New .NET 8 Authentication Features in ASP.NET Core

Captions
Welcome to the Raw Coding YouTube channel. My name is Anton, and today we're going to be taking a look at changes that are coming to ASP.NET Core in the .NET 8 update. David Fowler has been tweeting about them: we have some bearer stuff, we have some changes to Identity. The bottom line is, if you don't want to have a UI and you just want to have an API that is dealing out some kind of token to authenticate with, that is becoming a lot easier. Don't forget, if you're enjoying the content, leave a like and subscribe; if you have any questions, leave them in the comment section; don't forget to check out the description; follow me on Twitter; and let's go ahead and get started.

Here I have a very simple ASP.NET Core application. We are on version 8, and these packages are what I'm going to add a little bit later to demonstrate some new functionality. We have an index.html page, again just to demonstrate a couple of things, and then we have a Program.cs. If I ever do ASP.NET Core authentication videos, this is basically the minimal setup: we're adding authentication, we're adding the cookie schema, and then we work from there. We've got authorization, we know the middleware is added automatically, we get an endpoint to just see the user, we have a secret endpoint, and then we want to be able to log in. The application is running, so let's go ahead and check this out.

So this is how this usually works. I go ahead and log in, I take a look at the session, somewhere in the response we're gonna get a cookie, we know this cookie is getting stored in the browser, and now we can go ahead and access the secret endpoint. If I remove the cookie and we refresh the secret endpoint, you are gonna have to go and log in. And this is one of the most annoying things that currently happens if you're building an API and you have an authorized endpoint: you're going to get redirected to the login screen, even if you're using an HTTP client like the fetch API or something like that, where you're not necessarily navigating to a page, right? And the only way to disable that functionality is you need to be aware of some headers that you need to attach to your request. And how do you know about those headers? Well, you either decompile the source code or you need to take a look at the fine print in the documentation. So that's the situation that we're currently in.

What is actually changing? If we go ahead and duplicate AddCookie, we're just gonna comment this out, we're gonna take AddCookie and instead we will specify AddBearerToken. We're not going to change anything else. We're gonna restart our application, we're gonna come back, and first of all let's check out the experience where we just hit secret: you no longer get redirected, you get a 401, as you should, right? And then if we log in, you no longer get something in the response header, you just get a token in the response body, right? So we can see it here. I'm not sure why I'm showing it to you here, but let's go ahead and close that. So you got the access token, and now, for my demonstration purposes this is not very convenient, but I'm gonna go ahead and type out this fetch request to the secret endpoint. So secret, and then this configuration: headers, you gotta have an Authorization header, then you do Bearer token, slap this on here. I don't have the response there, but yeah, this request has gone through and we can see "secret". So you just attach the token as a bearer token to the Authorization header and you're authenticated.

And for people to not get the wrong idea, this token over here is not a JWT token; it's just your user session encrypted in a string, same as the cookie. The only difference between this and the cookie: the cookie is managed automatically by the browser and is attached automatically to the requests; here with the token, you're gonna have to do everything manually. The downside for using the token in the browser is that you're gonna have to use local storage, you can't use cookie storage, which is less secure, right? You're not going to be vulnerable to cross-site request forgery, but if your application is vulnerable to cross-site scripting, JavaScript will be able to lift your token and send it somewhere else. You can't do that with a cookie; cookies are actually a little bit more secure in the browser. So I would not recommend using this for the browser, even though this looks convenient. For native applications, where I don't really develop in that space, but I hear that their HTTP clients are all messed up, perhaps this is going to be the easier option.

Let's come back to the application and let's take a look at some additional changes which are coming around to making your API authentication just that little bit better. We're gonna add these packages in, and as you can see here from the Identity package, these changes are tied to the Identity framework in ASP.NET Core. So let's see what this looks like. First of all, let's go ahead and add a DbContext. I'm not going to be creating any of my own DbContexts; we're just going to use the default IdentityDbContext, and we're going to register it with the IdentityUser. For the options we have use in-memory database, and we'll just specify "db". Now, for when we're registering Identity, we're gonna add AddIdentityCore. The reason you want to add IdentityCore and not Identity... well, you can register Identity, and actually this would be a little bit cool to see. Let's say you have the current Identity setup; what is it going to look like, can you extend your current solution, right? So we AddIdentity, we have IdentityUser and IdentityRole, we AddEntityFrameworkStores, let's go ahead and copy the type. If you're watching my videos, you know that under the hood AddIdentity will add authentication with all the relevant schemas, and this Identity application schema is what's really going to be doing your authentication. Instead of registering your custom AddBearerToken, you get AddIdentityBearerToken, and then here you specify your user. It doesn't actually do anything with the user under the hood; all it's doing is registering your bearer token with the same configuration that you can specify on this call, right? This really is just the same one-liner that we have been specifying over here; all it's doing is adding this Bearer schema over here.

And now, instead of specifying our own authentication schema on this login endpoint, we would have to do this. I'm going to duplicate this endpoint, I'm going to say that one authentication endpoint is for cookies, and I'm gonna go into AddIdentity down here, where it's IdentityConstants.ApplicationScheme. So with this I'm essentially enabling authentication for both authentication with cookies and authentication with the bearer token when I'm using Identity. So this is how you can currently extend your Identity solution to allow bearer token authentication. The samples that David Fowler is showing on Twitter, he's using AddIdentityCore. If you look under the hood, it doesn't add any authentication schemas, so if you're rolling with AddIdentityCore you will need to add identity cookie for cookie authentication and AddIdentityBearerToken if you want to enable just the bearer token authentication. So we'll leave IdentityCore over there. We have Identity, we're hooking it up with the DbContext; we're not using it for too much, it's just that if we don't do this it's going to explode because we don't have a user store. We're not really using a user store at this point.

So the application is running. If we attempt to log in, we can still get a token, and we will be able to authenticate with that token. So let's just double check... and obviously I just lied, and this just has to do with, when we're registering AddIdentity, the default authentication schema is the cookie authentication schema. I'm not going to go through configuring the authorization and stuff like that to make this endpoint available for both authentication schemas; just know that currently that is the reason that it's breaking. If we then go to login with cookie, in the network tab, if we take a look at the login with cookie, there we get the cookie, and because this is the default authentication schema we're going to be able to reach secret. So this is kind of like the bare-bones solution where you can just extend your current solution to start dealing out bearer tokens, because what you're going to have is a SignInManager for your IdentityUser, and on here you're going to have something like SignInAsync, where you're gonna be able to pass authentication properties with the authentication schema, or the authentication method, which is also the authentication schema. So you get the user, you check the password, and then you use the SignInManager to sign in with the appropriate schema, and then the appropriate authentication token, whether it be a cookie or a bearer token, will be returned in the response. Alright, so that is how you can start dealing out this new shiny bearer token.

Now onto a little bit more of a controversial topic for myself, which is this "add API endpoints" call, and what this is going to give you is MapIdentityApi. Again, you pass the IdentityUser in here, and this allows you to just get rid of your login endpoints. What you get, after the application restarts... let's see, yeah, the current user is Anton, and that is because I have a cookie, so let's just quickly get rid of the cookie. You have a register endpoint, which is a POST endpoint, and I'm not going to be able to reach it unless I actually post something in the console, so let me just type out the request real quick. I'll make this a little bit bigger. Here's a fetch to the register endpoint; it's a POST, and I'm posting JSON, and it's a username of Anton and password, let's post "test". I'm gonna get a response. Internally this is going to use the IdentityDbContext that I have to create the user in the database, and how that happens we'll take a look at in just a second. The next thing is to log in. So here I have a login call; again, it's a POST, we're posting JSON, and it's a password. On the registration you don't get anything back, right? So if we take a look at the response, nothing is here. Let's go ahead and log in; that is successful. We're going to go to the network tab, the login request, and here we have the bearer token. You can use the API to actually deal out cookies, so you can say cookie mode true, and now if we take a look at the network call, the response to this, we don't have anything in the body, but if we take a look at the headers, the request headers, and I'm dealing with quite a little real estate here, but here is the cookie that represents your authentication session. So you can use your API to deal out tokens and you can use your API to deal out cookies.

Some of the questions that you may get is: how do I know that the register endpoint exists? How do I know that the login endpoint exists? How do I know about the cookie mode flag? Well, this is the part where I said this may be questionable. When I encountered this type of solution, it was when I was trying out Spring Boot, and that was very confusing, because you're essentially flying blind. It's cool if you went ahead and built those endpoints and you just know it, but when you don't see the code, when you don't see the model that you're posting, you kind of just have to trust that this is as much as you're posting, and you don't really see the boundaries, right? You don't understand what box you're in. So with ASP.NET Core this was actually really good: MapIdentity, how does it work? I opened it up, oh, here are the endpoints. So I know there is a register endpoint, I know there is a login endpoint, and there is actually a refresh endpoint too, to which I can post a refresh request. What is a refresh request? That just contains a refresh token. So this is how easy it is to find out what kind of endpoints you're registering and what they are actually doing.

The problem with this solution is, it is very good to basically just stand up basic authentication, and again this is not production; maybe they're gonna add more endpoints into here. But let's say you want your register endpoint to actually authenticate you, right? You don't want to get redirected to the login screen, you just want to sign in straight away. This is not doing it for you. What's the solution to enabling that kind of sign-in process? What do you do? Do you specify the options over here, or do you go to API endpoints and say, oh, I want my configuration, I want to sign in on register, you know, whatever, spell it true? Do you say some kind of other option, a new strategy for doing some kind of other flow, or then you're gonna have events that are, you know, whatever, supply a lambda? Do you really want that, where in here the method is, let's say, I don't know, 55 to 42... 10 lines of code, you're gonna have to learn about all of the if statements, all of the switches, essentially, event handlers, to configure them over here? Or you can learn about the framework and write the 10 lines of code yourself and have the power to customize it as you want. Again, maybe the point for this is to just get up and running as fast as possible, but these endpoints are something that you can write yourself today.

And this refresh endpoint is particularly interesting. When I was looking at the AddBearerToken solution at the beginning, when we had this enabled, because I opened it up, I was like, alright, in the response we get a token and a refresh token; how do we use the refresh token, right? Is this going to do the same thing that AddOAuth is doing with the callback endpoint? If you watch my videos you know, in AddOAuth, if we open it up and we take a look at the OAuth handler, on the remote authentication handler, the class that it inherits from, there is actually a "should handle request" function which checks if the callback path equals the request path, right? So there is a background check which checks if the request is some kind of request that you should intercept, and if it is one, it goes ahead and handles it. So when I was opening up the AddBearerToken authentication in here, when I took a look at what this inherits from, which is essentially almost the same as the cookie authentication handler, I was surprised to see that it doesn't handle the token; it doesn't have that route redirection or handling of the route that I was expecting to see there from how the AddOAuth solution looks. But it's not there. So if you just AddBearerToken, you're not going to be able to use the refresh token; the refresh token will only be able to be used over here.

Another limitation that we see with the map API endpoints is that it's using FromBody for both registration and login endpoints. If you want to post a form, which is maybe not even really a problem, because you can import the Razor Pages package with the controllers and stuff like that, right? If you're still posting login and registration forms, just know you're not going to be able to do this, right? So it may or may not be a problem for you, and perhaps this is not designed for that kind of functionality. And speaking of limitations, limitations is all that you're going to find, because currently this solution is not really configurable, and it allows you to do just what is written in here: create a user, and then sign in as a user and get back a token or a cookie. Perhaps that is all that you're ever going to need, and your code will be one line instead of a couple of lines. Chances are you're going to want to add external authentication; depending what industry you're working in, perhaps audit logs, etc.

My opinion for these kinds of things is it should belong in a library. Let me actually come full screen for this rant. Kind of like the same as the C# programming language is getting bloated with features. They're not really... well, they are adding some new stuff, but generally, for the general population, shorter syntax, just more ways to write the same thing, maybe a little bit more succinctly. You get the picture: nothing really new, but we're getting more and more features; the language is getting bloated. With the framework, I really believe this sort of stuff needs to be a library. I have a solid base; the Identity framework has so many tools, password hashers; people just don't know about it, just because they've been taught in the documentation to use the cookie-cutter solution of the Identity framework: add the service, add these endpoints, or heck, even just download this Razor library, where you are forced into using jQuery, Bootstrap, whatnot. Hopefully my stance on this is clear. I don't dislike the feature; I think it's alright. It's a 20% feature that covers 80% of the use cases, as long as it gets the balance. Currently I don't think it does that, but more endpoints need to be added there, and perhaps some minimal configuration where you can control things like, can I sign in on register? And this is going to be a balancing act; I hope Microsoft gets it right. My personal view is this sort of thing should be a package, and really Microsoft and the ASP.NET Core team should be promoting the underlying tools that they've used to build this sort of service. Because, again, well, let's actually take a look at this. If we open up MapIdentity and we take a look at the login endpoint, the endpoint is surfacing IUserClaimsPrincipalFactory; 99% of ASP.NET Core programmers don't even know what the service is, how it got in there, and that it actually exists. So this could be very good to explore the code or get an idea for how to build your own solution, but if you're not teaching these underlying tools, the developers are going to be right back at square one for figuring out, well, I have this use case that I gotta cover, the MapIdentityApi endpoint isn't helping me, what do I do? You would search YouTube for ASP.NET Core authentication and you would find my channel.

So if you would like more ASP.NET Core content and authentication content, go ahead and subscribe. If you have any questions, make sure to leave them in the comment section. Don't forget to check out the description; I have a C# course that is out, and if you would like to know C# as I do, I highly recommend you take a look at it. A very big and special thank you goes out to all of my Patreon supporters; you help me make these videos. If you would like the source code for this video, as well as my other videos, come support me on Patreon. As always, thank you for watching and have a good day.
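The cookie-versus-bearer-token setup the video walks through, written out as an added example that is not the video's own code (Raw Coding's source is on Patreon, per the transcript). It is a .NET 8 minimal API `Program.cs` that registers both the cookie scheme and the new `AddBearerToken` scheme from the `Microsoft.AspNetCore.Authentication.BearerToken` namespace. The `/login` endpoint, its `?scheme=cookie` switch, the `LoginRequest` record and the `CheckCredentials` stub are constructed for this example (a real app would check the password with Identity's `SignInManager`, as the video describes). It also fills in the two pieces the video leaves aside: making the cookie scheme answer API calls with 401/403 instead of the login redirect, and an endpoint policy that accepts either scheme so `/secret` works after both kinds of login.

```csharp
// Added example, not the video's code. .NET 8 minimal API: cookie and bearer-token
// schemes side by side. Assumes the Microsoft.NET.Sdk.Web implicit usings.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.BearerToken;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);

// BearerToken is the default scheme: an anonymous call to an authorized endpoint
// is challenged with a plain 401, never a redirect to a login page.
builder.Services.AddAuthentication(BearerTokenDefaults.AuthenticationScheme)
    .AddBearerToken(options =>
    {
        // The access token is a data-protected ticket, not a JWT (same idea as the
        // cookie payload). Keep it short-lived; the refresh token lives longer.
        options.BearerTokenExpiration = TimeSpan.FromMinutes(15);
        options.RefreshTokenExpiration = TimeSpan.FromDays(7);
    })
    .AddCookie(CookieAuthenticationDefaults.AuthenticationScheme, options =>
    {
        // Cookie hardening: not readable from script, HTTPS only, no cross-site sends.
        options.Cookie.HttpOnly = true;
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        options.Cookie.SameSite = SameSiteMode.Strict;
        // For an API, replace the login/access-denied redirects with status codes,
        // so fetch() callers are not sent to an HTML login page.
        options.Events.OnRedirectToLogin = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return Task.CompletedTask;
        };
        options.Events.OnRedirectToAccessDenied = ctx =>
        {
            ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
            return Task.CompletedTask;
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();

// Constructed stand-in for a real credential check (hypothetical values).
static bool CheckCredentials(string username, string password) =>
    username == "anton" && password == "test";

// Hypothetical login endpoint: POST /login?scheme=cookie sets the auth cookie;
// POST /login returns { accessToken, expiresIn, refreshToken } in the body.
app.MapPost("/login", (LoginRequest req, string? scheme) =>
{
    if (!CheckCredentials(req.Username, req.Password))
        return Results.Unauthorized();

    var schemeName = scheme == "cookie"
        ? CookieAuthenticationDefaults.AuthenticationScheme
        : BearerTokenDefaults.AuthenticationScheme;

    var identity = new ClaimsIdentity(
        new[] { new Claim(ClaimTypes.Name, req.Username) },
        schemeName);

    // SignIn hands the principal to the named scheme's handler, which decides
    // whether the response carries a Set-Cookie header or a token body.
    return Results.SignIn(new ClaimsPrincipal(identity), authenticationScheme: schemeName);
});

// Accept a login from either scheme on this endpoint. With only the default policy,
// a cookie login would be ignored here because BearerToken is the default scheme.
app.MapGet("/secret", (ClaimsPrincipal user) => $"secret for {user.Identity?.Name}")
   .RequireAuthorization(policy => policy
       .AddAuthenticationSchemes(
           BearerTokenDefaults.AuthenticationScheme,
           CookieAuthenticationDefaults.AuthenticationScheme)
       .RequireAuthenticatedUser());

app.Run();

// Constructed request model for the hypothetical /login endpoint.
record LoginRequest(string Username, string Password);
```

A browser client calls the bearer flow with `fetch("/secret", { headers: { Authorization: "Bearer " + accessToken } })`, exactly as the video does from the console; the cookie flow needs no client code at all beyond the login. The trade-off from the transcript stands: the bearer token has to be stored and attached by script, so a cross-site scripting bug can read it, while the `HttpOnly` cookie cannot be read by script but must be protected against cross-site request forgery (here with `SameSite=Strict`). As the video notes, `AddBearerToken` alone does not expose a refresh endpoint; the `refreshToken` in the response is only consumable through the `/refresh` endpoint that `MapIdentityApi` registers.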
Info
Channel: Raw Coding
Views: 7,411
Keywords: .net 8, asp.net core, new, authentication, token, bearer token authentication, minimal api
Id: XBV1gZNF_S8
Length: 19min 26sec (1166 seconds)
Published: Sun Jul 16 2023