Let's Learn .NET: Auth and Identity

Captions
Hello, hello, welcome everybody. Thank you so much for joining us here today for the Let's Learn .NET Auth and Identity event. Good morning, good evening, good afternoon, wherever in the world you are joining us from. We are so happy that you are joining us here today for this event. I'm joining in from New York. My name is Jamie Singleton, I will be your host for today. I work on the community program developer team at Microsoft, and today I am joined with some awesome experts as we're gonna walk through getting you started with authentication, authorization and identity.

So before we get started I just wanna walk through the agenda for today. If you want, you can all head over to the Let's Learn event page, and at the top of that there's a little link that says Auth Resources. Yep, there we go, thanks Cam. So Auth Resources has all of the resources for this event: it has a link to the event page, it also has a link to both workshops that we'll be doing, it has a blog, and also a place to download .NET. And then if we go back to the event page (Cam, thank you) and we scroll down, there's the event agenda. Here you are, here with me, Jamie Singleton. We'll get started in just a moment with Cam Soper to talk about the fundamentals of authentication, authorization and identity. We'll take a quick Q&A, we'll do the first workshop, another Q&A, and the second workshop, and then don't worry, we'll save time at the end for more questions. We want to make sure that we answer as many questions as possible. We're here to help you. We do have experts in the chat, so feel free to ask your questions there and we'll do the best to answer all of the questions that we do. So I'm gonna bring on Cam, who's my first host. Let's go, here we go. Hey Cam.

Hi Jamie, how are you doing?

I am great. I agree, it is a sunny day, and so I couldn't be more grateful. So why don't you go ahead and introduce yourself.

Hi, I'm Cam Soper,
I am a content developer here at Microsoft. I work on lots of different .NET topics. I'm also kind of into doing the streaming and video stuff; folks may have seen me on On .NET Live, where we have a weekly webcast where we feature guests from the community.

Lovely, I absolutely love that. Yeah, I work with Cam a lot and I am so excited to have you for our first presenter today. So why don't you give us a little rundown of kind of what you're going to be talking about, and I'll let you take it from there.

Okay, so go ahead and share my screen real quick. So Matt and I are going to be going through two different Microsoft Learn modules today. The first one is going to deal with the ASP.NET Core Identity framework, which is the built-in authentication for ASP.NET, I'm sorry, ASP.NET Core web apps. The second module we'll be going through will be the Microsoft identity platform, which is a third-party authentication that you can integrate into your application. I'm sure Matt's going to show you ASP.NET Core, but the cool thing about Microsoft identity framework is it's pretty platform agnostic: it's a cloud-based service and you can integrate it with lots of different services.

So before we dive in we should talk about terms, right? Let's talk about authentication. What is authentication? So authentication is the process by which the user proves who they are. Okay, so there's lots of different ways we can authenticate. We can authenticate with a username and password, or, like Microsoft has done a lot, if you use your Microsoft account online they have switched to really pushing passwordless authentication, where you are authenticated by sending a notification to your phone, a known phone, that is a known device that you have. There's lots of different authentication mechanisms, but the takeaway is authentication is how the user proves who they are. Now authorization is the process by which the app decides what an authenticated user is allowed
to do, right? So is this user allowed to view this page? Is this user allowed to make this change? Now because it depends on knowing who the user is, that means you cannot have authorization unless you have authentication.

So I kind of alluded to the fact that we're going to go over two different ways of doing authentication in ASP.NET Core web apps, right? The model I'm going to show you is the framework built into ASP.NET Core, but that framework could be categorized as building your own. I mean, it's a Microsoft scaffolded thing, but you're building your own and you're maintaining your own, and it's yours to care for and feed and patch and update and do security audits on, right? That's very important. So there's the care and feeding that goes into building your own, right? If you're gonna build your own, again, for ASP.NET Core apps, use the Identity framework, the built-in framework, and that's what I'm going to be showing you. If you want to use a third-party authenticator, a third-party system like Microsoft identity platform, or surely there's lots of other ones out there on the market like Okta and Authy and IdentityServer, that's totally an option too. And I'll be honest, in a lot of scenarios I prefer using a third-party authentication provider, right, because I don't want to handle the care and feeding of building my own. Totally an option. And at the end of the day, which one do you want to use? Well, it depends. It depends on a lot of factors, right? It depends on your organization, what's acceptable for the security professionals in your organization. It depends on how much care and feeding you want to give your own authentication mechanism moving forward. It depends on if you want to manage user credentials, if you want to be responsible for managing user credentials and protecting those user credentials. Again, the broad answer is it depends. My preference in a lot of scenarios is third party,
but I could see why certainly a lot of people would prefer building their own. So that's really the broad strokes of what we're going to be talking about today. We're going to be talking about authentication and authorization, both with the Identity framework and with a third-party authentication provider. I realized that was probably a bit briefer, Jamie, than what the agenda called for for the introduction to the topic, but I realized we were pausing for Q&A there, so why don't we go ahead and open that up for questions before we dive in.

Yeah, absolutely. So we did actually get a few questions already, which is great, and no worries about the timing, we're all just flowing here. So a few of the questions that we have received already... let me pull this down, there we go. So, how permissions affect domain roles.

So interestingly enough, you bring up domain roles, and I'm going to put a caveat on this: I remember the old Saturday Night Live sketch, "I'm just a simple caveman, these things scare and confuse me." I am just a simple web developer, and the angle that I'm going to bring to most of this is as a web developer that is consuming these services. And when we start talking about domains and like Active Directory controllers, I know just enough to be super, super dangerous, so I tend to avoid those topics. Now just to clarify, what we're talking about is all web-based authentication, right? So when we talk about Active Directory domain controllers, we're generally talking about authenticating on a local area network or a wide area network that's private, but we're not talking about internet authentication, right? We're talking about internet authentication in web apps. Now whether your app does the authentication or a third party does that authentication, that's up to you, but Active Directory itself doesn't really enter into this. Azure Active Directory,
which is a completely different beast, that does, and Matt will be talking about that.

Great, yeah, so Matt will cover that later on in the event today. Great, so another question we have is, what's a refresh token?

Okay, so that comes to the third-party authentication scenario that Matt will be talking about a little bit later on. To define what a refresh token is: when you do third-party authentication, you go to a web app and the web app redirects you to the token server, whoever's doing the authentication. Like, say for example, you go to office.com and it redirects you to login.microsoft.com or whatever that URL is, and at that login.microsoft.com you enter in a credential, right, and it redirects you back to office.com with a bearer token. And there is a process by which that bearer token can refresh itself over time and you don't need to make the user log in again. I'm not sure if this is covered in the module that Matt will be talking about later on, but he can probably address that a little bit.

Okay, well thanks for touching on that, I appreciate it. Okay, here's one: what's the best approach for a web API plus React regarding authentication and authorization?

Okay, that is a loaded... that's gonna be a super, super, super loaded question. So the generally accepted practice with a web API... and we're not really going to go into web APIs today because they add another layer of complication with the absence of user interface. The probably preferred approach with a web API and React is to do these third-party authentications like we're talking about, and set up the token exchange on the back end. Now I'm glossing over a lot of stuff because this is something that I have to look at actively to refresh my memory on a regular basis, because again I'm just a simple caveman developer, but it is beyond, I'll just say it's beyond the scope of what we're talking
about today.

Okay, that's good to know. Okay, so I'm seeing a few questions about like Identity versus JWT using web APIs.

So these are all topics that come in with the OAuth third-party authentication later on.

Okay, great, so we'll save those for later then. Alrighty, and then I have one last question and we can probably move on: can Identity be used with web APIs and not MVC?

You know, that's a very good question, one that I don't know the answer to. As I'm sitting here thinking about it, I think it probably can't, because there's a lot of Razor dependencies in there, but I'll be honest, I've never tried, so I just don't know the answer to that one.

Okay, so TBD. Alrighty, so I think that's all the questions we have for right now. Cool. Oh, I have one more actually, you ready for it? Sure. Okay, all right, so would you recommend Microsoft identity framework for small or medium production websites?

Yes, I would, absolutely. And this goes back to my personal preference, right, because I mentioned earlier... so it feels a little hypocritical, right? I'm going to be demonstrating the built-in ASP.NET Core Identity framework, which is a great framework. It's been reviewed, it's passed security audits, and it's something that I would recommend doing if you want to maintain your first-party authentication. Personally, as a developer, I love going third party. I don't like managing credentials, and I would actually recommend that for a website of any size, personally.

Okay, good to know, so Microsoft identity it is. Okay, one last one before we move on to our first workshop of the day: will managed identity be part of this talk? And I believe you kind of just answered.

Not mine. I don't know if managed identity comes up in the module that Matt's doing; I doubt it does. A managed identity is the ability on Azure for Azure to manage basically a
service identity, like for example you've got a website that has a back-end SQL database, and Azure can manage the identity that's used for both of those Azure resources that they run under. I don't believe that's going to come up in Matt's discussion, but certainly a good question, but it's a little bit outside the scope.

Sure, might be a little advanced for this audience, but perhaps we'll touch on it when that comes along. Okay, great. So I believe next you have a workshop for us: adding authentication and authorization to a web app using ASP.NET Core Identity, ASP.NET Core's native security framework.

Yep.

Okay, great, that sounds super exciting and I would love to get started, so I'll take it away.

So go ahead and share my screen please. All right, so this is a Microsoft Learn module, and this URL here on the slide, you can't really see it, that's kind of a bad gray on that backdrop, but it's aka.ms/learn-identity. Here, let me just... I will actually give Jamie that URL on our backroom chat so she can share it out. That aka.ms/learn-identity is a short URL that will take you to this Microsoft Learn module. This is a Microsoft Learn module that I co-wrote originally and I recently rewrote it. The module is kind of long; the timing here says about an hour and eight minutes, and if you take your time it's probably more like an hour and a half, honestly, and we will not get through it all today, unfortunately. I wish we could, but we just won't. So I'm gonna hop in to the introduction page. I'm gonna go over just a few topics about what we're gonna be doing and what you're going to learn. So right off the bat, we're going to configure Identity support in an existing ASP.NET Core web app. So we're going to take an existing app and we're just going to wire it up so we can create users and log in with them. Then we're going to extend the Identity
framework. We're going to customize it in such a way that we can take additional data beyond what the boilerplate accepts from the user. You know, the boilerplate just expects the user to put an email address and a username and password, I think, and we're going to also modify the app to take first name and last name. That's probably about all we're going to have the time to get through. The other things that this module covers, that I would totally love for you to check out beyond the live stream that we're doing right now, is you can then customize the multi-factor authentication capabilities built into the Identity framework, and then you're gonna implement some policy-based authorization. So the Learn module walks you through creating a user who is a, quote, "administrator", and the administrator has special privileges, so the very last unit of this is about giving that administrator those special privileges.

Now just to level set, I'm going to be using a lot of terms and a lot of tools that I kind of already just assume that you have some familiarity with, but you know, basic C# tools like the .NET SDK, some experience with relational databases and SQL Server specifically, some familiarity with Entity Framework Core. Now we have another Learn module out there for Entity Framework Core that I strongly recommend that you review before you do this. The reason will become clear in a little bit, but basically Entity Framework Core is a dependency for Identity framework, and if you understand Entity Framework Core it makes working with Identity framework that much easier. We kind of assume that you know a little bit about Razor, and we kind of assume that you have some knowledge about timed one-time password authenticator apps. We'll talk about those a little bit later on, but again, just like passing familiarity with the whole concept of multi-factor authentication, right?

So what kind of tools are you going
to need to get through this? Well, this is where it gets interesting. So the code that we give you at the beginning of this module, you could download the code on your machine and you could run through the exercises on your machine, all on the bare metal on your machine, and that's completely supported; I tested it, it works great. But one of the problems when you're writing modules like this that have dependencies, like for example SQL Server, is as an author I often don't want you to have to go download SQL Server and configure it and all that if you don't already have it. I don't like that. I would prefer to ship the environment, and back in the day it was not uncommon to maybe put together like a VM for something like this. But instead, what I have done for the source code, the sample code for this module, is I've created a dev container configuration, right? So you can clone this code, and if you have a Docker environment on your machine, you can use Visual Studio Code to open it within a container in Visual Studio Code. Visual Studio Code will actually build the Docker container with all of the prerequisites already configured for you, right? So that's actually what I'm going to show you today. I'm going to be doing this inside the Docker container, and I very much recommend this approach. This approach is my favorite approach because I've shipped the environment with all the prerequisites you need.

All right, so before we get started downloading code and all that, let's talk a little bit about the architecture of ASP.NET Core Identity. So we've already talked about this is the built-in, you know, boilerplate, scaffolded Identity framework in ASP.NET Core. It's a membership system that's just purely about login capabilities and authorization. It also supports external providers like Facebook and Twitter, right? This is different from doing the third-party authentication with
like Microsoft identity platform. This is a third-party authentication, but this is actually a function built into the ASP.NET Identity framework that makes it easier for you to integrate third-party logins with like Facebook and Twitter. The membership data that is persisted in your app is persisted in a database. Now that database... I'm going to scroll down a little bit more. Here's the diagram of how the Identity framework works in your Razor app or your MVC app; both are perfectly acceptable. In your app you implement the identity manager like we're gonna show you; it interacts with an identity store that is abstracted behind EF Core, right? Now by default that data store is SQL Server, but you can use any kind of database you want. In fact, previous versions of this module let you pick between SQL Server or Postgres. Now when I rewrote this module recently I pared it down to just SQL Server, just to keep more focus on the topic, but you could use Postgres. I can't remember, I think you can use SQLite for Identity, I can't swear to that, but you can plug in lots of different database providers just in EF Core. And if you don't like EF Core, you can even pull EF Core out and replace EF Core with a different ORM, so like if you want to put Dapper in there you could, but the default is EF Core and SQL Server. So EF Core uses a feature called migrations to incrementally update the database to keep it in sync with the app's code. This is the default data schema that it builds, and we're not going to go into great details about it, but you can see it's pretty much what you would expect, right? There's roles and users and claims and tokens, but we can extend this, and I'm going to show you how to extend it. So that's kind of just the overview before we touch the ASP.NET Core Identity platform. That brings us to a knowledge check, so let's see who is paying attention. What's the default
data store for Identity? Is it Entity Framework Core and Postgres, is it Dapper and SQL Server, or is it EF Core and SQL Server? Do we have Jamie or John? I can't see the chat. I'm going to guess that somebody was paying attention though. You're muted, Jamie.

Oh my goodness, I was trying to add myself back to the stream and it was not working. So unfortunately I think folks in the chat got it before me, but yes, I would go with C, EF Core and SQL Server.

Yep, congratulations everyone in the chat, you're much quicker than I am. Apologies about that.

All right, so here's the fun part, now we're going to get into the code. So as you're stepping through this Learn module, again, right here at the start of the exercise I remind you that, hey, if you want to use the dev container, that's totally an option, and I want to show you a really cool thing in GitHub that I just love. If you have access to this... now it's not free, it costs like 18 cents an hour I think, don't quote me on that, I am just pulling that out of the air, out of my memory, I think it's like 18 cents though... you can set up what's called a Codespace. Now there's a little leg work you have to do first, like your GitHub user has to be a member of a GitHub organization, and that organization is what gets billed for Codespaces. But what's really, really cool is you can come in here into the code... this might actually take a little bit because I can see that my Codespace went to sleep while I was talking... but you can come in here to the code in GitHub and click the Code button and you can create a Codespace. Now I have already created one and it's named "stunning engine". Stunning engine was running, and I didn't name that, by the way; it just automatically names it adjective-noun. Stunning engine was running when I started talking and then it went to sleep. I'm gonna click stunning engine though, and hopefully... I think he's awake now. Oh yeah, look at
that. So that is... I just love this so much. In GitHub I clicked Code, Create... I could have clicked Create Codespace on main, but I already have one created. But I have a complete environment right here in the browser, right? I can build, I have all my code, I can edit, I can do all kinds of neat stuff, and it's a full... oh, check this out, I even have a SQL Server that's pre-configured and already running. It's all there and ready to go. So the GitHub Codespaces mechanism: love it. Not free, all right, you have to pay for it or your organization has to pay for it, but I love it, it's easy, just go to GitHub and you can launch it that way. If you don't want to pay and you have a Docker environment locally, the other option you can do, which is what I'm going to show you right now, is from the command prompt. And I know I'm gonna head off the questions about my command prompt: this is just Windows Terminal, I've customized it with some PowerShell scripts, so it's just plain old Windows Terminal. Actually I'm gonna clone... where was it, git clone, there it is. I'm going to clone that URL, right? That's the URL we were looking at earlier for the GitHub repo; it's what's on the URL list. So I'm going to clone that locally. So now I have it copied local, I'm going to switch to the directory and type code . and what that's going to do is that is going to open up this directory in Visual Studio Code. It opened on another monitor, I'll bring it over here. Now since I have Docker, it's going to think about it, and as it opens stuff and does what Visual Studio Code does on startup, eventually it's gonna prompt me, and I'll show you the prompt when it prompts. Come on, are you gonna prompt me? Ah, there it prompted me. All right, so it says, hey, this folder has a dev container configuration file, do you want to reopen it in a container? And I do want to reopen it in a container. Now if I click that Reopen in Container button, it's going
to take a couple of minutes to spin up the container, and we just don't have that kind of time, so I actually headed this off at the pass and I have another instance of Visual Studio Code where it's already created the container and we're already running in the container. So this is the code, this again is the starter app for my Learn module, running in an environment that I've packaged in a dev container. You can just run it like that; it has SQL Server and everything ready to go for you. So with that we can actually start on our exercise. So I'm going to switch back over to my browser. So we already covered cloning the code, we already covered switching to the code and opening it in Visual Studio Code, and then we covered opening it in a dev container, and if you missed the prompt, we call out the command that you can run in the Visual Studio Code command palette to force that open. All right, so we're going to open a terminal pane and we're going to switch to the RazorPagesPizza directory, then we're going to run it, and we'll pick up from there. So let's switch back over to Visual Studio Code. All right, so go back over to my Explorer just so we can see all the files. We can see that the RazorPagesPizza folder, that's where our code is, so we'll switch over there, RazorPagesPizza. We're going to make sure it builds, and then I'm going to run it. All right, so it's running right now in my container. Now the container has set up port forwarding automatically, so look at the output here on the run where it says "Now listening on https://localhost:7192". I can just Ctrl+click that, I'm going to hold Ctrl, I'm going to click that down here in the text, and it... actually, pretty sure, yeah, it opened in my browser, which was behind Visual Studio Code, so I had to switch back over. So this is the app. This is the app that is downloaded; we've made no changes to it at all. So this is all it is. Here's the home
page, the list of pizzas that Razor Pages Pizza sells, right, and we can add and remove pizzas from this list. We have the privacy policy page, that's just the boilerplate, and then, remember I said there's a unit later on that focuses on granting administrators privileges to do certain things? For that exercise there is a super secret admin page, right? If you're not an admin you shouldn't be seeing this page, but obviously we are seeing this page, so as part of the Learn module you will lock this down. All right, so go back over... actually, before I do that, let's look at our exercise again. What's next? So that's it, so we've looked at the pizza list, we've looked at home, now we can stop the app. So let's stop the app. You can stop the app just by pressing, in the terminal window, Ctrl+C, and you can see it stopped. So I'll even type the clear command; I have a nice clean terminal again. All right, so the very first thing that we need to do, and it shows us here... actually, you know what, I'm going to open this up on another monitor just so I have a guide for me to talk through. Please bear with me as I find another... there we go. Okay, so the very first thing that we're going to do is we need the tools to generate ASP.NET code. There's a .NET tool called the ASP.NET code generator. To install that .NET tool for the .NET SDK, we're going to use the command dotnet tool install dotnet-aspnet-codegenerator, and then I'm going to specify a version. You don't generally have to specify a version, but I'm specifying a version in this case because the container is using specific versions of everything, just to make sure we have good control over the learner experience. You see, in this case, in my container, the tool was already installed; otherwise you'd see a little green text that says it was successfully installed. Now one question you might be thinking of right now is, okay, why are we
doing this all in Visual Studio Code and with the .NET SDK and not Visual Studio? Now, Visual Studio can do everything that we're doing today in Visual Studio Code with the .NET SDK. What it can't do is dev containers, so I can't yet ship the environment for Visual Studio like I can in Visual Studio Code. So that was one reason why I chose Visual Studio Code. The other reason why I chose Visual Studio Code is because working in Visual Studio Code with the .NET SDK gives you the fundamental knowledge of what's going on behind the scenes in Visual Studio and will equip you to develop on Windows, Linux or macOS, regardless of operating system. So what you're gonna learn today, even though Code and the .NET SDK might be new and unfamiliar, what you're going to learn today is still applicable in Visual Studio. The tools might be a little different, but the processes are all exactly the same.

All right, so we've got that tool installed. We're also going to install a series of... I'm going to bring my window back over here... a series of packages that are dependencies, NuGet packages. Now these packages, some of them are code generation templates, some of them are dependencies, there's just a stack of them. Easiest way to do it is just copy the whole stack and paste it into your terminal. So that's going to go for a minute, not even a minute, a few seconds, we'll wait for it. All right, that's done. So now we have everything we need to run the scaffolder and generate our Identity implementation. So the command for that... I'm going to clear my terminal just so we can see it cleanly... the command for that, we're going to say dotnet aspnet-codegenerator identity. So we're generating the Identity code from the Identity templates, rather; we're going to use the default UI, and we're going to name the DbContext RazorPagesPizzaAuth. So let's talk a little bit about what this command
is doing. So we're invoking the Identity templates from the ASP.NET code generator, and we're passing in this flag, --useDefaultUI. So that --useDefaultUI tells the code generator that we want to use the Identity Razor class library. So a Razor class library is like any other class library except it contains Razor pages, right? They're not Razor pages that you can modify; you can override them, and we're going to show you overriding them later, but it's just a class library that contains pre-compiled Razor pages. So this is all just out of the box, this is no modification whatsoever. And then the last thing that we're doing is we're saying, hey, the DbContext that you're going to use to talk to the database will be named RazorPagesPizzaAuth. Now DbContext is a concept from Entity Framework; it's the gateway through which you interact with your database, it's the abstraction that does all of the heavy lifting. So if you're not familiar with DbContexts and EF Core, I'm gonna again recommend that you pause right here and go check out our Entity Framework Core Microsoft Learn module. That also uses dev containers, just like this one, to set up an environment. It will show you some SQL Server, some SQLite and some Postgres. It's another one that I just rewrote recently, and I'm really kind of proud of it, so I certainly hope it's enjoyable and informative for you. All right, so let's run that command. So it's going to build first, and then it's going to implement those templates. It's thinking. Actually, while it's thinking, I just had to double check: Jamie is asking for a link to share with everyone about EF Core, and I happen to have it memorized. All right, so it's built. All right, so what do we do now? We get back to where we were before we switched to a different Learn module in our browser. So what happened? We ran this template, it generated an Areas folder in our project and put some
files in that areas folder so it created this razer pages pizza off.cs and that razer pages pizzaoff.cs it inherits from identitydb context well identitydb context is a base class in the identity framework that implements a db context like what we were talking about in ef core um and razor pages pizza off in turn inherits from that and you can see there's it's just boilerplate this is just this is just a boilerplate uh standard implementation of a db context there's there's nothing special in here other than the one thing i will point out because it becomes relevant later on it's it's inheriting from identity db context of type identity user that identity user is the default um class used for uh used for identity we're going to customize that later we're going to replace it with a different class but that's later all right so let's look at what else it did so over here in program.cs at the very top it kind of made a mess and this is one of my one complaint about the about this code generator is it it makes a little bit of a mess and it doesn't it uses lots of semicolons which is are perfectly valid in c sharp but then it doesn't follow those semicolons with a line feed character so i'm going to come in here and i'm going to add some line feeds to make it more readable and in fact if you if you um if you're looking at learn module right now even in parentheses right above this code i even say i've reformatted this for readability it's just because the the template relies on those semicolons without line feeds but now it's a little bit more readable so let's see what we did so it added it added a few it added a few uh using statements at the top to to bring in some of our to resolve some of our references and it also added our razer pages pizza off uh db context as a registered in the dependency injection framework as a service along with the u sql server option in the connection string um and it added the default identity to the uh depend uh dependency injection uh 
registered in dependency injection to be used with um the uh to be used with our razer pages app and uh also added the entity framework store as a uh um as an option to that so that's that's what that's what it did that's that's all it did oh i take it back did one other thing it added a line right down here this use authentication that's super important app.use authentication uh uh adds the you know a microsoft identity uh platform i'm not microsoft platform asp.net core identity framework adds it to the pipeline uh so we haven't done anything so far other than on the scaffold just to be clear this is all stuff the scaffold did for us all right so you i mentioned earlier that we're wired up to a sql server database uh one thing that we need to do now is we need to set the connection string now i'm going to point out very briefly if i scroll down to this part where we talk about configuring the database connection with the connection string as of streaming right now and in fact it's probably going it may have just gotten fixed uh in in the current published we publish at 10 am uh pacific and like 4 p.m pacific so it might be fixed now since the last time i refreshed this page but um we discovered a typo last night uh there are a couple of spots in this module where i accidentally have the the term razor pages pizza identity db context instead of razor pages pizza off you can see why i shortened it i just screwed up and didn't update it everywhere we fixed it last night and it should be published like it might even be published right now uh but definitely for future viewers of this recording it should be fixed by the time you see it anyway we come back over here and we just looking at the instructions which connection string do we need well i'm not running locally right so uh let's hop over back over here to my app settings i'm not running locally i'm running in the container well by default it's going to enter the the the default connection string for local db 
Right, I'm not running LocalDB, I'm running like full SQL Server in my container. So I'm going to get that connection string from the Learn module. Just to be clear, I'm talking about the second one here, the one that says if you're running in the container. All right, so that's if you're running in the container, whether in Visual Studio Code or GitHub Codespaces; you're going to use the second connection string. Just don't name it RazorPagesPizzaIdentityDb-whatever, right? Just grab the connection string there, plug it in, make sure you have the right number of quotes and that it is a valid JSON file, save it. Make sure I got my Program.cs saved.

All right, so those are all the changes that we needed to make to the actual app. So we ran our scaffold, we have implemented Identity. The one thing that we need to do is we need to create the database, right? We need to set up the database. Now Entity Framework Core makes this really easy with a process called migrations. Now again, I'm not going to go into migrations, but basically it's the idea that we're going to take the code's idea of what the entity model looks like and we're going to translate it into an actual database schema and implement it. And to do that we need another tool, right? We installed the ASP.NET code generator tool earlier, so now we install the dotnet-ef tool. And I'm hearing, by the way (I'm going to switch back over to my browser), a little birdie just told me... oh, look at that, while I was talking our updates got published, so hopefully I won't need to make that callout again, right? The update that I was talking about is live, so we can scrap everything I said earlier.

Okay, so we installed the dotnet-ef tool, and now with the dotnet-ef tool we are going to create a migration. If you are familiar with EF, you're familiar with this command, dotnet ef migrations add. So that creates a new migration, and we're going to name the migration CreateIdentitySchema, and it's going to build, and then after it builds it will generate some code that we can look at very briefly. All right, it generated our migrations. We won't go into this migration in any great detail, but I just wanted to show you that the migration code is literally building a database, right? It's all about creating the tables. All right, so now let's apply that migration with the dotnet ef database update command. Build started, build succeeded, and then we're going to see a whole bunch of stuff fly by. Oh, it looks like I already deployed that in this container, so it actually threw an error at me, which is surprising because I thought I was using a new container this morning, but oh well, it is what it is.

Let's hop over here to the database. If you're in the container, you will also have the extension for SQL Server pre-installed, so there's a SQL Server extension right over here, that's what it looks like. We go to the SQL Server extension and we can browse our database. So there's the RazorPagesPizza database, and there's that schema we saw earlier, right, with the user tables and the roles and all that. So we actually have a database now. And the only other thing that we need to do is, if you remember, come back over here to the app: we don't have any login link on the app, right? There's nothing there. So the one last thing we need to do is we need to add that, and this is the only code change that we've done. If we go to the layout (where's the layout? dig down into Pages, Shared, _Layout.cshtml), in _Layout.cshtml I have put a comment for you where I think you might like to add this login partial view that was created by the scaffolder. This is basically your login link, right? If you're logged in it's going to say hello, username; if you're not logged in it's going to show Register and Login links. So we're just going to add that to the layout, and I have already commented it for you there, so all you have to do is just replace that comment with that login partial. So make sure everything's saved. Since I said we're going to be building manually, make sure everything's saved, and at this point we can dotnet build and run. I'm just going to run. All right, so we're running again. I'll just switch back over to my previous tab for the app and hit refresh. Oh, so I'm already logged in, it looks like. Let's log out. All right, so here's the home page for the app. You see we have Register and Login links now. So we could register, and I could say I'm going to register as cooluser@contoso.com. So at this point we need to confirm the email address. Now the default implementation for Identity doesn't have any way to send email, so it's like, okay, look, in the real world you need to implement this, but for the purposes of the scaffold we have just made it so all you have to do is click this link. So we're going to click this link. Now we're confirmed, so now we can go log in as cooluser@contoso.com. There we are: hello cooluser@contoso.com.

Now I'm running even shorter on time than I thought I was going to be at this point, because it's kind of a broad topic. What I'm going to do at this point, since I'm running kind of down on code, is I'm going to fly through just talking over the next sections and leave it as an exercise for the viewer to complete this module on your own. Like I said, it'll take you about an hour and ten, maybe an hour and a half, but it's full of great information, and we're going to step through it now.

So the next part talks about customizing the identity model that I just showed you. Remember I showed you IdentityUser is where we're implementing that DbContext, and it's inheriting from IdentityDbContext of type IdentityUser. We would actually extend IdentityUser to replace it with a RazorPagesPizzaUser, and what that RazorPagesPizzaUser does (I'll just hop through and look at the code) is it adds the FirstName and LastName properties to the class. Now you remember I mentioned earlier, though, that all of this functionality that we see in the boilerplate implementation comes out of a Razor class library. That Razor class library doesn't have any code that's just exposed to us by default, because it's all coming out of a DLL. So we have to actually run (if we come back up here to the top of the module again) the Identity scaffold again, and this time we give it a list of files that we want it to generate. Now the command that I give you actually gives a pretty full list. So we're going to include the EnableAuthenticator page, because we're going to modify that for multi-factor authentication; we're going to include the Manage Index, so that's for changing your username or changing your email address, and changing your first name and last name once we add that capability; and then we're going to actually implement email confirmation. Now for purposes of this module (I'm going to scroll down), the way that email confirmation works is when it gets to that confirmation page it goes to the dependency injection service and says, hey, give me an email sender type. So what you're going to do in this module is you're going to implement IEmailSender. Right, later on. So this is all about what I've talked about so far about extending that IdentityUser. I'm showing you how it looks when you make the change to the database; that's all handled for you by migrations. All you have to do, really, to change the app is add the first name and last name fields to a few forms. So that's really all the modifications you're going to do in the app at that point.

Scroll down, scroll down, scroll down, scroll down, we get to the part where we can configure the confirmation email sender. I want to call this out. So if you look at that Register.cshtml.cs that's generated by the scaffold, it generates this line of code. It says SendEmailAsync, and it passes in the email address, it passes in the subject, and then it passes in the body encoded as HTML. For purposes of this module I'm like, no, I'm not going to make you send email, I'm not going to make you set up an SMTP server and do all that jazz. I'm just going to have you write your email out to the console, out to the terminal in Visual Studio Code, so you can see that URL. So we change that line of code to get rid of the HTML encoding, because that breaks things, and then we implement an email sender that does exactly what I talked about: it just writes that confirmation out to the terminal, so you as the developer who's testing this can confirm your email address. And then the very last thing that we do on this page is we add that email sender service to the dependency injection container so Identity can find it. So then we run through all that, and basically in this whole unit you've added first name and last name to the user registration and made the corresponding UI changes, and then you implement the email sender. Now in a real-world environment your email sender is going to connect to an SMTP service or some web service like a Twilio or Mailchimp or whoever, but this is kind of like the bare minimum of what you need to do to get the link sent to you privately in your development environment.

All right, so after we get through this, then we get to do something fun, right? One of my favorite things to play with, because I get to play with an app on a phone, and that's multi-factor authentication. Multi-factor authentication is... first of all, I'm going to say that it's something that you absolutely should be doing in all of your apps, okay? It's when we prompt for additional forms of identification so that we are combining more than one and enhancing the security, to be really sure you are who you say you are, because that's the point of authentication: making sure you are who you say you are. So these things include things like something you know, like a password or a security question; something you have, like a hardware token or a USB thing like a YubiKey; or something you are, like a fingerprint or a retina scan or a face scan. The most effective way to do MFA is when you combine these different categories of authentication. So, like, a lot of banks, for example, like to do just security questions in addition to your username and password. Well, that's just something you know twice, and it's actually not too hard to defeat that, right? An adversary can get information about, you know, things that you know. It's much harder for somebody sitting in a basement halfway around the world to get your information, your personal information, and use it against you than it is to get something like your phone or your hardware token or your fingerprint. They can't get those. So the best security implements one from both of those categories. Now the time-based one-time password is arguably one of the best mechanisms for something you have. The process is basically: we generate a token and we give you that token, and you take that token and you store that token in an app on your phone, and then from now until the end of time, whenever you open that app on your phone it does a little math with that token and it generates a six-digit code, and the only way you can generate that six-digit code at that moment in time is with the token that you were given way back when you set up multi-factor authentication. Time-based one-time password is built into ASP.NET Core Identity; it's implemented right off the bat. All you have to do is... I think, even if I think my app is still running, let's hop over. I believe all I have to do, yeah, I can set it up right now, I can add my authenticator app. But if we go in there, you see it doesn't give me a QR code, right? It just gives me this token, it's just this key that I could type in. Well, that's no fun, we don't want to make our users type all that, so we want to give them a QR code. Now we have docs on how to generate the QR code, right, and our doc shows you how to do it with a JavaScript library. I took my own tactic for this Microsoft Learn module and I showed everybody how to do it with... let's see, where am I, I have too many browsers open, I'm drowning in browsers... so I showed you how to do it with a third-party library, right? I found an open source library out there on NuGet called QRCoder, and we have you generate the QR code on the server and then inject it into the Razor page as base64. So that's fun, and it's kind of a different take on what you might have seen in the documentation. I personally would prefer this approach, but again, it's up to you as a developer. So we customize multi-factor authentication.

One other point that I want to bring up before we leave multi-factor authentication: everyone has experienced SMS text messages as a form of multi-factor authentication. This is just me getting on my soapbox as a security hobbyist: that's bad. SMS text messages are the most common alternative to time-based one-time passwords, but they are unfortunately relatively easy for an adversary to defeat. It's not that hard for a determined adversary to clone your SIM and go to town. So SMS codes are not considered a secure form of MFA, and it's recommended that you not use them in your app as a multi-factor authentication.

All right, so the last unit of this module covers authorization. We've already talked about authentication versus authorization: authentication is who you are, authorization is what you're allowed to do. And we talk about claims and policies. Claims describe a user: this user is an administrator, this user is just a regular user, this user is a limited user, this user is allowed to update this type of record. These are claims that you can make, like on a government ID. Your government ID makes claims about your attributes; it makes claims about your age, about the type of vehicle you're allowed to drive. Those attributes are used in enforcing a policy, and we give an example about bars and taverns, right? If you go to a bar and you order an adult beverage, the bartender is looking at your credentials and they observe the claim on that ID of the birth date. Well, 21 is generally the legal drinking age in the U.S.; you're 21, so according to the policy you're allowed to have the drink. So that's what a policy is.

We're going to check knowledge real quick, and again I'm running short on time, so I'm just going to fly through this. Which of the following is a true statement? There can be no authentication without authorization; there can be no authorization without authentication; or claims describe what a subject can do. I know this one. So it is: there can be no authorization without authentication. Correct. Before we can be concerned with what a subject can do, we have to first know who they are. Exactly.

So the very last unit of this Learn module, and again I'm going to talk over this and leave it as an exercise for you, but I really recommend it, I'm really proud of this Learn module and what it contains: we secure some pages. So we use the Authorize attribute. Just by adding the Authorize attribute to the Pizza Razor page class, that page will require you to be logged in before you can view it. So that's the very first thing we do: we add the Authorize attribute, and now you can't get to the Pizza page unless you're logged in. But then we take it a step further, right? Then we modify the pizza list page to check to see if a user has a claim that denotes them as an administrator, and if they're an administrator we make some UI choices, and we do some other stuff to prevent them from doing things that we don't want them to do. But essentially we give them the ability to add pizzas and delete pizzas if they're an administrator. Finally, we add a policy that says administrators... you have to be an administrator to get to the admins-only page. So a regular user can get to the pizza list but they can't modify the pizza list; an administrator can both get to the pizza list, modify the pizza list, and get to the admins-only page. We implement that as a policy that requires the claim IsAdmin equals true. We step through it. Again, it's all just some little UI changes. The way we actually define a user as an administrator is we add a flag to the configuration that says, okay, if a user registers with admin@contoso.com then that person is an admin, and give them the admin claim. However you determine permissions will ultimately be up to you, but this is just the way we chose to do it for this module. And then we run through and we test it all again, and we have our admin user that can do his admin things. And that is the whirlwind tour of the ASP.NET Core Identity Microsoft Learn module. Again, I recommend it. I recommend the dev container scenario, because that way you don't even need to worry about setting up SQL Server. I also recommend the EF Core Learn module we talked about earlier.

Whew, that was awesome, Cam. I know that was a lot of information to cover; you did do a very great job. For those following along, please feel free to head on over to that Learn module so that you can walk through anything that we kind of rushed through. Community member Cecil Phillips also mentioned that maybe we should do a second Learn module on this.
So thanks for the feedback, Cecil. We do have a few questions that I really want to get to with you before we jump on over to the next workshop, so if you're ready... I'm ready, go for it. All right, so first question we have: would you rather start with authentication and/or authorization from the start, or afterwards, and add it in when the first version of the system is ready? So that's an interesting question, and I could see both approaches being valid, but I would recommend, like, before you do anything else, deciding on what your authentication and authorization is going to look like in your app, and make that the very first thing you tackle. And that's just my recommendation as a developer. Reason being, then as you add functionality, at every step that you add functionality you are forced to think about authentication and authorization. Because if you don't do that, if you do it the other way, if you do all your functionality first and then go back and bolt on authentication and authorization, what happens is you're going to miss something and you're going to leave holes. So don't do that. Start with authentication and authorization, make sure that you're thinking about it in every step of your application, and definitely do security code reviews, and find a security expert to review your code and beat against it a little bit. Okay, thank you, that's good advice.

Okay, next question: can I customize the user model and delete the email property and other properties that I don't need? Deleting the email property... I wouldn't actually delete anything from the boilerplate, I would only add, right? Everything that is in the boilerplate I would consider as being required. I wouldn't be surprised if there's a way to pull email out and just use like a username, because that's the way it used to work a few versions back, but don't hold me to that. Okay.

All righty, so a few questions around this: why code generator? I notice he's using that a lot. So that's just the way the scaffold is implemented. Now if you're not using the .NET SDK and Visual Studio Code, and you're using Visual Studio, Visual Studio has what they call... what is the term? Scaffold, new scaffold, something... scaffolded items, that's what it is. You right-click on somewhere in the project and Add New Scaffolded Item, that's what the menu item says. That Add New Scaffolded Item actually uses, remember those dependencies we installed, those NuGet packages that we installed early on, and we said these are required for the scaffolding, right? The scaffolding in Visual Studio uses those exact same dependencies and those exact same templates in those class libraries. The only difference is, using the .NET SDK at the command line we need the code generator tool to actually consume those classes, whereas Visual Studio can do it natively, automatically. Okay, great. So it's already right in there for you, it's in the documentation, it's in the Learn module, so that's why that's a good use and a good tool.

Okay, I think I have one more question for you, Cam. So if you have a profile page, you should be able to edit the fields. Does that mean you have authority to edit users in general, including other users? No. So the Identity implementation, when you go to the profile page (and I don't want to dig around in the code, because it would lead to those awkward moments where somebody's digging around in code and you're like, what are they trying to show me), but when you go to the profile page it is loading just your user, and just your user is allowed to see just your user. You could build in some kind of administrator functionality to administer users, but to my knowledge that's not part of the Identity implementation. I see, okay.

All righty, well, that's all of the questions we have for now, but feel free to post your questions in the chat should something come up, or if you have questions further on for Cam; we'll save some time at the end. And now that I'm not presenting, I'll hop into the YouTube chat too. Oh, perfect, so we'll have Cam in there in the chat answering those as well. All right, well, thank you so much, Cam, that was awesome, we'll bring you back at the end. All right.

And next up, Managing Multiple Roles... okay, there we go. Hey Matt, how's it going? I'm doing well, Jamie, how are you? I am great, I am very well, thank you so much for joining us here today. It was a little bit of a last-minute transition, but we are so excited to have you here as our expert for this, and I would love to know more about the workshop that you're about to do. Sure, yeah. So thanks for having me. Cam, that was a great job. So you can see that identity is very nuanced, it's very complex, it's very complicated, and especially when you're doing it in ASP.NET Core you kind of get to see it from the bottom up. And so what we're going to talk about here is doing it with what we call the Microsoft identity platform, which Cam alluded to before, which is, as he was mentioning, the third-party stuff where we get to integrate the cloud. And so I'm a cloud advocate, and so I'm all about the cloud, and so we get to introduce things like Azure Active Directory or Azure B2C and Azure B2B and all that other good stuff. So that's what we're going to talk about today: bringing the cloud goodness into our web apps. So, yeah. Great, yeah, let's get started. So, learn the basics of Microsoft identity, including the different types of tokens, account types and supported technologies. Great, perfect, let's get started, and I will let you take that away. Cool.

All right, so I've got my slides full screen so I can't see what's going on anywhere. However, we have a bunch of prerequisites, right, and I'm going to change those. I'm going to change those right here, because OAuth, authentication flows, terminologies, ASP.NET at the core level, all that other stuff... really the only thing you have to have here is a desire to learn. There is a bunch of stuff that we'll cover, and we'll go through it all; we won't get too intricate, we'll introduce what all the terms are, but this is crazy, like authentication flows and the terminologies, all going into it, that's just really a lot to know. And just by going over what Cam's stuff was, you can see it's really easy to get a lot of stuff thrown at you. So I'm going to try to keep it as simple as possible. So we'll gloss over a lot of the details, but ask in the chat. Jamie, feel free to interrupt. I'll try to keep it top level, but we'll go down to the details as much as we can.

So with that said, we are going to be covering the Intro to Microsoft Identity, or Microsoft Identity Platform, Learn module. You can get at that module with the aka.ms link. I saw Cam's was learn-identity, so I hopped out while he was talking and created a new one called learn-more-identity. Two workshops, two aka.ms links; you're going to learn a ton of identity today.

All right, so what is the Microsoft identity platform? It's an evolution of the Azure Active Directory developer platform. So really it's just the next iteration of it, and it's better and it has a whole lot more to it. So let's kind of think about where everybody's coming from. So right now we're not just locked in; we don't just go into the office and they lock the door and we're just using our computers inside a room, like in Severance, where you've got to go down the elevator and that's it. Here we can be like in this room, I'm in the office at home, or we can be at a coffee shop, or you can be in the real office, or you can be working, you know, at the beach or something like that. So you're all over the place, so you're not necessarily in the same place at once, right? And you could have vendors accessing your network, you could have little devices accessing your network, you could be going out with your network and accessing things like Dropbox, or going out and accessing like Stripe or anything like that. So you have just a whole bunch of different things accessing all at once, right? And so how do you keep them all straight? And that's what Microsoft identity is about: it's by creating this control plane over things. And so it's a way to handle your partners and customers who need to come in and have an identity; your employees need to have an identity; your cloud apps need to have an identity; you need to control them all together, and that's what the identity platform helps you do.

And even better, when you think about this, this is a great Venn diagram (is that what it's called?) where you have the users, you have the resources and you have the policies, and when you overlap them all together, that's the identity. So the users are people, me, you; they could also be things, like a device trying to get in. The resources are what they're trying to get to. And the policies, like Cam mentioned before, like when you're going out and you want to have a drink at a bar, you have to meet the drinking age, you have to be 21 in order to do that, or you have to be 16 in order to drive a car; that's what the policy is. And so making sure that those are all enforced, that's where the identity overlaps. Now something super interesting here is the policies, especially nowadays, where you might be accessing a resource via a phone; you might have a little less policy, a restricted policy. Why is that? So I'm using my phone and I want to access Microsoft email off of that. Well, it lets me access the email, but it's not going to let me access something on SharePoint. So the policy is different versus what I can do over my laptop, where the policy is going to be a little bit more expansive. So the policy is limited based on the device I'm using for the resources I want, and this identity platform can handle all that for you. So it's abstracting all the things I can do.

So let's talk about, then, that first circle. The top circle is the users, and so you can handle those users in three different ways. There's Azure Active Directory in the cloud, and that's not... like, the enterprise, the internal users portion of it. And there's business-to-business Active Directory, so that means Microsoft users have to go out and talk with Contoso users, and so we can create an Active Directory so we can have trust between those two organizations. And then there's business-to-consumer, or B2C (and look at this, my slides are just not working today), B2C. All right, and we can have B2C, and what that means is that you can... me, my business, Microsoft, I can set up an account; Microsoft, or my previous business, Code Mill Technologies, I could have an Azure Active Directory and I could have a consumer-facing app, and in that consumer-facing app then I could have anybody log in, like with their GitHub account or with their Facebook account or with their Google account. And then that account is now their identity into the resource I want to provide them as consumers. So now I don't actually have to, like Cam was showing, take care of everything internally with the database. I don't have to do that. I'm going to let Google or GitHub take care of, you know, remembering the passwords for me; I now get the credentials passed over that way. So we won't get down to the nitty-gritty of how that's taken care of, but there is a way we can do that: create a consumer-facing app, have people log in with their consumer accounts, and handle it that way, but we don't have to care about actually handling their credentials, so to speak.

All right, then there are the resources. So the resources are essentially your apps, right? And the apps themselves can use the Microsoft Graph, which pretty much tells you everything that you want to know about your app or your users through Active Directory. So we'll take a look at what the Graph can do, and it's a way to then show them different things of your data. So let's say, a good thing about what the resources can do with the Microsoft Graph is, let's say I wanted to create an app that sends emails out based on like when you log in, or a background process. I can do all that with the Graph, and I utilize Office 365 to do that. So that whole resource picture here is able to do that via policies. And so policies is a trust set up, like I talked about before, where based on what resources you want, based on who you are, is what you can do. So whether it's the driving age or anything else that could be possibly restricted, if you pass the policy then you can do it, and it could be based off of what you want to do in the particular context that you want to do it in, too. There's a lot going on, right, and it's really hard to control; there's just a bunch of what-have-yous, and everything is really nuanced and subtle, and that's why we do have things like the identity platform and these huge backing applications, these services like Active Directory and B2B and B2C behind it, to help us out.

So now let's get into talking some more terms. So we have, first off, our tokens. So the tokens are really about how we go through both identifying who we are and getting at things. So the first one is the identity token, or the ID token. And so that's what's going to happen: you're going to get an ID token. You log in, you enter your username and password, you're going to get an identity token back. When I say you, I mean your application. So your application gets an identity token back of whoever's trying to log in. Now if it's in a B2C scenario, same deal: they log in with their identity provider, they go through GitHub, you get that ID token. So you get an ID token saying who they are. So for our purposes it's the same thing; just think of it as if they're logging in through your app with username and password. When they want to get in to APIs that are protected by Azure AD, you use an access token to do that, and that's the authorization portion. So ID tokens: authentication, I am who I am. Authorization: getting that access token, I want to do something, is the second portion of things.

Now we get to more of our terms: OpenID Connect versus OAuth 2.0, all that other stuff. So when we're building an app you're going to hear about all this stuff. So OpenID Connect is what the identity platform uses to get ID tokens, and you'll see a lot of things that are abbreviated OIDC; that's OpenID Connect. When you see that, just keep that in the back of your mind, so when you see that, that's what is being talked about. The OpenID Connect protocol extends the OAuth 2.0 protocol, so that's another thing to keep in the back of your mind: when you hear OpenID Connect, it's essentially a child that inherits from OAuth 2.0. So things get confusing, which is why you use a library that implements them. Don't create it yourself. As Cam mentioned in the previous workshop, a lot of times you just go with something that somebody else did, like the Microsoft Authentication Library. It's been well tested, people know what they're doing who created it. Don't go down to the bare wire and try to implement something to the OpenID spec; you'll get something wrong. Let somebody who's done it before, that's been well tested out in the real world... so use a library that implements it and go off based on that. So the Microsoft Authentication Library, for our purposes as .NET developers, is the one that we would go with.

All right, so overall, here's the flow that we would go with, and there's more to it than this, because I know we were talking about getting refresh tokens and everything about that before, but: sign in, get an identity token, an ID token. Now ultimately we want to access some resources. From that we're going to specify some policies that we want to get
after we get our access token and then we get at the resources so this essentially is called the flow overall there's a lot more what-have-you and subtleties involved with this but overall this these are like the steps the five steps you can think of overall in the flow a lot of times if you have and i if you've already gotten an access token at one point you might be able to get a refresh token without specifically asking for it again and that's like it's already been cached by the library that you're using and then you can kind of skip the step between id token and resources you already had it so you don't necessarily even have to go through this whole thing again but the library's going to take care of that for you so it's already there you don't have to think about it but overall this is the steps that you're going to go through and like the first time that you want to log in all right so now what we're going to go through is take a look at some different types of tokens based off of the learn module so let's see what i have all cued up here all right so this here is the module that we're working with is the getting started with microsoft identity um the aka ms is uh i totally forgot it already but it's learn more identity i think it is and i will put it in the in the show notes for this but we're going to go down for the first one here different types of tokens used in microsoft identity and the first thing you'll know is this is a let's learn.net and we're going to create a node.js web application i was as confused as anybody else could be but there's a reason we're going to do it like this and that's because it's actually really interesting to go through and seeing it done this way with a node because you can one see how nice that visual studio or that net makes it for you and two because that net bakes in a lot of this goodness that we'll see having to be done manually with node so and essentially that's why we're gonna go through it and do with javascript 
first because it nice explains out and you can see how everything has to happen essentially manually first so what i am going to do then is just copy the commands in to build up our website so npm init run through and then i'm going to install express which is essentially just my web and then i can open it up in code which i have right here let's go down to projects and this is going to be in let's learn.net let's learn.net x1 here we go all right and so loads right up we can see visual studio code already identifies everything as um that we're running as a node project and like cam i did in the first portion of this uh of the show we're using code i'm running on a mac and it's mainly so we can all see kind of like at the bare metal on how we it would implement everything by hand visual studio does give us a lot of nice um shortcuts and i think it's well worthwhile to actually see how things are written out go to visual studio and everything's taken care of for you which is awesome but it's nice to see how things um work by hand all right so the first thing we want to do as we um create things up is just all we're doing is here's the reserver file which is essentially just starting up our server here which is going to eventually just send over an index.html file on line 14 here on a git so that's that's all that this is doing nothing too interesting there and it's being served on port 3007. 
interesting thing is that when we create that index.html file all right so now we have it coming up and so one thing i want to call out is that we are going to use this msel browser javascript library so that's the thing i was kind of alluding to before it's the third party in microsoft's case a first party um authentication client so just calling it importing it in here and then otherwise this is just gonna say you know this is the microsoft library for msl.js exercise and has a button to sign in and once it signs in it's going to do show us various things about us and when i say about us about the account and we're going to set up an application for this within azure active directory so our account within azure active directory cool so right now it is uh just that welcome message so i will make that a little bit smaller overall and then here there's not much to we're just detecting which version of uh edge we are running on i'll get to this config soon but and here to get who we are we have to talk to graph and this is just uh defining what the graph endpoint is and then what the scopes are that we're asking for and the scopes pretty much are saying what permissions do we want or what policies essentially so just user.read so we don't have to worry about that really yet we'll get there so what we're going to go through here then next is to start adding our uh our functions and our javascript functions and so i will do that copy paste them to a vs code from our learn modules doesn't do the inventing very well but the first one is uh just to update the user interface which does exactly that it just changes the login button from sign in to sign out and pops in a username so nothing really too fancy there in fact we don't do that until after we get something back there so the next one that we do though is this one's a little more interesting for us in that it's acquire inktober acquire token and get user great and you know what i'm going to just start entering all 
these in because it'll make more sense then so i can just talk through them all while we have them and so it explains the learn module they explain step by step what's going on and that's what i will do eventually but i like just having everything in here first so i can talk through it and we can just jump back and forth between the functions all right all right and that all right here we go so what happens here is on our sign in click of the button it's going to call sign in and then sign in is down here and so this msl application is from that library that i talked about that we imported before so it's where cam was showing you how how everything's done by hand before we're we're farming that out we're letting somebody else do that in this case the msl library and this login type pop-up versus login redirect that's all based off of which uh browser you're using um so really what we're gonna do is that we're gonna log in with the pop-up here and so if we are running let's just show it real quick where is it right here if we were running internet explorer we would do redirect but since we're going to be running an edge we're going to be doing a pop-up so right there all right so we sign in we're going to be doing a pop-up and so we're going to tell em cell show a pop-up screen with our graph config object which is up here the one i talked about before it gives me an endpoint and then what scopes i want to send over to it pass that over and then we handle the response when it comes back and so then handle response is right here it gets past that um a login response coming back from azure ad here all right so right there we sent it off we did login pop-up pops up they enter username password we essentially now have handed things off beyond our application we are letting em cell do it it's gonna display ascent really it's gonna display another web page that's being served from azure active directory at this point where we can log in and it's going to do its stuff 
including two-factor authentication if it needs to out of our control until this handle response comes back with a login response on it so if it's if it's not now we're going to get the account username is on it if it is now we're going to go through this is kind of specifics of what um emcell is all about how it goes through and you can get all the accounts because you could have more than one account on your um login at one time we won't worry necessarily how to uh do all that right now however just know that once active directory is done with it you get the handle response fact and then you can update your user interface and then we can do acquire and get token so the update user interface just shows the name gets that username variable and updates that and then acquire token and get user is when we call out to microsoft graph right here so again the request is our graph config object this time again request object and then what we're going to do is we're going to call the msl application get account by username that's our request account and then acquire token silent if we can do that let me bump this in this is our refresh access token do we already have it or do we have to ask for it and this by passing in this request object we're saying do we have the appropriate permissions for it that we want based off of that user.read that was in the scrap config before so very cool let's just call this get user from msgraph function if not we need to do a user interaction authentication again so it's like login type pop up the login and go through that whole whole thing again all right assuming we do have the access token we get it now we're just going to call off the mf's microsoft graph and pull back everything so we're just calling here we're sending a barrier token or setting the bearer uh authorization header the bearer as our um access token that we have so i hope that may i kind of breeze right through that essentially though authenticate m cell shows a a 
different web page outside of our application right that web page originates from azure ad azure ad comes back with a bunch of we've logged in successfully comes back with a bunch of information including an access token that lets us go get go and get additional information which in this case is from the microsoft graph and the microsoft graph information we're just going to be pulling down a bunch of information about ourselves from it so that's what's all going on identity first id token and second we get our access token and away we go all right but then we have to set up azure ad in order to let us do our thing we have to let azure ad model our application essentially how do we do that well there is a there's the hard way in the easy way the easy way is going to where's the website url right here aad.portal.azure.com it kind of brings you right into where you need to go otherwise you kind of would have to hunt through a bunch of different steps to get to this but this kind of brings you right to the admin center so you hit that and then you'd go to the azure ad and then there should be within here app registrations and so when you get there you can see all the apps that you have registered for yourself that you that you've registered your owned applications all applications would be across the entire microsoft tenant which you don't want to see because there's probably a lot of them so i'll hit new registration and we'll do let's learn friday and then we can say what account types we want to have log in so this is where i was getting at before whether it's uh just azure ad so just right here you need to have a microsoft account type to log in or maybe any organizational directory so this is where b2b kind of gets in this right here or or this third one down here accounts in any organizational directory including personal microsoft accounts so like skype or xbox or even if you had hotmail or if you just wanted it limited to personal microsoft accounts only we'll 
keep it at the first one all right and let's just register it right now let's learn friday so what we're doing within azure ad here we are creating an app to model what we just looked through in all the code great so now we're up here and we have a bunch of things here like called the application id an object id a directory and a tenant id cool we'll get back to them but just know that these these are important now we'll go to authentication and so here we are telling our application how we expect the clients our azure ad application how we expect clients to be talking to it in this case it'll be single page application and then a redirect uri so where because like i said before it's going to be opening up once we hit that m cell it's going to open up a web page it wants to now know where it should send information back to so here it's going to be http localhost 3007. like that and we that's all we have to enter for this one so i'll just configure it and that's all we have to do for this one we could do more um like make sure it sends back both axis and identity tokens i think we can get away with just setting it like this because i know we are getting close to time right now so i'll just run through and make sure i hit everything hello world identity yep yeah cool cool all right so the next thing then is to go over here my msl config i want to copy these things over so my first one is client id that client id comes from here it's the application client id so essentially what this is doing when i call azure active directory i have to pretty much say this is the application within it that i wanna that i want to talk to the next one is using this so let's actually highlight it but i can right click copy link and so this is saying the authority and so the authority essentially is like essentially the web address of who's going to be doing the authentication and it's going to be login.microsoft.online.com [Music] our tenant so the overall like if you had your like my 
old company codemail technologies they would have a different tenant id here and then finally for the um redirect uri again we're looking at localhost 3007. so it's just making sure we send information back to where we want it to go good we should be ready to run everything so let's give it let's give it a shot oh server.js all right let's give it a shot over here how about i do localhost 3007. all right i'm already logged in great let's try it now i think i already have one open and a private browser i'm not signed in yet private browser right sign in and now okay so before i briefs over it too quickly let's go back i was signed in already that's because emcell said you know what i'm going to go look for a token i see that you've already signed in in this web browser to this tenant before i'm going to grab it and use it right it's cool it no it's that smart it knows it for us this browser it doesn't have it yet so i do have to sign in pops up this window this window right here comes from login.microsoft online.com it's not from my app it's coming from active directory so i'm going to sign it hit next and all of a sudden this two factor off comes up so let me approve that and it's totally passwordless now we don't i don't have to enter my password i actually probably don't even know what it is because it's completely reliant on applications going through i'll trust the certificate and now it's asking for what permissions i want so these essentially are the um are the policies this is what it's going to want to do i have the consent saying yep that's cool i grant it those accept it and here we go so it says that it's i saw the confetti go up a perfect demo all right my name at microsoft.com and then it gives me all of this info as well so you're saying you know what matt why did it give you where's the it looks different here why why because i didn't hear i didn't there was no that consent wasn't granted here and it didn't pop up so yeah there we go and um cool 
that's the first demo right so we're getting close on time so i'm going to breeze right to the quick next demo let's see what else we had in the slides so i can talk oh account types so here we go real quickly single tenant apps like i kind of talked about before where we're just like picking the microsoft account great for line of business just you and everybody who works in your business can log in nobody else right so this one just anybody had a microsoft microsoft.com could log into that nobody else could multi-tenant though more can log in right so now we're giving trusted business partners can now log in they are much harder though to design for and get right because now you have to design all your optimization policies and such they're super easy to set up over on the aed side but now they're getting a little more difficult over on the on the code side to make things are all correct and everything like that so we won't that's really tough to get into so obviously we can't get all the way into it now but just know that it can be done but it's identity's tough it's really tough um applications and service principles okay we looked at setting up an application an azure ad right and so that models our application as a whole however you could set up a service principle for it as well so a service principle is like a specific representation of your overall application in a specific tenant okay and so and tenant is like microsoft.com or like codemilltechnologies.com it's this is where things get weird when you have multiple tenants or multiple uh tenant apps and you wanna have one app running on microsoft and one on a different one and how it's really hard to get things working correctly so yeah so anyways we looked at a cert we looked at an application setting that up getting that working in a single tenant but when you want to have other people log in and you want to have that application running in multiple tenants that's where service principles come in and we 
didn't get it touching in to manage identities which i know that was a question that came up before too managed identities kind of come into play here as well but yeah um think application is global it's a representation of your app and the service principle is the actual um the implementation of it all right so yes all right um here we go let's just go right into the next in the next demo then i'm going to create a new one and then close that so i have it at the ready and then the next demo has to deal with account types essentially setting this up for we we looked at the single tenant already that's what we already did but let's do it with instead of um with node let's do it.net and see how much quite honestly we had a lot of code here that we were writing but.net a lot of that's taken care of for us so i'm just going to open up a brand new vs code window here and then i am going to go to my backup one level and i'm going to make here ex2 all right all righty so what we're going to do here then is i'm going to just new up the code and then we'll go over to the web browser and do that so as cam was showing you we can set up a lot of the authentication already within uh.net and so to do that i'm just going to do a net new mvc application like so and i'm going to specify the auth to it so i'm going to say off single or and then let it do its thing all right so let's open it up in code now projects let's learn [Music] i'll make this super big and so what we get here is it is already scaffolded for me to start entering like my azure ad um stuff for me yeah let's download everything right away and so what it has like i have a login partial view for me and so it's like using azure identity or he's using the identity um stuff and if i look over here i'm using microsoft.identity.web and microsoft.identity.web.ui so everything is included for me so it kind of gives me this nice shortcut where i can start going right away and using um be up and running very quickly so let's 
get up and let's get running very quickly with it so let me rearrange my screen real quick and then we will just all right so what i'm going to do then is create so we have this app already up and running just let's learn friday and it's great it's what i exactly want i want it's it's the authentication single tenant and everything so the first thing that i'm gonna want to do is go into app settings and make sure i get everything right so i have to update the tenant id which is right down here like so get the client id out of it which is right there like that and the next is getting the actual domain name out of it and so the domain names is going to be like this like contoso.microsoft.com you you you know it when you set it up so once you set up when you go through and you eventually create your account azure account you know whenever that is you're going to know what your domain name is i can guess what the microsoft would they did that it's going to be microsoft.microsoft.com cool all right so i have the the basics the the metadata if you will all set up so next thing i need to do within this is make sure on my authentication section is that i have a new platform that i'm going to authenticate with which this is not a single page application it's just a regular application web app and so i want to enter my uh redirect url and so right here where do we have them it's going to be well i'm making it run on 3007 again but it's going to be if you can see it sign in oidc or it's also right here too sign in dash open id connect like i was mentioning before so let's https 3007 slash like so so this is my redirect url when i say hey i want to log in it's going to call this out for me and then i can have a log out reader url as well so i can log out of the application and that's going to be 3007 slash i'm pretty sure it's going to be sign out dash oibc better check to make sure sign in sign out dasho idc and i also want to make sure i get my id tokens because it's a 
little bit different flow um that i'm using here and i'm just going to make sure that we do 2007 just so we have everything covered great save it all right so all i did here is i have added a new type of configuration to use so we had single page before now i added a new one same application same overall application within azure active directory but it now i tweaked it a little bit more all right so i'll save this and i think i can go ahead and then change the properties make sure we run on 3007 and i'll just launch it up all right here we go all right again it knows who i was am because i was logged in msl took care of all that good stuff for me let's um try brand new i didn't restart my browser so i'll just sign out i want to sign out here all right so what's cool is it's taking care of all that for me it's it knows i'm signing out it did all that for me i didn't have to worry about it and still did all that i'll sign in again who am i i already remembered that i had been signed in with this account i don't want to forget it but i could if i wanted to this is not coming for me this is coming from azure ad approve 97 [Music] sure i'll stay signed in and here i am again and so now if i go back over to here it'll give me some information copy it that i can put into the uh [Music] the home view into the index i'll just save that and then changes get reflected automatically and i can see various claims as cam was saying before this is who i claim to be i claim to be mad soca with my email on it as well cool um so yeah so what we could do then is uh create a if i would try logging in and let's do it i know we're running over time we probably got cut off on one but we'll keep on going because i'm having fun right now let's see i want to sign out of here hang on a moment come on all right so i'll sign in but i'll use another account and we'll say it's a personal account so it'll say 70 i'll approve that one [Music] and i'll say whoops we're having trouble sending you in 
because i didn't set the app up to allow it within azure active directory cool right i think it's cool we could though we could go through here and when we set up a brand new one had we wanted to we could just go through new and then where's my app right here new registrations and then if i would hit this the second one down i didn't could have signed him with my other account great and so that was what the third exercise was going to be all about going about setting up a new one that way and actually there's there would be no changes at all within our code it all just work so it's all done and maintained up here nad so yeah that's it we did it like 40 minutes jam-packed of information that was amazing that was really jam-packed but oh my gosh that was super informative oh i learned so much just now um we did run a little bit over so i want to be quick with a few questions we are capturing it all in the recording uh on youtube and our docs pages so uh it will be available um but uh in the interest this time let's jump right into those questions um i'll bring cam back onto the stream uh just as an additional expert if cam's cool with that all right great so there we are and alrighty so i know there was a lot of talk about um 80 btc b2b stuff like that so i just want a couple couple quick questions on that um so does azure b2c use json web token behind the scenes yeah yep great so yeah you always get a jwt back from it um and that's when you when you saw like all those claims and everything that was like that was a jwt being pulled apart and displayed nicely so when you get the jwp back you can actually use something called jwt ms a website which does the pulling apart of everything it shows shows you things nicely so okay okay great so you can use it for that um so there were several questions around um w sorry jwt um like identity verse jwt uh using web apis um yeah which one would be better and when uh we also have another question around that um is that good 
enough to have like uh the api controller create the jwt so is there any sort of clarity you can give around that and also what uh for those of us who don't know what does jwt stand for um cam what does it stand for is it javascript java web token java javascript web token i'm sorry yeah it's uh looks like json um kevin do you know that last one like the x 509 certs and so so this gets into that whole area that is definitely one of the questions that comes up the most that i never have a good answer for to to be quite honest and that that is the the whole scenario with spas and web apis and and what do we do there um that unfortunately i'm a little out of my depth on that um so i i don't i don't want to go go you know just pulling answers out of the air and mislead people fair i'm sure we all appreciate that all right so we'll have to look into that a little bit more a couple other questions that we have um is so matt you just finished up showing that so how is that different from identity server four um i'm going to defer on this question or diemer because i can't speak to identity server four so i i can just a little bit um identity server um in in the whole flow of things identity server is a secure token service that you can implement on your own or i think they also offer a like a cloud uh implementation of it i could be wrong on that don't hold me to that um that that fits in the same spot as azure ad or b2c basically microsoft identity platform right so if it's in that same spot as a third-party um authentication service that you can use and it used to be that in the asp.net core uh web api templates um if you wanted authentication you click the little authentication box you got an implementation of identity server right next to the web api and um json web token say i was i was wrong i okay um anyway um so anyway usually that identity server you would get an implementation of it sitting right next to the web api now identity server is still open source but 
they've changed their licensing so that organizations above a certain level need to actually pay for it now so i'm honestly not really a hundred percent sure what that um what that does to the to the web api template and like if you turn on authentication and web api now i haven't gone down that rabbit hole um certainly this there's a lot of rabbit holes in off and and that's just one that i that i admit that i get a lot of questions about it but it's not one that i've dived down a lot okay well we appreciate your your knowledge and expertise on the subject regardless um okay so i'll just ask uh one more for each of you um cam so earlier you had mentioned creating roles and users do you ever rebuild and or port the old ui system for those users and roles you created um you know i i don't know it might be out there somewhere i haven't seen it i haven't had reason to to dig into it um i know who to ask um but unfortunately i i don't have them you know the ability to to pull them up like right this second um but i would so take a look at i could i will ask um the security expert for asp.net core who kind of owns that whole identity system um is a is a gentleman named barry uh barry dorens i will actually hit him up and um if if if there's anything to share there i will post it on my twitter oh well there we go john galloway answered for us thank you john our our man behind the curtain running production here for our event today thank you very much okay and and uh last question in the interest of time um i believe it was this one that i wanted to show and this one's for matt uh matt can we implement identity uh with a custom login page i think you touched on that yeah you can change um on yes quick answer is yes and there are a whole bunch of uh we didn't get into where you can customize the entire flow or the journey as i think they're being called now with the new identity platform of way folks run through the blog yeah and they can change the way everything looks 
and feels as as they run through it too including is where cam was getting into what information you collect as people sign up like if you're doing a b2c application so yes you can uh customize it to exactly what your company's branding and that's once that's also true that's true of microsoft identity platform but it's also true of the asp.net core identity framework right because you you so um that's that second big set exercise in that uh learn module that covered identity framework where we add the first name and last name we we show you how to customize the registration form to add first name and last name but you can replace that registration form with whatever you want as long as it still does the same stuff behind the scenes all right well thank you so much both of you that was absolutely amazing we really appreciate your time here spent dedicated to helping us all learn so much about authen identity thank you uh for those following along these are where you can find all of the resources for this event and more um thank you all for those who joined us live we really appreciate you spending two hours with us plus to learn all about this uh thank you so much we can't not wait to see you for our next event in july on blazer hybrid maui so looking forward to that and thank you again take care everyone [Music] [Music] you
Info
Channel: dotnet
Views: 33,463
Id: SFLG-gStXC0
Length: 130min 1sec (7801 seconds)
Published: Thu Jun 30 2022