instead of login pages, uh, and talk about the implications of that. So yeah, I'm checking my things here because, it's funny, it sounded like my mic was left on during the intro. Yeah, I think so. I think I heard like, I might have
heard like a can open or something, I'm not 100% sure. Yeah, very bizarre. Um, no cans unfortunately, just my coffee. Okay, well, again, I just thought I heard like, and it's, who knows, it could be a pencil running across the desk. Or, it's funny, we should do identify that sound, because it could be very interesting what, uh, what it actually is. So identify the hot mic sound. So anyways, um, yeah, I don't have a typical tool or something like that, uh, this time around, um, because we did four shows this week. This is show number, yeah. Cool. Um, so it's been a busy week, but I will, since it was kind of like on the stream yesterday, I will mention, I will kind of reuse my tip from yesterday, and that was, uh, registration is open for Microsoft Build, which is our developer conference. So go register. It's free to register to see the, uh, to see all of the digital content or the online content. Uh, if you're interested in going in person, there is an in-person component as well. Uh, highly recommend getting out there if you've not been there before, because the interaction and the people you can get to talk to at a live conference still, uh, makes it worth going. So, uh, yeah, and most of the content, uh, winds up being streamed as well, so if you can't make it, uh, can't travel, whatever the condition might be, uh, there's certainly the capability to see a lot of that, uh, technical content and actually to be able to interact remotely as well. Uh, so that is, uh, yeah, that's the site there. That's cool. 60 days, counting them down. All right, in May. Look at that, it'll be here before we know it. Yep. Yeah, and that is one of my favorite conferences, having been there a number of times prior to joining Microsoft. Um, it is a great, uh, great environment and great place to be. Yeah, maybe someday, maybe someday. I was at PDC in 2000, the predecessor, I would say, to Build. Yeah. So it's been a long time. Yeah. Going back, what was that, that was XP days, right? It was the conference
where they announced .NET to the world. Ah, even, okay, that's an auspicious one. It was, it was, yeah. In fact, it was on Channel 9 for a very long time. Uh, you know, again, I don't know the specifics, but it sounds like some of the general keynote sessions may have been lost in some way. But, um, so the way that they structured that one was, there was this general session for everybody the first couple days, and it was when they just were really pouring it on about .NET and introducing their brand new language, and VB.NET is now a first-class citizen and all of that, and it was really a transformative time. So it was just dumb luck to go to that one, because it was not specifically like, oh, I got to go to this one because of this thing they're announcing. Um, so, um, last time we specifically created an app, a Blazor web template app with .NET 8 and ASP.NET Core 8, and specifically chose no authentication and no interactivity, and then quickly discovered a couple things that was interesting. Uh, I think we discovered really fast that we could not, um, we could not use the AuthorizeView, uh, component. So for example, there's some jury-rigged code here, right, that seems to be working, but the standard Blazor way of an AuthorizeView, and then you put in here, uh, Authorized, and, and I love how it's like filling it in, because this is pretty much what I'm looking for, right. And this method allows you to, in your Razor, uh, in your Razor templates for a component, allows you to basically switch back and forth. And the moment we added this, uh, or even just tried to use the authentication state provider, it would say, what authentication state provider? You don't have one of those. And sure enough, we did not. But then when you go look at templates with interactivity, you're not seeing that service getting added anywhere. And when we dove into this particular method, AddCascadingAuthenticationState, um, that didn't work either,
so what ended up happening was, as we've talked about on this show, the way that you add Blazor Server is you add a line of code here, and then you got to come down here and, uh, add interactive server render mode. And that's basically the difference between, well, it's one of the differences between a Blazor template, uh, that's purely server-side rendered and one that has Blazor Server support. And then when we did that, it all started working, and that was mysterious a little bit. So the reason I want to review this is because folks who are watching may not have known what shortcut keys I was using. Uh, this happened to be in Visual Studio IDE. You could do all of this from Visual Studio Code as well. But the way we figured out basically the mystery was, where's an authentication state, where is it, why, where's an authentication state provider being added if it's complaining? Um, you know, like if I take this out, take this out, of course now I got to put the semicolons back in, and I think take this out, then try to run, I believe we're going to kind of be back to where we were. I guess we're about to find out. Um, this is going to open up in another window for me. Oh no, there it is right there. And here we go. Yeah, it says, look, I can't use AuthorizeView, can't do it. So, uh, see, is that enough, is that enough to bring that back? That would be cool, because then at least we would kind of know. Yeah, see, that's enough. That was enough, just adding interactive server render mode. I could have also done interactive WebAssembly, at least I believe so. So for folks who don't know, you might know if you watch the show and appreciate it, um, or even if you just know because you're a veteran Visual Studio developer, um, that if I right-click here and pick, uh, I could either say Go To Definition or Go To Implementation. Uh, sometimes I will, and I use these shortcut keys, so Ctrl+F12 here is the trick. Um, getting a little bit better with ZoomIt. There you go.
But we also have F12, and sometimes I'll just hit F12. Sometimes I know that it's going to take me to an interface and I go, no, no, no, let's go all the way to the concrete implementation. So if I hit Ctrl+F12 while I've clicked here, so the mouse is blinking, Ctrl+F12, and here we are, we have moved in to, uh, you know, using the source server, we've jumped right into the code written by the team, so this isn't our code. And the only reason I wanted to say this is just to make it clearer, if somebody was either watching the last show or maybe they've said, wow, how did he get to that code so quickly, it's really Ctrl+F12. And we are looking at the real AddInteractiveServerComponents, um, uh, extension method, which then says, okay, well, we're going to go to the services collection on builder and add server-side, um, server-side Blazor, which I know I can navigate to, can't I? It's interesting that it's fighting me there. Um, that doesn't make sense, because I know that we went further. I know we went further and we found, uh, the authentication state provider getting created, so I find that interesting that it's kind of yelling at me here. Let's try that again. Go to definition. Okay, um, AddServerSideBlazor, go to definition. Oh, huh, I don't know, that's kind of strange. But that is weird, yeah. And last time when we were here, we got all the way down to, we actually saw the authentication state provider getting added and said like, oh, okay, service to services. And see, this isn't doing much more, return the new DefaultServerSideBlazorBuilder, which, okay, um, makes me wonder, can I get here? No, this is the implementation, and then, um, interesting, it shows what it supports. And then, but yeah, it's funny because we did this last time. So yeah, we did see it. Yeah, I wonder, was it here, was it this, was it this thing? Maybe that's what it was, the AddCascading. Yeah, yeah, so it was, you needed interactive server components and then you needed AddCascadingAuthenticationState, I think. Um, so
when I come here, I hit F12 just now. Uh, the point here is, yeah, now we're seeing that it's saying, well, this is saying get a required service, but it's still not telling us where it's coming from. Um, but it is, eventually we're seeing that it's like, okay, we're going to add a cascading value, an authentication state provider. Uh, well, I take it, so what's happening here is we're adding a cascading value, and we get to add it by way of a lambda, and so what the lambda is doing is the lambda's going out and saying, go get an authentication state provider and then return it. But the question was, like, okay, well, where's that coming from? And I think we figured out that, um, you know, it's funny because I've still seen that this is going out and getting the required service, right, but where it's actually coming from is a different story. Right, it's nothing we've wired up inside of the Program.cs. Yep. Yeah, I feel like we got a touch further last time. So in any case, um, we'll get back. The interesting thing, yeah, is if I take this out and go back to just pure server side, take that out, go back to pure server side, um, and then we run this, I think we get in trouble here, where it says, yeah, AddCascadingAuthenticationState says, but I can't get that required service. Right, we saw in this code, and I'm going to F12 into AddCascadingAuthenticationState, that the first thing it says is, well, let me go get this required service, and it says it's not here, doesn't exist, there isn't one. Uh, which I think we can verify simply by putting a breakpoint here and then run it. We're going to get to that breakpoint, and I can just put my mouse over the builder.
Services. Look at that, 155 services. So I'm not going to be able to just scroll through this very quickly, but I imagine that if I did, we would not find an authentication state provider in here. So I would say that's fair. Yeah, I mean, I was hoping there'd be like eight, because then we could just look through it, and we could probably write a little code to figure it out, but let's not get too sidetracked. No. So, but as you're finding out, it's all a bit of investigation. And yeah, R kick, thanks for joining us. Uh, yes, we are, you know, we've got our sleuthing hats on here this morning. Yeah, yeah. So let me also, morning to ver verl ker, good to have you on board as well. Hopefully we'll have some, uh, good conversation here as we, uh, dig deeper into authentication. Yeah. So let's comment this out and go back to what we were doing to get around it. So for now we are precluded from using the AuthorizeView, which, and I want to make it clear that even though I'm trying to kind of live without this stuff, I am not coming to any kind of conclusion that you should, okay? It's more of like, okay, when it's late at night, or it's been a long day at work and you don't know why this isn't working, now we know the dependencies. We know AuthorizeView, this really key component that we are going to use a lot, requires an authentication state provider. And you say, well, where's that getting added in Program.cs? Well, it's a combination of picking an interactive mode and then adding cascading authentication state. Like, those two things work together to light this up. Okay. So we were getting around it in pure server-side mode. We were getting around it by saying we're just going to dive in ourselves, and we're going to say, get me HttpContext, let's get the user, let's get the identity, let's find out if they're authenticated, and we'll show if they are, we'll show if they're not. Uh, we were able to add HttpContext as a cascading parameter, and then look,
the rest of it goes, there's no interactive magic happening, no nothing else, and I think this now works. So let's see if the app comes up for us. Here it is. Yep, we're not authorized, of course. Yep, because we've done nothing. So that's all if you are 100% pure server side. Now, I don't know what your observations are on that. I have a couple. One of them is that I don't know how many people come to Blazor for pure server-side rendering. True, I mean, a lot of the story around it is interactivity, so there's that. Yeah, previous versions of Blazor especially, where that was part of the ball game. But what always fascinated me about Blazor in ASP.NET Core 8 is the fact that the foundation is server-side rendering. Like, that is what you get in the box, and then you layer on top of it. And in fact, thanks to the pre-rendering story, unless you do more work, you're always having some server-side rendering happening for your components. So I find it very important to say I really want to understand how this works, because, like, it's the foundational layer, and yet I could just gloss over it by adding interactive server or interactive WebAssembly, and then everything works and I just never stop and think about what that means. Huh, this is kind of interesting, right? It is, it is. Um, so let's see what we do next. And, uh, what I want to find is, it turns out in the docs, and we'll make sure we share this with everybody, uh, I thought that I had this. Okay, yes. So let's take a look in the docs here. We'll make sure we share this in the show notes. This is ASP.NET Core and .NET 8, and, uh, what you do is you're in Blazor and you scroll down to security, identity, overview, and you get a very large article, um, about this. And it talks about how this works, and it says here is the authentication state provider: the built-in authentication state provider service obtains authentication state from HttpContext.
User. That's server side. Yeah. And this explains how it integrates, and then they talk about what an authentication state provider service looks like. Uh, they're like, you typically don't use this directly, instead you use the AuthorizeView component, and we have thoroughly now addressed how you can use that. Yeah. So, um, then they talk about, uh, how you can roll your own. So that's interesting. Let's see if, uh, in fact, this is the article that talks about rolling your own. So what we're going to do, um, is we're going to see if we can do just that, for the purpose of making, uh, server-side rendered, completely server-side rendered Blazor functional with some kind of authorization. Okay, so we're not doing the interactivity, which we know would give us the ability. We're kind of, you know, like you said, rolling our own instance of it. Right. And I want to make it clear that I really don't know the value of this, because I think even in my most server-side rendered app I will probably have an island or two of interactivity, I think. But if you do that, and help me wrap my head around this, if you're adding interactivity, you've still got to go back to the program file, to the Program.cs, and say add interactive server, even if I'm only doing it in one little control? That made it, okay, yeah, that helps. Right, right. Um, okay, it makes me wonder if there's value here, and the reason I say it is, uh, what if you wanted to build essentially a kind of a static site generator? Uh, maybe not really a static site generator, but instead of your app generating a static site that's just HTML files and whatever, and you just plop it on a service and it's done, you want to go just one step above, where you say, well, it's still a content management system, so there's an app and it's pulling stuff, I don't know where it's pulling, a database or what have you, but I don't need
interactivity, I'm just splatting documentation out there. So server side's great, and you run to Blazor and you say server, and you say, you know, n, and then you just start getting stuck, because you said, hold on, I still need people to be authorized to view this. Okay, so interesting, because your site doesn't necessarily have, quote unquote, interactivity, in that I'm adding content, modifying content, or what have you, but I do have some kind of authentication, authorization I still want to put in place. Right, right. Which is a very, I mean, I'm not saying it's not, it does seem reasonable, but it also seems like if you think of all the use cases around interactivity, a large portion of them are going to involve the user adding or modifying or editing some kind of form field data in that environment, and just the consuming of content is kind of a small use case. Important, right, but small in the grand scale. Right. So we had a couple other comments. We have hello from the Philippines. That's awesome, I love that. That's great, I love that. Yeah. And then again, Ry kicks, I think, knows where we're going: yeah, still possible to use server-side rendering, but not clear on the fact that you have to implement a custom authentication state provider. So we're going to do that, and I want to try to not Jo on it too much, because I think there may be some more value in doing some other things. But let's, um, let's add a class, and I'm just going to put it in a Services folder. I am not trying to say that I'm sorting out the best practices in the world, but we're going to say that this is a, I'm even going to call it the dev talk show's authentication service provider. And so we're going to get this thing, and the first thing we want to do is we are implementing AuthenticationStateProvider. So that worked, except that it gets kind of unhappy, and so I'm going to just ask it, well, why don't you just implement the abstract class for me? And it says, okay, sure. And
interesting that it returns a Task, which is cool, because that means it's actually async ready, it's async, uh, implementable, and that could be important if your authentication state provider maybe has to go to a database or to another service to get an answer. Then I would do one of these numbers, right? Mhm. I would, uh, I would change this from a Task to an AuthenticationState, and it's not working because I haven't returned anything, but that's good to go. But it turns out for our example we're going to be totally CPU bound and just do some stuff here, okay, so I don't need to be async, and in fact if I add an async keyword it's going to say, like, oh, where's the await? Now, um, what we're going to do, and quite frankly, if you are following along and you see the Implement a custom AuthenticationStateProvider, totally cutting and pasting this code. Uh, but it gives you an idea, in a way, of what's happening under the hood, um, where your real authentication state provider is creating a claims principal, it is adding claims to it, it's creating a claims identity, and it's basically saying, okay, let's return that user, so that way the rest of the system knows, uh, the authentication status of the user. Yep. So I'm going to say we're just going to create a new identity here, and, um, we'll say new Cl, oh look, it's already trying to fill stuff in, which is cool. So helpful. Cool. And you know what, claim type, the name is John Doe, I'll go with that. Uh, and then what else do you add in here when you create a claim? Um, when you create a claims identity, first you pass a, uh, a list of claims, which we're doing using an array. And in fact, it's kind of interesting how it's telling me, I think what it's telling me here is use a collection expression, is what it's saying I could do instead, which looks like that. Okay, fine, whatever. And then the second parameter you pass is the authentication type, and I don't care if it says test authentication
type, that's totally fine with me. So we've got John Doe, that's cool. And then, um, I need to create a user, because the most important thing is, and that's the code I was going to write anyway, is, if we want to see what this is, this is a claims principal. I need a claims principal that the authentication state provider is going to return. So this method, GetAuthenticationStateAsync, is getting called by the framework, and I suppose specifically probably being called to determine which of those AuthorizeView, yeah, choices to show. Yes. Yeah. And, uh, it's saying like, oh, okay, so because we are not an async method, we get to use Task.FromResult, which basically says, hey, uh, I know I need a task, but I don't actually need to create and start and run a task, I don't need to do that, I have the answer. Yeah. So let me make a task from this result, and so what happens is you get a completed task. It's done, no exceptions, it works. You know, and I don't want to say tricking, this isn't totally right, you're basically, the rest of the system thinks, well, you must have gone off and done a lot of work, and you're like, oh yeah, I got it covered. Yes, took me all this time to write, how many mons to. It's great. So we have an authentication state provider, but this has not been registered yet. So unlike the method where we used AddInteractiveServerComponents and we got one of those, let's now say builder, I wonder if it was going to figure it out, I didn't give it much of a chance though, builder.Services, no, not quite, not AddAuthenticationCore, that's not what I'm looking for. I am looking for a scoped service though, and, uh, that's it, bingo. Great job. That's awesome. I even love how it says, well, you've implemented one of these, so you probably mean yours, right? And it's like, yep, that's correct. There's a little bit of using magic to do here, so that's in, and then another little bit of using magic to do here, so that's in
our own services and the actual abstract class. Now I believe, but I believe that this now allows me to come back here and bring back this section, I think. Pretty sure. So we're gonna find out. Yeah, we're about to find out. And I also believe that none of this is going to work unless I add cascading authentication state, because I think this relies on it. But let's do a little bit of red green. Yep. And watch it fail, or maybe, which is fine, maybe it won't fail, but here's the answer. Run it. There you go. Yeah, here's the answer, it did blow up: cannot provide a value for the property authorization prob on this component, the AuthorizeView component, there's no registered server. So I think that's what's happened. I agree. It's just like, but wait a second, you didn't cascade it down to me, the component that wants to figure this out. Now we'll see if I have egg on my face here, because we've just added that line back in, and, ah, look at that, still did not work entirely. Okay, so there's more to it than that. It's saying I don't have an authorization policy, and, um, it could be because, what I wasn't 100% sure about is, do I actually have to go to the routes? So if you're not familiar, every Blazor project has this router component, and, uh, I mean, this is provided for you in the template. Um, and you know, we may have people in the chat like shouting, like, I know the answer, and I'm not even paying attention. I'm watching it. Oh, okay. So what I actually do kind of like about Razor is this is App.
razor, and what I like about this is it looks like the base web page. I like that. Yeah, that's a nice switch from, uh, the previous version. Yeah, I like this, where in the previous versions that was buried in wwwroot, and so it just felt a little disconnected to me. Maybe it didn't bother anybody else. So the Routes component that is kind of dropped in here, this is responsible for kind of displaying, you know, here are the pages that you can visit, uh, and then it provides all the routing for that too. So you want a route, you want your Routes component, but your Routes component is your own, this is your own component, so that's sitting right here in Routes.razor. And what I did not do here is I did not say, see, I didn't know that I'd have to do this though, that's the thing. Um, but maybe this will become clear in a second. I want to say AuthorizeRouteView and the route data. Oh, see, now that's interesting, it got, when I, I think what, oh, well, now it's saying, is this what you wanted? So let's go with that for a second. Okay, one of the problems here is we need a using directive. Sure. I could go put this in the, uh, _Imports.
razor, I could do that. Maybe we'll move it in a little bit, as long as we find out we need it. Yeah, right. And this is complaining because it's not closed. Okay, so we'll close that. Now the question here is, I don't think I want it to look like this. I think, uh, RouteView, route data, I want to say that this is going to drop in here. I think it probably has to be in Authorized. This doesn't make a lot of sense to me, because I actually don't, I want an anonymous path. Okay, we might have to look at another template too, because I feel like this is going to prevent me from seeing anything. Oh, this is, oh, interesting, it accepts content through, huh, there is the Authorizing state, which we have not covered all that much. Authorizing. Authorizing, right, we haven't covered that very much, and it's a state that I've just started to discover, which is what you can show to the user while you're out figuring out whether or not they're authorized. Hold please. Yeah. So no, that didn't work either. It's still not happy: no registered service of IAuthorizationPolicyProvider. Um, let's see, is that because, let's think about why this is. Is that because I haven't, let's see, there's some things I might not have done yet. For one thing, back in this particular view, I have not injected an authentication state provider, so is that part of the issue? Am I kind of barking up the wrong tree, and the AuthorizeView is saying, hold on, if you just injected it? No, no, that's not it, because I still got the authorization policy provider issue. So the next place I was going to go when we talked about this was, what if we go create a new project and, uh, say no interactivity but we want authentication, how does it set it up? And I wonder if we'll get a clue there. Interesting. I could flounder around for a little bit, but let's see if that works. Let's see if I can get a clue from saying File, New Project. And if I go to New Project, because this will kind of even recap how we got to where
we're at. So Blazor Web App, and we're going to say Blazor SSR, um, but with auth, right, because previously we didn't. So the last time, the way we got to where we're at is we started with authentication type None and interactive render mode None. Yeah. Let's try this and see if we get a clue about how it works out. So interactive render mode is None, but yet we have login support. What does that look like? And so here, this is interesting, it started dropping in a bunch of stuff. It dropped in a server authentication state provider. Huh. Okay, they, server-side rendering. Yeah, they dropped it in for us. Instead of what I've been doing, is I've been going out and saying, well, let's add the Blazor server components, they said, well, you're not getting that, so let's add it in. I am not quite ready to add this stuff in. This stuff will be important, this will be important. Um, and then of course they go a little bit further, they go ahead and they add a cookie scheme, and here's the database, and I was just trying to say, like, let's find out all that stuff works later, including this, which is important stuff, MapAdditionalIdentityEndpoints. That's all really important, but that is an interesting, uh, piece of news. But now let's go look at how their router component looks, Routes.
razor. So, oh, I see, yeah, there's a lot going on here. We have an AuthorizeRouteView, which looks like it is, uh, this component supplies a cascading parameter which makes the user's current authentication state available to descendants, so you don't have to add the cascading parameter because it does it for you. AuthorizeRouteView, and if you're not authorized, they're going to redirect to login, which is not going to work for us because we don't have any of this code in. What, the other thing that's interesting is, look at that code, that's not a Microsoft component, so, quote unquote, it's yours, this is your project. RedirectToLogin. Oh wow, it's code that's been written for you. So where was it again? It's, um, Components, Account, Shared, RedirectToLogin. Okay, quite a bit of stuff gets dropped on you, and part of what the deconstruction has been is to say, like, so what gets dropped on you? Right. It's going slower than I kind of wanted to, but, uh, I think it, uh, it also surprises a little what it did try and drop in in this, yeah, instance. Yeah, it added cascading authentication state. That's interesting: this is equivalent to having a CascadingAuthenticationState component at the root of your component hierarchy, but yet over in Routes.razor this says that it supplies the cascading parameter. That's interesting, I wonder if there's some redundancy there. I don't know that there is. And now let's go look at the home page that they generate. I'm sorry, wrong spot. Let's close Account and go to Pages and open the home page, and there's just like nothing there, so that's fine. But this page requires authentication, and the AuthorizeView just works. Huh, you're just happy. So okay, all right, let's see if we can add some of that stuff back in. So we are now, for people following along, we are back in our project, which was kind of built from scratch. Yeah. And let's see what this takes. We know we have Razor components, we added our own authentication state provider, so I don't
necessarily think that we want to change that. Uh, AddCascadingAuthenticationState in their template is first. I do not know if order is going to matter here, but I don't think, like, it doesn't feel like it should. But, well, doesn't the AddCascadingAuthenticationState need the authentication state provider? I don't know, maybe. I mean, because that was when we, right, when we started going down that path. Yeah, I thought the cascading state, um, something in that tries to get your authentication state provider. You know what, that's a good point, is when we F12 into it, get required service, and maybe it was blowing up there. So let's make that the only change. Okay. I was going to add this line too, but let's make that the only change and see just where it moves us to. And, uh, we still have this issue about can't provide a valid prop value for property authorization policy provider. So I'm kind of interested here, is, like, okay, where is this authorization policy provider coming from? Now, um, but let's see, now in Routes.razor I'm going to compare it to what they did, and they do, so we have an AuthorizeRouteView, yeah, and we have a NotAuthorized. And then, oh, you know what might have been interesting is maybe I don't want to have a second route view, although I don't think that's the issue. But now we kind of look a lot like what theirs does. Sure. Found context, we have an AuthorizeRouteView, for NotAuthorized we're not going to redirect, we're just going to say you can't come here, and FocusOnNavigate. So I still think we're missing something though. Okay, still not, still same spot. Yeah. But where we still differ is here in Home.razor, and the way we differ is, oh sorry, not Home.razor, o.
raiser the way we differ is I I really don't want an authorized attribute right um because I'm trying to allow this page to be viewable by both so I really don't want that yeah because that I mean it doesn't matter that you've got that authorized view wrapped in that control because everything on that page is authorized view yeah at least that's that should be correct um that should be correct so here's where I think it could be I think this could be what we're missing add authorization okay let's F12 into it and see if we can figure it out uh interesting that is it going to let me go to an implementation that would be really cool no I'm having trouble getting to an implementation um let's go back and try straight from here go to implementation okay cool now we added some services including authorization policy cache H we added authorization core which I'm going to try to control F12 in two let's go see what's in there H it didn't it's not doing it oh I didn't do what I wanted Okay add authorization core and look at this one oh nice okay called auth policy provider so I think we might know where some of that Magic's coming from okay and it does explain why at least to me it explains why when I created a brand new project even though we got all this other Gunk this was a line of code that we hadn't been used to seeing yeah we did not need it if we said add interactive server components and I just feel like that add interactive server components is doing some it's doing extra stuff it's it must be setting this up it's setting up an authentication State provider it's doing a little bit more than one would expect right so now after saying all that build succeeded that's cool it builds and look at this so um authorized you are not authorized let's go take I I'd like to believe that that is uh I'd like to believe that that's just mistake on the page but we could have learned a lot by building a non-interactive app with authentication right but I'm almost kind of glad 
that we didn't because what happens is you get you get this and while this is cool um you're just getting you're getting the database you're getting cookies you're getting stuff that's like I'm just not ready for that yet I just kind of want to see how this works so why is it saying that um I think we're authorized I think we're authorized but not authenticated because this app does not require authentication I'm sorry this page does not require authentication so uh I think that's what's happening here and and we can there's ways to to work on this to build this to say like hey you can only get in here if you meet a certain policy we haven't done any of that we haven't defined any policies we haven't done anything like that yep what's interesting to me though is we are still not getting this part which I was hoping that it would say you're logged in as a certain user we're not seeing that which would to your point because since we're not authenticated we never get into that block at 23 so that's true but I had hoped that our custom auth authentication service provider would say yes look here's your user here they are so I mean it might not do that let's um I want to set a breakpoint why can't I set a breakpoint here oh I can set one there oh and it doesn't even trip no cuz it's not because it never gets to true yeah you're right that's where you need it you're right so let's so if context there is a context but I guess running interact because they're running on the server the user is not authenticated interesting user authenticated equals false even though let's see if there's an identity in here though that John Doe identity no it's null it's null it's got claims okay go back to it that no no claims at all right interesting okay there is an identity so it's almost like it didn't pick up that identity yeah and uh uh I don't know that I needed this is that so is that so it persists the identity oh why did I have that injected yeah I I it was kind of an onalar thing 
okay so let's try a couple other things um we have a custom authentication State provider okay fine and then we've I I wonder if we have to also Implement let's go to our custom authentication State provider do we have to also Implement and this is straight from the docs so just cutting and pasting here and then we'll deal with the consequences we have to implement this where we say authenticate user because it really looks oh okay so the code changes a little bit so we have this authenticate user method that looks a lot like the one from earlier yeah um except except that what happens is this code changes and this is this is just coming out of the doc so I'm going to go ahead and just paste it in so instead they say when you when you call get authentication State async let's create a new identity let's create a new claims principal uh and when somebody calls authenticate user with a user identifier we're just going to create an identity notify that the authentication state has changed the interesting thing to me is how do I get someone to sign in maybe this is the whole I wonder if this is leading me down a way where yes you're teaching me something but it's not really where I want to go I don't know for sure so this authenticate user method could now be called to basically create a user uh and then notify that state has changed notify that the authentication state has changed yeah and pass it along go ahead that code in there uhhuh at some point would get replaced point to whatever your actual implementation is the real signin code yeah this is sort of the I don't really want anyone to have to sign in version yep yep so what if it make sense for me to override on initialized and then in here say uh uh what is that thing called called um it's called authenticate user but it's not going to be that easy no called authenticate user I don't know is it going to be able to help us no it's like I got no idea what you're talking about and let's say that the username is 
me and I don't need anything else but we're going to have to call this thing and uh we want the tdts authentication State provider is that what that was called yes yep PS authentication State provider which it's now complaining saying hold on you don't even have a using for that so now we do yeah I don't I don't know if this is really what I want but um does it say what it's complaining about seems happier it kind does but what I'm doing is I'm basically saying can you go grab an authentication State provider but see now it's complaining because it's saying hold on this is a type so that goes back to this whole thing where let's go inject it again and probably not the way you want to use this long term and and now I've never been a big fan of injecting this stuff with the same exact name I know a lot of things do that but then I feel like it's not easy for me to tell am I providing a class or am I providing an instance yeah and I'm providing an instance so let's do that and so on initialized I don't know if this is going to work this is saying let's go authenticate a user with this name let's do that okay so one of our you're not authorized things should go away if this works yeah as you can see it did not oh so so it's possible um there's some other things that might be going on here too well do we still have that break point on the authenticate user I right here uh I guess that's the so we have the context context as a user the user is not authenticated so the other possibility here um we got about last five minutes yeah last five minutes I we might be getting far enough away that maybe we've discovered enough I don't necessarily want to give up but no no but I think like have we discovered enough that we could move forward um I don't know yet because I think where I'd like to land is I'd like for there to be a login component I would like to not necessarily have to use the the database although I've gone back and forth on that because even when you use external 
auth it's like I'm probably going to want to store some data about it so I'm not trying to say that that's totally a waste of time but let's see here now can I can I do this when I say can I do this you're like on the edge of your seat what does that even mean um in on initialized HTTP context has this helper method at least uh I thought it had this helper method maybe it's an extension method see what happens when I right click on it yep yep so ASP.NET Core is offering an extension method on HTTP context called sign in async huh okay now let's go back to our authentication State provider we created a claims identity and we supplied the claims and we called the scheme custom Authentication we need that we need that scheme name so first thing it takes well one of the extension methods takes let's try to find the one that I want is it takes a scheme all right and then we need a claims principal but claims principal see this is where I think it's weird that claims principal I I I wanted to get out of the authentication State provider that was my take was sure that's where I should get it so something's not right here but I suppose this doesn't feel like it's a good long-term answer um if I create all that right here and then user identifier is going to be my name and then uh whoops I double oted there so this isn't even going to be important and what else to sign in take you got to provide the principal which is user you have which is user yep and then I want to provide do I have to provide anything else or am I good I don't think so I think it was just those two it's the semicolon complaining about yeah yeah okay there's another thing you can provide which is properties on the authentication which will be useful later if we want things to be uh like if you want to have like a check me a remember me type box we have to await this async I needed the on initialized async one is that yeah oh wow from memory one last try although that still looks funny oh it's a possibly a 
null reference okay sure it might be and no it's not it wasn't happy a service collection add authentication that's weird though because I thought we did that yeah but did we interesting yeah oh no add authorization is here oh has that been my problem the whole time has that been my problem the whole time that I said add authentication oh wow that would be in fact let me go back to oh no okay it might be that you really need both see this add authentication part yeah we didn't really deal with that all that well so let's let's let's try this and then we'll if it doesn't work then we know what we're we're up to because maybe maybe the authentication State provider is like I'm trying you just didn't give me everything no it still did not work oh but it's close though no signin authentication handlers are registered did you forget to call AddCookie it's basically I love it I love when it's like like hey you know nudge nudge here you go did you forget to do something and um sure I keep saying that that's the last one right that's okay I mean is it it okay and you can just say add cookie or you can add the scheme and our scheme is called custom authentication I think okay that's a whole interesting World about this auth schemes and how they're all they all hang on strings yep custom authentication custom authentication and look at that now they're both say not authorized so we didn't go the direction we wanted but we certainly we're certainly kind of back in business so um it could be that we need to to sign in now that I've quote unquote though run that sign in I wonder I wonder let me run this again look at that so on initialized async did the work but the page was already rendered because we didn't have interactivity yeah yeah the page was already rendered and so when I all I did was hit refresh and the app is like yeah you're logged in I've got a user yeah and uh now that's obviously not an experience that we want but that's interesting that um but let's be honest 
right if if I authenticate I'm going to go to a page where I log in and authenticate myself and then I'm going to go back to this page with context that says hey you need to be authorized you're authorized yes right so right I and I know you want to get to the point of having that control in the corner that does that but if we think about typically server side how it happens there's a separate login page and then you come back yep yep so I think those last few minutes might have gotten a little confusing and I certain those last few minutes yeah we certainly tried to push pretty hard at the end there um trying to find my uh my little control booth for the stream so definitely yeah I got it so we definitely kind of pushed there at the end but so unlike the last episode I anybody watching I'm not 100% confident that we've totally kind of backpedal into uh into something that that you want to put in on your own but I wonder if we're closer to being able to say okay here's the file new project can we take things out so that I don't have my I'm not managing my own usernames and passwords um that's not even an option on my site you come in you show up it's external auth and you might ask why do I want that because I think there's a lot of developers who might be building an app for internal use and they just want it to work they just want to say like you're already logged into your computer at at work like shouldn't it just work it's a scary proposition well I mean there's a lot of I don't know that's not something that you've seen it um I think that's I think that's classic security it's the castle moat thing right we've got our castle and there's a moat protecting and once you're in the castle it's all good but if somebody gets into the castle everything's open to them in that kind of a scenario so it's really not it's it becomes almost a and now I'm blank on the term we use but essentially it's a um everything everything is still locked down even if you're in the 
environment yeah um no I certainly know what you're talking about where okay so there's a lot of services that are used at places I work that they tie into your corporate SSO and so even if you're logged into your laptop it still makes you click and then the click might or it might not go authenticate you again but I guess what I'm driving at is that if you use the default Blazor templates it it's you're getting a a create a new username password experience that I'm trying to get rid of because I think there are a lot of folks who are saying I've been tasked to build a project for work and I want that single sign in to work yeah so maybe you're right that it's not a just an automatic experience but at least it is there isn't any option that says create a new account give me a new because that none of that stuff is useful in that particular scenario absolutely yeah that I agree with yeah so hopefully we learned a lot today I did I think we saw some good stuff there I think it was fun yeah I I thought it got a little jumbled at the end and I'm still a little unclear as to whether we even need to implement our own authentication State provider anymore because the template provides that server authentication State provider so maybe we don't have to do that um I'm sure there are great use cases for it but I wonder if that was a little bit overreaching where it's like oh we can just use the one that that they put in for you when you use Blazor server but still trying to stay completely server side for at least as long as possible yeah um I don't know how useful that is only because even even the apps that I've thought of there's some interactivity that I like here and there and you could certainly bypass a lot of this by just saying like Okay let's just start working on the component because we've that before we've built a login component yeah uh it wasn't complete but it did certainly sign in and sign out yes which is what we needed so yeah all right cool cool awesome 
stuff thank you CHR nine yeah thanks everybody who joined us online and don't forget you can watch all the replays we're at youtube.com thedev talk show um any comments that you have anything you discover if you like this content hit the like button and uh you know we're continuing to exp you did a lot of work again back with uh the OpenAI um and DALL-E project which is really cool and I think eventually you wanted to see if we could drop authentication into it so yeah authentication and authorization so so cool all right awesome sounds fun want take us out yeah everybody uh it's Friday have a great week it is Friday right yes it is yep have a great weekend baseball's starting up I just happen to notice there are some games I don't know if it's I think I think it's opening day maybe I mean there was some games in uh South Korea but I I don't know maybe today is today might be the uh our side of the ponds opening day if you're an American uh or in North America so other than that like verl creger says it's Friday night game night that's a video game night right which is awesome that's could be true for a lot of people too no matter what you're doing have a great weekend and we'll see you all next time on the dev talk [Music] [Applause] show [Applause] [Music]
Info
Channel: The Dev Talk Show
Views: 1,138
Id: uVCzdDrXh0Y
Length: 71min 44sec (4304 seconds)
Published: Sat Mar 23 2024