ASP.NET Core 3 - Authentication - Ep.3 Authorization (UPDATED: READ DESCRIPTION)
- Published 15 Oct 2024
- In this episode we dissect the mechanism behind Authorization - Policies. We explore the 3 main moving parts of Policies exposed to you:
AuthorizationPolicy (Created by using an AuthorizationPolicyBuilder)
IAuthorizationRequirement (This is your request for a specific type of authorization)
AuthorizationHandler (This is the function which knows how to process the requirement)
Roles are just claims. Rant over. Why have them? The concept of a role is more familiar than a claim to a human. For example, what is easier to understand? - "What is your Role?" or "What do you claim to be?"
Source: github.com/T0s...
#csharp #aspnetcore #auth
Brilliant, you're a very very clever guy. You know this stuff at a fundamental level and your delivery is top notch!
Thank you:)
THE BEST series. So much Info. I have watched it twice to get all the little details. Stick with it, absolutely worth it.
Thank you :)
Subscribed after 2 videos... the concept explaining was great, not as much as blindly practice out there... I'm looking for further of you.
Once again... thanks mate!!
Thank you, glad you liked it!
I have gone through most of the authentication and authorization stuff, it's really good. Just one suggestion: if possible, put advertisements at the start, as it breaks the rhythm if it comes while learning. Thanks for sharing great stuff in the simplest possible way.
Just wanna say even in August 2020, you're saving someone's ass (mine). Thank you very much and hope you're doing fine.
It’s not even been a year :D
@@RawCoding you don't even know how many people you're helping, nobody does videos about this, Devs sometimes assume that everyone knows these topics
This series has helped me leaps and bounds in understanding this otherwise very poorly documented featureset, thank you very much!
Another excellent video. I like the style - show the default and deconstruct it so you can understand what is going on - this gives you confidence. Been studying up on Identity during lockdown and this cuts through everything else I have looked at so far.
Thank you for watching :)
you are the best lecturer in the world ;)
Eyyy thanks!
Complex concept explained so easily. Appreciate your effort.
Thank you:)
Thanks for sharing this, this is the best tutorial explaining Identity on internet i have come across so far.
Thank you:)
@@RawCoding that IS true. I've been pointlessly searching for guides, tutorials, videos and all of them are either useless aka (DOTHING METHOD) or out-of-date.
Thank you. THANK YOU! Gonna watch all of the videos on the channel.
Super video ! I am using your stuff to understand and implement identity to my project.
Awesome, hope it works out!
Nice and very concise and clear. Thanks
Cheers
I never saw an explanation of Claims, Policies and Authorization as clear as this video.
Cheers
You have definitely gained a subscriber. Very nice video. Keep up the good content.
Cheers )
VERY nice video. Very nice refresher on how to do configuration also.
Cheers
@@RawCoding LOL I posted this comment on the wrong clip. I meant to do this for the last video on the email verification.
simply the best, man! you are very clear and concise...clever!
Thank you:)
amazing. you know these stuffs on a very granular level. I learnt a lot. Thanks
Thank you for watching
Keep going with uploading of solid quality materials !!
Cheers
Thanks dude ...awesometacular ...by the way which keyboard do you use...liked the clicks 😀
Great tutorial bud ! Appreciate all the efforts
Thank you for watching
Congrats! Really well done videos! I think you are one of the best lectures on UA-cam! It's not easy to explain these concepts deeply as you are doing. Just out of curiosity... what's your background in asp.net core?
Thank you, glad you enjoyed these! I've been doing dotnet professionally for about 3-4 years now. Wide variety of applications.
Thanks for the video, you solved my problems in a few minutes. best lecture on .net core and authorization on youtube.
Thank you for watching))
Thank you for these wonderful videos. I am learning a lot.
Cheers
Dear Raw Coding, Thanks for the series. this comment may be small but your video tells bigger than that.
Cheers :D
Interesting! Now its Role-based vs Policy-based authorization were explained! Okay, this is epic!
Glad you're enjoying these
Your videos are excellent, keep up the good work!
Thank you :)
Amazing course!
Mind Blowing, Awesome work. I have a request can you also share/create a video in which you are explaining DependencyInjection lifetimes. Thanks
I’ve made a video about that, I also have a video about how it works ;)
@@RawCoding I saw that, but I wanted to have an idea of when to use which lifetime. If you can provide some resource that will be awesome too
ua-cam.com/video/01C8selSVCY/v-deo.html have you watched this?
@@RawCoding Bro you are awesome
@@RawCoding Thanks so much
I was with you until 16min in when you just if you want to make it an extension method then you can do this...
1) what's an extension method?
2) why would I want to?
3) will it work without it?
Extension method
They allow you to add new methods to an existing class.
This means we don't need to modify the original class to add these new methods.
So you can have an existing library written by someone else and add your own custom code to it without modifying the library itself.
It must be static.
nice one
Great video. Great series. One thing though about the roles. When you specify role in the attribute tag you can put that on a selection of methods and not all. The claims example you show of requiring the claim role would enforce on all methods with the authorized tag would it not?
The claims example works with policies
@@RawCoding but the policy is applied globally in the middleware setup is it not? Clearly I am missing something - could you please explain how to apply a different policy per endpoint?
@@RawCoding think i got it now. You can AddPolicy and choose which one to use. You can also set the DefaultPolicy which is where I got confused. Awesome thanks
You build the policy in ConfigureServices, and then you use it across your application when you need to
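The exchange above, as an added example (not code from the video): DefaultPolicy is what a bare [Authorize] evaluates, while each AddPolicy name is enforced only on the endpoints that ask for it. The policy names, HomeController and the AddPolicies helper are assumptions.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public static class PolicySetup // hypothetical helper, call from ConfigureServices
{
    public static void AddPolicies(this IServiceCollection services)
    {
        services.AddAuthorization(config =>
        {
            // Evaluated for [Authorize] with no policy name.
            config.DefaultPolicy = new AuthorizationPolicyBuilder()
                .RequireAuthenticatedUser()
                .Build();

            // Named policies are evaluated only where an endpoint selects them.
            config.AddPolicy("Claim.DoB", policy =>
                policy.RequireClaim(ClaimTypes.DateOfBirth));

            // A role is a claim of type ClaimTypes.Role, so it fits the same mechanism.
            config.AddPolicy("Admin", policy =>
                policy.RequireClaim(ClaimTypes.Role, "Admin"));
        });
    }
}

public class HomeController : Controller
{
    [AllowAnonymous]
    public IActionResult Index() => Content("public");

    [Authorize] // DefaultPolicy: any authenticated user
    public IActionResult Secret() => Content("signed-in users");

    [Authorize(Policy = "Claim.DoB")] // only this action needs the date-of-birth claim
    public IActionResult SecretPolicy() => Content("users with a date-of-birth claim");

    [Authorize(Policy = "Admin")] // only this action needs the Admin role claim
    public IActionResult SecretRole() => Content("users with the Admin role claim");
}
```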
The best tutorial! Thanks much
Glad you're enjoying these!
Brilliant brother!
Yes bro!
@5:34 as Anton suggested to understand and learn claims and policies. I found these two articles having concept explained very well. At least for me
Declarative Claims-Based Authentication in ASP.NET Core 3.0
visualstudiomagazine.com/articles/2019/10/29/aspnet-authentication.aspx
Working with Claims to Authorize Users in ASP.NET Core and Blazor
visualstudiomagazine.com/articles/2019/11/06/working-with-claims.aspx
Thank you for sharing
Great job❤
Don’t forget to check out the new videos !
thank you, thank you!
Thank you for watching
Hi
Thank you so much for the lecture man,
I have a doubt, the AuthorizationPolicyBuilderExtensions class you defined does not inherit an Interface or an abstract class, so how does the policy builder use the RequireCustomClaim method in the AuthorizationPolicyBuilderExtensions?
It's a basic C# extension method, it doesn't need to inherit from an interface or an abstract class.
docs.microsoft.com/en-us/dotnet/csharp/programming-guide/classes-and-structs/extension-methods
@@RawCoding Thanks man
Thanks for the video.
Thank you for watching!
Thank you, it was amazing!!!
Thank you
Hello, I just cannot understand why we should register this middleware "app.UseAuthorization()" in the Startup class. On my demo project I use Authorise filter without this middleware and with JWT authentication and everything works fine. So for what cases or for what reason do we have to use this middleware? If you have time please reply to me, thanks in advance.
> UseAuthorisation
look at HttpContext for a cookie / access_token in the header or query or anywhere in the request.
> UseAuthorization
look at the ClaimsPrincipal that has been added to the HttpContext and verify it's allowed based on the controller. It takes care of invoking the correct authorization handler for your [Authorize] attribute and checks the ClaimsPrincipal
hope this helps.
Again, a great tutorial
Thanks a lot
You have a new subscriber!!!
Thanks :D
hi,
In your video when we get an access denied because of the absence of a claim , why does your browser show 404 status code? Shouldn't it be 403 unauthorized request?
404 because the Access Denied page is not found.
Noob question..sorry..
How does injecting some services(like the Datacontext) into the authorizationHandler affect the decision of whether or not making it a scoped handler or a singleton?
You should have it scoped if you are injecting. If you are making it a singleton you should resolve the DbContext through the IServiceProvider interface
Ok, Thanks so much!
I don't see any ctor for AuthorizationPolicyBuilder taking zero params in .NET 5.0. I was trying to see if I can overwrite the default policy with a new policy which doesn't call the RequireAuthenticatedUser() method and to see what happens. Thanks
Looks like it, you'll need to specify the schema as well
Hey Anton! Want to see a video on pagination with dapper
Noted
Thank you for your greatest videos on youtube, 🎉 but I have a question please: how do you understand this topic to make it very easy to explain like a piece of cake 😊?
Awesome! Thank you!
No thank you!
thank you, good tutorials.
Thank you for watching :)
the action's authorization and the authorize policy are written in code, can they be configured on runtime? hope you understand my horrible English.
Yes they can be, however I’m not explaining the solution because it’s quite a hard one
Hi - and thanks for a great tutorial. I've followed all the preceding tutorials and they are all great. I am looking into what you said about "Roles" - that you presume this is legacy code. I've been looking for more info on this on the internet but there is virtually nothing to back this up. "Roles" still feature very prominently in Authorization documentation and tutorials. Can you please point me in the right direction where it states categorically that Roles should no longer be used for Authorization. Many thanks in advance.
Well that’s not correct roles are just a way to represent a real world model
Raw Coding , is using the Claims rather Roles the preferred way?
I too am wondering if Roles are legacy.
@@picflight if you have the concept of Roles in your domain, use Roles.
Raw Coding , thanks.
Does this Authentication and Authorization work on .NET Core Web API? I'm planning to build Web API and leverage Vue.Js for the client-side.
By the way, thanks for the great video. Well Explained!
Yes it will.
Great tutorials. Thank you for that.
You very often scroll or jump too fast. I always have to pause the video or go back. Would be way more better if you add some little breaks (just 2-3 seconds).
Thank you very much for your feedback
Personally I think a lack of breaks is fine. The fact that you can pause to catch up and/or change the playback speed means that everybody can do it at their own pace. There's also the source if you need to see something that you missed because the author doesn't spend long enough looking at particular lines.
My time to spend with videos is precious, if this one wasn't so concise and to the point, I'd have given up on it (like I have with many others).
Thank you )
Excellent lessons, thank you.
Thank you
Thanks
thank you for watching :)
Superb
Cheers!
Can you add to your list the windows authentication for people who design for an intranet website? Regards
I will see what I can do, because there are a couple of problems that arise with this. 1st is you lose the cross-platform feature 2nd is I don't have the infrastructure at home (win10 professional or Active Directory)
@@RawCoding I understand. great video I really enjoying them. keep the good work.
What is Trifecta ur talking about?
I googled trifecta programming and trifecta ASP and there's no explanation.
Can you give me a timestamp in the video where I say it? It's not a design pattern or anything like that, it only has meaning in the context that I say it in, probably just highlighting a trio of something, like three things that work together.
@@RawCoding If it's not a design pattern or any concept, and u just meant 3 things, that's enough for me, Thanks. If I remember correctly it was in Configuration in startup class.
There's a lot of people watching whose English is not their native language, like me; using as simple language as possible is very important for clarity, especially for beginners.
Not that you use overly technical language, but it's good to be aware of that for u as content creator of this type.
@@ripper9112 sorry about the confusion, thank you for taking the time to point this out.
Hi, can someone point to me if there is a tutorial on setting up MFA using Email in this series
No MFA here
I wouldn't fail the interview, if I found your video sooner. That sucks 😕.
Better luck next time!
If we use AD from Microsoft server, how can we give claims and policies to each user in our sql database?
You have to pass the windows authentication token. Once you do that you can inspect the IdentityPrinciple and the Claims that it has. The AD groups that the user is in should show up there.
How do you pass a windows authentication token? Maybe have a tutorial on this!
@@cybernet8656 I don't have a professional environment set up to demonstrate it to the level I'd like to. You can see the basics here: docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth?view=aspnetcore-3.1&tabs=visual-studio it's pretty straightforward
11:49, in CustomRequireClaim.cs file,
I put foreach instead of =>
    var hasClaim = context.User.Claims.Any(x => x.Type == requirement.ClaimType);
i.e. line number 23.
as
    foreach(var value in context.User.Claims)
    {
        if(value.Type == requirement.ClaimType)
        {
            hasClaim = true;
        }
        else
        {
            hasClaim = false;
        }
    }
but when I viewed value.Type I am getting => nameidentifier and
requirement.ClaimType => dateofbirth
why is it so? Because of which I am getting AccessDenied
Once you find the true condition you need to break the loop otherwise you override it.
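The bug in the loop above, as an added example (not the commenter's or the video's code): because each iteration overwrites hasClaim, the result depends only on the last claim in the collection, so authorization changes with claim order. The ClaimCheck class, its method names and the sample claims are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;

public static class ClaimCheck
{
    // Same behaviour as the loop in the comment: every iteration overwrites
    // the flag, so only the final claim in the sequence decides the outcome.
    public static bool LastClaimWins(IEnumerable<Claim> claims, string claimType)
    {
        var hasClaim = false;
        foreach (var value in claims)
            hasClaim = value.Type == claimType;
        return hasClaim;
    }

    // Stops at the first match, which is what
    // claims.Any(x => x.Type == claimType) does.
    public static bool HasClaim(IEnumerable<Claim> claims, string claimType)
    {
        foreach (var value in claims)
            if (value.Type == claimType)
                return true;
        return false;
    }

    public static void Main()
    {
        // Constructed sample: the date-of-birth claim is present but not last.
        var claims = new[]
        {
            new Claim(ClaimTypes.DateOfBirth, "1990-01-01"),
            new Claim(ClaimTypes.NameIdentifier, "42"),
        };

        // The two checks disagree on the same user because of claim order.
        Console.WriteLine(LastClaimWins(claims, ClaimTypes.DateOfBirth));
        Console.WriteLine(HasClaim(claims, ClaimTypes.DateOfBirth));
    }
}
```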
Can a policy be dynamic?
Please make a video on store encrypted password in database with hash + salt.
It's done automatically by Identity. Do not roll your own. I will not be making a video on this.
Is it possible to give any resources or video for encrypted password by identity.
@@santukumar-om3by I show you how to do it in episode 2... The password hash is created when you create a user with the password. UserManager handles that, SignInManager also creates the hash to check if the entered password is correct. The hash is not reversible.
Holy shit, this makes so much sense!. How does someone learn this, and understand something so well? Kudos to you for understanding it, and explaining it/articulating it well, and for free, on UA-cam. Damn. Mind Blown! Thank you very much for this series!
P.S. Is there anywhere I can ask you a few questions on the developer journey? My email is alien243600@gmail.com Having recently graduated, I somehow feel I'm behind the industry expectations.
cheers, join the discord channel