The .NET 8 Auth Changes You Must Know About!

  • Published 23 Aug 2023
  • Use code DDD20 and get 20% off the brand new Domain-Driven Design course on Dometrain: dometrain.com/course/getting-...
    Become a Patreon and get source code access: / nickchapsas
    Hello, everybody, I'm Nick, and in this video, I will show you how Authentication and Identity have changed in .NET 8 in an effort to simplify it and make it more accessible.
    Subscribe to Amichai: @amantinband
    Workshops: bit.ly/nickworkshops
    Don't forget to comment, like and subscribe :)
    Social Media:
    Follow me on GitHub: bit.ly/ChapsasGitHub
    Follow me on Twitter: bit.ly/ChapsasTwitter
    Connect on LinkedIn: bit.ly/ChapsasLinkedIn
    Keep coding merch: keepcoding.shop
    #csharp #dotnet

Comments • 339

  • @eg8568
    @eg8568 10 months ago +114

    This is such a helpful addition. I recently had to build whole identity system and whilst a lot of the heavy lifting was taken care for me by identity, I had to build the endpoints for generating & refreshing tokens, resetting user passwords, etc. This would have saved SO much of my time.

    • @jessecalato4677
      @jessecalato4677 10 months ago

      @Apheliont I'm seriously thinking about this right now.

    • @eg8568
      @eg8568 10 months ago +6

      @Apheliont I'd always recommend against implementing your own solution (and said so to my company!), but they didn't want to pay the license fee for Duende. Anyways, deep diving into Identity/Open ID was a good learning experience for me so I can't complain

    • @Velociapcior
      @Velociapcior 10 months ago

      @@eg8568 Azure has 50 000 MAU for free on B2C

    • @virtualdars
      @virtualdars 10 months ago

      You are not alone.

    • @HarrishSelvarajah
      @HarrishSelvarajah 8 months ago

      @eg8568 Why did you not have a look at Duende?

  • @josephizang6187
    @josephizang6187 10 months ago +72

    This is perfect! I think Microsoft should prescribe the right way of doing things and leave it to devs to customize it in anyway they want. Nice video Nick

    • @Paul-uo9sv
      @Paul-uo9sv 8 months ago

      November 14, 2023
      ASP .NET Core 8, with its much-anticipated features and enhancements, is scheduled to be officially released on November 14, 2023

    • @araz911
      @araz911 6 months ago

      Is this thing secure?

    • @SM-tj4jc
      @SM-tj4jc 4 days ago

      @@araz911 No, it is not.

  • @ExpensivePizza
    @ExpensivePizza 10 months ago +17

    I literally just manually coded something like this a couple of weeks ago. This would have made things much easier.
    I would love to see more content around this topic on the different token types, how to integrate it with front end frameworks like React and Vue and different backend databases like MongoDB.

  • @PippiTheLongSock
    @PippiTheLongSock 10 months ago +63

    I would love to see how well these endpoints could be customized. For example, what if you want to have some custom fields when registering a user (first name, last name, etc). How can you modify the request body? You also need to override the underlying implementation of the given endpoint.
    Suggestion for you Nick:
    When all of the new improvements to the way we deal with identity are finally released in dotnet 8, can you create a full course on what would be the modern/recommended approach of working with identity. Because over the years there have been so many ways and it really has become confusing (especially for a beginner). Also, Microsoft have been pushing the Identity UI MVC (or was it actually razor pages, idk) built-in capabilities, which for me was a mistake as the industry is really moving away from the MPAs. I promise I would be the first to buy this course :)
    Edit: You can even collaborate with Anton from RawCoding because as you know he is very passionate about auth

    • @10Totti
      @10Totti 10 months ago +3

      Exact!

    • @jomama55ful
      @jomama55ful 10 months ago +1

      I have to agree. My learning experience with auth was painful at best and has led to a lot of confusion as to best practices. In the end I found using third party solutions was less painful as a rule.

    • @mateuszkaleta1495
      @mateuszkaleta1495 10 months ago

      That's the point

    • @yessenzhol8989
      @yessenzhol8989 10 months ago

      yeah! it's like a marketing feature😅
      this is for programmers who like to compare programming languages by writing helloworld application ))
      loook, in python enough "print('hello')" in c# it needs so many codes like (class program { static void Main(string[] args) { Console.WriteLine('hello'); }😂😂

    • @elpe21
      @elpe21 9 months ago +2

      I guess you have to scaffold the endpoints and do what's necessary. Additional fields most likely is just a matter of adding properties as those endpoints will work on T where IdentityUser

  • @luis1118
    @luis1118 10 months ago +22

    Hope the new documentation will be clear about the addition of social login options 😬

  • @jerryjeremy4038
    @jerryjeremy4038 10 months ago

    I really like it. Thanks Nick. I hope you create a video about this in full details and features.

  • @jeffjones9502
    @jeffjones9502 10 months ago

    This is awesome! After setting up auth so many times this will definitely help streamline and make the process easier.

  • @alex.semeniuk
    @alex.semeniuk 10 months ago +2

    Nick, you are doing a great job! Keep it up.

  • @saicharan1000
    @saicharan1000 7 months ago

    I just needed this for what I am building. Thanks a lot.

  • @jeffbarnard348
    @jeffbarnard348 10 months ago +23

    This is great for small projects, but it's not OAuth2.0 and OIDC standardized. We'll still need to integrate OpenIddict or IdentityServer for full compliance

    • @Jared-150
      @Jared-150 10 months ago

      I've been using OrchardCore just for its out of the box OpenIddict.

    • @TheProTip
      @TheProTip 10 months ago +1

      My other comment got deleted because I linked the repo.. There is code in the Asp Net Core project for handling OIDC flows (including I believe opaque tokens). If you don't need to be an IdP it's all buried in there and you can scaffold out the UI and see the stuff in action via the Razor pages right now.

    • @shanemonck3225
      @shanemonck3225 9 months ago

      second this, very correct

    • @carson8417
      @carson8417 a month ago

      yeah they destroyed the authentication that we actually need

  • @marijnfeijten
    @marijnfeijten 10 months ago +1

    For one of my projects I was looking into doing this myself and thought it would be a pain to setup. Then I saw that Microsoft was adding this and it looks really cool. Thanks for explaining yet another great topic!

  • @ZimTachyon
    @ZimTachyon 6 months ago

    You deliver excellent and relevant information which helped me a lot. Thank you.

  • @fifty-plus
    @fifty-plus 10 months ago +1

    Finally, I've been using this since it dropped instead of writing a ton of custom code. Very nice.

  • @todorkatsarski7487
    @todorkatsarski7487 10 months ago

    I loved that Doug reference. THIS is awesome content.

  • @SnOrfus
    @SnOrfus 10 months ago +36

    This is definitely great, and a move in the right direction. That said, in the enterprise, it’s extraordinarily rare to build authn as part of your API like this. You’re almost always integrating with a 3rd party IdP/oidc/saml, and that integration is equally annoying.

    • @rzaip
      @rzaip 10 months ago +4

      Yea, I was just thinking if this could replace IdentityServer and came to the same conclusion that this is mostly for single apps that doesn't require oidc or single sign on.

  • @TheSpruut
    @TheSpruut 10 months ago

    great video, thanks Nick

  • @muzammilghani2492
    @muzammilghani2492 10 months ago

    Great video Nick 👍🏻

  • @tanglesites
    @tanglesites 10 months ago

    This is a game changer and such a time saver!

  •  10 months ago +6

    Looks great I just hope there is enough customization possible and (more important) that the documentation for customization is well written.
    Are there also razor pages/blazor templates for UI variants of the endpoints?

  • @atur94
    @atur94 10 months ago

    That is so freaking awesome. Finally

  • @MaximilienNoal
    @MaximilienNoal 10 months ago +25

    Finally ! It was such a headache.

  • @leoravilo2812
    @leoravilo2812 10 months ago

    Oh god... I waited for that for so long... Finally !

  • @poojamahtha2780
    @poojamahtha2780 7 months ago

    Wow ! Such a great video.

  • @hemant-sathe
    @hemant-sathe 10 months ago +16

    It’s great to see the improvements and also encouraging to see David Fowler replying to questions. Loving it. Is it possible to set up an independent auth server with this to be shared across multiple services? Also does this work with other third party systems like social login and azure Active Directory? Can we map the user with any Active Directory attributes like email, name, groups etc?

    • @Zenoc2
      @Zenoc2 10 months ago +1

      +1 here wondering whether this can be used with an independent auth server for multiple services!

    • @eg8568
      @eg8568 10 months ago

      @marklnz why wouldn't you call the extension method to add the endpoints? Functionality such as resetting user passwords etc would likely still be needed

    • @SlugiuesRex
      @SlugiuesRex 9 months ago

      Also, are there any improvements in net8 that work more efficiently with Azure Functions ??

    • @hemant-sathe
      @hemant-sathe 9 months ago

      @@marklnz I tend to favour Azure AD instead of local auth db. Azure B2B can be overkill at times but then you don't need to worry much about the authN functionality.

  • @kagishophahlamohlaka2306
    @kagishophahlamohlaka2306 10 months ago

    This is mind blowing!!!

  • @virtualdars
    @virtualdars 10 months ago +8

    This is great! In this example the protected endpoint resides on the same Auth microservice (with RequireAuthorization()).
    Nick, can you please show us another sample of the separate API service that performs validation of the access tokens issued by this Auth service? Thank you!

    • @drrd5145
      @drrd5145 2 months ago

      Would love to see that!
      I'm looking for an example in .NET8, where I have a service that is used for login/token authentication and other API (separated service) that will use the token to call the service.
      Looks like any example assumes that the services API are the SAME as the authentication API.

  • @luigicfilho
    @luigicfilho 10 months ago +8

    For my case, I'm going for another approach, because the token gets exposed in the client; any script in the browser has access.
    This can be a great idea to do a new video about the "backend for frontend" :)

    • @d0neall_
      @d0neall_ 7 months ago

      What approach did you go for? Have a video?

    • @luigicfilho
      @luigicfilho 7 months ago

      @d0neall_ I use the backend for frontend approach. I don't think there is a video about it, it's pretty new.

  • @iron_spark
    @iron_spark 10 months ago

    Love it!

  • @jjeffh
    @jjeffh a month ago

    StartingAsync! I think that solves a problem (a dirty background service hack like you mentioned) for me. Thanks!!

  • @allenn9068
    @allenn9068 10 months ago

    Great intro to this new feature. Echoing questions about generating and customizing UI for AspNet, Blazor, or SPA frameworks. Wondering if there are templates to start with. Looks perfect for a simple personal web site that has auth for an admin area or customer/client features. Wondering if it can be used for a Generic Host as well as for a Web Host. Will have to try it. Looks good!

  • @allothernameswherealreadytaken
    @allothernameswherealreadytaken 10 months ago +1

    Fantastic! I wish they had implemented the passkey auth though.

  • @victor1882
    @victor1882 10 months ago +6

    I wish they had gone with OpenIddict, but I guess they don't want another IdentityServer situation and that it would be a competitor to Azure AD (or Entra, I don't know anymore)

  • @Daanik8
    @Daanik8 10 months ago +1

    I liked the humor! 😂 But hey Nick, it would be great if you show how to integrate this identity authentication and authorization with keycloak!

    • @Ballebone
      @Ballebone 10 months ago

      Ha! I was going to beg for the same thing! All of our apps require KC use. Scopes and refresh are an added bonus!

  • @blackpaw29
    @blackpaw29 10 months ago

    Really interesting, much more than I was expecting.
    Do you know how difficult it would be to link to an existing user database, rather than creating one from scratch?

  • @dyakobaram
    @dyakobaram 10 months ago +16

    i wish they also made seeding admin accounts easier with roles and claims. can you make a video about it?

    • @arjix8738
      @arjix8738 10 months ago

      If by seeding you are talking about creating the default admins, then you can do that before you run the app.
      You can manually create a scope and get the db context.

    • @andrewcolleen1698
      @andrewcolleen1698 10 months ago

      @arjix8738 that's problematic if your app is distributed

    • @z_prospective160
      @z_prospective160 4 months ago

      this is usually done via a post deployment script. if using ef core migrations you can do this in your db context class.. you can do this in your "OnModelCreating" method via the "HasData" method.
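
Seeding an admin account with a role, as asked in this thread (including the distributed-deployment concern raised above). This is an added example, not code from the video or from ASP.NET Core; the SQLite connection string, the `Seed:AdminEmail` / `Seed:AdminPassword` configuration keys, the `AppDbContext` class and the `/admin/users` endpoint are assumptions for illustration.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization();
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=identity.db")); // assumed store
builder.Services.AddIdentityApiEndpoints<IdentityUser>()
    // AddIdentityApiEndpoints is built on AddIdentityCore, which registers no RoleManager and a
    // claims factory that ignores roles. AddRoles adds both, so role claims end up in the token.
    .AddRoles<IdentityRole>()
    .AddEntityFrameworkStores<AppDbContext>();

var app = builder.Build();
await IdentitySeeder.SeedAdminAsync(app.Services, app.Configuration);

app.MapIdentityApi<IdentityUser>();
app.MapGet("/admin/users", (UserManager<IdentityUser> users) => users.Users.Select(u => u.Email).ToListAsync())
   .RequireAuthorization(p => p.RequireRole("Admin"));
await app.RunAsync();

public class AppDbContext(DbContextOptions<AppDbContext> options) : IdentityDbContext<IdentityUser>(options) { }

public static class IdentitySeeder
{
    const string AdminRole = "Admin";

    // Idempotent: every node of a scaled-out deployment may run it; only missing pieces are created,
    // and the duplicate errors Identity returns when two nodes race are treated as "already done".
    public static async Task SeedAdminAsync(IServiceProvider services, IConfiguration config)
    {
        // Assumption: bootstrap credentials come from user-secrets, environment or a vault,
        // never from source. With nothing configured the seeder is a no-op.
        var email = config["Seed:AdminEmail"];
        var password = config["Seed:AdminPassword"];
        if (string.IsNullOrEmpty(email) || string.IsNullOrEmpty(password)) return;

        using var scope = services.CreateScope();
        var roles = scope.ServiceProvider.GetRequiredService<RoleManager<IdentityRole>>();
        var users = scope.ServiceProvider.GetRequiredService<UserManager<IdentityUser>>();

        if (!await roles.RoleExistsAsync(AdminRole))
        {
            var r = await roles.CreateAsync(new IdentityRole(AdminRole));
            if (!r.Succeeded && r.Errors.Any(e => e.Code != "DuplicateRoleName"))
                throw new InvalidOperationException(Describe(r));
        }

        var admin = await users.FindByEmailAsync(email);
        if (admin is null)
        {
            admin = new IdentityUser { UserName = email, Email = email, EmailConfirmed = true };
            var r = await users.CreateAsync(admin, password); // password validators and hasher run here too
            if (!r.Succeeded)
            {
                if (r.Errors.Any(e => e.Code is not ("DuplicateUserName" or "DuplicateEmail")))
                    throw new InvalidOperationException(Describe(r));
                // Another node won the race; pick up the row it created.
                admin = await users.FindByEmailAsync(email)
                        ?? throw new InvalidOperationException("admin user vanished after duplicate error");
            }
        }

        if (!await users.IsInRoleAsync(admin, AdminRole))
        {
            var r = await users.AddToRoleAsync(admin, AdminRole);
            if (!r.Succeeded && r.Errors.Any(e => e.Code != "UserAlreadyInRole"))
                throw new InvalidOperationException(Describe(r));
        }
    }

    static string Describe(IdentityResult r) =>
        string.Join("; ", r.Errors.Select(e => $"{e.Code}: {e.Description}"));
}
```

The seed runs before `app.Run()` on every start, so a compromised or forgotten bootstrap password is as dangerous as any admin password: rotate it after first login, or clear the configuration keys once the account exists. The role claim is only present in tokens issued after `AddRoles` is registered, so `RequireRole("Admin")` works against the bearer token without any extra claim mapping.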

  • @WTHBrou
    @WTHBrou 10 months ago +5

    How extendable is it? For instance, doing the classic step to use BCrypt or Argon instead of their default hash implementation? All it leaves is the authorization setup side to do?
    So far I find it pretty awesome. A huge facade made by Microsoft which certainly solves the complex setup it requires to properly create your own Identity Server. I don't remember how many times I have recalled to the documentation and guides when setting up one of these. Marvelous move done by Microsoft.

    • @lukegordon4734
      @lukegordon4734 10 months ago +3

      Pretty easy to use bcrypt or argon2 with this. You just specify the password hasher singleton for the DI to use (I’ve done this for both already)
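
Swapping the hasher through DI, as the reply above describes, as an added example that is not code from the video or from ASP.NET Core itself. It assumes the BCrypt.Net-Next NuGet package (`BCrypt.Net.BCrypt.HashPassword`, `Verify` and its `SaltParseException`); the SQLite store, `AppDbContext`, the class name and the work factor are my own choices. The legacy-hash branch is there so an existing `AspNetUsers` table migrates to bcrypt without a password reset.

```csharp
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthorization();
builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=identity.db")); // assumed store
builder.Services.AddIdentityApiEndpoints<IdentityUser>().AddEntityFrameworkStores<AppDbContext>();

// Identity registers its PBKDF2 PasswordHasher<TUser> with TryAddScoped; a plain AddScoped made
// after it is the last registration for the interface, so it is the one UserManager resolves.
builder.Services.AddScoped<IPasswordHasher<IdentityUser>, BCryptPasswordHasher<IdentityUser>>();

var app = builder.Build();
app.MapIdentityApi<IdentityUser>();
await app.RunAsync();

public class AppDbContext(DbContextOptions<AppDbContext> options) : IdentityDbContext<IdentityUser>(options) { }

// Assumes the BCrypt.Net-Next package.
public sealed class BCryptPasswordHasher<TUser> : IPasswordHasher<TUser> where TUser : class
{
    // Current cost policy. Raising it later is safe: older hashes are accepted once and rehashed.
    private const int WorkFactor = 12;

    // Kept only to verify hashes written by the stock hasher before the switch.
    private readonly PasswordHasher<TUser> _legacy = new();

    public string HashPassword(TUser user, string password)
        => BCrypt.Net.BCrypt.HashPassword(password, WorkFactor);

    public PasswordVerificationResult VerifyHashedPassword(TUser user, string hashedPassword, string providedPassword)
    {
        // bcrypt strings look like "$2b$12$<22-char salt><31-char hash>". Anything else is a legacy hash.
        if (!hashedPassword.StartsWith("$2", StringComparison.Ordinal))
        {
            var legacy = _legacy.VerifyHashedPassword(user, hashedPassword, providedPassword);
            // SuccessRehashNeeded makes UserManager call HashPassword and store the bcrypt value,
            // so the table migrates itself one successful login at a time.
            return legacy == PasswordVerificationResult.Failed
                ? PasswordVerificationResult.Failed
                : PasswordVerificationResult.SuccessRehashNeeded;
        }

        bool verified;
        try
        {
            verified = BCrypt.Net.BCrypt.Verify(providedPassword, hashedPassword);
        }
        catch (BCrypt.Net.SaltParseException)
        {
            return PasswordVerificationResult.Failed; // malformed stored value: a failed login, not a 500
        }
        if (!verified) return PasswordVerificationResult.Failed;

        // The cost sits in the two characters after "$2x$". A hash below the current policy is
        // accepted this once and upgraded by the rehash.
        var belowPolicy = hashedPassword.Length >= 6
            && int.TryParse(hashedPassword.AsSpan(4, 2), out var cost)
            && cost < WorkFactor;
        return belowPolicy ? PasswordVerificationResult.SuccessRehashNeeded : PasswordVerificationResult.Success;
    }
}
```

Two caveats a reviewer would raise: bcrypt only considers the first 72 bytes of the password, so enforce an upper length with a custom `IPasswordValidator<TUser>` rather than letting longer input be silently truncated, and the work factor should be tuned by measuring on the production hardware, not copied from a blog. Argon2 fits the same shape; only the two `BCrypt.Net` calls and the prefix check change.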

  • @microtech2448
    @microtech2448 10 months ago +4

    That's great that it is out of the box now. It would be nicer if it could be jwt format

  • @Paul-uo9sv
    @Paul-uo9sv 10 months ago

    That's great video. Thanks. November 14, 2023
    ASP .NET Core 8, with its much-anticipated features and enhancements, is scheduled to be officially released on November 14, 2023

  • @GlebWritesCode
    @GlebWritesCode 10 months ago +1

    Really helpful. Is there an option to get this working so that Identity endpoints are not in minimal API fashion?

  • @RebelliousCanadian
    @RebelliousCanadian 10 months ago +6

    Love this update. Wonder how good this works with Swagger/OpenApi and more clarification between this and a JWT bearer tokens?

    • @kabal911
      @kabal911 10 months ago +2

      Will be seamless with Swagger, they are just endpoints.
      I’m guessing that the difference is that this token is not base64url encoded, and does not contain client readable info, unlike a jwt

    • @sikor02
      @sikor02 10 months ago

      @kabal911 I don't see these endpoints in Swagger
      edit:
      I had to add
      builder.Services.AddEndpointsApiExplorer();
      builder.Services.AddControllers();
      I worked on blazor dotnet 8 app and it wasn't included by default.

  • @iSoldat
    @iSoldat 10 months ago +7

    Can the new auth changes accept the AD as a user store? if so, how about mapping membership groups or custom AD properties in claims?

  • @mrkjartanvalur
    @mrkjartanvalur 10 months ago +5

    Is it possible to override e.g. the login method for custom logic like logging or add custom claims

  • @nilswierling5899
    @nilswierling5899 10 months ago

    Hey! What do you think about CQRS Pattern with EF ? Any experiences on that topic? And is there maybe a Video comming from you about CQRS?

  • @antonmartyniuk
    @antonmartyniuk 10 months ago

    Wow, that's so much code I was writing before. It's so great. I wonder if any endpoint can be overridden with custom behaviour?
    And does this out of the box support refresh tokens if the same user is logged-in with multiple devices?

  • @hevymetldude
    @hevymetldude 10 months ago

    Love the Doug DeMuro cameo.

  • @brandonpearman9218
    @brandonpearman9218 10 months ago +11

    I'm always worried about customization with black box magic because it looks simple until you use it in the real world. if I have to work on a system that implements this, how long will it take to figure out how to customize it. For example I may need to send an email on register, or maybe I need extra data on register to setup a relation to another entity.

    • @benjamininkorea7016
      @benjamininkorea7016 9 months ago

      Well, i think the idea is that you can call the API from anywhere in your server-side logic.

  • @AceSyntaxx
    @AceSyntaxx 10 months ago +9

    I'd appreciate some explanation of how this integrates with other identity providers, Facebook, X etc. This looks like oidc/oauth, but you say it's not JWT, which bothers me. Could you enlighten me?

    • @kawamustudio
      @kawamustudio 10 months ago +1

      Oidc and oauth protocols does not require token to be in JWT format.

  • @souleymanembengue5989
    @souleymanembengue5989 10 months ago +4

    Good but It would be better to implement standards OAuth and OIDC but Microsoft does prefer to sell Azure Active Directory...

  • @parlor3115
    @parlor3115 10 months ago +3

    Does it support storing the user session in the database in case the token needs to be invalidated?

  • @btogkas1
    @btogkas1 10 months ago

    What would be nice to have would be 1. Invalidating the token (one login, locking the user) 2. Ability to see online users. 3. Dynamic ACL based on user rights - role rights

  • @rogeriobarretto
    @rogeriobarretto 10 months ago +17

    It's a great step forward. But the most annoying thing for me is the dictatorship on how my Authentication Tables need to be set up (migrated). It is very common to change a new project where there's already a Database Model in place, some simple scenarios where there's only a Users table with Email and Password.
    Would be great if we were able to setup the Authentication in that Stupid Simple Lean approach (where you could specify what is the table and how complex you want your authentication to be, (include refresh tokens, hashed passwords, etc)

    • @davidfowl
      @davidfowl 10 months ago +3

      You would want the auth system to work with any database schema? Or would you augment the schema for the identity system? I think a better solution would be to provide more building blocks when the database schema is fixed. Another option is to use the identity schema as standalone and link it to your user table via foreign keys.

    • @dave7038
      @dave7038 10 months ago

      Yup. Most of the systems I work on are 20+ years old and we don't have a lot of flexibility to update user stores (they are accessed or managed by many other systems). I have yet to work on a project where the built-in auth schemas are used.
      The direction I took was to create a class implementing Microsoft.AspNetCore.Identity.IUserPasswordStore and IUserLoginStore and a class implementing IRoleStore that I register as singletons and that handle interfacing with our user and role store (which in some cases is just an INI file with some username=scrambledPassword pairs under either [admin] or [user] keys), and then services.AddIdentity() connects my custom user and role stores with the identity system (I could probably also use the .AddRoleStore(), .AddUserStore() extensions on .AddIdentity()). We don't usually need the other features due to the nature of the systems we're working with, but implementing the stores for tokens and claims is similarly straightforward.
      That seems to work well, is very flexible, and fairly painless to set up. It would be great to have some guidance on how (or when/whether it makes sense) to integrate some of these newer options with custom stores that have limited feature sets.

  • @cn-ml
    @cn-ml 13 days ago

    1:57 like that reference 👌

  • @ethanford9678
    @ethanford9678 8 months ago

    Love the Doug DeMuro reference :D

  • @uflidd
    @uflidd 10 months ago +1

    That was just a ton of tables and magic 😮

  • @keithealanta7790
    @keithealanta7790 8 months ago

    That's really useful. I wonder if there's an easy way to get it to use JWTs by default (I'm sure it's possible to rewrite overall, I'd just love to be able to set a flag for that, as we use JWTs in the rest of our system, and it would be ideal to maintain compatibility)

  • @EzequielRegaldo
    @EzequielRegaldo 10 months ago +2

    Where is the secret or cert?
    Can we change endpoints names?
    Can we choose features instead get all or nothing?
    Can i do an authentication server with this out of the box or integrate this ?

  • @jiM3op
    @jiM3op 10 months ago

    yo nick... this is great! How would this work with Windows Authentication for like Intranet Web Applications?

  • @mightypirate100
    @mightypirate100 6 months ago

    Thanks for the video. Question: How to customise the register and login endpoints to accept user id instead of email?
    Thank you

  • @OldShoolGames
    @OldShoolGames 10 months ago

    Hey Nick, could you please make a video on limiting the bandwidth per user for file downloads in ASP ?

  • @TaiNguyen-gb1pr
    @TaiNguyen-gb1pr 10 months ago +1

    Great video! How to customize register endpoint, because maybe we need more field, ex: phone, avatar...?

    • @nickchapsas
      @nickchapsas 10 months ago +1

      Simply add the field on the user object

  • @viniciusmelquiades
    @viniciusmelquiades 9 months ago

    C# has changed a lot since I last used it. If I ever go back to backend, I'll probably use C#

  • @_curtman
    @_curtman 10 months ago

    Can't wait for .Net 8 to be released.

  • @user-ko7zs4gy3z
    @user-ko7zs4gy3z 8 months ago

    This is a great intro, thank you, but where is the signout URL? I can't find it in the source or the documentation

  • @LifeWithSeb99
    @LifeWithSeb99 3 months ago

    What's really helpful! What should I do if I don't need some of the endpoints? For example my API won't use 2 factor authentication

  • @arkadiyshuvaev
    @arkadiyshuvaev 10 months ago

    I like the advice regarding EF Core 8 at 2:57. How can I reduce the cold start of EF Core in a serverless application?
    I have used the Debug mode and seen EF Core context initialization messages. The context initialization took 800 milliseconds per each cold start serverless invocation.

  • @AntiPolarity
    @AntiPolarity 10 months ago +17

    Hoping that they will integrate it into blazor

    • @sokoo1978
      @sokoo1978 10 months ago +2

      There will be a new scaffold for Blazor in .NET8 RC1.

    • @sokoo1978
      @sokoo1978 10 months ago +6

      @marklnz It will be obviously server rendered.

    • @felipepassion
      @felipepassion 10 months ago

      thanks u.u @@sokoo1978

    • @felipepassion
      @felipepassion 10 months ago

      you can try with webassembly. I was working with .net7 with duende, and it was a nightmare. Then I can think now to replace the replacement that I used to replace duende 1 year ago in my server side.
      It's all about the server side. It's obvious. @marklnz

    • @sokoo1978
      @sokoo1978 10 months ago

      @marklnz I think you misunderstand.. RC1 will be able to create you the client template like MVC did before. It will have the basic functionality and pages/components to register, login, have the basic header with the auth and user info. In many applications this is actually good enough, like intranet apps where Windows user is not applicable. The logic is all server side (like hosted WASM in current version).

  • @SvdSinner
    @SvdSinner 10 months ago +5

    How it will work with an enterprise identity server like Auth0?

  • @xanhxanh5097
    @xanhxanh5097 10 months ago

    Nick could you make a dometrain video on this how to set this up with react/angular and signing in with a social media account.

  • @bitmanagent67
    @bitmanagent67 9 months ago +1

    This shit is still complicated. We would have never figured this out on our own. MSFT consistently convolutes approaches because they have this spaghetti against the wall mentality of refining features. Back in the day we used to have property panes and dialogs to configure options. The changes were made in the background for you. Now they basically said fk you to powerful tools and followed the rest of the open source community down the "type all your setup and config into a file" rabbit hole.

  • @cjt9150
    @cjt9150 5 months ago +1

    Good work. Can you please create a video for custom authentication with cookie/local storage/session storage & without identity

    • @socomjoy4563
      @socomjoy4563 5 days ago

      Need this, too 😲 with some other stuff like persistence (e.g. pressing F5 will log you out in Blazor Server) ... - never found a working solution for this

  • @ryanobray1
    @ryanobray1 10 months ago +4

    I think this is great simplification. I do have some questions though. First, is it safe to assume that .net 8 is using data protection under the hood for managing the certs used to mint the JWT? If so, is the only out-of-the-box way to implement this in such a way that it's cluster safe, to enable sticky sessions on the load balancer? I could see that becoming problematic with long living tokens though. I'm curious to know the best practice for implementing this in a cluster because unless Microsoft has added more options since I dug into it deeply, data protection isn't all that easy/reliable to implement in a cluster without just using sticky sessions. I once wrote my own SQL server solution for hosting dp keys, but it was difficult to avoid timing issues. I had to use locking techniques to prevent failures when all nodes in the cluster were spinning up at the same time. I had to roll my own because the MS sql server dp provider didn't properly handle that very concern.

    • @davidfowl
      @davidfowl 10 months ago +4

      1. It is using data protection yes.
      2. The token is not a JWT, it's a different format.
      3. If there are still timing issues with data protection providers, we'll need to fix them, these tokens are on top of that subsystem.

    • @ryanobray1
      @ryanobray1 10 months ago +1

      @@davidfowl Thanks for the response. I did catch in Nick's video that he said they aren't JWTs, but then the tokens in the login response looked a lot like what you get back in the OAuth OIDC client flow, so my brain went to JWTs.
      If I remember correctly, the easiest way to recreate the SQL Server DP provider timing issue was to stop all the nodes in the cluster, delete the DP keys from the database and then start the cluster. In my case, I was using Cloud Foundry with an app that I scaled up to something like 10 nodes. Even though I know the DP subsystem has some level of control around how nodes handle key rotation, I wanted to see what would happen if multiple nodes in the cluster were trying to create new keys at nearly the same time. The result in my test was that some nodes ended up with different DP keys than others because the SQL Server DP provider doesn't do any locking, which I believe could be necessary. The DP subsystem tries to get a key from the provider and if it doesn't exist, it tries having the provider write/save the one and then calls the get method again. If multiple nodes fail to get a key (because a write/save hasn't yet completed), each of those node's write/save key method will be hit, which can result in some nodes having different keys. It's pretty fringe case but was still concerning enough for me to write my own SQL provider for DP.

  • @RasulAbuMuhammadAmin
    @RasulAbuMuhammadAmin 9 months ago

    Looks great. Wonder can I do the same using JWT token.

  • @sergeitishkov2385
    @sergeitishkov2385 10 months ago

    Do they also allow devs to specify custom routes or at least a custom prefix for all the routes? Would be nice to have this as well.

  • @AhmedAymanM
    @AhmedAymanM 10 months ago +4

    7:39 I love how you roasted microsoft, which created this auto refresh token generation, in 2 seconds 😂😂😂😂

  • @shahzshafie
    @shahzshafie 10 months ago +1

    very helpful.. would like to know how .net8 can be integrated with a 3rd party IAM provider like Auth0...

  • @drewkillion2812
    @drewkillion2812 10 months ago

    I wrote many of the endpoints myself. I'm a happy I don't have to do it anymore

  • @JKhalaf
    @JKhalaf 7 months ago

    Can you please do a video on how to setup .NET 8 with AWS Cognito with the Blazor auth scaffolding pages?

  • @ModBay
    @ModBay 10 months ago

    Game changer I think. 🎉

  • @JoeLizFamily4
    @JoeLizFamily4 10 months ago +2

    Can this be connected to an outside service like Octa?

  • @danku1013
    @danku1013 10 months ago +2

    Is it possible to use JWT with that approach?

  • @Spirch
    @Spirch 10 months ago

    so i guess i will spend time at work to see if this can do what is missing in azure B2C, OBO / web api chain api

  • @jesperkped
    @jesperkped 10 months ago +1

    Can you show how to do it from a blazer wasm client calling the API?

  • @TheMeatySurprise
    @TheMeatySurprise 10 months ago

    Now they just need to fix the authorization framework to allow for parameters to be passed in the Authorize attribute so you don't have to define dozens of schemes to support different required claim values. That would be great

  • @CryptoWulf_app
    @CryptoWulf_app 9 months ago +2

    This scenario is only intended for when your service also functions as an auth-service and not when you use an auth-provider like Azure AD/Azure AD B2C, right?

  • @systemslave510
    @systemslave510 10 months ago +3

    Now how to make it work with dapper?

  • @dukefleed9525
    @dukefleed9525 6 months ago

    ...a step in the right direction! Previous "web" authentication/authorization from Microsoft was very wrong. This is something better, but there is still a lot to improve. See, authentication/authorization can be done in a lot of different ways; the lack of usage of interfaces and also the fact that it appears to be "all or nothing" is still quite wrong. A problem like authorization/authentication should be treated as much as orthogonal problems as possible. This requires a very profound redesign, and even if the proposed solution is very handy in simple scenarios, I doubt it can be adopted for advanced things (imagine a system where the grants are added to the user and the UI has to respond in near real time using a gRPC channel with JWT bearer and an event sourced database as storage.... I doubt this thing could do it)

  • @KonradGaska
    @KonradGaska 10 months ago

    Just wondering how often would you really use it? In majority of current applications identity comes from external identity providers and you don't have to bother with stuff like user registration, etc. It is still cool that this was simplified though.

  • @vasilisplavos
    @vasilisplavos 3 months ago

    Thank you so much Nick for your informative video. I was wondering, what options do we have if we want to sign in users with phone number or anonymously?
    Google is providing these options out of the box with a PaaS solution! Do we have something similar here?

  • @sikor02
    @sikor02 10 months ago +1

    Adding a few social login providers and merging that with a local account would be nice. But I guess the 3rd-party integration requires redirection at some point, so no single API call will handle this, right?

    • @kabal911
      @kabal911 10 months ago

      This already is supported. If your identity username is the same as your social username (usually email address) then you can login with either.
      If they have different usernames, then you would need to do something to allow an authed user to then link a social account - which I haven’t tried, but should be simple enough

  • @lucaciandrei
    @lucaciandrei a month ago

    Do you have info / video on how to set this up properly as a JWT? Is this also out of the box (configuration only)? Or should we add extra code for that?

  • @jouel123
    @jouel123 10 months ago +2

    Great video Nick!
    Was wondering what if we need to add a few more properties to the user? How easy it is to customize to also add them to the request?

  • @haxi52
    @haxi52 10 months ago +1

    Would like to see what happens when you start filling out the user class. Does it support complex types?
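For the two questions above about adding properties to the user, here is an added example that is not code from the video or its repository: a custom user type with extra scalar columns and one owned complex type, plugged into the .NET 8 Identity API endpoints. AppUser, AppDbContext, PostalAddress and the "/me" endpoints are assumed names. The built-in /register and /manage/info endpoints only know about email, password and 2FA, so custom fields are read and written through endpoints of your own, and the example uses SQLite (Microsoft.EntityFrameworkCore.Sqlite package) only so it runs stand-alone.

```csharp
// Added example (not from the video): custom user properties with MapIdentityApi.
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=identity.db"));
builder.Services.AddAuthorization();
builder.Services
    .AddIdentityApiEndpoints<AppUser>(o =>
    {
        o.User.RequireUniqueEmail = true;
        o.Password.RequiredLength = 12;
        o.Lockout.MaxFailedAccessAttempts = 5;
    })
    .AddEntityFrameworkStores<AppDbContext>();

var app = builder.Build();

// /account/register, /account/login, /account/refresh, /account/manage/info, ...
app.MapGroup("/account").MapIdentityApi<AppUser>();

// Read the caller's own profile. GetUserAsync resolves the user from the cookie
// or bearer principal, so a caller can only ever see their own row.
app.MapGet("/me", async (ClaimsPrincipal principal, UserManager<AppUser> users) =>
{
    var user = await users.GetUserAsync(principal);
    return user is null
        ? Results.Unauthorized()
        : Results.Ok(new { user.Id, user.Email, user.DisplayName, user.Address });
}).RequireAuthorization();

// Update only the custom fields. Id, Email and the security stamp are never
// taken from the request body; validation happens server-side.
app.MapPut("/me", async (ProfileUpdate body, ClaimsPrincipal principal, UserManager<AppUser> users) =>
{
    var user = await users.GetUserAsync(principal);
    if (user is null) return Results.Unauthorized();
    if (string.IsNullOrWhiteSpace(body.DisplayName) || body.DisplayName.Length > 64)
        return Results.ValidationProblem(new Dictionary<string, string[]>
        {
            ["displayName"] = ["must be 1-64 characters"]
        });

    user.DisplayName = body.DisplayName.Trim();
    user.Address = body.Address;
    var result = await users.UpdateAsync(user);
    return result.Succeeded ? Results.NoContent() : Results.BadRequest(result.Errors);
}).RequireAuthorization();

app.Run();

public record ProfileUpdate(string DisplayName, PostalAddress Address);

// Complex value object; stored in the AspNetUsers row as Address_Street etc.
public class PostalAddress
{
    public string Street { get; set; } = "";
    public string City { get; set; } = "";
    public string Country { get; set; } = "";
}

public class AppUser : IdentityUser
{
    public string DisplayName { get; set; } = "";
    public PostalAddress Address { get; set; } = new();
}

public class AppDbContext(DbContextOptions<AppDbContext> options) : IdentityDbContext<AppUser>(options)
{
    protected override void OnModelCreating(ModelBuilder b)
    {
        base.OnModelCreating(b);                     // keep the Identity tables and indexes
        b.Entity<AppUser>().Property(u => u.DisplayName).HasMaxLength(64);
        b.Entity<AppUser>().OwnsOne(u => u.Address); // owned type, same table, no extra join
    }
}
```

After adding properties you still need a migration (dotnet ef migrations add AddProfile). Keep the profile endpoint separate from the Identity ones so that nothing user-controlled can touch columns like EmailConfirmed or the security stamp.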

  • @88spaces
    @88spaces 4 months ago

    They removed the pain from setting up bearer tokens. That alone is worth using it.

  • @siddy2456
    @siddy2456 a month ago

    Perfect…just perfect. .Net really stepped up their game

    • @siddy2456
      @siddy2456 a month ago

      As usual

  • @HeyWhoTheFuckAreYou
    @HeyWhoTheFuckAreYou 10 months ago +7

    What about OpenIddict? Can they be used together or does this update fully cover OpenIddict functionality?

    • @tedchirvasiu
      @tedchirvasiu 10 months ago +2

      This does not look like OpenID

  • @ARumGremlin
    @ARumGremlin 10 months ago +17

    I would love to see a video on how to lock down an API with Azure AD authentication. I just went through the horror of doing it myself and the documentation for it is woefully confusing.

    • @SaltySquirrel12
      @SaltySquirrel12 10 months ago +5

      +1. Would like to see this in action with Azure AD

    • @hemant-sathe
      @hemant-sathe 10 months ago

      Normally you would have to create an app registration and provide the client id, tenant id & secret. Then you set it up for a 302 response instead of 401 and you are mostly done. Postman documentation is also decent to explain how to set it up and how to add the postman return url in the app registration. The set up for an app like angular can be messy though. I find having our own UI for login more complex to set up in a typical SPA + API scenario.

    • @aremes
      @aremes 10 months ago +2

      It seems to me like this system is entirely designed for when you want to provide your own user-management/authentication solution. With Azure AD (or MS Entra now, because I think Microsoft has a renaming-things fetish) you don't have to do any of that; you use good old OAuth2 with maybe a little OpenID sprinkled on top. And that stuff will *always* be confusing. I've implemented it, I've taught it, I've written documentation for it and trust me: "Simple" and "Authentication" just don't go together. You just can't secure an API using *any* identity provider without some serious requirements introspection (i.e. what clients do you want to support, what level of security, where does your config live, etc.).

    • @fabiolune
      @fabiolune 10 months ago

      Totally agree.
      In my (could be limited) experience, it's rarely a good idea to create a custom authentication system.
      On top of security, there's also a huge amount of regulation compliance that can easily become a nightmare.
      So, while I appreciate the effort, I don't think I will ever use it in this way: better to rely on some authentication provider using a robust standard.

    • @eg8568
      @eg8568 10 months ago +1

      I recently did this for a client and automated it via IaC / Bicep files. The documentation for both was dreadful and made it doubly confusing, I feel your pain.
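For the Azure AD / Entra ID case discussed in this thread, here is an added example that is not code from the video or its repository: a minimal API locked down with the stock JwtBearer handler (Microsoft.AspNetCore.Authentication.JwtBearer package) validating tokens issued by one tenant. The AzureAd:TenantId and AzureAd:Audience configuration keys, the "access_as_user" scope and the "Data.Read" app role are assumptions to be replaced with the values from your API's app registration; v2.0 tokens carry the API's client ID as audience, v1.0 tokens carry api://<client-id>.

```csharp
// Added example (not from the video): Entra ID bearer validation for an API.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

var tenantId = builder.Configuration["AzureAd:TenantId"]
    ?? throw new InvalidOperationException("AzureAd:TenantId is required");
var audience = builder.Configuration["AzureAd:Audience"]
    ?? throw new InvalidOperationException("AzureAd:Audience is required");
var authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.Authority = authority;   // signing keys are fetched from the OIDC discovery document
        o.Audience = audience;
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = authority, // pins to one tenant; multi-tenant APIs need an issuer validator
            ValidateAudience = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1), // library default is 5 minutes
        };
        o.Events = new JwtBearerEvents
        {
            // Record why a token was rejected; the client only ever sees a 401.
            OnAuthenticationFailed = ctx =>
            {
                ctx.HttpContext.RequestServices.GetRequiredService<ILogger<Program>>()
                    .LogWarning(ctx.Exception, "Bearer token rejected");
                return Task.CompletedTask;
            },
        };
    });

builder.Services.AddAuthorization(o =>
{
    // Delegated permission: Entra puts granted scopes in the space-separated "scp" claim.
    o.AddPolicy("ReadAccess", p => p
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => HasScope(ctx.User, "access_as_user")));
    // Application permission (client credentials flow): app roles arrive in "roles",
    // which the handler maps to the role claim type by default.
    o.AddPolicy("DaemonAccess", p => p.RequireRole("Data.Read"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// An API returns 401/403 here; there is no login page to redirect to.
app.MapGet("/api/me", (ClaimsPrincipal user) => Results.Ok(new
{
    oid = user.FindFirst("oid")?.Value,    // stable object ID; prefer it over email as a key
    name = user.Identity?.Name,
})).RequireAuthorization("ReadAccess");

app.Run();

// Checks both the raw "scp" claim and its mapped long-form name.
static bool HasScope(ClaimsPrincipal user, string scope)
{
    var scp = user.FindFirst("scp")?.Value
        ?? user.FindFirst("http://schemas.microsoft.com/identity/claims/scope")?.Value;
    return scp is not null
        && scp.Split(' ', StringSplitOptions.RemoveEmptyEntries).Contains(scope);
}
```

The two checks that are most often skipped are the audience (otherwise any token issued by the tenant for any other API is accepted) and the scope or role (otherwise any signed-in user of the tenant can call everything). Both are enforced above, independently of the token's signature.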

  • @freigeist2147
    @freigeist2147 2 months ago

    This is very cool, only one question: where do I get the email confirmation code from, to send it over email to the user? This flow is not clear after the video, but this would be, I think, too much for a 10 min video. Thanks a lot!!

    • @freigeist2147
      @freigeist2147 2 months ago

      Also the refresh token as a JSON and not as a HTTP-ONLY Cookie could be a little dangerous.
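On the email-confirmation question above, an added example that is not code from the video or its repository: the .NET 8 Identity API endpoints hand the confirmation link (which carries the code) and the password-reset code to whatever IEmailSender<TUser> is registered, and the default registration is a no-op sender, which is why nothing appears to be sent. The SmtpEmailSender class and the Smtp:Host, Smtp:Port, Smtp:User, Smtp:Password and Smtp:From configuration keys are assumptions; SQLite is used only so the app runs stand-alone.

```csharp
// Added example (not from the video): delivering Identity confirmation/reset mail.
using System.Net;
using System.Net.Mail;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=identity.db"));
builder.Services.AddAuthorization();
builder.Services
    .AddIdentityApiEndpoints<IdentityUser>(o =>
    {
        // /login answers 401 until /confirmEmail has been called with the emailed code.
        o.SignIn.RequireConfirmedEmail = true;
    })
    .AddEntityFrameworkStores<AppDbContext>();

// Replaces the default no-op sender; resolved per send.
builder.Services.AddTransient<IEmailSender<IdentityUser>, SmtpEmailSender>();

var app = builder.Build();
app.MapIdentityApi<IdentityUser>();
app.Run();

public sealed class SmtpEmailSender(IConfiguration config, ILogger<SmtpEmailSender> log)
    : IEmailSender<IdentityUser>
{
    // Invoked by POST /register and POST /resendConfirmationEmail. The link
    // targets /confirmEmail?userId=...&code=... and the code is single-use.
    public Task SendConfirmationLinkAsync(IdentityUser user, string email, string confirmationLink)
        => SendAsync(email, "Confirm your email", $"Confirm your account by opening: {confirmationLink}");

    // Invoked by POST /forgotPassword; the code is what POST /resetPassword expects.
    public Task SendPasswordResetCodeAsync(IdentityUser user, string email, string resetCode)
        => SendAsync(email, "Reset your password", $"Your password reset code is: {resetCode}");

    // Required by the interface; the API endpoints use the code variant above for resets.
    public Task SendPasswordResetLinkAsync(IdentityUser user, string email, string resetLink)
        => SendAsync(email, "Reset your password", $"Reset your password at: {resetLink}");

    private async Task SendAsync(string to, string subject, string body)
    {
        var host = config["Smtp:Host"] ?? throw new InvalidOperationException("Smtp:Host is required");
        var port = int.Parse(config["Smtp:Port"] ?? "587");

        using var client = new SmtpClient(host, port)
        {
            EnableSsl = true, // STARTTLS on 587; credentials never go over plaintext
            Credentials = new NetworkCredential(config["Smtp:User"], config["Smtp:Password"]),
        };
        using var message = new MailMessage(config["Smtp:From"] ?? "no-reply@example.test", to, subject, body);
        await client.SendMailAsync(message);

        // Log the event, never the link or code: each one is a bearer secret for the account.
        log.LogInformation("Identity mail '{Subject}' sent to {Email}", subject, to);
    }
}

public class AppDbContext(DbContextOptions<AppDbContext> options)
    : IdentityDbContext<IdentityUser>(options)
{
}
```

Two practical notes: the sender runs inside the /register request, so a slow mail server slows registration (queue the send in production), and the confirmation link is only correct if the /confirmEmail endpoint is mapped with MapIdentityApi, because the framework builds the link from that route.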

  • @ChuckGiddens
    @ChuckGiddens 8 months ago

    Do you have a video on how to handle this on the Blazor Client side? No one ever shows the client side....

  • @myhjrhfgnb
    @myhjrhfgnb 10 months ago

    Saves devs setting up many things, that is a boon

  • @jasonsteelj
    @jasonsteelj 10 months ago +1

    It's a nice step, but they need a full example of authentication with SPAs, one that doesn't involve identity server/DUENDE. I don't need a whole identity server. I just need login on the local app.

    • @TheProTip
      @TheProTip 10 months ago

      Cookies are the way; it's not clear to me from this short overview that it's setting the cookies though. I know that David knows that though based on the GitHub issue, so it probably has support for setting cookies in there somewhere.
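On the cookie question for SPAs raised in this thread (and the refresh-token-as-JSON concern above), an added example that is not code from the video or its repository: the same .NET 8 Identity API endpoints serve a browser client with an HttpOnly cookie when the client calls POST /login?useCookies=true, while non-browser clients keep using the bearer/refresh tokens, with hardened settings for both. The AppDbContext name and the expiry values are assumptions; SQLite is used only so the app runs stand-alone.

```csharp
// Added example (not from the video): cookie mode for SPAs plus bearer lifetimes.
using Microsoft.AspNetCore.Authentication.BearerToken;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddDbContext<AppDbContext>(o => o.UseSqlite("Data Source=identity.db"));
builder.Services.AddAuthorization();
builder.Services.AddIdentityApiEndpoints<IdentityUser>()
    .AddEntityFrameworkStores<AppDbContext>();

// Cookie issued by POST /login?useCookies=true (scheme Identity.Application).
builder.Services.ConfigureApplicationCookie(o =>
{
    o.Cookie.HttpOnly = true;                       // not readable by script, so XSS cannot exfiltrate it
    o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    o.Cookie.SameSite = SameSiteMode.Strict;        // browser drops it on cross-site requests (CSRF)
    o.ExpireTimeSpan = TimeSpan.FromHours(8);
    o.SlidingExpiration = true;
    // An API answers 401/403; it must not redirect a fetch() call to a login page.
    o.Events.OnRedirectToLogin = ctx =>
    {
        ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return Task.CompletedTask;
    };
    o.Events.OnRedirectToAccessDenied = ctx =>
    {
        ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
        return Task.CompletedTask;
    };
});

// Opaque access/refresh tokens issued by POST /login without useCookies.
builder.Services.Configure<BearerTokenOptions>(IdentityConstants.BearerScheme, o =>
{
    o.BearerTokenExpiration = TimeSpan.FromMinutes(15); // framework default is 1 hour
    o.RefreshTokenExpiration = TimeSpan.FromDays(7);    // framework default is 14 days
});

var app = builder.Build();
app.UseHttpsRedirection();
app.MapIdentityApi<IdentityUser>();

// Works with either credential: the default scheme picks bearer when an
// Authorization header is present and falls back to the cookie otherwise.
app.MapGet("/whoami", (HttpContext ctx) => Results.Ok(new
{
    name = ctx.User.Identity?.Name,
    scheme = ctx.User.Identity?.AuthenticationType, // e.g. Identity.Application or Identity.Bearer
})).RequireAuthorization();

app.Run();

public class AppDbContext(DbContextOptions<AppDbContext> options)
    : IdentityDbContext<IdentityUser>(options)
{
}
```

A browser client then calls fetch('/login?useCookies=true', { method: 'POST', credentials: 'include', ... }) and never touches a token. Where the bearer flow is unavoidable, keep the refresh token in memory rather than localStorage and shorten the lifetimes as above, since anything script can read, injected script can read too.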