Neat tutorial man. I recently went through that exact same issue as well, so it's good for me to see that I did it the right way. It's pretty straightforward once you know about data protection and schemes, but man, I wish that dotnet Identity made it a little bit easier to get through the whole scheme constants and setup mess.
Not to mention that some extension methods are severely bloated, and there's no real "minimal" setup method if you don't do it yourself. If you add scheme X, then it suddenly automatically overwrites scheme Y under the hood, which you set up with another previous method etc. ... Debugging it is hell, and no way you can do it without constantly looking into the framework sources
Lol this is pretty funny timing. About a month ago I asked how to do this specific thing on your Do you need IdentityServer? video. And now when I finally sat down today to do it you came out with this video. Nice.
it was meant to be :)
Your explanation is always fluent and smooth. Helped a lot!
Thanks Anton! Have a great day!
Sad lemon thank you, hope you become happy lemon
@@RawCoding It's just an anagram :) It only takes one cookie to make me smile :D
Exactly the thing I needed. Thinking about migration from .NET Framework to .NET 6 and running both apps behind a reverse proxy with shared cookies. Thank you!
🎉
This is my 4th video from your channel and none was able to disappoint! Security concepts are important and you explained them very nicely. Subscribing for such clean presentations!
You won a subscriber, AMAZING tutorial
Thank you buddy!
great show man! very clear, hard work, great knowledge sharing!
Awesome video. I used IdentityServer3 one to secure 3 APIs on the same domain, and this method is much simpler.
This is exactly what I needed. Didn’t know about caddy but it looks like it’ll solve my local setup 👌🏻
Anyway, love your videos, keep them coming
Best thumbnail ever
One interesting observation... The amount of views you get baffled me for quite some time. Rare are the channels that deep dive into specifics. Actually, this is the only one I know of. Pretty much everyone just wants easily digestible, short content with a dumb thumbnail and a clickbait title. ADD bastards...
Keep up! Cheers for another good video ;)
Thank you )
bro, you are flowless. Thank you.
Flawless
This was great. Thanks!
4:50 I have a question: So after you logged into Identity -> 'localhost:7094/login' and tried to hit your app -> 'localhost:7240/protected', it redirected you to 'localhost:7240/account/login' where login isn't implemented. So is there a way to just redirect the user to the login endpoint of Identity app when they try to hit protected endpoint in the app?
So are the persistent keys just pointers to cookies? What's the point of storing a keyring?
I have two apps sharing cookies and all I had to do was call: AddDataProtection().SetApplicationName()
Persisting keys means cookie works after app restart. It’s about creating the cookie using the keys.
If we have projects, say, in Python and DotNet, how can we use SSO? One way I see is like in your YARP video: use the DotNet project as a reverse proxy. Is this the best way or is there any other way?
If you want to authenticate a Python app, I'd say best put it behind a YARP proxy.
Sorry for my ignorance, is this to emulate the handling of different cookies on localhost with different domains even if the application is the same? Is it an approximation?
This is a simulation of what if your auth component and spa lived on the same domain
@@RawCoding Thanks! =)
Best, as usually!!!👍
I followed the exact steps, but when using the host URL I am getting an error while accessing the IIS-hosted application over a reverse proxy.
Bad Request - Invalid Hostname
HTTP Error 400. The request hostname is invalid.
Don’t use IIS, can’t help
I got a question here. As we are already using a reverse proxy to map app.company.local to localhost:port, do we need to add the app.company.local entry to the hosts file explicitly? My understanding is either of those would work. Either the hosts file or the reverse proxy?
Very nice, simple and easy to follow video. One question: when to use AspNetCore Identity? Can you please elaborate the use cases for Identity. And if we have a mobile version, can we use two schemes in one project, like JWT and Cookie?
Identity is user representation, and yes you can have multiple schemes in 1 project
How can I use this approach (cookie-based authentication) with other apps that are using token-based authentication, such as SPA (JWT-based authentication) all under SSO umbrella?
I don’t know what your situation is
@@RawCoding Thank You!
Just to make sure, when using cookies we’ll need to add some sort of security on top of that to avoid any XSS or CSRF attack, right?
If you’re using Razor Pages, no, there’s an anti-forgery token that gets generated; otherwise if it’s a SPA then yes
@@RawCoding what about Blazor server?
Yes
In my company we would like to migrate a set of applications from Windows Forms to .NET Core web apps hosted on a local server. Since our PCs belong to a domain network, my idea was to structure the new infrastructure as you show in this video. So one app (IdentityServer) will be responsible for asking the user credentials and forwarding them via LDAP to the AD server that manages our domain credentials. When it authorizes the user, the identity server looks for his permissions in our SQL db and then authorizes/does not authorize the user to access the specific app resources… Could it work?
Thanks for the video, explained very clearly. It is very helpful to everyone.
I would like to take some suggestions from you. I am thinking of creating a reusable single sign-on (SSO) component that can allow users to authenticate once and gain access to multiple applications without having to sign in again. This component can be designed to work with different SSO protocols, such as SAML, OAuth2, or OpenID Connect, and can provide APIs for integrating with different identity providers, such as Active Directory, Google, or Facebook.
Is it a good idea or not?
Is it useful if someone wants to implement SSO in their applications?
Hey man, I'm getting this error
'IServiceCollection' does not contain a definition for 'AddAuthorization' and the best extension method overload 'MvcCoreMvcCoreBuilderExtensions.AddAuthorization(IMvcCoreBuilder, Action)' requires a receiver of type 'IMvcCoreBuilder' RestfulApi
Paste a piece of code
@@RawCoding @Raw Coding
Thanks for replying I appreciate this.
//Authentication
builder.Services.AddAuthentication();
builder.Services.AddAuthorization(CookieAuthenticationDefaults.AuthenticationScheme)
.AddCookie(CookieAuthenticationDefaults.AuthenticationScheme);
AddCookie and the scheme specification go into the AddAuthentication method
Amazing tutorial!
How can I share the logged-in user between multiple Blazor apps using Identity in .NET 8?
Official dotnet template for SPAs was a mistake. They forced IdentityServer on everyone's throat even though it is a simple system with one SPA client. Probably the biggest reason people started misusing IdentityServer. Hey, if the template says this is good then why not use it. Not to mention that the client side code in that template, especially in React, is outdated af.
I’ll bundle this mistake into the “stop using the run button” category
Cookies is not the right way to do SSO. Do your research on why it is bad.
"Do your research." aka "I don't really understand"
@@RawCoding It means you're suffering from Dunning-Kruger. You and this person somehow think you know better than the dotnet team made of people with more experience. SSO is more complicated than you think, don't have the time to write a full essay on it here when a couple minutes of dropping your Dunning-Kruger and doing some research online will be of more benefit and help you get the point.
I don’t know a Mr Kruger mate, but as if to prove my point you came back to say that you don’t know but now in the form of don’t want to write an essay.
Does the order of authentication and authorization matter or not? You mention authorization first in the pipeline: services.AddAuthorization
Yes it does, authN (authentication) is about WHO ARE YOU? authZ (authorization) is about ARE YOU ALLOWED?
If we don’t know who you are, we can’t start answering are you allowed…
@@RawCoding so your video clip should be updated or you may need to drop a disclaimer for users, as you have mentioned the order vice versa.
Hey there! Nice video. I have a question, is it possible to use the same steps to protect MVC applications? I've been struggling to make my SSO application work. It would be nice if someone could share some code! Thanks in advance.
Yes you can, just adapt the solution; make sure you can’t cross-site attack the login endpoint if you post from a SPA
Awesome
How will your mobile apps, other native apps or other apps not written in .NET Core or deployed on different servers use your "SSO"? This shouldn't be done in real world apps for SSO.
There isn't an SSO solution out there that doesn't use cookies. To extend this solution to native apps you use auth flow, and store the tokens on the backend, meanwhile the native app still gets a cookie.
@@RawCoding You're not getting the point. Shared cookies between apps won't scale for SSO. In fact, that isn't SSO. The standard for SSO is either SAML or OpenID.
Yea what I mean by auth flow is OpenID, auth code flow with PKCE to be specific. And it’s an extension on the solution in the video.
@@RawCoding Okay.
@@awmy3109 correct
Can we use this method with multiple Angular frontends to make SSO?
As long as they are all on the same domain
@@RawCoding they are like this
Apps.domain/app1
Apps.domain/app2
They are sub-applications on IIS on the same domain
Sounds good
Do you have to use redis?
If you’re on about the Data Protection API, nope, you can use the file system.
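The threads above on persisting data protection keys, the AddAuthentication/AddAuthorization mix-up, the order of authentication and authorization in the pipeline, and file-system key storage instead of Redis all touch the same Program.cs setup. Here is an added example (my code, not the video's or any commenter's) of that setup for an app that shares the login cookie; the key-ring path, application name, cookie name and login path are placeholders and have to be identical in every app that shares the cookie.

```csharp
// Added example, not from the video: Program.cs for one of the apps sharing a login cookie.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.DataProtection;

var builder = WebApplication.CreateBuilder(args);

// The cookie ticket is encrypted with keys from this key ring. Persisting the keys keeps
// logins valid across restarts; sharing the directory AND the application name lets the
// other app decrypt tickets this app issued. Redis is not required: a directory both apps
// can read is enough, but lock it down at rest (ACLs, or encrypt keys in production).
builder.Services.AddDataProtection()
    .PersistKeysToFileSystem(new DirectoryInfo(@"C:\keys\sso")) // assumption: shared path
    .SetApplicationName("shared-sso-app");                     // assumption: shared name

// The default scheme and AddCookie hang off AddAuthentication, not AddAuthorization.
builder.Services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
    .AddCookie(options =>
    {
        options.Cookie.Name = ".sso.auth";                        // must match in both apps
        options.Cookie.HttpOnly = true;                           // script cannot read it (limits XSS impact)
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // HTTPS only
        options.Cookie.SameSite = SameSiteMode.Lax;               // baseline CSRF mitigation
        // Assumption: the reverse proxy routes /login on the shared domain to the identity app,
        // so a redirect here lands on the login page that actually exists.
        options.LoginPath = "/login";
        options.ExpireTimeSpan = TimeSpan.FromHours(8);
        options.SlidingExpiration = true;
    });

builder.Services.AddAuthorization();

var app = builder.Build();

// Pipeline order: authentication (who are you) must run before authorization (are you allowed).
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/protected", (ClaimsPrincipal user) => $"Hello {user.Identity?.Name}")
   .RequireAuthorization();

app.Run();
```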
I'm your new subscriber, stay connected
Ta
Suppose you don't want to persist the login beyond a session?
Is that like the login session having an out of body experience?
rediz nutz ha
i saw a car
Haha but did you hear it :D
@@RawCoding no I didn't, was there supposed to be sound?
There was a car driving outside my window at that point so yeah :D