Brilliant! Thank you so much, Corey. Amazing as always. It would be really nice to see more about Access Control using MVC and C#. Security is super important, but also one of the biggest error zones where developers (especially new developers) make mistakes, often costly ones. In these times where there are hackers, trolls and ghouls all over the place, educating people on security and how to make it easy, but good, is relevant. Thanks, Martin.
Sounds almost like we should have a new start to finish course that is more MVC-focused from the beginning so we can see how to implement this stuff in the real world. ;-)
Hi Tim. Thank you very much for the videos that you provide - I've already watched a bunch of them, and found that they help me a lot. Just recently I read the book "Patterns of enterprise application architecture" by Martin Fowler, and figured that you haven't covered much of those patterns as is - other than, of course, general architectural principles that developers should adhere to, i.e. SOLID and DRY. When I read the book, a bunch of these patterns were sort of abstract. I understood the general ideas, but personally it would be extremely helpful to see a seasoned .net developer like you show them in a practical setting, and give your personal opinion on the most common ones. Additionally, now when we talk about patterns... When I see this video, I can't help thinking how to implement this "out of the box" user authentication system in a common 3-layer application, where we don't use a local database but rather one on a server. How would you implement it in your business logic? Would you even do that?
I will be covering more patterns and practices, although a lot of them are much more specialized. As for using this authentication on a remote server, you would just point your connection string to that remote database. I'm not a fan of how tied it is to the UI but that's a personal preference.
Hi Tim. Thanks for great video. I wish I'd seen this a long time ago. I've read numerous tutorials but you've made a seemingly complicated subject a lot easier to understand, this video was perfect for me as a starting point for further study into the subject. Thanks again. :)
Gone are the days where one could download a shareware copy of Hotdog HTML editor and publish a site with having just a few files. (Which IMO, is a good thing. I feel the internet became convoluted with junk because people could just keep adding trash to the pile not having any technical skill or understanding what's going on under the hood.) Great video!
Thank you for the video! I didn't know they made Authorization/Identity stuff so easy! If possible, I'd love to see an expansion where you talk about requiring authorization for Web API. Show how someone that wants to use my API for their own applications can authorize themselves for access.
"leaving authentication to Microsoft" can also mean leaving it to your local active directory, not only to Microsoft online services such as azure. However, you may still build your own AUTHORISATION system if you don't want to create AD Groups for everything. Tim, as always, correct me if you shouldn't build that on your own either :)
I'm loving this ASP.NET series. Thank you. Request: If you decide to make a lesson about EF, can you do a database first approach? Using Stored Procedures in EF would be nice also. Again Thank you.
I doubt I'll be doing an EF video any time soon since I'm really not a fan of EF (check out my video on connecting C# to SQL) but I'll keep it in mind.
Thank you for good video and for redirecting me here. Once again I have found less information than I expected but presented in great way. You showed here how to use these generated things but I am a bit afraid of using something I don't understand. Manage controller has almost 400 rows, there are also some models that you didn't even open here. I understand that in this video with your speed it wouldn't be too good to speak about it because it would be too long, but I would really be glad if you could make 2nd part of this with more details. The most important thing for me right now is how to work with outside database. I'm not sure how to link my database in Web.config. I have found how to add my outside database to SQL Server Object Explorer and how to find its Connection string but even for the default database connection string here is different than the one used in Web.config and only first part (Data Source) is the same. I'm interested in this topic and will wait for more about it. Also I will subscribe you to not miss it.
I have two videos that might help you. First, I have a Connection Strings video that gives you a good overview of how to set up a connection string and where to find what yours is. Second, I have a video on Connecting C# to SQL. That will show you how to configure your web.config/app.config file so that you can connect to an external database. As for showing more details about the authentication side, I will be doing that in future videos, although I'm not sure I'll ever go line by line. Some of this is EF Code First and I really don't want to get into that whole issue. As far as setting up your own database to do the authentication, if you point your connection string to the right database, the first time the app runs it will set up the proper tables. I would recommend that you not mix databases though. Keep a separate database for your authentication vs. your other data. It is much easier to secure that way. You can still have them on the same server though.
Sorry for the multiple questions, but I have some gaps I can't fill. I've always built my sql tables on a server first, then coded my application, so I am apprehensive about building on localdb...every tutorial regarding identity I have come across starts with tables on localdb and assumes we magically know how to move it to production at some future point. My process before (I have never implemented authentication) has always been to first get database on a real server, build tables there, go back to my app, set up helpers, a dataaccess class and connection string, build model, build controller, build views...in that order. If I miss something I go back to sql build the table, then go back to the app, rinse and repeat. Now, I am thinking of starting a new db on azure and want to implement identity. If I were to follow this method of implementing identity locally first, what do I need to do to get all my tables (including the other ones I add to the db) in the server instead of localdb, assuming I coded the whole thing locally first instead as in the demo. Is it possible to change the connection string before installing the owin nuget package and running the package in order to sidestep all that so I can continue working the way I have before (ie the table structure for identity stuff would just be created in the production server instead of localdb)? Or is there some easy button for moving that all into a production server after you have coded your entire project locally?
It does! Thanks much! I also appreciate the clear and distinct instructions your videos usually include. I do a lot of research and find your videos the easiest to understand, the most comprehensive, and have led to a lot more ah-ha moments for me. I think I would still be scratching my head on a lot of ideas if it weren't for your channel.
Great series of videos. One thing I like to do is put my Authorize attributes in a base controller and inherit from it so that I am not having to put Authorize everywhere, and I don't run the risk of forgetting to put Authorize on some controllers. Some might argue that I could also forget to inherit from the base controller, but in my case, the base controller does a few other things that are essential to my app, so I wouldn't get very far without inheriting from the base controller.
Good tip. Then, if you need to have something not protected, you add the AllowAnonymous tag instead. Essentially, your application is secure by default. I like it. Thanks for sharing.
Nicely explained... Please make a video on other functionalities of identity, e.g email verification before login, reset password, forgot password, Two-Factor Auth. Thanks a lot for providing such great contents.
Hello Tim Corey, I would like to suggest that you create a complete website or system using asp.net mvc just like the retail manager. That would really help us, me especially, to learn a lot from you. Thank you very much.
Great video. One thing to add - if you stack the Authorize declarations on a function/controller you can require the user to have all of the roles specified (AND), rather than just one OR more of them. There's an example here: docs.microsoft.com/en-us/aspnet/core/security/authorization/roles
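The base-controller pattern and the stacked-[Authorize] rule from the comments above can be checked mechanically. The following is an added example, not code from the video or from any commenter: it targets ASP.NET MVC 5 (System.Web.Mvc), and the controller names, role names and the AuthorizationAudit helper are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Secure by default: everything that inherits from this requires a login.
[Authorize]
public abstract class SecureController : Controller { }

public class HomeController : SecureController
{
    [AllowAnonymous]                        // explicit opt-out for a public page
    public ActionResult Index() { return Content("public"); }

    public ActionResult Dashboard() { return Content("any signed-in user"); }
}

[Authorize(Roles = "Admin,Manager")]        // one attribute: Admin OR Manager
public class ReportsController : SecureController
{
    public ActionResult Index() { return Content("reports"); }

    [Authorize(Roles = "Auditor")]          // stacked: (Admin OR Manager) AND Auditor
    public ActionResult Export() { return Content("export"); }
}

// The mistake the audit should catch: this one forgot to inherit SecureController.
public class LegacyController : Controller
{
    public ActionResult Index() { return Content("no login required"); }
}

public static class AuthorizationAudit
{
    // One line per action describing the policy the attributes add up to.
    // Limits: a filter registered globally (GlobalFilters.Filters) and the
    // Users property of [Authorize] are not visible to this attribute scan.
    public static IEnumerable<string> Describe(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance)
                .Where(m => !m.IsSpecialName
                         // skip members declared on Controller, ControllerBase and object
                         && !m.DeclaringType.IsAssignableFrom(typeof(Controller))
                         && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
                yield return controller.Name + "." + action.Name + ": " + Policy(controller, action);
        }
    }

    // The lines a unit test would assert to be empty.
    public static List<string> FindGaps(Assembly assembly)
    {
        return Describe(assembly).Where(line => line.Contains("UNPROTECTED")).ToList();
    }

    private static string Policy(Type controller, MethodInfo action)
    {
        // MVC skips authorization when either level carries [AllowAnonymous].
        if (controller.IsDefined(typeof(AllowAnonymousAttribute), true) ||
            action.IsDefined(typeof(AllowAnonymousAttribute), true))
            return "ANONYMOUS (explicit)";

        // inherit: true also returns [Authorize] placed on a base controller.
        var filters = controller.GetCustomAttributes<AuthorizeAttribute>(true)
            .Concat(action.GetCustomAttributes<AuthorizeAttribute>(true))
            .ToList();
        if (filters.Count == 0)
            return "UNPROTECTED (no [Authorize] on the class, its bases or the action)";

        // Every attribute must pass (AND); roles inside one attribute are alternatives (OR).
        var roleSets = filters
            .Where(f => !string.IsNullOrWhiteSpace(f.Roles))
            .Select(f => "(" + string.Join(" OR ", f.Roles.Split(',').Select(r => r.Trim())) + ")")
            .ToList();
        return roleSets.Count == 0 ? "any authenticated user" : string.Join(" AND ", roleSets);
    }
}
```

Calling `AuthorizationAudit.FindGaps(typeof(HomeController).Assembly)` from a unit test and asserting that the list is empty turns a forgotten base class into a build failure.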
Please can you provide a short video regarding adding authentication and authorization to an application created previously? When I do so, it doesn't work. Thanks.
Hey Tim... I can't thank you enough for this awesome stuff.. I'm using some of them in my teachings at university :D Will you be doing anything soon on Xamarin??
Hi Tim, thanks for the wonderful tutorial! I am new to authorization and a bit confused as to use third party tools like Auth0, IdentityServer5, Okta vs the Identity Framework provided by Microsoft. Is the Microsoft Identity really that insecure as people on the internet say? All the third party auth tools are black box and have not so good documentation, whereas identity is easy to setup.
Hi Tim, thanks for this video; however, I am just curious to know how [Authorize] works behind the scenes. How does it get to know the user details and token and authorize the user? It would really be helpful if you could provide me any pointers.
This is very helpful. Can you please create a video for allowing users to register using localdb but requires admin approval before they can start logging in? Thanks!
Hi Tim, this is great. Would love to see an example of impersonation following on from this video. i.e. login as an admin (with admin roles) and then impersonate a user already registered in the system to see their data. Or indeed any pointers on which classes etc. to read around to do this.
Excellent video and very timely for me. I do have a question. You mention that the local database is not the preferred storage for account data. What is involved in moving to a MySQL database for the account storage information rather than the local SQL database?
It would be easier to just move your SQL database to a "full" SQL Server (or Azure SQL) but here are instructions on using MySQL: docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/aspnet-identity-using-mysql-storage-with-an-entityframework-mysql-provider
I don't have any exam-focused content but anything I've done with MVC will help. I do have an add-on course that uses ASP.NET MVC at www.iamtimcorey.com that might help you out. It is an add-on to the main C# Application from Start to Finish course, though, so the add-on only covers MVC, not the business logic or data access since they are already covered in the previous course.
Hey Tim, I saw a couple of your videos and you are doing an awesome job. However, I'm just curious: you said in this video you are not a big fan of entity framework. So what do you suggest as an alternative?
I suggest Dapper. Much easier to use, much simpler, and it does not interfere with good database design. You can see more about it in my video here: th-cam.com/video/Et2khGnrIqc/w-d-xo.html
Hi Tim! Love your tuts. Will you ever do something about Auth, without Microsoft Identity Framework? I would love to build my auth without any pre-scaffolded code. Thanks!
Ugh I spent 2 hours searching and replacing my callback Url but I just can't get it right. I keep getting the 403 Error. ***EDIT: fixed it by adding: localhost:44388/signin-twitter Amazing content as always Tim, Thank you!
Hello Tim. Great work there! Questions: (1) Is it possible to change the database name? How do we do it? (2) How do we create ASP.NET Identity database in SQL Server? Thanks
Good question. To change the database name, just change the connection string. If it is a LocalDB, it will create that new database. If it is a SQL database, it will look for that new database but crash if it does not exist yet. As for creating the ASP.NET Identity database in SQL Server, the easiest way is to create an empty database in SQL and point the connection string in C# to it. Then run the application and try to register an account. It will see that the tables do not exist and it will create them.
Trying to follow this with the new project template in Visual Studio 2019 and the Register and Login pages blow up with a Null Ref Exception on the model straight outta the box!
Thank you Tim: A couple of questions. Is it possible to capture additional user data in the EF authentication process such as first name, last name, employee ID number, etc? (Would it be easy / possible to modify parts of the system to hold additional data for example such as the items mentioned above? If I understand this correctly, we are fine to develop this using the local SQL server and then when it is ready to be deployed, one can just say change the connection string to point to a SQL Azure database (for example) and the local database will be recreated in the cloud? Finally, if you want to manage the creation of the user accounts and not let people just come to the site and Register, could you create part of your app that would allow an admin user to create new accounts? (i.e. I get the feeling that you strongly recommend using this authentication system as opposed to building your own and storing the username and password data in a database. Thank you so much for your time and all of the videos that you do, they are wonderful!
Excellent video Tim, but I have query, all this stuff is inbuilt projects code provided by Microsoft. What if I want to use my own tables like Users, Roles etc. What kind of changes need to be done? e.g. In a code you have shown Authorize(Role=Admin) what if I want to use my own roles from my own role table? Do I have to create my own Authorize attribute for the same?
Thank you so much. I feel I learned so much, and I even fixed a few things on my website based on what you covered here. I was under Bootstrap 4, and was wondering how to change the button look. It was so small. I read the OAuth RFC a number of times, and like you said it does a lot. I am trying to map the functional components between the RFC and the video. Twitter would be the authentication server, the client and the user agent would be our application I guess. The RFC was talking about one scenario where the client asks the user to authenticate with the server so then the client can get some services from yet another server. Is it possible to create a tutorial for something like this please? I definitely followed what you covered here, and it helped me a lot with understanding of the RFC, but I want to be sure. I know understanding the RFC is job of pros, but I got to try. I also tried to refactor my existing ASP.NET project to enable OAuth and could not find a way yet. I wonder if that is possible or I should just start from the beginning.
It's really good explanation, I like when you showed the Role based authentication as well. Do you have a complex tutorial how I can implement with all Identity Register and Login , Forgot and Reset password and =>/ Facebook, Gmail etc / to an existing website with publishing too!?
Interesting I find the Role-Management. I have to do some research, if you always need to specify the Roles by a String "User, Admin". It would be much easier, if it could be done with the UserID, because then you can easier group them, like saying Access to RoleID > 2... But I guess that is also possible somehow. Anyway, thanks for the very clear tutorial.
You can assign permissions to a user, not just to a role, but that is too specific and hard-coded to be very useful. You can't apply conditional logic to the role decorators (without dropping the check into the code), so >2 wouldn't really work well.
Hi Tim, great video. I am working on setting up external login with ASP.NET Core 2.2 without using identity. Do you remember if you have made a video for that before? Thanks
@@IAmTimCorey Thanks for your attention Tim. I'd be so thankful to you if you take your time to pick up on it. I have really had a hard time understanding how this middleware and its properties behave after each request.
Hi Tim, I tried entering Authorization as you did by editing the database, but I am not able to get access for specific roles even after repeating the same procedure. Access Denied page is popping.
Not sure what you mean. I use Dapper with SQL, I use MongoDB, I use CosmosDB, I use Redis - basically, I use whatever database solution is best for the situation.
Hi Tim, this is a really great video! Thanks for that. Quick question: I've followed your steps, using local authentication only. If I run my VS project, register and/or login, stop the VS project and then run it again, then I am still logged in. I need to run some code just after successful authentication. Clearly this shouldn't be done in public async Task Login(LoginViewModel model, string returnUrl) since this only runs when the user clicks on the Login button. Where should post authentication code be run? Thanks again for your work, helps tremendously!
Good question. You might find success running it on the homepage, since the user will hit that first (check if they are authenticated). The only problem is if the user is not logged in and attempts to go to a secured page. When they log in, it will direct them to the page they attempted to go to instead of the homepage. So if you can do it in two places, the homepage and the login would be the two places to do it.
Is there any video or article explaining every step of the logging process such as register, change password , log out for identity authentication in MVC 5?
Hey Tim! Thank you for the great video. I really appreciate the explanation as most people do not explain in such tutorials. However, just my personal opinion - I feel like while it is great to re-iterate on a point a few times to place a strong emphasis on a concept, you tend to repeat yourself a little too often. I believe most users would appreciate it if you repeat just once or twice less than you already did to make the video more concise! I hope this feedback is useful to you and thank you once again!
I appreciate the kind feedback. I do work on the balance of repetition. I want to repeat for emphasis enough to show the importance and give clarity but not enough to be annoying. I also try to come at the same point from multiple directions for added clarity. I know I don't always get it right but I'm working on it.
Hello Tim, thanks for the video! Could you please advise how can I configure the default user role to be assigned for new users automatically after registration?
Hi Tim - I noticed the scaffolding code produces a lot of excess code which a developer may not use. Is there a way of modifying this, like deleting excess code, changing table names, adding extra columns etc. to make it more specific to a business case?
Tim, would it be possible to use Dapper to connect to SQL Azure in this scenario? I assume it would be possible, just wondering if it would be a good way to go. Any Dapper related videos planned?
Yes, Dapper can connect to SQL Azure. You just need to change the connection string. Everything else is the same compared to on-premises SQL. As for more Dapper videos, yep, they are coming.
Also to say: If you store the password in a database, always HASH it (like SHA), never just ENCRYPT it (like, say, with AES). There is a BIG difference. There is a difference if an administrator is able to RESET your password, or if he is able to SEE it. He should NEVER be able to see it. If it's just encrypted, and he knows the key, he can read it. If it's hashed, no chance for anybody.
@@IAmTimCorey You're right. I have to correct myself: Hashing is not enough. You need to "salt" it as well. I watched a video "How to not store passwords". After that, I knew more.
This is the same still for .NET Framework. For .NET Core (.NET), things have changed a little bit. The TimCo Retail Manager course covers those changes.
Sir, please make a video for Identity in ASP.NET Core. I spent a lot of time trying to tweak identity in ASP.NET Core, and since you can't access the controllers for identity in asp core, I ended up implementing the controllers again myself so I'd be able to customize identity. If there's an easier way, please make a video and explain it. I love your channel and thanks for making C# easy to understand and learn for us.
Hi Tim, awesome video as usual. I've learned a huge deal from you in my steps to become a software dev, already working on my own project now. In this one, however, I have a problem and I can't get the Twitter login to work no matter what. I have added the code and even found some other Digicert keys, as in some forums they were saying the ones in this video have expired, but still I can't get it to work, getting always the same error with the secure connection. Any ideas? Have they changed anything? Is there a place to find the current keys?
I am not sure what you are referring to. Do you mean having WPF authenticate against this provider? Because that is what the WPF app in the TimCo Retail Manager system does.
Hey Tim. Thanks for another fantastic tutorial. What if I wanted to use my own sign up form and database configuration, kinda like the one you created in your other MVC database access tutorial, but also implement a social authorization such as Facebook or Google? What would be the best way to achieve this?
The password hashing part at 27:57 - It doesn't appear as if the passwords are being salted prior to hash, do you reckon this would be easy enough to implement? For instance, adding in a "salt" column in the Users table and when a user registers, a cryptographically secure RNG value is created for that user which is then stored within the new column. The trick would be finding where, in the C# backend code, the passwords are being hashed.
You could do that. My big thing is that when I start messing with authentication code, I have the potential to make it worse. This has been tested by Microsoft and a LOT of other companies. My custom changes have not. I get concerned when we start talking about overriding parts, since that means I really need to know the system intimately in order to ensure I do it right.
@@IAmTimCorey Ah that's a really good point, if I were to implement a salting system, I'd need to conduct some really thorough testing to make sure I wasn't making the system insecure. I'm just really worried about rainbow table attacks against an application I'm developing. Many thanks for the reply!
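On the salting question in the thread above: assuming the project uses the default PasswordHasher of ASP.NET Identity 2.x (the version behind the .NET Framework MVC template), the PasswordHash column holds Base64 of a 0x00 version byte, a 16-byte random salt and a 32-byte PBKDF2 (HMAC-SHA1, 1000 iterations) subkey, so the salt travels inside the stored string rather than in its own column. The following added example (not Microsoft's code and not from the video; the class and method names are made up here) re-implements that layout to split a stored value into its parts and verify a password against it.

```csharp
using System;
using System.Security.Cryptography;

public static class IdentityV2HashFormat
{
    private const int SaltSize = 16;      // 128-bit salt
    private const int SubkeySize = 32;    // 256-bit derived key
    private const int Iterations = 1000;  // fixed by this format version

    // Produces a value in the same layout: 0x00 | salt | subkey, Base64-encoded.
    public static string Hash(string password)
    {
        // This constructor generates a fresh random salt of the requested size.
        using (var kdf = new Rfc2898DeriveBytes(password, SaltSize, Iterations))
        {
            var output = new byte[1 + SaltSize + SubkeySize];   // output[0] stays 0x00
            Buffer.BlockCopy(kdf.Salt, 0, output, 1, SaltSize);
            Buffer.BlockCopy(kdf.GetBytes(SubkeySize), 0, output, 1 + SaltSize, SubkeySize);
            return Convert.ToBase64String(output);
        }
    }

    // Splits a stored value into salt and subkey; false if it is not in this layout.
    public static bool TryParse(string stored, out byte[] salt, out byte[] subkey)
    {
        salt = null;
        subkey = null;
        byte[] raw;
        try { raw = Convert.FromBase64String(stored ?? string.Empty); }
        catch (FormatException) { return false; }

        if (raw.Length != 1 + SaltSize + SubkeySize || raw[0] != 0x00)
            return false;

        salt = new byte[SaltSize];
        subkey = new byte[SubkeySize];
        Buffer.BlockCopy(raw, 1, salt, 0, SaltSize);
        Buffer.BlockCopy(raw, 1 + SaltSize, subkey, 0, SubkeySize);
        return true;
    }

    // Re-derives the subkey from the candidate password and the embedded salt.
    public static bool Verify(string stored, string candidate)
    {
        byte[] salt, expected;
        if (candidate == null || !TryParse(stored, out salt, out expected))
            return false;

        using (var kdf = new Rfc2898DeriveBytes(candidate, salt, Iterations))
            return FixedTimeEquals(expected, kdf.GetBytes(SubkeySize));
    }

    // Comparison that does not stop at the first differing byte.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample: the same password hashed twice.
        string first = Hash("correct horse battery staple");
        string second = Hash("correct horse battery staple");

        byte[] saltA, saltB, ignored;
        TryParse(first, out saltA, out ignored);
        TryParse(second, out saltB, out ignored);

        Console.WriteLine("stored values equal: " + (first == second));
        Console.WriteLine("salt of first:       " + BitConverter.ToString(saltA));
        Console.WriteLine("salt of second:      " + BitConverter.ToString(saltB));
        Console.WriteLine("right password:      " + Verify(first, "correct horse battery staple"));
        Console.WriteLine("wrong password:      " + Verify(first, "Tr0ub4dor&3"));
    }
}
```

Because every account gets its own random salt, two users with the same password end up with different stored values, which is the property that defeats a precomputed table.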
Again, Excellent video, thanks - I was going to ask about roles (e.g. Gold, Silver, Bronze membership) but you covered this at the end. :) Quick question on the Twitter App ID/Secret keys - I know you covered them up, which is good - but if you delete the app from twitter after creating the video, would these ID/Keys be valid still ? If not, then does it really matter to blur them out ? - No I'm not after your information, just curious on how secure it would be... unless you forgot to remove the app from twitter of course.
In theory they should be fine. In practice, it might tell you more about my account than I would prefer. I decided to err on the side of caution. I could also request that they be reset and I wouldn't even have to delete my app for them to be invalid. It was just the abundance of caution.
OK, thanks for that - I wasn't sure as I don't even have a twitter or facebook account. On the Roles, you assigned the roles to the users manually by editing the database; I take it there is a function to do this in the code? Could you do a quick video on how we would assign roles to users when they (a) create an account, (b) pay for a better membership (gold, silver, bronze roles)?
Well, the unfortunate part is that some "teachers" tell users that if they see a lot of plug-ins, etc. then something is wrong and they need to stop doing that. It is an over-correction for users who get a plug-in for everything instead of writing any code. The key is context. If you have that many plug-ins because you forgot to code, yes, try to remove them and start over. However, if you have no plug-ins and try to do everything manually yourself, that will take too much time and negates one of the big benefits of programming. Instead, you need to know what your balance is and hit it.
Hey Tim, I was watching this video (amazing btw) and came up with some issues, since Twitter has changed some stuff from this video release until today, and actually got to solve it. My issue was on pressing the Twitter button, it showed me the error "an connection has been forcibly closed by the remote host", there was nothing in the comments here, so found this answer: stackoverflow.com/questions/57271345/twitter-api-responds-with-an-existing-connection-was-forcibly-closed-by-the-rem The solution that worked for me was to add this line: System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12; just before setting the TwitterAuthenticationOptions in the startup.auth.cs file... given my limited knowledge of ASP, I really don't know if that was the correct place to add that line since in the answer don't mention it, but it worked nonetheless. I hope this helps future viewers with the same issue as me.
Hi @IAmTimCorey, I notice that once we get into twitter signup page, it asks us to have/create a developer account? Did you have to do that too or is this a new step that Twitter has just created since your video was published early this year. Thanks.
I think I've got a good handle on this locally. How do you change the Database connection for this so it adds these tables to a database on a hosting server?
You just change the web.config file's connection string, which you can do even at runtime. However, usually what you do is when you deploy it, you transform the deployed web.config file to have the correct connection string.
*** FIXED READ BELOW *** I did everything described in this video in regards to Twitter. I keep getting 403. Response status code does not indicate success: 403 (Forbidden). Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden). However, with the new signup procedure for a Twitter Developer account, I had to assign a URL for my website and an organization URL. I don't think this is the issue, but worth noting. I used the URL to my twitter profile for these values. I tried adding more callback urls 127.0.0.1 localhost:44306/Account localhost:44306/Account/ExternalLogin localhost:44306 That didn't seem to work either. Am I missing something? Is there an extra step in 2020 that I am missing? ***FIXED*** append "/signin-twitter" to your callback URL. In my case localhost:44306/signin-twitter. Now it works. Whew. ************
Awesome job. How do you do SSO with another website other than FB, Twitter etc.? So it's an existing web app for a company that we want to automatically log in to a new MVC web app once you are logged into that other web app?
I am finally in AUTH stage now! I have planned my databases clearly, using my personal NF rules.
1. Can be many to one? New Table
2. Only one to one? Same Table
I am about to start getting freaky freaky hands on when I realize that, hey, I need auth. And now I'm here.
With just 3 videos, ASP.NET MVC, Data Access and OAUTH, I feel like a professional now. I must say ASP.NET Core MVC is much clearer and simpler now that I understand that models in ASP.NET MVC are just for views. Sorry for long text, you are the best.
I'm glad it is sinking in for you.
Tim is King!!! You make everything easy. I normally dread long videos but this one seemed like it was 5min the way I was enjoying it.
Glad you enjoyed it
@@IAmTimCorey I have been looking for a tutorial like this . Can you help me with a tutorial that explains how to set redirect pages for different users when using default login in MVC with entity. Hopefully one that can also explain how to hide certain tabs in the nav bar based on user roles. Thank you in advance.
For those confused: The local authentication is also (still) called "Forms Authentication", although it's not about Webforms anymore. It's somewhat different though than the Webforms thing.
I don’t think it was ever about WinForms. It may have been a reference to WebForms, but I don’t think so. I think it is just about needing a login form.
@@IAmTimCorey Sorry, I corrected it to "Webforms". I always confound these terms.
Great video! It would be really handy to see a follow-up to this detailing how Authorize works behind the scenes and how to take more control over what entity framework is doing.
I noted your recommendation by adding it to Tim's list of possible future topics, thanks.
0:00 - Intro
1:41 - ASP .NET Framework demo app with authentication
13:01 - Register vs Login explained
15:25 - Built in user registration and login
18:28 - Registration C# code overview
23:45 - Built in SQL
29:45 - Twitter authentication setup
45:37 - Implementing user restrictions
52:48 - Restrictions based on user role
1:01:03 - Who is logged in?
1:02:20 - Summary and concluding remarks
Thank you!
Yeah I tried taking the ApiHelper/Token idea that you did an MVVM app with, took a while but was able to login. Then I decided that Owin was the next thing to learn, but I couldn't figure out why it didn't work out of the box. It turned out, that when I moved it from local to a named instance locally that I had the wrong connection string. So if you run into that issue, check that. I love your work Tim. Really helpful to shake off some of that rust.
Glad it's helpful, and thanks for sharing.
Thanks Tim. I know everyone has different opinions and you’ll base your future videos on the majority , but I think the level of repetition is spot on and the content presented in a very clear manner.
I am one of those people making my way up to mvc core, so this has been very helpful.
You mentioned that you weren’t a big fan of entity, I’d appreciate a video on your take on this and what you do use.
I wrote a blog post that addresses your question about EF: www.iamtimcorey.com/blog/137806/entity-framework
Best tutorial on OAuth. Clean and to the point explanation. Thank you TIM !!
Glad it was helpful!
Great video man! Thinking of making an app into an asp.net MVC style and I was worried that authentication would be a nightmare. Thanks for making it more simple!!
Great!
God loves me so much that I have found your channel :)
I'm glad you enjoy it.
Brilliant! Thank you so much, Corey. Amazing as always. It would be really nice to see more about Access Control using MVC and C#. Security is super important, but also one of the biggest error zones where developers (especially new developers) make mistakes, often costly ones. In these times where there are hackers, trolls and ghouls all over the place, educating people on security and how to make it easy, but good, is relevant.
Thanks,
Martin.
Sounds almost like we should have a new start to finish course that is more MVC-focused from the beginning so we can see how to implement this stuff in the real world. ;-)
Hi Tim. Thank you very much for the videos that you provide - I've already watched a bunch of them, and found that they help me a lot.
Just recently I read the book "Patterns of Enterprise Application Architecture" by Martin Fowler, and figured that you haven't covered much of those patterns as is - other than, of course, general architectural principles that developers should adhere to, i.e. SOLID and DRY.
When I read the book, a bunch of these patterns were sort of abstract. I understood the general ideas, but personally it would be extremely helpful to see a seasoned .net developer like you, show them in practical setting, and give your personal opinion on the most common ones.
Additionally, now when we talk about patterns... When I see this video, I can't help thinking, how to implement this "out of the box" user authentication system in a common 3-layer application, where we don't use a local database but rather one on a server. How would you implement it in your business logic? Would you even do that?
I will be covering more patterns and practices, although a lot of them are much more specialized. As for using this authentication on a remote server, you would just point your connection string to that remote database. I'm not a fan of how tied it is to the UI but that's a personal preference.
Hi Tim. Thanks for great video. I wish I'd seen this a long time ago. I've read numerous tutorials but you've made a seemingly complicated subject a lot easier to understand, this video was perfect for me as a starting point for further study into the subject. Thanks again. :)
Awesome! I’m glad it was helpful.
Gone are the days where one could download a shareware copy of Hotdog HTML editor and publish a site with having just a few files. (Which IMO, is a good thing. I feel the internet became convoluted with junk because people could just keep adding trash to the pile not having any technical skill or understanding what's going on under the hood.)
Great video!
Thank you!
Thank you for the video! I didn't know they made Authorization/Identity stuff so easy!
If possible, I'd love to see an expansion where you talk about requiring authorization for Web API. Show how someone that wants to use my API for their own applications can authorize themselves for access.
I will be doing authorization through WebAPI in a video in the near future.
"leaving authentication to Microsoft" can also mean leaving it to your local active directory, not only to Microsoft online services such as azure. However, you may still build your own AUTHORISATION system if you don't want to create AD Groups for everything. Tim, as always, correct me if you shouldn't build that on your own either :)
Thanks Tim, Finally found someone that can explain how this works.
Excellent!
I will explain you how it works > 19:00 by large you can leave this as it is and just works
Wow, awesome explanation
I'm loving this ASP.NET series. Thank you. Request: If you decide to make a lesson about EF, can you do a database first approach? Using Stored Procedures in EF would be nice also. Again Thank you.
I doubt I'll be doing an EF video any time soon since I'm really not a fan of EF (check out my video on connecting C# to SQL) but I'll keep it in mind.
Thank you for the good video and for redirecting me here. Once again I have found less information than I expected but presented in a great way. You showed here how to use these generated things but I am a bit afraid of using something I don't understand. The Manage controller has almost 400 rows, there are also some models that you didn't even open here. I understand that in this video with your speed it wouldn't be too good to speak about it because it would be too long, but I would really be glad if you could make a 2nd part of this with more details.
The most important thing for me right now is how to work with outside database. I'm not sure how to link my database in Web.config. I have found how to add my outside database to SQL Server Object Explorer and how to find its Connection string but even for the default database connection string here is different than the one used in Web.config and only first part (Data Source) is the same.
I'm interested in this topic and will wait for more about it. Also I will subscribe you to not miss it.
I have two videos that might help you. First, I have a Connection Strings video that gives you a good overview of how to set up a connection string and where to find what yours is. Second, I have a video on Connecting C# to SQL. That will show you how to configure your web.config/app.config file so that you can connect to an external database.
As for showing more details about the authentication side, I will be doing that in future videos, although I'm not sure I'll ever go line by line. Some of this is EF Code First and I really don't want to get into that whole issue. As far as setting up your own database to do the authentication, if you point your connection string to the right database, the first time the app runs it will set up the proper tables. I would recommend that you not mix databases though. Keep a separate database for your authentication vs. your other data. It is much easier to secure that way. You can still have them on the same server though.
Sorry for the multiple questions, but I have some gaps I can't fill. I've always built my sql tables on a server first, then coded my application, so I am apprehensive about building on localdb...every tutorial regarding identity I have come across starts with tables on localdb and assumes we magically know how to move it to production at some future point. My process before (I have never implemented authentication) has always been to first get database on a real server, build tables there, go back to my app , set up helpers, a dataaccess class and connection string, build model, build controller, build views...in that order. If I miss something I go back to sql build the table, then go back to the app, rinse and repeat. Now, I am thinking of starting a new db on azure and want to implement identity. If I were to follow this method of implementing identity locally first, what do I need to do to get the all my tables (including the other ones I add to the db) in the server instead of localdb, assuming I coded the whole thing locally first instead as in the demo. Is it possible to change the connection string before installing the owin nuget package and running the package in order to sidestep all that so I can continue working the way I have before (ie the table structure for identity stuff would just be created in the production server instead of localdb)? Or is there some easy button for moving that all into a production server after you have coded your entire project locally?
I decided to answer your question here: iamtimcorey.com/ask-tim-database-authentication-setup/
I hope that helps.
It does! Thanks much! I also appreciate the clear and distinct instructions your videos usually include. I do a lot of research and find your videos the easiest to understand, the most comprehensive, and they have led to a lot more ah-ha moments for me. I think I would still be scratching my head on a lot of ideas if it weren't for your channel.
Great series of videos. One thing I like to do is put my Authorize attributes in a base controller and inherit from it so that I am not having to put Authorize everywhere, and I don't run the risk of forgetting to put Authorize on some controllers. Some might argue that I could also forget to inherit from the base controller, but in my case, the base controller does a few other things that are essential to my app, so I wouldn't get very far without inheriting from the base controller.
Good tip. Then, if you need to have something not protected, you add the AllowAnonymous tag instead. Essentially, your application is secure by default. I like it. Thanks for sharing.
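The secure-by-default pattern from the two comments above, sketched for ASP.NET MVC 5 together with a reflection check that lists every action reachable without signing in. This is an added example, not code from the video or from either commenter; `SecureControllerBase`, `ReportsController`, `LegacyController` and `AuthorizationAudit` are hypothetical names.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Hypothetical base class: every controller that inherits from it requires a signed-in user.
[Authorize]
public abstract class SecureControllerBase : Controller { }

public class ReportsController : SecureControllerBase
{
    // Protected by the [Authorize] inherited from the base class.
    public ActionResult Index() { return Content("signed-in users only"); }

    // Narrowed further to one role.
    [Authorize(Roles = "Admin")]
    public ActionResult Audit() { return Content("admins only"); }

    // Deliberate exception to the default.
    [AllowAnonymous]
    public ActionResult Status() { return Content("public"); }
}

// The failure mode raised in the comment: someone forgot to inherit from the base class.
public class LegacyController : Controller
{
    public ActionResult Index() { return Content("reachable by anyone"); }
}

public static class AuthorizationAudit
{
    // Lists every action an anonymous visitor can reach, with the reason.
    // Only attributes are inspected; a globally registered filter is not visible here.
    public static IList<string> FindAnonymousActions(Assembly assembly)
    {
        var findings = new List<string>();
        var controllers = assembly.GetTypes()
            .Where(t => t.IsClass && !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (Type controller in controllers)
        {
            // inherit: true picks up [Authorize] placed on a base controller.
            bool classGuarded = controller.IsDefined(typeof(AuthorizeAttribute), true);
            bool classOpen = controller.IsDefined(typeof(AllowAnonymousAttribute), true);

            // DeclaredOnly: actions inherited from an intermediate base class are
            // reported when that base class itself is concrete.
            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (MethodInfo action in actions)
            {
                string name = controller.Name + "." + action.Name;
                if (classOpen || action.IsDefined(typeof(AllowAnonymousAttribute), true))
                    findings.Add(name + ": [AllowAnonymous] (confirm this is intended)");
                else if (!classGuarded && !action.IsDefined(typeof(AuthorizeAttribute), true))
                    findings.Add(name + ": no [Authorize] on the action, controller or base class");
            }
        }
        return findings;
    }
}
```

Called from a unit test as `AuthorizationAudit.FindAnonymousActions(typeof(ReportsController).Assembly)`, this reports `ReportsController.Status` and `LegacyController.Index`; comparing the result with a reviewed allow-list turns a forgotten base class into a failing build.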
Nicely explained... Please make a video on other functionalities of identity, e.g email verification before login, reset password, forgot password, Two-Factor Auth.
Thanks a lot for providing such great contents.
It is on the list. Thanks for the suggestions.
Hello Tim Corey, I would like to suggest for you to create a complete website or system using asp.net mvc just like the retail manager. That would really help us,me specially to learn a lot from you.. thank you very much
That suggestion is on the list. Thanks!
@@IAmTimCorey thank you Tim!
Great video. One thing to add - if you stack the Authorize declarations on a function/controller you can require the user to have all of the roles specified (AND), rather than just one OR more of them. There's an example here: docs.microsoft.com/en-us/aspnet/core/security/authorization/roles
Good tip. Thanks!
Thanks and you really made it so simple. One word for this. Amazing!
Awesome!
Please can you provide a short video in regarding of adding authentication and authorization to an application created previously. when I do so, it doesn't work. thanks
Thanks for the suggestion. Please add it to the list on the suggestion site so others can vote on it as well: suggestions.iamtimcorey.com/
RequireNonLetterOrDigit means Require Non(letter or Digit) or require something other than an alphanumeric character (So, a special character).
Yep, you are right. Drew a blank when looking at it.
Great video. Can expand it include user and role management via a webpage.
I'll be covering this in future videos. Thanks for the suggestion.
I'd like to see that too!
Hey Tim... I can't thank you enough for this awesome stuff.. I'm using some of them in my teachings at university :D
Will you be doing anything soon on Xamarin??
Yes, I am ramping up my development work in Xamarin so I will be ready to teach it soon.
Hi Tim, thanks for the wonderful tutorial! I am new to authorization and bit confused as to use third party tools like Auth0, IdentityServer5 , okta vs the Identity Framework provided by Microsoft. Is the Microsoft Identity really that unsecure as people on the internet say? All the third party auth tools are black box and have not so good documentation, where as identity is easy to setup.
Hi Tim, thanks for this video. However, I am just curious to know how [Authorize] works behind the scenes: how it gets to know the user details and token and authorizes the user.
It would really be helpful if you could provide me any pointers.
It uses the header token and converts that over to identify the user. From there, it figures out if you have access privileges or not.
@@IAmTimCorey Have you covered this in any videos? Would be very useful to get more insight into how asp.identity works!
Extremely well explained. Very top level as Indian Eng. haha who save my butt more than once.
Thanks!
Thanks for making these tutorials! Fantastic content
You are welcome.
This is very helpful. Can you please create a video for allowing users to register using localdb but requires admin approval before they can start logging in? Thanks!
I will add it to the list. Thanks for the suggestion.
@@IAmTimCorey You're the best!
Hi Tim, this is great. Would love to see an example of impersonation following on from this video. i.e. login as an admin (with admin roles) and then impersonate a user already registered in the system to see their data. Or indeed any pointers on which classes etc. to read around to do this.
Thanks for the suggestion.
Excellent video and very timely for me. I do have a question. You mention that the local database is not the preferred storage for account data. What is involved in moving to a MySQL database for the account storage information rather than the local SQL database?
It would be easier to just move your SQL database to a "full" SQL Server (or Azure SQL) but here are instructions on using MySQL: docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/aspnet-identity-using-mysql-storage-with-an-entityframework-mysql-provider
Tim, your work always kills me.
Hopefully in a good way. :-)
Great work. I am preparing for Microsoft 70-486 exam. Any hints on what videos are must-watch? And books perhaps? Thanks.
I don't have any exam-focused content but anything I've done with MVC will help. I do have an add-on course that uses ASP.NET MVC at www.iamtimcorey.com that might help you out. It is an add-on to the main C# Application from Start to Finish course, though, so the add-on only covers MVC, not the business logic or data access since they are already covered in the previous course.
Thank you. I like your videos. Keep posting please
Will do.
Hey Tim, I saw a couple of your videos and you are doing an awesome job.
However, I'm just curious: you said in this video you are not a big fan of Entity Framework. So what do you suggest as an alternative?
I suggest Dapper. Much easier to use, much simpler, and it does not interfere with good database design. You can see more about it in my video here: th-cam.com/video/Et2khGnrIqc/w-d-xo.html
I agree with Tim now, I used EF a while ago and hated it, I find Dapper much easier now (after I saw it in one of Tim's videos) - Thanks Tim.
God bless you Tim! We love you
Thank you!
Hi Tim! Love your tuts. Will you ever do something about Auth, without Microsoft Identity Framework? I would love to build my auth without any pre-scaffolded code. Thanks!
It is on the suggestion list.
Ugh I spent 2 hours searching and replacing my callback Url but I just can't get it right. I keep getting the 403 Error.
***EDIT: fixed it by adding: localhost:44388/signin-twitter
Amazing content as always Tim, Thank you!
I am glad you figured it out.
Hello Tim. Great works there!
Questions
(1) Is it possible to to change the database name? How do we do it?
(2) How do we create ASP.Net identity database in SQL Server?
Thanks
Good question. To change the database name, just change the connection string. If it is a LocalDB, it will create that new database. If it is a SQL database, it will look for that new database but crash if it does not exist yet. As for creating the ASP.NET Identity database in SQL Server, the easiest way is to create an empty database in SQL and point the connection string in C# to it. Then run the application and try to register an account. It will see that the tables do not exist and it will create them.
Thank you.
Trying to follow this with the new project template in Visual Studio 2019 and the Register and Login pages blow up with a Null Ref Exception on the model straight outta the box!
Thank you Tim: A couple of questions. Is it possible to capture additional user data in the EF authentication process such as first name, last name, employee ID number, etc? (Would it be easy / possible to modify parts of the system to hold additional data for example such as the items mentioned above?)
If I understand this correctly, we are fine to develop this using the local SQL server and then when it is ready to be deployed, one can just say change the connection string to point to a SQL Azure database (for example) and the local database will be recreated in the cloud?
Finally, if you want to manage the creation of the user accounts and not let people just come to the site and Register, could you create part of your app that would allow an admin user to create new accounts? (i.e. I get the feeling that you strongly recommend using this authentication system as opposed to building your own and storing the username and password data in a database.)
Thank you so much for your time and all of the videos that you do, they are wonderful!
Excellent video Tim, but I have query, all this stuff is inbuilt projects code provided by Microsoft. What if I want to use my own tables like Users, Roles etc. What kind of changes need to be done? e.g. In a code you have shown Authorize(Role=Admin) what if I want to use my own roles from my own role table? Do I have to create my own Authorize attribute for the same?
Thank you Tim, excellent tutorial.
You are welcome.
Thank you so much. I feel I learned so much, and I even fixed a few things on my website based on what you covered here. I was under Bootstrap 4, and was wondering how to change the button look. It was so small. I read the OAuth RFC a number of times, and like you said it does a lot. I am trying to map the functional components between the RFC and the video. Twitter would be the authentication server, the client and the user agent would be our application I guess. The RFC was talking about one scenario where the client asks the user to authenticate with the server so then the client can get some services from yet another server. Is it possible to create a tutorial for something like this please? I definitely followed what you covered here, and it helped me a lot with understanding of the RFC, but I want to be sure. I know understanding the RFC is the job of pros, but I got to try.
I also tried to refactor my existing ASP.NET project to enable Oauth and could not find a way yet. I wonder if that is possible or I should just start from the beginning.
It's really good explanation, I like when you showed the Role based authentication as well. Do you have a complex tutorial how I can implement with all Identity Register and Login , Forgot and Reset password and =>/ Facebook, Gmail etc / to an existing website with publishing too!?
I don’t. Sorry.
Interesting I find the Role-Management. I have to do some research, if you always need to specify the Roles by a String "User, Admin". It would be much easier, if it could be done with the UserID, because then you can easier group them, like saying Access to RoleID > 2...
But I guess that is also possible somehow.
Anyway, thanks for the very clear tutorial.
You can assign permissions to a user, not just to a role, but that is too specific and hard-coded to be very useful. You can't apply conditional logic to the role decorators (without dropping the check into the code), so >2 wouldn't really work well.
Hi Tim , thanks very much for a useful video
You are welcome.
Hi Tim, great video. I am working on setting up external login with ASP.NET Core 2.2 without using identity. Do you remember if you have made a video for that before?
Thanks
I don't have a video like that. Sorry.
Hi Tim, thank you for sharing your videos to public. I learn a lot from your videos. Do you have any video talks about OAuth 2.0 in Visual Studio?
I have content using the .NET Core authorization but not external OAuth.
I wish someone would explain Authentication middleware in detail. What is Authentication Type? How does it work regarding cookie-based authentication?
Sounds like a good in-depth video. I'll add it to the suggestion list.
@@IAmTimCorey Thanks for your attention Tim. I'd be so thankful to you if you take your time to pick up on it. I have really had a hard time understanding how this middleware and its properties behave after each request.
Hi Tim, I tried entering Authorization as you did by editing the database, but I am not able to get access for specific roles even after repeating the same procedure. Access Denied page is popping.
It sounds like you missed a step or maybe mistyped something.
Good day sir, what alternative do you use for your database access? Thank you and more power to you.God bless
Not sure what you mean. I use Dapper with SQL, I use MongoDB, I use CosmosDB, I use Redis - basically, I use whatever database solution is best for the situation.
Hi Tim,
This is a really great video! Thanks for that.
Quick question, I've followed your steps, using local authentication only. If I run my VS project, register and/or login, stop the VS project and then run it again, then I am still logged in. I need to run some code just after successful authentication. Clearly this shouldn't be done in
public async Task<ActionResult> Login(LoginViewModel model, string returnUrl)
since this only runs when the user clicks on the Login button. Where should post authentication code be run ?
Thanks again for your work, helps tremendously!
Good question. You might find success running it on the homepage, since the user will hit that first (check if they are authenticated). The only problem is if the user is not logged in and attempts to go to a secured page. When they log in, it will direct them to the page they attempted to go to instead of the homepage. So if you can do it in two places, the homepage and the login would be the two places to do it.
Is there any video or article explaining every step of the logging process such as register, change password , log out for identity authentication in MVC 5?
We use the Identity process for logging in and out (and registering) in the TimCo Retail Manager.
Hey Tim! Thank you for the great video. I really appreciate the explanation as most people do not explain in such tutorials. However, just my personal opinion - I feel like while it is great to re-iterate on a point a few times to place a strong emphasis on a concept, you tend to repeat yourself a little too often. I believe most users would appreciate it if you repeat just once or twice less than you already did to make the video more concise!
I hope this feedback is useful to you and thank you once again!
I appreciate the kind feedback. I do work on the balance of repetition. I want to repeat for emphasis enough to show the importance and give clarity but not enough to be annoying. I also try to come at the same point from multiple directions for added clarity. I know I don't always get it right but I'm working on it.
@@IAmTimCorey keep repeating Tim! We need it to learn! Thank you mate.
Thanks , i love you Tim.
You are welcome.
Hey tim, do you have a video/resource which goes into more depth about auth ?
Thanks for the great video. Really helpful.
I don't. Added it to my list.
Thank you so much. Comprehensive content. Liked, subbed and belled.
Excellent! I'm glad you enjoy the content.
Hello tim, Awesome tutorial, Thank you.
I have a question about cookies and how to set its expiration date?
I believe this should help: stackoverflow.com/questions/33701398/oauth2-webapi-token-expiration
Thank you so much!! You explained it amazing
You are welcome.
Hello Tim, thanks for the video! Could you please advise how can I configure the default user role to be assigned for new users automatically after registration?
Learned a lot from this, thanks!
Excellent!
Hi Tim - I noticed the scaffolding code produces a lot of excess code which a developer may not use. Is there a way of modifying this, like deleting excess code, changing table names, adding extra columns etc to make it more specific to a business case?
I don’t believe so. You can tweak some of it, but most is necessary.
Hi Tim - Great Introduction
Thank you!
All I can say is, this is a great tutorial, and thank you for it :)
I'm glad. Thanks!
Hi, great tutorial. One question if you can: I want to LogOff on session timeout...
Thanks
Tim, would it be possible to use Dapper to connect to SQL Azure in this scenario? I assume it would be possible, just wondering if it would be a good way to go. Any Dapper related videos planned?
Yes, Dapper can connect to SQL Azure. You just need to change the connection string. Everything else is the same compared to on-premises SQL. As for more Dapper videos, yep, they are coming.
Also to say: If you store the password in a database, always HASH it (like SHA), never just ENCRYPT it (like, say, with AES). There is a BIG difference. There is a difference if an administrator is able to RESET your password, or if he is able to SEE it. He should NEVER be able to see it. If it's just encrypted, and he knows the key, he can read it. If it's hashed, no chance for anybody.
There is a lot that goes into making authentication secure.
@@IAmTimCorey You're right. I have to correct myself: Hashing is not enough. You need to "salt" it as well. I watched a video "How to not store passwords". After that, I knew more.
@@IAmTimCorey could you make a video on single sign on with aspnet core?
great video. But i saw its 5 years old. Is anything changed after that? If yes, did you create followup videos for your fans?
This is the same still for .NET Framework. For .NET Core (.NET), things have changed a little bit. The TimCo Retail Manager course covers those changes.
Thank u for great Tutorial
You are welcome.
Did you manually create the database tables for the user accounts (AspNetRoles, AspNetUsers, etc.) ?
It's too long but a very useful and informative tutorial. You did simply great work. I request you to give an email verification tutorial.
Thanks
Thanks for the suggestion.
Sir please make a video for Identity in ASP.NET Core
I spent a lot of time trying to tweak Identity in ASP.NET Core and since you can't access the controllers for Identity in ASP.NET Core I ended up implementing the controllers again myself so I'd be able to customize Identity.
If there's an easier way please make a video and explain it.
I love your channel and thanks for making C# easy to understand and learn for us.
I will add it to the list. Thanks for the suggestion.
Hi Tim, awesome video as usual. I've learned a huge deal from you in my steps to become a software dev already working on my own project now. In this one however i have a problem and i cant get the twitter login to work no matter what.I have added the code and even found some other Digicert keys as in some forums they were saying the one in this video have expired, but still i cant get it to work getting always the same error with the secure connection. Any ideas? Have they changed anything, is there a place to find the current keys?
You explained same thing in your web API authentication video as well.
Yep, same system, just a different UI.
@@IAmTimCorey I guess you should make a video on Web API Token authentication with empty template. Thanks.
Hi tim.. Please make a video, regarding integrate key validation system for window application wpf.. Plz
I am not sure what you are referring to. Do you mean having WPF authenticate against this provider? Because that is what the WPF app in the TimCo Retail Manager system does.
Is the same possible without Entity Framework as we have seen in the demo?
And thanks for the demo video
Hey Tim. Thanks for another fantastic tutorial.
What if I wanted to use my own sign up form, and database configuration, kinda like the one you created in your other MVC database access tutorial, but also implement a social authorization such as Facebook or Google. What would be the best way to achieve this?
I would recommend against it. Use a pre-built authentication system. Otherwise, you risk opening yourself up to data breach.
IAmTimCorey Got it. Thanks!
Thank You. Really Help me to learn
Glad to hear that
The password hashing part at 27:57 - It doesn't appear as if the passwords are being salted prior to hash, do you reckon this would be easy enough to implement?
For instance, adding in a "salt" column in the Users table and when a user registers, a cryptographically secure RNG value is created for that user which is then stored within the new column. The trick would be finding where, in the C# backend code, the passwords are being hashed.
You could do that. My big thing is that when I start messing with authentication code, I have the potential to make it worse. This has been tested by Microsoft and a LOT of other companies. My custom changes have not. I get concerned when we start talking about overriding parts, since that means I really need to know the system intimately in order to ensure I do it right.
@@IAmTimCorey
Ah that's a really good point, if I were to implement a salting system, I'd need to conduct some really thorough testing to make sure I wasn't making the system insecure. I'm just really worried about rainbow table attacks against an application I'm developing.
Many thanks for the reply!
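On where a salt would be stored for the scheme discussed in this thread: ASP.NET Identity 2's default password hasher writes a format byte, a random 16-byte salt and a 32-byte PBKDF2 subkey (HMAC-SHA1, 1000 iterations) into the single PasswordHash column as one Base64 string. The added example below is not code from the video or from Identity itself; it re-implements that layout to split a stored value into its parts and verify a password, and the class name and sample password are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;

public static class IdentityV2HashInspector
{
    // Layout of the Identity 2 default hash: 0x00 | salt (16 bytes) | subkey (32 bytes).
    private const int SaltSize = 16;
    private const int SubkeySize = 32;
    private const int Iterations = 1000;

    private static byte[] Derive(string password, byte[] salt)
    {
        // This constructor uses HMAC-SHA1, matching the format described above.
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(SubkeySize);
    }

    // Builds a value in the same layout so the example has constructed input to parse.
    public static string BuildSampleHash(string password)
    {
        byte[] salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);

        byte[] blob = new byte[1 + SaltSize + SubkeySize];   // blob[0] stays 0x00
        Buffer.BlockCopy(salt, 0, blob, 1, SaltSize);
        Buffer.BlockCopy(Derive(password, salt), 0, blob, 1 + SaltSize, SubkeySize);
        return Convert.ToBase64String(blob);
    }

    // Splits a stored value into salt and subkey; rejects anything not in this layout.
    public static bool TryParse(string stored, out byte[] salt, out byte[] subkey)
    {
        salt = null;
        subkey = null;
        byte[] blob;
        try { blob = Convert.FromBase64String(stored ?? string.Empty); }
        catch (FormatException) { return false; }

        if (blob.Length != 1 + SaltSize + SubkeySize || blob[0] != 0x00)
            return false;

        salt = new byte[SaltSize];
        subkey = new byte[SubkeySize];
        Buffer.BlockCopy(blob, 1, salt, 0, SaltSize);
        Buffer.BlockCopy(blob, 1 + SaltSize, subkey, 0, SubkeySize);
        return true;
    }

    // Re-derives the subkey with the stored salt and compares without an early exit.
    public static bool Verify(string stored, string password)
    {
        byte[] salt, expected;
        if (!TryParse(stored, out salt, out expected))
            return false;

        byte[] actual = Derive(password, salt);
        int diff = 0;
        for (int i = 0; i < expected.Length; i++)
            diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    public static void Main()
    {
        const string password = "Constructed-Pass1!";   // constructed sample, not a real credential
        string first = BuildSampleHash(password);
        string second = BuildSampleHash(password);

        byte[] salt, subkey;
        TryParse(first, out salt, out subkey);
        Console.WriteLine("salt inside the column: " + BitConverter.ToString(salt));
        Console.WriteLine("same password, same stored value? " + (first == second));
        Console.WriteLine("correct password verifies: " + Verify(first, password));
        Console.WriteLine("wrong password verifies:   " + Verify(first, "Wrong-Pass1!"));
    }
}
```

Two registrations with the same password produce different stored values because each gets its own salt, which is the property that defeats precomputed tables. The 1000-iteration count is low by current guidance, and raising it means replacing the hasher rather than adding a column.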
Again, Excellent video, thanks - I was going to ask about roles (e.g. Gold, Silver, Bronze membership) but you covered this at the end. :) Quick question on the Twitter App ID/Secret keys - I know you covered them up, which is good - but if you delete the app from twitter after creating the video, would these ID/Keys be valid still ? If not, then does it really matter to blur them out ? - No I'm not after your information, just curious on how secure it would be... unless you forgot to remove the app from twitter of course.
In theory they should be fine. In practice, it might tell you more about my account than I would prefer. I decided to err on the side of caution. I could also request that they be reset and I wouldn't even have to delete my app for them to be invalid. It was just the abundance of caution.
OK, thanks for that - I wasn't sure as I don't even have a twitter or facebook account. On the Roles, you assigned the roles to the users manually by editing the database, I take it there is function to do this in the code? Could you do a quick video on how we would assign roles to users when they (a, create an account, b, pay for a better membership (gold, silver, bronze roles).
I'll see what I can do. You have to make your own UI for it.
Great video. Thank you. Is it possible to add active directory authentication along with the local login and external login?
I'm not sure I've ever tried to mix AD authentication and local authentication.
@@IAmTimCorey Thanks for your reply, really appreciated.
If you are the kind of person that say "OMG, it got much stuff installed, i need to remove it all", programming is properly not your thing :D - 9:10
Well, the unfortunate part is that some "teachers" tell users that if they see a lot of plug-ins, etc. then something is wrong and they need to stop doing that. It is an over-correction for users who get a plug-in for everything instead of writing any code. The key is context. If you have that many plug-ins because you forgot to code, yes, try to remove them and start over. However, if you have no plug-ins and try to do everything manually yourself, that will take too much time and negates one of the big benefits of programming. Instead, you need to know what your balance is and hit it.
Thanks Tim
You are welcome.
super knowledgeable
Thanks!
Thank you very much
Lovely❤️
You are welcome.
Hi, please add a 2-factor method to your list too, that would be helpful.
I'll see what I can do. Thanks for the suggestion.
Hey Tim, I was watching this video (amazing btw) and came up with some issues, since Twitter has changed some stuff from this video release until today, and actually got to solve it.
My issue was on pressing the Twitter button, it showed me the error "an connection has been forcibly closed by the remote host", there was nothing in the comments here, so found this answer: stackoverflow.com/questions/57271345/twitter-api-responds-with-an-existing-connection-was-forcibly-closed-by-the-rem
The solution that worked for me was to add this line:
System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12;
just before setting the TwitterAuthenticationOptions in the startup.auth.cs file... given my limited knowledge of ASP, I really don't know if that was the correct place to add that line since the answer doesn't mention it, but it worked nonetheless.
I hope this helps future viewers with the same issue as me.
Thank you for sharing! I'm sure others will run into this also.
Hi @IAmTimCorey, I notice that once we get into the Twitter signup page, it asks us to have/create a developer account? Did you have to do that too or is this a new step that Twitter has just created since your video was published early this year? Thanks.
Not sure but if Twitter says you have to do it, go for it. It is probably just a conversion of your existing account to allow for more features.
I think I've got a good handle on this locally. How do you change the Database connection for this so it adds these tables to a database on a hosting server?
You just change the web.config file's connection string, which you can do even at runtime. However, usually what you do is when you deploy it, you transform the deployed web.config file to have the correct connection string.
@@IAmTimCorey I managed to get this working on my Go Daddy server; not sure why it wasn't working before. Thanks!
*** FIXED READ BELOW ***
I did everything described in this video in regards to Twitter.
I keep getting 403.
Response status code does not indicate success: 403 (Forbidden).
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden).
However, with the new signup procedure for a Twitter Developer account, I had to assign a URL for my website and an organization URL. I don't think this is the issue, but worth noting. I used the URL to my twitter profile for these values.
I tried adding more callback urls
127.0.0.1
localhost:44306/Account
localhost:44306/Account/ExternalLogin
localhost:44306
That didn't seem to work either.
Am I missing something? Is there an extra step in 2020 that I am missing?
***FIXED***
append "/signin-twitter" to your callback URL.
In my case localhost:44306/signin-twitter. Now it works. Whew.
************
Glad you figured it out.
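The two Twitter fixes reported in the comments above (enabling TLS 1.2 before the Twitter options are set, and registering a callback URL ending in `/signin-twitter`) shown together in one place, as an added example that is not from the video or from either commenter. The `ConfigureTwitter` method and the two `appSettings` key names are assumptions; the method is meant to be called from the template's `ConfigureAuth` in Startup.Auth.cs.

```csharp
using System;
using System.Configuration;
using System.Net;
using Microsoft.Owin;
using Microsoft.Owin.Security.Twitter;
using Owin;

public partial class Startup
{
    // Hypothetical helper: call it from ConfigureAuth(IAppBuilder app),
    // after app.UseExternalSignInCookie(...).
    private static void ConfigureTwitter(IAppBuilder app)
    {
        // Process-wide setting, so it must run before the middleware makes its
        // first outbound request. |= adds TLS 1.2 without switching off
        // whatever the runtime already negotiates (the comment above used =).
        ServicePointManager.SecurityProtocol |= SecurityProtocolType.Tls12;

        // Assumed key names. Keeping the values in configuration (transformed
        // at deploy time) keeps them out of source control and screen shares.
        string key = ConfigurationManager.AppSettings["TwitterConsumerKey"];
        string secret = ConfigurationManager.AppSettings["TwitterConsumerSecret"];
        if (string.IsNullOrWhiteSpace(key) || string.IsNullOrWhiteSpace(secret))
        {
            // Fail at startup instead of at the first login attempt.
            throw new InvalidOperationException(
                "Twitter consumer key/secret missing from appSettings.");
        }

        app.UseTwitterAuthentication(new TwitterAuthenticationOptions
        {
            ConsumerKey = key,
            ConsumerSecret = secret,
            // This is the middleware's default, written out here because the
            // callback URL registered with Twitter has to end in this path,
            // e.g. localhost:44306/signin-twitter as in the comment above.
            CallbackPath = new PathString("/signin-twitter")
        });
    }
}
```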
Thanks Tim
Glad to help!
Hi Tim, this is a helpful sample. I have another problem about MVC SSO login. Do you have any sample about MVC Active Directory SSO form login?
Not yet, no. Now that Azure Active Directory is more common, I will probably do one in the near(ish) future.
Awesome job. How do you do SSO with another website other than FB, Twitter, etc.? So it's an existing web app for a company that we want to automatically log in to a new MVC web app once you are logged into that other web app?