Awesome tutorial! Curious, when you "hardcode" the Admin claim in the OnSigningIn event, is this an OK place to get that "admin" flag from a database? Or could it get passed from my username/password lookup in the login action?
Yes. In parts 2 and 3 we build up to using a database to get that information and demonstrate using Identity as a service providers like AzureAD or Okta, etc.
Tony, I have run into one issue. When I log in with the proper information, log out and try to log in again, I get an error that says "ArgumentException: Value cannot be null or empty. (Parameter 'url')" and it highlights this line in my homecontroller.cs: " return Redirect(returnURL);" I can "fix it" by going into the history & deleting cookies for the last hour. But this comes right back up again if I log in, log out & try to log in again. Any ideas on this? And I love this training. Very well done! Thanks!
@@esamcoding I don't think the returnUrl will be an issue here. However, when "POSTING" data from a form to the backend, and when using cookies, you should use an XSRF validation token, which I don't demonstrate in this video, but I do have it implemented in the GitHub repo. At some point, I need to do a video specifically about how and why to use the XSRF validation.
@@esamcoding A simple solution would be to use the builtin method return LocalRedirect(returnUrl) rather than just using Redirect(returnUrl) if you prefer. This method ensures that the returnUrl is part of the local application and is not redirecting outside of the application.
Wow! Great explanation, but you should have explained how to do the assignment of the claims in another class, trying to do the separation of concerns, and using a database for the user and pass... even the roles.
There is one thing I noticed: when I do logout it removes the authentication cookie from the browser only, and if I captured this request, maybe in Fiddler, then I get the valid page response with the same logout cookie??
If you are talking about cookie based authentication, then logout will only remove that cookie from the browser...that is correct. I'm not following your comment regarding what you are seeing with fiddler. If you want, you can contact me via email mobiletonster at gmail dot com, or on discord mobiletonster#2455
Hi Sir, I am using VS 2019 Community Edition version 16.9.3 but I can't see the template "ASP.NET Core Web Application" there, so I am unable to follow you in parallel. Can you please let me know the steps to install the prerequisite s/w to follow you.
I wrote a blogpost that shows how to ensure that you have the proper workloads installed: mobiletonster.com/blog/code/web-workload-for-vs2019-with-visual-studio-installer
Thank you, I plan to. I have been on a major project at work that has prevented me from getting my next planned video completed. Hopefully I will be able to get back to it soon.
I hope it was helpful. Be sure to watch parts 2 and 3 as well. There is some good information in those other 2 parts that you may find helpful as well.
Is it possible to put the identity logic in a separate DLL/Project so that this can be used in a web or API project? A video that shows this would be great.
Yes it is possible. I wouldn't try to write all that myself as there are some great libraries you can use such as Identity Server4, or Microsoft Identity. If you keep it simple and delegate the authentication to an Identity Provider such as Google, Facebook, Twitter or an IDaaS (Identity as a service) like Azure Active Directory or Auth0 then there shouldn't be much code in your application.
Thanks. I don't have plans to do one on Windows Authentication as it is kind of on its way out. Microsoft is trying to get people to migrate to other authentication methods such as OAuth/OpenIdConnect and using things like Azure Active Directory instead. Do you have a requirement to use Windows Authentication for a project?
@@mobiletonster Thanks for the reply. We are also planning to use Azure AD for authentication going forward. Is there a tutorial on configuring Azure AD authentication?
This is awesome. Thank you. I’m wondering…is there a way to override the ugly old fashioned login dialog box that prompts you in a browser that’s using Windows authentication from IIS? Like using your own custom login page that forwards the Windows authentication through IIS?
I'm not aware of a way to override the login box for NTLM. The only thing I know is that you can possibly override it by creating your own login dialog (html) and using LDAP on the backend rather than relying on NTLM, but that is all I know about.
The User class that is part of the HttpContext is populated when we create a ClaimsPrincipal object, or rather when the Authentication handler does that. During that time, there are a couple of special fields in the User class: Name and Id (I think I am remembering that correctly). The name maps to a constant in the ClaimTypes.Name and the id maps to the ClaimTypes.NameIdentifier constant. If you hover over these constants you will see that they are actually a long Uri of sorts, perhaps an ISO specification if I remember correctly. The User class is expecting and seeking out any claims that map to these two types. If it sees those present, it will populate the User class accordingly. Perhaps a bit of an oversimplification, but it really isn't magic. If you dig into the source for ASP.NET Core, you will see how they construct the User class that sits on the HttpContext during each request as it passes through the Authentication handler.
Be sure to watch Part 2 and 3. If you have questions or need more help, contact me at mobiletonster@gmail.com
It would be really helpful if you would upload your code and link it in the description.
@@durimmiziraj4815 if you check the description, I have put a link to the GitHub Repository for the final integration of the 3 parts. github://mobiletonster.com/Authn
Crisp and clear descriptions of how to do custom auth. Most articles will just thrust entity framework with identity schemes in your face, but this really shows the basic fundamentals and how to do them from the ground up. Fantastic tutorial.
Thanks!
Perfect balance of explanation of beginner to advanced topics and not sounding condescending. Not many can pull that off. Great job.
Thank you for your kind words. This has been a lot of work to put together and I hope it will help someone. I know it is a complex topic because I had to fight through it myself and I promised that if I ever figured it out I would try to give back to the community who helped me. I just posted Part 2 in the series, so enjoy.
That was a really good Tutorial. I really like how you explain things (even trying and doing it wrong to know what went wrong).
Thanks a lot, waiting for more about this topic.
Doing it wrong is the part that comes naturally for me...lol. I just posted Part 2.
I watched over 20 videos regarding Authorization/Authentication. Not even one video gave me clarity. After seeing your video I got clarity on what this concept is about. Thank you so much.
Thank you for the nice comment. Let me know where you are from and what other topics you would be interested in.
@@mobiletonster Hi Tony, this is Karthik from Hyderabad, India. I'm interested in knowing about JWT.
Good. This may be the clearest explanation for ASP.NET Core.
Thanks. I hope it helps someone.
Tony, I am 45 minutes into your first video. Everything works. I am so grateful for your thorough explanations about this complex topic. I have worked with JWT's and now I decided I want to use cookies. I just want control and don't want to use MSFT Identity so understanding this completely is very important to me. You are the best resource I have found so far. Thank you!
Great to hear!
Best video I've ever seen about Authentication and Authorization. Short, understandable, with brilliant examples. Thanks
Wow, thanks! That is quite a nice compliment.
You are a good teacher! In fact, I don’t know much about ASP.NET, but when I finished watching this video, I knew the difference between authentication and authorization, and understood how they work in ASP.NET!
Hopefully you found it worth your time. I hope you make amazing things!
The best explanation I have seen so far about this topic. Thank you.
Wow, thank you!
Loved the pace of this video, and the simplicity of the explanations. Super! Thank you, I'll watch the other ones when I get the time.
Thanks for the compliment. I hope you find it useful.
Only after watching your videos , I understood Authentication/Authorization. Thank you very much.
Glad to hear that
The great thing is he shows us the auth process without adding an Identity package and its DB context. Thanks Tony
Indeed. While the Identity Package can be useful, over the years I have found that I prefer to either use an Identity Provider (Google, Microsoft, Facebook, Twitter, etc.) or, if I must have my own identity system, to use my own so I can easily modify the claims/properties that I want to capture for my users.
I'm architecting a new system from scratch using .net5 and MVC. This was incredibly helpful. Thank you so much.
Glad it was helpful!
this is the best explanation I have seen so far on .Netcore Security
That is a very nice compliment. Be sure to watch parts 2 and 3.
Simply amazing. Searched many days for a clear explanation. Nowhere did I find the right one. Finally got the best one. Thanks man 😍
Great to hear!
Amazing explanation, pace was spot on, it made perfect sense.
I also feel like having watched it I can jump in where I need to as a refresh as I now build it.
Thank you 😀
Great to hear!
By far the best tutorials on this topic, must watch if you are building enterprise ready software. Thanks Tony
Thanks Jack! Very nice compliment.
Hi Tony. Congratulations on your job. I am quite sure this is the best I´ve ever seen about this subject. Looks like you have a natural gift for being a teacher.
Wow, thanks! I appreciate the compliment.
You are a hidden Gem Mr. Tony. Your knowledge is truly amazing. Salute to you Sir. This video is really helpful.
Glad it was helpful!
Best explanation of this process I have come across. Just enough detail IMHO.
I'm glad it helped. I hope to do a number of other topics in the future.
Very good tutorial for me... Everything I saw so far was using the Entity Framework so it gives me an inspiration to do it without EF.. Now need to understand more how to do the same with oAuth and OpenId connect for both a UI and API... Will go watch your other videos... Thanks man again for the video. Well done!
Great to hear!
Got clear idea about cookie based authentication. waiting for OpenID as well. Thank you so much. Keep up the good work.
I'm glad it helped. I have more videos on the way, but I just posted Part 2 which begins our journey into OpenIdConnect.
@@mobiletonster thank you for your commitment.
YEARS Looking for THIS level of information!! PERFECTION!!
So glad!
That was amercing, you are my god. I searched for this operation for 6 days, and finally I got your explanation. Thank you again Sir.
Thank You? I'm not familiar with "amercing", but thanks for the compliment? lol. I'm glad it helped. Be sure to watch parts 2 and 3.
Truly amazing, you're such a gifted teacher.
Thank you! 😊
You really deserve more subs, I loved your way to teach, so clear!
Glad you think so! I hope to get back to making more in this series as soon as I get through a major project that I'm building at work.
Brilliant teaching here! A lot of tricky concepts that you describe in a very calm and understandable step-by-step fashion.
Thanks Tony
Thanks for the compliment. Very kind of you.
I'm only about 1/2 of the way through your video and this is great stuff!! You hit the nail on the head for what I was looking for in a tutorial. I plan on watching your other videos as well. Thank you very, VERY much!!! Well done!!!
Awesome! Thank you!
Brilliant usage of those clips to demonstrate difference between Authentication and Authorization
Thanks. I hope you found the video useful.
Thank you so much, can't wait for the jwt, openid stuff.
I'm working on it right now....OpenID Connect will be the main focus of Part 2.
Thank you for making .NET's convolution much easier to understand
You are most welcome. .NET is very powerful if you can understand its "convolution" sometimes...lol.
Wow, that's one of the best tutorials I've ever seen!
Thanks a lot.
Wow, thanks!
Big thanks sir, really helpful and easy to follow, the best Authentication/Authorization MVC video I have watched
Glad it was helpful!
Thank you. I love it. Nice and simple explained without any unneeded content. Best regards :)
Thanks. I'm glad it was helpful.
Thanks for this great sharing of knowledge and process. So often with frameworks it seems the only way to learn is to blindly follow convention, but you show us how to play around with this beast and gain a deeper understanding of what we're actually doing.
Glad it was helpful!
Thank you for this wonderful job of teaching us how authentication works on ASP.NET. I never found resources like this on this specific aspect of ASP.NET Core. Please keep going!
You're very welcome!
I'm really happy I've found your channel! It's super understandable and clear explanation! Thanks!
I'm glad you found it helpful. I just remember struggling through things like Authentication and wished there was a way to break it down into simpler concepts, so when I finally figured out some things, I decided to share it with others. It was hard work to put it together (and scary to be on camera to be honest) but now that I see how many people have benefited from it, it makes it worthwhile.
@@mobiletonster Don't worry about the camera, you did really well! I like the way you explained literally step by step! If you consider making a full Udemy course I'd buy it without hesitation! I really wanted to know how you can make a full login with registration, forgot and reset password, role based, and even third-party login like Facebook or Gmail etc! And what I still haven't found is how you can deploy and publish Register and Login pages to an existing website with databases! All I can find is localhost! Aren't you doing private lessons?
@@attilaguba856 I wouldn’t call it private lessons but I’m always willing to discuss with people…you can email me at mobiletonster at gmail dot com.
@@mobiletonster thanks very much! I will email you !
The 3-part series answered most of my doubts! Thank you very much 😊
Glad it was helpful!
You just saved my school project, thank you so much !
Great! If you ever need help with your school projects, just reach out. You can DM me on twitter @mobiletonster.
Very nicely done Tony. That was just the intro into ASP.NET that I was looking for. Just a quick question; how would you implement a "Remember Me" option in the Login screen?
If the user selected the checkbox, I would store their username in a cookie. Then when they returned, I would check for the presence of that cookie and extract the information from it (using javascript) and inject it into the input field for username. I would still require the user to enter a password.
@@mobiletonster thanks
Very useful, crisp explanations. Keep posting more content on core mvc.
Thank you, I will
Authorization made simple. Great job !
Thank you!
Damn that's one of the best tutorials I've ever seen!
Thanks. That is a very kind compliment.
Please zoom in a little bit so that viewers can see the content properly. Besides that, the content is really good and helpful. Thanks
Thanks for your comment. Can you tell me the resolution of the computer you are watching on so I can gauge how large to make the content? It is always tricky to balance as some people are on large 4K monitors and others are on smaller monitors. Hopefully no one is trying to watch code on a mobile device, like a phone. That would be very difficult.
@@mobiletonster oh my bad. I was using mobile. Actually I came across your channel last night when I was searching filters in MVC.
I would try your tutorials on my laptop screen.
Have a great day Mr. Tony.
Thanks for the video!
I have a question: why did you switch from IIS to Kestrel in the beginning? Is it faster or does it have any advantage?
Thanks
Good question. A few reasons (personal preference): 1) It seems to run faster when debugging as it doesn't have to spin up IIS 2) the logging outputs directly to the console making it easy to find and read 3) IIS can sometimes keep running even after the app has stopped debugging and may still be consuming a port so if you open another app to debug, it can't run because the port is still in use. Just a few reasons like that...and probably, mostly habit now.
However, there are times when it makes sense to run it under IIS Express to test what it will actually work like when deployed onto an IIS Server. Usually there is no difference, but sometimes there is and it is handy to have the IIS Express option to test with, even if it isn't an exact duplicate of full IIS. But most of the time, I prefer just running with Kestrel or with WSL.
@@mobiletonster Thanks so much for the clarification, I will give it a try!
This video is excellent - very clear and concise. Thanks for taking the time to make it!
Glad it was helpful!
Best teacher i ever had. I hope you make more videos.
That is quite a compliment. Thank you!
This is amazing stuff I have never seen a video like this with so much detail starting from scratch thank you, could you please create content where we have different types of authentication like you covered cookies apart from this like JWT and few others.
Thanks for the comment. I have plans to do more videos on other types of authentication...just haven't had the time yet.
Superb... in an easy way you explain such a complicated topic.
Glad you liked it
You are the best! Better instructor than those on Udemy. Your video saved me at work :)
Wow, thanks! Glad to hear that it helped at work. Don't forget to watch parts 2 and 3.
Just what I was looking for my company project. Thanks a lot!!
You're very welcome!
Awesome explanation. One thing I have always had a hard time wrapping my head around is Authorization and Authentication.
ps. Ogden is beautiful, had the pleasure of attending Weber State there!
I too attended Weber State University and fell in love with the Ogden Valley after growing up in Washington State. I have been here ever since!
Very well explained! Learnt a lot in this 1-hour session. Thanks heaps
Great to hear!
After validating myself in OKTA, how did you send the email and username to a session variable, with WebForms?
The email and username should be included in the token that comes from OKTA. Then the token claims get extracted during the initial validation phase and those claims get placed inside a cookie. From then on, the Cookie is the authentication "ticket" that contains useful information about the user.
Marvelous tutorial. Great job.
Many thanks!
Good Explanation, thanks Tony Spencer
Glad it was helpful!
Hi Tony, Excellent. Now cookie authentication is clear to me. You have great teaching and presentation skills. I have a question for you. Like cookie authentication, do we have session based authentication in Core? I have seen various examples of storing data in session and retrieving it back, but nowhere have I found it used for authentication and authorisation purposes. Does it exist, or is session just used to store data for state management?
Are you referring to session on the server or in the browser? You can store session in either place, but in today’s cloud world with dynamic scaling, server side session storage isn’t as flexible as it forces a user to always be connected to a specific server, or you must synchronize session across multiple servers. Cookie based authentication scales much better as it isn’t tied to a specific server instance. As for storing something like a token in browser session storage, this is a common pattern; however it requires more work from the developer to always include the token in the header of each request to the server, whereas the cookie rides for free on each request (on fetch requests make sure to use the “includecredentials” option for cookies).
@@mobiletonster Thanks for your reply. I was talking about server side session. Ultimately, session uses a cookie to store data in the browser, but it is safe when using in-memory session. Other than cookie authentication, what other options do we have for authentication in MVC? Because for safety purposes, cookie based authentication is assumed to be a bad choice.
Cookies, when used correctly, are a safe option. The key is to
1. use https,
2. make sure the cookie is bound to a specific domain
3. set it to httponly so it can't be read on the client side in javascript
4. control the security level to be strict or same site, not lax.
Using these and other techniques such as CSRF tokens to prevent cross site scripting attacks will further improve the security of your site while using cookies.
Alternatives to using cookies include using JWT tokens added to the Authorization header, but they are really not any safer than a cookie. Like a cookie, the JWT token is passed in the header, but the JWT token is usually readable by the client side, whereas a cookie can be encrypted so that it is not readable by the client side or browser (httponly).
If you need to store JWT tokens in the browser, don't store them in localstorage (which is a common practice, but not a good idea). Store tokens in sessionstorage or in memory (like in a React state object, or Angular state object) or .... in a cookie (lol).
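As an added example (not the video's code or the Authn repository's), here is an ASP.NET Core cookie-authentication setup that applies the four cookie settings listed above, together with the anti-forgery token validation and the `LocalRedirect` fix recommended earlier in the thread for the login POST. The cookie name, the paths and the `CheckCredentials` placeholder are assumptions; anti-forgery tokens here defend against cross-site request forgery, while HttpOnly is what keeps the ticket out of reach of script.

```csharp
// Added example (not the video's or the Authn repo's code): ASP.NET Core cookie authentication
// with the hardening discussed in the thread. Cookie name, paths and CheckCredentials are assumptions.
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = "Authn.Auth";                  // assumed cookie name
        // 1. https only: the browser never sends the ticket over plain http.
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // 2. bound to one host: with Domain unset the cookie is scoped to the issuing host
        //    and is not shared with sibling subdomains.
        options.Cookie.Domain = null;
        // 3. HttpOnly: page script cannot read the ticket, so an XSS bug cannot exfiltrate it.
        options.Cookie.HttpOnly = true;
        // 4. Strict, not Lax: the cookie is not attached to navigations started from other sites.
        options.Cookie.SameSite = SameSiteMode.Strict;
        options.ExpireTimeSpan = TimeSpan.FromMinutes(30);   // short ticket lifetime, renewed while active
        options.SlidingExpiration = true;
        options.LoginPath = "/Home/Login";                   // assumed paths
        options.AccessDeniedPath = "/Home/Denied";
    });

// Anti-forgery (XSRF) token for form POSTs, validated per action with [ValidateAntiForgeryToken].
builder.Services.AddAntiforgery(options =>
{
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});
builder.Services.AddControllersWithViews();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseStaticFiles();
app.UseRouting();
app.UseAuthentication();   // reads the cookie and builds HttpContext.User before authorization runs
app.UseAuthorization();
app.MapDefaultControllerRoute();
app.Run();

public class HomeController : Controller
{
    [HttpGet]
    public IActionResult Login(string? returnUrl = null) => View(model: returnUrl);

    [HttpPost]
    [ValidateAntiForgeryToken] // a POST without the token issued to this browser is rejected with 400
    public async Task<IActionResult> Login(string username, string password, string? returnUrl = null)
    {
        if (!CheckCredentials(username, password))
        {
            ModelState.AddModelError(string.Empty, "Invalid username or password.");
            return View(model: returnUrl);
        }

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.Name, username),             // surfaces as User.Identity.Name
            new Claim(ClaimTypes.NameIdentifier, username),
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(CookieAuthenticationDefaults.AuthenticationScheme,
                                      new ClaimsPrincipal(identity));

        // LocalRedirect throws for non-local targets, so a crafted ?returnUrl pointing at another
        // site cannot turn the login page into an open redirect; an empty returnUrl falls back
        // to "/" instead of the ArgumentException that Redirect(null) raises.
        return LocalRedirect(string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl);
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return LocalRedirect("/");
    }

    // Placeholder for the user lookup shown in the video; a real implementation checks the
    // submitted password against a stored hash rather than accepting any non-empty value.
    private static bool CheckCredentials(string username, string password) =>
        !string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(password);
}
```

With SameSite=Strict a user arriving from a link on another site is not sent the cookie on that first request and sees the login page; Lax is the trade-off if that matters for your application.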
@@mobiletonster Thanks Tony. it helped a lot.
Dear Tony, thank you. Helped me a lot.
Glad it helped
great coverage of cookie authen.
Thanks!
Hi, hope you are doing well. I have a query on authorization. Where do you define all authorization roles? Is it done in your local application, i.e., create a table and define roles and access privileges? Or is it managed in AD? Please suggest or provide a reference link on how to manage authorizations.
I want to use MSAL authentication. As the authorization is specific to an application, what is the best method to manage authorization? Please suggest.
Part 3 of the series demonstrates both using a local database to store roles and using an IDP to store roles. It is similar to using AD for management, which would probably be the preference if you can do it that way.
Thank you for this!!!!! Exactly what I have been looking for.
Glad to hear! Don’t forget to watch part 2 and 3 for more information.
Thanks for this video, you helped me a lot
I am glad these have helped you and others. I am working on more tutorials as I get free time to work on them. Thanks for watching!
Claps for you, sir. Happy understanding 😊
This is just what i needed for my project, thanks a lot
Great! I'm glad it helped. There are also parts 2 and 3, which dive into OpenID/OAuth implementation and connecting a database to house roles, etc. Enjoy!
Thank you. making everything so clear and simple..bless you!
You are so welcome! Also, thank you for the blessings!
Really nice tutorial. Love from Pakistan.
Glad it was helpful.
Good video to understand concepts of Authentication and Authorization
Appreciate your comments
Thumbs-up explanation and approach. I wish I had a complete course on .NET Core from scratch to expert. Thanks, sir.
Thanks for the feedback. I would actually like to put together a series of videos from basic to advanced. Expert? I don't consider myself an expert, so not sure I can do that part.
I had a few issues. I downloaded your project from GitHub, but I got an error: "An unhandled exception occurred while processing the request." Could you help me with that?
Happy to help. If you want to reach out to me and contact me via Direct Message on Twitter, we can connect. My Twitter name is @mobiletonster
Awesome tutorial! Curious, when you "hardcode" the Admin claim in the OnSigningIn event, is this an OK place to get that "admin" flag from a database? Or could it get passed from my username/password lookup in the login action?
Yes. In parts 2 and 3 we build up to using a database to get that information and demonstrate using Identity as a service providers like AzureAD or Okta, etc.
Tony, I have run into one issue. When I log in with the proper information, log out and try to log in again, I get an error that says "ArgumentException: Value cannot be null or empty. (Parameter 'url')" and it highlights this line in my homecontroller.cs: " return Redirect(returnURL);"
I can "fix it" by going into the history & deleting cookies for the last hour. But this comes right back up again if I log in, log out & try to log in again. Any ideas on this?
And I love this training. Very well done! Thanks!
Add this line at the beginning of your POST method: returnUrl = string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl;
@@mobiletonster I recall that using returnUrl like this without validation opens your app to a redirection attack. I don't remember the details.
@@esamcoding I don't think the returnUrl will be an issue here; however, when "POSTING" data from a form to the backend, and when using cookies, you should use an XSRF validation token, which I don't demonstrate in this video, but I do have it implemented in the GitHub repo. At some point, I need to do a video specifically about how and why to use the XSRF validation.
@@mobiletonster URL redirection attack.
@@esamcoding A simple solution would be to use the built-in method return LocalRedirect(returnUrl) rather than just Redirect(returnUrl), if you prefer. This method ensures that the returnUrl is part of the local application and is not redirecting outside of the application.
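The fixes discussed in this exchange (defaulting an empty returnUrl, validating it as local, and XSRF protection on the POST) put together in one login action. This is an added example and not the video's or repository's code; the LoginViewModel, the in-memory credential store with its demo user "tony" / "P@ssw0rd!", and the route names are all assumptions.

```csharp
// Added example: a login POST that survives the logout/login cycle from the question,
// refuses open-redirect targets, and requires an antiforgery token.
// LoginViewModel, the demo credential store and route names are assumptions.
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Mvc;

public class LoginViewModel
{
    public string Username { get; set; } = "";
    public string Password { get; set; } = "";
}

public class AccountController : Controller
{
    // Constructed demo store: one user whose password is hashed with PBKDF2 at startup.
    private static readonly byte[] DemoSalt = RandomNumberGenerator.GetBytes(16);
    private static readonly byte[] DemoHash =
        Rfc2898DeriveBytes.Pbkdf2("P@ssw0rd!", DemoSalt, 100_000, HashAlgorithmName.SHA256, 32);
    private const string DemoUser = "tony";

    [HttpGet]
    public IActionResult Login(string? returnUrl)
    {
        ViewData["ReturnUrl"] = returnUrl;
        return View(new LoginViewModel());
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // a cross-site form post without the XSRF token is rejected
    public async Task<IActionResult> Login(LoginViewModel model, string? returnUrl)
    {
        // After a logout the form posts back without a returnUrl; Redirect(null) throws the
        // "Value cannot be null or empty (Parameter 'url')" ArgumentException from the question.
        returnUrl = string.IsNullOrEmpty(returnUrl) ? "/" : returnUrl;

        // Open-redirect guard. Url.IsLocalUrl accepts "/path" and "~/path" only and rejects
        // "https://evil.example", protocol-relative "//evil.example" and "/\evil.example".
        if (!Url.IsLocalUrl(returnUrl))
        {
            returnUrl = "/";
        }

        if (!ValidateCredentials(model.Username, model.Password))
        {
            ModelState.AddModelError(string.Empty, "Invalid username or password.");
            return View(model);
        }

        var claims = new List<Claim>
        {
            new Claim(ClaimTypes.NameIdentifier, model.Username),
            new Claim(ClaimTypes.Name, model.Username),
        };
        var identity = new ClaimsIdentity(claims, CookieAuthenticationDefaults.AuthenticationScheme);
        await HttpContext.SignInAsync(
            CookieAuthenticationDefaults.AuthenticationScheme,
            new ClaimsPrincipal(identity));

        // LocalRedirect throws InvalidOperationException for a non-local URL, so it remains
        // a second line of defense even if the IsLocalUrl check above is removed later.
        return LocalRedirect(returnUrl);
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // logout is state-changing too: keep it POST-only and protected
    public async Task<IActionResult> Logout()
    {
        await HttpContext.SignOutAsync(CookieAuthenticationDefaults.AuthenticationScheme);
        return LocalRedirect("/");
    }

    // Assumed credential check against the demo store; a real app reads the salt and hash
    // for the user from a database. FixedTimeEquals avoids a timing side channel.
    private static bool ValidateCredentials(string username, string password)
    {
        if (!string.Equals(username, DemoUser, StringComparison.Ordinal))
        {
            return false;
        }
        var candidate = Rfc2898DeriveBytes.Pbkdf2(password, DemoSalt, 100_000, HashAlgorithmName.SHA256, 32);
        return CryptographicOperations.FixedTimeEquals(candidate, DemoHash);
    }
}
```

The Razor login form carries the returnUrl as a hidden field (or in the query string of the form's action) and the form tag helper emits the antiforgery token automatically; with the filter in place, a request such as POST /Account/Login?returnUrl=https://evil.example logs the user in but lands on "/" instead of the attacker's site.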
Wow! Great explanation, but you could have explained how to do the assignment of the claims in another class, for separation of concerns, and using a database for the user and password... even the roles.
Thanks. Be sure to watch parts 2 & 3 of this video series. I think it might address your other concerns.
There is one thing I noticed: when I do logout, it removes the authentication cookie from the browser only, and if I captured this request, maybe in Fiddler, then I get the valid page response with the same logged-out cookie??
If you are talking about cookie based authentication, then logout will only remove that cookie from the browser...that is correct. I'm not following your comment regarding what you are seeing with fiddler. If you want, you can contact me via email mobiletonster at gmail dot com, or on discord mobiletonster#2455
Hi Sir, I am using VS 2019 Community Edition version 16.9.3, but I can't see the template "ASP.NET Core Web Application" there, so I am unable to follow you in parallel. Can you please let me know the steps to install the prerequisite software to follow you?
I wrote a blogpost that shows how to ensure that you have the proper workloads installed: mobiletonster.com/blog/code/web-workload-for-vs2019-with-visual-studio-installer
Well made, I only wish I could find something of similar quality on Policy-Based Authorization!
That is a good suggestion. Maybe in a follow-up video I can demonstrate some basic Policy-Based Authorization.
Take a drink every time he says "to stay super organized".
And if you do so, you will likely die of thirst.
Thank you so much , you are a great teacher hope you do more tutorials about asp.net
Thank you, I plan to. I have been on a major project at work that has prevented me from getting my next planned video completed. Hopefully I will be able to get back to it soon.
This is excellent Tutorial. Excellent.
Glad you think so!
Thank you very much! It helped me a lot.
After adding my Role identity, the Identity claim is getting null and it removes all claims?
What could be a possible reason?
Where are you adding the Role? Maybe reach out to me mobiletonster@gmail.com and we can try to troubleshoot together.
Thank you I needed this for my project
I hope it was helpful. Be sure to watch parts 2 and 3 as well. There is some good information in those other 2 parts that you may find helpful as well.
Great video, I really like it, it helped me a lot, thank you 👍
Not sure what that means, but ok.
Is it possible to put the identity logic in a separate DLL/Project so that this can be used in a web or API project? A video that shows this would be great.
Yes, it is possible. I wouldn't try to write all that myself, as there are some great libraries you can use such as IdentityServer4 or Microsoft Identity. If you keep it simple and delegate the authentication to an Identity Provider such as Google, Facebook, or Twitter, or an IDaaS (Identity as a Service) like Azure Active Directory or Auth0, then there shouldn't be much code in your application.
Fantastic tutorial. Thank you
Glad it was helpful!
Thanks for the nice tutorial on Authentication. Is there a video on configuring Windows Authentication?
Thanks. I don't have plans to do one on Windows Authentication, as it is kind of on its way out. Microsoft is trying to get people to migrate to other authentication methods such as OAuth/OpenID Connect and to use things like Azure Active Directory instead. Do you have a requirement to use Windows Authentication for a project?
@@mobiletonster Thanks for the reply. We are also planning to use Azure AD for authentication going forward. Is there a tutorial on configuring Azure AD authentication?
This helped me so much, great video!
Glad it helped!
Thank you, Tony, for your generosity in sharing your knowledge with us!
Very well explained, thank you
Glad it was helpful!
Thank you so much sir, thank you from turkey.
You are welcome! Good to hear from Turkey!
Wow, what a cool video. Thanks a lot for it!
Thanks!
This is awesome. Thank you. I'm wondering... is there a way to override the ugly, old-fashioned login dialog box that prompts you in a browser that's using Windows authentication from IIS? Like using your own custom login page that forwards the Windows authentication through IIS?
I'm not aware of a way to override the login box for NTLM. The only thing I know is that you can possibly override it by creating your own login dialog (html) and using LDAP on the backend rather than relying on NTLM, but that is all I know about.
@@mobiletonster, thanks Tony. I’ll look into that. Thanks again :)
How is it magically able to find the "name" property in the user? I know there was a name claim, but how did that value get into the user?
The User class that is part of the HttpContext is populated when we create a ClaimsPrincipal object, or rather when the Authentication handler does that. During that time, there are a couple of special fields in the User class: Name and Id (I think I am remembering that correctly). The name maps to a constant in ClaimTypes.Name and the id maps to the ClaimTypes.NameIdentifier constant. If you hover over these constants, you will see that they are actually a long URI of sorts, perhaps an ISO specification if I remember correctly. The User class is expecting and seeking out any claims that map to these two types. If it sees those present, it will populate the User class accordingly. Perhaps a bit of an oversimplification, but it really isn't magic. If you dig into the source for ASP.NET Core, you will see how they construct the User class that sits on the HttpContext during each request as it passes through the Authentication handler.
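A small console program that shows the mapping described above in isolation. It is an added example, not code from the video. HttpContext.User is a ClaimsPrincipal, and the Name you see on User.Identity comes from whichever claim type the ClaimsIdentity was told is its NameClaimType (ClaimTypes.Name by default); there is no corresponding Id property, so ClaimTypes.NameIdentifier is read with FindFirst. The same mechanism decides which claim type IsInRole looks at. The "sub", "preferred_username" and "groups" claim names in the second identity are assumptions standing in for what an external IdP might issue.

```csharp
// Added example (not from the video): how ClaimsIdentity.Name and IsInRole are resolved
// from claim types. The "sub"/"preferred_username"/"groups" names are assumptions.
using System;
using System.Security.Claims;

public static class ClaimsDemo
{
    // What the cookie handler hands to HttpContext.User: a ClaimsPrincipal wrapping a
    // ClaimsIdentity. With the default NameClaimType (ClaimTypes.Name) and RoleClaimType
    // (ClaimTypes.Role), Name and IsInRole work with no further configuration.
    public static ClaimsPrincipal BuildDefaultPrincipal()
    {
        var claims = new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "42"),
            new Claim(ClaimTypes.Name, "tony"),
            new Claim(ClaimTypes.Role, "Admin"),
        };
        var identity = new ClaimsIdentity(claims, authenticationType: "Cookies");
        return new ClaimsPrincipal(identity);
    }

    // Tokens from an external IdP often carry short claim names. Unless the identity is
    // told which claim is the name and which is the role, Name is null and IsInRole is
    // false even though the claims are present.
    public static ClaimsPrincipal BuildIdpStylePrincipal(bool mapClaimTypes)
    {
        var claims = new[]
        {
            new Claim("sub", "42"),
            new Claim("preferred_username", "tony"),
            new Claim("groups", "Admin"),
        };
        var identity = mapClaimTypes
            ? new ClaimsIdentity(claims, "OpenIdConnect", nameType: "preferred_username", roleType: "groups")
            : new ClaimsIdentity(claims, "OpenIdConnect");
        return new ClaimsPrincipal(identity);
    }

    public static void Main()
    {
        // The constants are full URIs, not the short words you write in code.
        Console.WriteLine($"ClaimTypes.Name           = {ClaimTypes.Name}");
        Console.WriteLine($"ClaimTypes.NameIdentifier = {ClaimTypes.NameIdentifier}");

        var principal = BuildDefaultPrincipal();
        Console.WriteLine($"Name: {principal.Identity?.Name}");
        Console.WriteLine($"Id:   {principal.FindFirst(ClaimTypes.NameIdentifier)?.Value}");
        Console.WriteLine($"Admin: {principal.IsInRole("Admin")}");

        var unmapped = BuildIdpStylePrincipal(mapClaimTypes: false);
        Console.WriteLine($"Unmapped IdP identity -> Name: {unmapped.Identity?.Name ?? "<null>"}, Admin: {unmapped.IsInRole("Admin")}");

        var mapped = BuildIdpStylePrincipal(mapClaimTypes: true);
        Console.WriteLine($"Mapped IdP identity   -> Name: {mapped.Identity?.Name}, Admin: {mapped.IsInRole("Admin")}");
    }
}
```

Running it prints the two schemas.xmlsoap.org URIs behind the constants, "tony" / "42" / True for the default identity, a null Name and False for the unmapped IdP-style identity, and "tony" / True once nameType and roleType are supplied. In a real handler those two values are set through the scheme's options (for example TokenValidationParameters.NameClaimType and RoleClaimType on a JWT or OpenID Connect handler), which is the usual cause of a role claim that is visible in User.Claims yet ignored by [Authorize(Roles = ...)].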
@@mobiletonster Yes ok, thanks a lot
Thanks so much for this! you're awesome!
You're so welcome!
Great Teacher! Thanks for your wisdom!
Glad it was helpful!
Trying to do this tutorial in ASP.NET Core, but there is no Startup.cs. There is Program.cs, but its composition is very different.
I figured it out. It's just the same, but put all the code in Program.cs.
You should watch my video on "How to deal with the missing Startup.cs file" ua-cam.com/video/vhNhcuht0J0/v-deo.html
awesome tutorial so far
Glad to hear that! Be sure to watch parts 2 and 3. There is important information in them.
Thanks for the video, it helped me a lot.
You are welcome!
Thank You Tony this is a great video!
You are very welcome. Hope it was helpful.
Amazing tutorial!!
Thank you!