The .NET 8 Auth Changes You Must Know About!

This is such a helpful addition. I recently had to build whole identity system and whilst a lot of the heavy lifting was taken care for me by identity, I had to build the endpoints for generating & refreshing tokens, resetting user passwords, etc. This would have saved SO much of my time.

This is perfect! I think Microsoft should prescribe the right way of doing things and leave it to devs to customize it in anyway they want. Nice video Nick

I literally just manually coded something like this a couple of weeks ago. This would have made things much easier.
I would love to see more content around this topic on the different token types, how to integrate it with front end frameworks like React and Vue and different backend databases like MongoDB.

I would love to see how well these endpoints could be customized. For example, what if you want to have some custom fields when registering a user (first name, last name, etc). How can you modify the request body? You also need to override the underlying implementation of the given endpoint.
Suggestion for you Nick:
When all of the new improvements to the way we deal with identity are finally released in dotnet 8, can you create a full course on what would be the modern/recommended approach of working with identity. Because over the years there have been so many ways and it really has become confusing (especially for a beginner). Also, Microsoft have been pushing the Identity UI MVC (or was it actually razor pages, idk) built-in capabilities, which for me was a mistake as the industry is really moving away from the MPAs. I promise I would be the first to buy this course :)
Edit: You can even collaborate with Anton from RawCoding because as you know he is very passionate about auth

This is great for small projects, but it's not OAuth2.0 and OIDC standardized. We'll still need to integrate OpenIddict or IdentityServer for full compliance

Hope the new documentation will be clear about the addition of social login options 😬

This is great! In this example the protected endpoint resides on the same Auth microservice (with RequireAuthorization()).
Nick, can you please show us another sample of the separate API service that performs validation of the access tokens issued by this Auth service? Thank you!

This is definitely great, and a move in the right direction. That said, in the enterprise, it’s extraordinarily rare to build authn as part of your API like this. You’re almost always integrating with a 3rd party IdP/oidc/saml, and that integration is equally annoying.

1:57 like that reference 👌

Finally, I've been using this since it dropped instead of writing a ton of custom code. Very nice.

It’s great to see the improvements and also encouraging to see David Fowler replying to questions. Loving it. Is it possible to set up an independent auth server with this to be shared across multiple services? Also does this work with other third party systems like social login and azure Active Directory? Can we map the user with any Active Directory attributes like email, name, groups etc?

I'm always worried about customization with black box magic because it looks simple until you use it in the real world. if I have to work on a system that implements this, how long will it take to figure out how to customize it. For example I may need to send an email on register, or maybe I need extra data on register to setup a relation to another entity.

@nickchapsas Please note that the default implementation of IdentityUser (used in this video) uses a string as Id which turns into a NVARCHAR(450) as primary key. This is terrible as it will lead to fragmentation because they don't insert records in a sequentially increasing order. This can lead to increased page splits and fragmentation within the database, potentially degrading performance over time as the database grows. To solve this and turn it into (for example) a integer primary key, the MyUser should inherit IdentityUser and the DbContext should inherit IdentityDbContext This will turn all primary keys into incrementing integers which are inserted in the right order.

For my case, I'm going for another approach, because the token get exposed in the client, any script on the browser has access.
This can be a great idea to do a new video about the "backend for frontend" :)

Finally ! It was such a headache.

I wish they had gone with OpenIddict, but I guess they don't want another IdentityServer situation and that it would be a competitor to Azure AD (or Entra, I don't know anymore)

I'd appreciate some explanation of how this integrates with other identity providers, Facebook, X etc. This looks like oidc/oauth, but you say it's not JWT, which bothers me. Could you enlighten me?

i wish they also made seeding admin accounts easier with roles and claims. can you make a video about it?

Looks great I just hope there is enough customization possible and (more important) that the documentation for customization is well written.
Are there also razor pages/blazor templates for UI variants of the endpoints?

How extendable is it? For instance, doing the classic step to use BCrypt or Argon instead of their default hash implementation? All it leaves is the authorization setup side to do?
So far I find it pretty awesome. A huge facade made by Microsoft which certainly solves the complex setup it requires to properly create your own Identity Server. I don't remember how many times I have recalled to the documentation and guides when setting up one of these. Marvelous move done by Microsoft.

Can the new auth changes accept the AD as a user store? if so, how about mapping membership groups or custom AD properties in claims?

Where is the secret or cert?
Can we change endpoints names?
Can we choose features instead get all or nothing?
Can i do an authentication server with this out of the box or integrate this ?

I loved that Doug reference. THIS is awesome content.

For one of my projects I was looking into doing this myself and thought it would be a pain to setup. Then I saw that Microsoft was adding this and it looks really cool. Thanks for explaining yet another great topic!

Nick, you are doing a great job! Keep it up.

Love this update. Wonder how good this works with Swagger/OpenApi and more clarification between this and a JWT bearer tokens?

Is it possible to override e.g. the login method for custom logic like logging or add custom claims

I really like it. Thanks Nick. I hope you create a video about this in full details and features.

This is awesome! After setting up auth so many times this will definitely help streamline and make the process easier.

I just needed this for what I am building. Thanks a lot.

That's great that it is out of the box now. It would be nicer if it could be jwt format

How it will work with an enterprise identity server like Auth0?

I think this is great simplification. I do have some questions though. First, is it safe to assume that .net 8 is using data protection under the hood for managing the certs used to mint the JWT? If so, is the only out-of-the-box way to implement this in such a way that it's cluster safe, to enable sticky sessions on the load balancer? I could see that becoming problematic with long living tokens though. I'm curious to know the best practice for implementing this in a cluster because unless Microsoft has added more options since I dug into it deeply, data protection isn't all that easy/reliable to implement in a cluster without just using sticky sessions. I once wrote my own SQL server solution for hosting dp keys, but it was difficult to avoid timing issues. I had to use locking techniques to prevent failures when all nodes in the cluster were spinning up at the same time. I had to role my own because the MS sql server dp provider didn't properly handle that very concern.

Good but It would be better to implement standards OAuth and OIDC but Microsoft does prefer to sell Azure Active Directory...

It's a nice step, but they need a full example of authentication with SPAs, one that doesn't involve identity server/DUENDE. I don't need a whole identity server. I just need login on the local app.

Hoping that they will integrate it into blazor

This scenario is only intended for when your service also functions as an auth-service and not when you use an auth-provider like Azure AD/Azure AD B2C, right?

Is a great step forward. But the must annoying thing for me is the dictatorship on how my Authentication Tables needs to be setup (migrate). It is very common to change a new project where there's already a Database Model in place, some simple scenarios where there's only a Users table with Email and Password.
Would be great if we were able to setup the Authentication in that Stupid Simple Lean approach (where you could specify what is the table and how complex you want your authentication to be, (include refresh tokens, hashed passwords, etc)

I like the advice regarding EF Core 8 at 2:57. How can I reduce the cold start of EF Core in a serverless application?
I have used the Debug mode and seen EF Core context initialization messages. The context initialization took 800 milliseconds per each cold start serverless invocation.

What would be nice to have would be 1. Invalidating the token (one login, locking the user) 2. Ability to see online users. 3. Dynamic ACL based on user rights - role rights

StartingAsync! I think that solves a problem (a dirty background service hack like you mentioned) for me. Thanks!!

Oh god... I waited for that for so long... Finally !

This shit is still complicated. We would have never figured this out on our own. MSFT consistently convolutes approaches because they have this spaghetti against the wall mentality of refining features. Back in the day we used to have property panes and dialogs to configure options. The changes were made in the background for you. Now they basically said fk you to powerful tools and followed the rest of the open source community down the "type all your setup and config into a file" rabbit hole.

Can you show how to do it from a blazer wasm client calling the API?

It looks great and spent so many hours with identity in last few years. However, one of the thing which i am still missing is some kind of the way to invalidate at least refresh token. This basic behavior is simple but it still require additional work from us. I always implementing logic for validation of user every time when you use refresh token and also logic which is validating users in database at least once in every 5 minutes. My reason is that I am mostly working on closed systems where it's really important to kick users out of system almost immediately when admins decide to remove their right to be there.

I don't understand. Are these API endpoints only accessible from onsite? What's to stop someone from batch-creating a million accounts using the register endpoint?

That's great video. Thanks. November 14, 2023
ASP .NET Core 8, with its much-anticipated features and enhancements, is scheduled to be officially released on November 14, 2023

6:10 What plugin allows you to explore the sqlite db file like that?

You deliver excellent and relevant information which helped me a lot. Thank you.

Why not JWT?

Does it support storing the user session in the database in case the token needs to be invalidated?

Now how to make it work with dapper?

Great video! How to customize register endpoint, because maybe we need more field, ex: phone, avatar...?

Fantastic! I wish they had implementet the passkey auth though.

Love the Doug DeMuro cameo.

I would love to see a video on how to lock down an API with Azure AD authentication. I just went through the horror of doing it myself and the documentation for it is woefully confusing.

very helpful.. would like to know how .net8 can be integrated with a 3rd party IAM provider like Auth0...

Love the Doug DeMuro reference :D

That was just a ton of tables and magic 😮

I liked the humor! 😂 But hey Nick, it would be great if you show how to integrate this identity authentication and authorization with keycloak!

Is it possible to use JWT with that approach?

7:39 I love how you roasted microsoft, which created this auto refresh token generation, in 2 seconds 😂😂😂😂

Good work. Can you please create a video for custom authentication with cookie/local storage/session storage & without identity

Perfect…just perfect. .Net really stepped up their game

So it's not good to save all user credentials as plaintext? :P

That is so freaking awesome. Finally

Great video Nick 👍🏻

Can this be connected to an outside service like Octa?

What about B2C integration ?

My favorite part 7:40

C# has changed a lot since I last used it. If I ever go back to backend, I'll probably use C#

Hey Nick, I would REALLY appreciate a follow up on this video for how to setup identity without a database... I have an application where I need to authenticate and get user data from a third party application using a REST service. It used to be really easy in .NET 4 to create a custom user storage provider that would call a REST or SOAP service to obtain or update user data, but I have been struggling real hard trying doing the same in a Blazor SSR application, and let's just say the documentation really isn't straightforward at all... Standard solutions do not work, because I do not need to actually connect through a third party OAuth endpoint. What I need to do is query an external ERP product that contains the user data (through customer contacts for example), and use that data to authorize users in my external .NET 8 app.

1) Where is that file with all the settings and api routes in the end of the video? Can't find it in my project
2) If I have webapi app, and two client apps - mvc and phone app. I want to get token from web api and use it for authorization in client apps. How can I do that?

Really helpful. Is there an option to get this working so that Identity endpoints are not in minimal API fashion?

...a step in a right direction! Previous "web" authentication/authorization from Microsoft was very wrong. This is something better, but there is still a lot to improve. See, authentication/authorization can be done in a lot of different ways, the lack of usage of interfaces and also the fact that appears to be "all or nothing" is still quite wrong. A problem like authorization/authentication should be treated as much as orthogonal problems as possible. This requires a very profound redesign, and even if the proposed solution is very handy in simple scenario, i dubt it can be adopted for advanced things (imagine a system where the grants are added to the user and the UI have to respond in near real time using a gRPC channel with JWT bearer and an event sourced database as storage.... i dubt this thing could do it)

is there a way to delete the api key? or revoke it?

Loved the "except for Microsoft" comment! xD

Wow ! Such a great video.

This is a game changer and such a time saver!

Can you please do a video on how to setup .NET 8 with AWS Cognito with the Blazor auth scaffolding pages?

Is it in purpose the picture at 01.57?

great video, thanks Nick

Do you have info / video on how to set this up properly as a JWT? Is this also out of the box (configuration only)? Or should we add extra code for that?

adding few social login providers and merging that with local account would be nice. But I guess the 3rd party integration requires redirection at some point so no single API call will handle this, right?

Thanks for the video. Question: How to customise the register and login endpoints to accept user id instead of email?
Thank you

This is a great iintro, thank you, but where is the signout URL? I can't find it in the source or the documentatioin

Hello do i need 2 set of bases for doing this? Or i can put all other domain models in that data base? I used to have models in one base for example blogs walks etc and other one was identitydb can i store it all in one? "identitydb" ? or does it comes only with user model

This is mind blowing!!!

Do you have a video on how to handle this on the Blazor Client side? No one ever shows the client side....

Hey! What do you think about CQRS Pattern with EF ? Any experiences on that topic? And is there maybe a Video comming from you about CQRS?

Can't wait for .Net 8 to be released.

What's really helpful! What should I do if I don't need some of the endpoints? For example my API won't use 2 factor authentication

Does it support role based access system by default?

FInally an easy way to setup authorizations... Just a question, i have a master website and N satellite sites, with this new way how could I share my authentication with satellite sites? Mi idea is to login once and load these sites in an iFrame on the master website where I logged in.

Hi when i try this and access a protected minimal api endpoint I get a 404 because it is trying to redirect to Account/Login which does not exist. Is there a way to disable this behaviour so I can get the expected 401?

Great intro to this new feature. Echoing questions about generating and customizing UI for AspNet, Blazor, or SPA frameworks. Wondering if there are templates to start with. Looks perfect for a simple personal web site that has auth for an admin area or customer/client features. Wondering if it can be used for a Generic Host as well as for a Web Host. Will have to try it. Looks good!

Would like to see what happens when you start filling out the user class. Does it support complex types?

That's really useful. I wonder if there's an easy way to get it to use JWTs by default (I'm sure it's possible to rewrite overall, I'd just love to be able to set a flag for that, as we use JWTs in the rest of our system, and it would be ideal to maintain compatibility/)

How to work with roles in this new identity api endpoints and also how to override auto generated auth endpoints?

Saves devs setting up many things, that is a boom