C# ASP.NET MVC Authentication - Logging in locally or with OAuth (using Twitter) credentials 

IAmTimCorey
Subscribers: 419K
Views: 212K

Published: Aug 22, 2024

Comments: 538
@default632 4 years ago
I am finally in AUTH stage now! I have planned my databases clearly, using my personal NF rules. 1. Can be many to one? New Table 2. Only one to one? Same Table I am about to do start getting freaky freaky hands on when I realize that, hey, I need auth. And Now I'm here. With just 3 videos, ASP.NET MVC, Data Access and OAUTH, I feel like a professional now. I must say ASP.NET Core MVC is much more clearer and simpler now that I understand that models in ASP.NET MVC is just for views. Sorry for long text, you are the best.
@IAmTimCorey 4 years ago
I'm glad it is sinking in for you.
@lindelihlesambo4100 3 years ago
Tim is King!!! You make everything easy. I normally dread long videos but this one seemed like it was 5min the way I was enjoying it.
@IAmTimCorey 3 years ago
Glad you enjoyed it
@lindelihlesambo4100 3 years ago
@IAmTimCorey I have been looking for a tutorial like this. Can you help me with a tutorial that explains how to set redirect pages for different users when using default login in MVC with entity. Hopefully one that can also explain how to hide certain tabs in the nav bar based on user roles. Thank you in advance.
@martinvaughan4197 3 years ago
Great video! It would be really handy to see a follow-up to this detailing how Authorize works behind the scenes and how to take more control over what entity framework is doing.
@tomthelestaff-iamtimcorey7597 3 years ago
I noted your recommendation by adding it to Tim's list of possible future topics, thanks.
@RalfsBalodis 3 years ago
0:00 - Intro
1:41 - ASP .NET Framework demo app with authentication
13:01 - Register vs Login explained
15:25 - Built in user registration and login
18:28 - Registration C# code overview
23:45 - Built in SQL
29:45 - Twitter authentication setup
45:37 - Implementing user restrictions
52:48 - Restrictions based on user role
1:01:03 - Who is logged in?
1:02:20 - Summary and concluding remarks
@IAmTimCorey 3 years ago
Thank you!
@Babaelow 2 years ago
For those confused: The local authentication is also (still) called "Forms Authentication", although it's not about Webforms anymore. It's somewhat different though than the Webforms thing.
@IAmTimCorey 2 years ago
I don’t think it was ever about WinForms. It may have been a reference to WebForms, but I don’t think so. I think it is just about needing a login form.
@Babaelow 2 years ago
@IAmTimCorey Sorry, I corrected it to "Webforms". I always confound these terms.
@satyabratamohapatra3397 4 years ago
Best tutorial on OAuth. Clean and to the point explanation. Thank you TIM !!
@IAmTimCorey 4 years ago
Glad it was helpful!
@ab_obada5012 10 months ago
God loves me so much that I have found your channel :)
@IAmTimCorey 10 months ago
I'm glad you enjoy it.
@cloud77hot40 4 years ago
Great video man! Thinking of making an app into an asp.net MVC style and I was worried that authentication would be a nightmare. Thanks for making it more simple!!
@IAmTimCorey 4 years ago
Great!
@jacklee5876 4 years ago
Hi Tim. Thanks for great video. I wish I'd seen this a long time ago. I've read numerous tutorials but you've made a seemingly complicated subject a lot easier to understand, this video was perfect for me as a starting point for further study into the subject. Thanks again. :)
@IAmTimCorey 4 years ago
Awesome! I’m glad it was helpful.
@timothywestern6488 3 years ago
Yeah I tried taking the ApiHelper/Token idea that you did an MVVM app with, took a while but was able to login. Then I decided that Owin was the next thing to learn, but I couldn't figure out why it didn't work out of the box. It turned out, that when I moved it from local to a named instance locally that I had the wrong connection string. So if you run into that issue, check that. I love your work Tim. Really helpful to shake off some of that rust.
@IAmTimCorey 3 years ago
Glad it's helpful, and thanks for sharing.
@preshnaidoo1043 4 years ago
Thanks Tim. I know everyone has different opinions and you’ll base your future videos on the majority, but I think the level of repetition is spot on and the content presented in a very clear manner. I am one of those people making my way up to mvc core, so this has been very helpful. You mentioned that you weren’t a big fan of entity, I’d appreciate a video on your take on this and what you do use.
@IAmTimCorey 4 years ago
I wrote a blog post that addresses your question about EF: www.iamtimcorey.com/blog/137806/entity-framework
@jeppechristensen5707 4 years ago
Hi Tim. Thank you very much for the videos that you provide - I've already watched a bunch of them, and found that they help me a lot. Just recently I read the book "Patterns of enterprise application architecture" by Martin Fowler, and figured that you haven't covered much of those patterns as is - other than of course, general architectural principles that developers should adhere to, i.e. SOLID and DRY. When I read the book, a bunch of these patterns were sort of abstract. I understood the general ideas, but personally it would be extremely helpful to see a seasoned .net developer like you, show them in practical setting, and give your personal opinion on the most common ones. Additionally, now when we talk about patterns... When I see this video, I can't help thinking, how to implement this "out of the box" user authentication system in a common 3-layer application, where we don't use a local database but rather one on a server. How would you implement it in your business logic? Would you even do that?
@IAmTimCorey 4 years ago
I will be covering more patterns and practices, although a lot of them are much more specialized. As for using this authentication on a remote server, you would just point your connection string to that remote database. I'm not a fan of how tied it is to the UI but that's a personal preference.
@TheAngelOfDeath01 6 years ago
Brilliant! Thank you so much, Corey. Amazing as always. It would be really nice to see more about Access Control using MVC and C#. Security is super important, but also one of the biggest error zones where developers (especially new developers) make mistakes, often costly ones. In these times where there are hackers, trolls and ghouls all over the place, educating people on security and how to make it easy, but good, is relevant. Thanks, Martin.
@IAmTimCorey 6 years ago
Sounds almost like we should have a new start to finish course that is more MVC-focused from the beginning so we can see how to implement this stuff in the real world. ;-)
@davesimon9192 5 years ago
Gone are the days where one could download a shareware copy of Hotdog HTML editor and publish a site with having just a few files. (Which IMO, is a good thing. I feel the internet became convoluted with junk because people could just keep adding trash to the pile not having any technical skill or understanding what's going on under the hood.) Great video!
@IAmTimCorey 5 years ago
Thank you!
@Babaelow 2 years ago
"leaving authentication to Microsoft" can also mean leaving it to your local active directory, not only to Microsoft online services such as azure. However, you may still build your own AUTHORISATION system if you don't want to create AD Groups for everything. Tim, as always, correct me if you shouldn't build that on your own either :)
@drimadoh 4 years ago
Hey Tim... I can't thank you enough for this awesome stuff.. I'm using some of them in my teachings at university :D Will you be doing anything soon on Xamarin??
@IAmTimCorey 4 years ago
Yes, I am ramping up my development work in Xamarin so I will be ready to teach it soon.
@sherlockholmes1121 4 years ago
Thanks Tim, Finally found someone that can explain how this works.
@IAmTimCorey 4 years ago
Excellent!
@spfy 6 years ago
Thank you for the video! I didn't know they made Authorization/Identity stuff so easy! If possible, I'd love to see an expansion where you talk about requiring authorization for Web API. Show how someone that wants to use my API for their own applications can authorize themselves for access.
@IAmTimCorey 6 years ago
I will be doing authorization through WebAPI in a video in the near future.
@coolwaterdvr 6 years ago
I'm loving this ASP.NET series. Thank you. Request: If you decide to make a lesson about EF, can you do a database first approach? Using Stored Procedures in EF would be nice also. Again Thank you.
@IAmTimCorey 6 years ago
I doubt I'll be doing an EF video any time soon since I'm really not a fan of EF (check out my video on connecting C# to SQL) but I'll keep it in mind.
@WantOxide 5 years ago
I will explain you how it works > 19:00 by large you can leave this as it is and just works Wow, awesome explanation
@softfamilyjay3267 6 years ago
Thanks and you really made it so simple. One word for this. Amazing!
@IAmTimCorey 6 years ago
Awesome!
@tnysvntr 4 years ago
Hello Tim Corey, I would like to suggest for you to create a complete website or system using asp.net mvc just like the retail manager. That would really help us, me especially, to learn a lot from you. Thank you very much
@IAmTimCorey 4 years ago
That suggestion is on the list. Thanks!
@tnysvntr 4 years ago
@IAmTimCorey thank you Tim!
@hory-portier 6 years ago
Thank you for good video and for redirecting me here. Once again I have found less information than I expected but presented in great way. You showed here how to use this generated things but I am a bit afraid of using something I don't understand. Manage controller has almost 400 rows, there are also some models that you didn't even open here. I understand that in this video with your speed it wouldn't be too good to speak about it because it would be too long, but I would really be glad if you could make 2nd part of this with more details. The most important thing for me right now is how to work with outside database. I'm not sure how to link my database in Web.config. I have found how to add my outside database to SQL Server Object Explorer and how to find its Connection string but even for the default database connection string here is different than the one used in Web.config and only first part (Data Source) is the same. I'm interested in this topic and will wait for more about it. Also I will subscribe you to not miss it.
@IAmTimCorey 6 years ago
I have two videos that might help you. First, I have a Connection Strings video that gives you a good overview of how to set up a connection string and where to find what yours is. Second, I have a video on Connecting C# to SQL. That will show you how to configure your web.config/app.config file so that you can connect to an external database. As for showing more details about the authentication side, I will be doing that in future videos, although I'm not sure I'll ever go line by line. Some of this is EF Code First and I really don't want to get into that whole issue. As far as setting up your own database to do the authentication, if you point your connection string to the right database, the first time the app runs it will set up the proper tables. I would recommend that you not mix databases though. Keep a separate database for your authentication vs. your other data. It is much easier to secure that way. You can still have them on the same server though.
@jayjoe1725 5 years ago
Thanks for making these tutorials! Fantastic content
@IAmTimCorey 5 years ago
You are welcome.
@louiseeggleton7420 6 years ago
Great series of videos. One thing I like to do is put my Authorize attributes in a base controller and inherit from it so that I am not having to put Authorize everywhere, and I don't run the risk of forgetting to put Authorize on some controllers. Some might argue that I could also forget to inherit from the base controller, but in my case, the base controller does a few other things that are essential to my app, so I wouldn't get very far without inheriting from the base controller.
@IAmTimCorey 6 years ago
Good tip. Then, if you need to have something not protected, you add the AllowAnonymous tag instead. Essentially, your application is secure by default. I like it. Thanks for sharing.
@blackdog3113 2 years ago
Hi Tim, thanks for the wonderful tutorial! I am new to authorization and bit confused as to use third party tools like Auth0, IdentityServer5, okta vs the Identity Framework provided by Microsoft. Is the Microsoft Identity really that unsecure as people on the internet say? All the third party auth tools are black box and have not so good documentation, whereas identity is easy to setup.
@shuhoodrahmani8201 1 year ago
Please can you provide a short video regarding adding authentication and authorization to an application created previously. When I do so, it doesn't work. Thanks
@IAmTimCorey 1 year ago
Thanks for the suggestion. Please add it to the list on the suggestion site so others can vote on it as well: suggestions.iamtimcorey.com/
@JackWatling 6 years ago
Great video. One thing to add - if you stack the Authorize declarations on a function/controller you can require the user to have all of the roles specified (AND), rather than just one OR more of them. There's an example here: docs.microsoft.com/en-us/aspnet/core/security/authorization/roles
@IAmTimCorey 6 years ago
Good tip. Thanks!
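The two tips in this comment section (an `[Authorize]` base controller with `[AllowAnonymous]` opt-outs, and stacked `[Authorize]` attributes for AND semantics), sketched for ASP.NET MVC 5 as an added example that is not code from the video or from any commenter. The controller, action and role names are hypothetical, and `AuthorizationAudit` is an assumed helper for catching a controller that forgot to inherit from the base class.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Secure by default: every controller that inherits from this base class
// requires a signed-in user unless an action opts out with [AllowAnonymous].
[Authorize]
public abstract class SecureController : Controller
{
}

// Hypothetical controller used to show the three cases.
public class ReportsController : SecureController
{
    // Explicit, reviewable opt-out for a public page.
    [AllowAnonymous]
    public ActionResult About()
    {
        return Content("Public page");
    }

    // OR: one attribute with a comma-separated list admits a user who is
    // in Admin or in Manager.
    [Authorize(Roles = "Admin,Manager")]
    public ActionResult Summary()
    {
        return Content("Admin or Manager");
    }

    // AND: stacked attributes are separate filters and each one must pass,
    // so the user has to be in Admin and in Manager.
    [Authorize(Roles = "Admin")]
    [Authorize(Roles = "Manager")]
    public ActionResult Payroll()
    {
        return Content("Admin and Manager");
    }
}

// Assumed helper: reflection checks meant to run from a unit test.
public static class AuthorizationAudit
{
    private static IEnumerable<Type> ConcreteControllers(Assembly assembly)
    {
        return assembly.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract);
    }

    // Controllers that carry no [Authorize], either directly or inherited
    // from a base class such as SecureController.
    public static IList<Type> UnprotectedControllers(Assembly assembly)
    {
        return ConcreteControllers(assembly)
            .Where(t => !t.IsDefined(typeof(AuthorizeAttribute), true))
            .ToList();
    }

    // Every action that opts out with [AllowAnonymous], so the list of
    // public entry points can be reviewed in one place.
    public static IList<string> AnonymousActions(Assembly assembly)
    {
        return ConcreteControllers(assembly)
            .SelectMany(t => t.GetMethods(
                BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
            .Where(m => m.IsDefined(typeof(AllowAnonymousAttribute), true))
            .Select(m => m.DeclaringType.Name + "." + m.Name)
            .ToList();
    }
}
```

Calling `AuthorizationAudit.UnprotectedControllers` on the web project's assembly from a unit test and asserting that the list is empty (or matches an agreed allow-list) turns a forgotten base class into a failing test. A global `AuthorizeAttribute` registered as an application-wide filter is not visible to this reflection check.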
@chineduokolie7377 2 years ago
Hi Tim. New to authentication and I followed the tutorial, however I still get the "The remote certificate is invalid according to the validation procedure" error.
@IAmTimCorey 2 years ago
It sounds like you have a problem with your developer certificate. Try this answer: stackoverflow.com/a/58957501/733798
@Fasiibcs 6 years ago
Hey Tim, I saw a couple of your videos and you are doing an awesome job. However, I'm just curious: you said in this video you are not a big fan of entity framework. So what do you suggest as an alternative?
@IAmTimCorey 6 years ago
I suggest Dapper. Much easier to use, much simpler, and it does not interfere with good database design. You can see more about it in my video here: ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-Et2khGnrIqc.html
@harag9 6 years ago
I agree with Tim now, I used EF a while ago and hated it, I find Dapper much easier now (after I saw it on one of Tim's videos) - Thanks Tim.
@sengar31 6 years ago
Nicely explained... Please make a video on other functionalities of identity, e.g email verification before login, reset password, forgot password, Two-Factor Auth. Thanks a lot for providing such great contents.
@IAmTimCorey 6 years ago
It is on the list. Thanks for the suggestions.
@InimitableMrG 5 years ago
RequireNonLetterOrDigit means Require Non(letter or Digit) or require something other than an alphanumeric character (So, a special character).
@IAmTimCorey 5 years ago
Yep, you are right. Drew a blank when looking at it.
@SyrgakZhylkybaev 6 years ago
Thank you. I like your videos. Keep posting please
@IAmTimCorey 6 years ago
Will do.
@kittytechnologies9359 6 years ago
Great video. Can you expand it to include user and role management via a webpage?
@IAmTimCorey 6 years ago
I'll be covering this in future videos. Thanks for the suggestion.
@Ocura89 6 years ago
I'd like to see that too!
@itworks5980 3 years ago
This is very helpful. Can you please create a video for allowing users to register using localdb but requires admin approval before they can start logging in? Thanks!
@IAmTimCorey 3 years ago
I will add it to the list. Thanks for the suggestion.
@itworks5980 3 years ago
@IAmTimCorey You're the best!
@adamschneider868 3 years ago
*** FIXED READ BELOW *** I did everything described in this video in regards to Twitter. I keep getting 403. Response status code does not indicate success: 403 (Forbidden). Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden). However, with the new signup procedure for a Twitter Developer account, I had to assign a URL for my website and an organization URL. I don't think this is the issue, but worth noting. I used the URL to my twitter profile for these values. I tried adding more callback urls 127.0.0.1 localhost:44306/Account localhost:44306/Account/ExternalLogin localhost:44306 That didn't seem to work either. Am I missing something? Is there an extra step in 2020 that I am missing? ***FIXED*** append "/signin-twitter" to your callback URL. In my case localhost:44306/signin-twitter. Now it works. Whew. ************
@IAmTimCorey 3 years ago
Glad you figured it out.
@jassisidhu7750 5 years ago
Hi Tim, thanks for this video. However, I am just curious to know how [Authorize] works behind the scenes, how it gets to know the user details and token and authorizes the user. It would really be helpful if you could provide me any pointers.
@IAmTimCorey 5 years ago
It uses the header token and converts that over to identify the user. From there, it figures out if you have access privileges or not.
@martinvaughan4197 3 years ago
@IAmTimCorey Have you covered this in any videos? Would be very useful to get more insight into how asp.identity works!
@bridgefour4448 6 years ago
Sorry for the multiple questions, but I have some gaps I can't fill. I've always built my sql tables on a server first, then coded my application, so I am apprehensive about building on localdb...every tutorial regarding identity I have come across starts with tables on localdb and assumes we magically know how to move it to production at some future point. My process before (I have never implemented authentication) has always been to first get database on a real server, build tables there, go back to my app , set up helpers, a dataaccess class and connection string, build model, build controller, build views...in that order. If I miss something I go back to sql build the table, then go back to the app, rinse and repeat. Now, I am thinking of starting a new db on azure and want to implement identity. If I were to follow this method of implementing identity locally first, what do I need to do to get the all my tables (including the other ones I add to the db) in the server instead of localdb, assuming I coded the whole thing locally first instead as in the demo. Is it possible to change the connection string before installing the owin nuget package and running the package in order to sidestep all that so I can continue working the way I have before (ie the table structure for identity stuff would just be created in the production server instead of localdb)? Or is there some easy button for moving that all into a production server after you have coded your entire project locally?
@IAmTimCorey 6 years ago
I decided to answer your question here: iamtimcorey.com/ask-tim-database-authentication-setup/ I hope that helps.
@bridgefour4448 6 years ago
It does! Thanks much! I also appreciate the clear and distinct instructions your videos usually include. I do a lot of research and find your videos the easiest to understand, the most comprehensive, and have led to a lot more ah-ha moments for me. I think I would still be scratching my head on a lot of ideas if it weren't for your channel.
@emirhancelebi8316 5 years ago
I wish someone would explain Authentication middleware in detail. What is Authentication Type? How does it work regarding cookie-based authentication?
@IAmTimCorey 5 years ago
Sounds like a good in-depth video. I'll add it to the suggestion list.
@emirhancelebi8316 5 years ago
@IAmTimCorey Thanks for your attention Tim. I'd be so thankful to you if you take your time to pick up on it. I have really had a hard time understanding how this middleware and its properties behave after each request.
@veoquenoesunproblema 3 years ago
Extremely well explained. Very top level as Indian Eng. haha who save my butt more than once.
@IAmTimCorey 3 years ago
Thanks!
@webdistortion 6 years ago
Hi Tim, this is great. Would love to see an example of impersonation following on from this video. i.e. login as an admin (with admin roles) and then impersonate a user already registered in the system to see their data. Or indeed any pointers on which classes etc. to read around to do this.
@IAmTimCorey 6 years ago
Thanks for the suggestion.
@shreyashpawar5959 2 years ago
Hi Tim, I tried entering Authorization as you did by editing the database, but I am not able to get access for specific roles even after repeating the same procedure. Access Denied page is popping.
@IAmTimCorey 2 years ago
It sounds like you missed a step or maybe mistyped something.
@Biagio999999999 4 years ago
Hi Tim! Love your tuts. Will you ever do something about Auth, without Microsoft Identity Framework? I would love to build my auth without any pre-scaffolded code. Thanks!
@IAmTimCorey 4 years ago
It is on the suggestion list.
@Wesleyvd1991 5 years ago
Learned a lot from this, thanks!
@IAmTimCorey 5 years ago
Excellent!
@BrianEHo 4 years ago
Hi Tim, thank you for sharing your videos to public. I learn a lot from your videos. Do you have any video that talks about OAuth 2.0 in Visual Studio?
@IAmTimCorey 4 years ago
I have content using the .NET Core authorization but not external OAuth.
@personkiller19960 6 years ago
Thank you so much. Comprehensive content. Liked, subbed and belled.
@IAmTimCorey 6 years ago
Excellent! I'm glad you enjoy the content.
@attilaguba856 2 years ago
It's really good explanation, I like when you showed the Role based authentication as well. Do you have a complex tutorial how I can implement with all Identity Register and Login , Forgot and Reset password and =>/ Facebook, Gmail etc / to an existing website with publishing too!?
@IAmTimCorey 2 years ago
I don’t. Sorry.
@salehawad9488 4 years ago
Hi Tim, thanks very much for a useful video
@IAmTimCorey 4 years ago
You are welcome.
@ardenyoung6554 4 years ago
Excellent video and very timely for me. I do have a question. You mention that the local database is not the preferred storage for account data. What is involved in moving to a MySQL database for the account storage information rather than the local SQL database?
@IAmTimCorey 4 years ago
It would be easier to just move your SQL database to a "full" SQL Server (or Azure SQL) but here are instructions on using MySQL: docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/aspnet-identity-using-mysql-storage-with-an-entityframework-mysql-provider
@ronaldjohnson4470 4 years ago
Thank you Tim, excellent tutorial.
@IAmTimCorey 4 years ago
You are welcome.
@kombokenedy4750 6 years ago
Tim, your work always kills me.
@IAmTimCorey 6 years ago
Hopefully in a good way. :-)
@Grokfyr 6 years ago
If you are the kind of person that says "OMG, it got much stuff installed, I need to remove it all", programming is probably not your thing :D - 9:10
@IAmTimCorey 6 years ago
Well, the unfortunate part is that some "teachers" tell users that if they see a lot of plug-ins, etc. then something is wrong and they need to stop doing that. It is an over-correction for users who get a plug-in for everything instead of writing any code. The key is context. If you have that many plug-ins because you forgot to code, yes, try to remove them and start over. However, if you have no plug-ins and try to do everything manually yourself, that will take too much time and negates one of the big benefits of programming. Instead, you need to know what your balance is and hit it.
@SnitchShow 6 years ago
All I can say is, this is a great tutorial and thank you for it :)
@IAmTimCorey 6 years ago
I'm glad. Thanks!
@boyanpetrov4628 4 years ago
Ugh I spent 2 hours searching and replacing my callback Url but I just can't get it right. I keep getting the 403 Error. ***EDIT: fixed it by adding: localhost:44388/signin-twitter Amazing content as always Tim, Thank you!
@IAmTimCorey 4 years ago
I am glad you figured it out.
@jeremyolu3025 2 years ago
Hi Tim - I noticed the scaffolding code produces a lot of excess code which a developer may not use. Is there a way of modifying this, like deleting excess code, changing table names, adding extra columns etc to make it more specific to a business case?
@IAmTimCorey 2 years ago
I don’t believe so. You can tweak some of it, but most is necessary.
@jeztafari5372 1 year ago
Trying to follow this with the new project template in Visual Studio 2019 and the Register and Login pages blow up with a Null Ref Exception on the model straight outta the box!
@Babaelow 2 years ago
Also to say: If you store the password in a database, always HASH it (like SHA), never just ENCRYPT it (like, say, with AES). There is a BIG difference. There is a difference if an administrator is able to RESET your password, or if he is able to SEE it. He should NEVER be able to see it. If it's just encrypted, and he knows the key, he can read it. If it's hashed, no chance for anybody.
@IAmTimCorey 2 years ago
There is a lot that goes into making authentication secure.
@Babaelow 2 years ago
@IAmTimCorey You're right. I have to correct myself: Hashing is not enough. You need to "salt" it as well. I watched a video "How to not store passwords". After that, I knew more.
@smithmsiska6150 2 years ago
@IAmTimCorey could you make a video on single sign on with aspnet core?
@josephquesada94 5 years ago
Thank you so much!! You explained it amazing
@IAmTimCorey 5 years ago
You are welcome.
@uwebraun8893 4 years ago
Interesting I find the Role-Management. I have to do some research, if you always need to specify the Roles by a String "User, Admin". It would be much easier, if it could be done with the UserID, because then you can easier group them, like saying Access to RoleID > 2... But I guess that is also possible somehow. Anyway, thanks for the very clear tutorial.
@IAmTimCorey 4 years ago
You can assign permissions to a user, not just to a role, but that is too specific and hard-coded to be very useful. You can't apply conditional logic to the role decorators (without dropping the check into the code), so >2 wouldn't really work well.
@paulchisholm66 3 years ago
Thank you Tim: A couple of questions. Is it possible to capture additional user data in the EF authentication process such as first name, last name, employee ID number, etc? (Would it be easy / possible to modify parts of the system to hold additional data for example such as the items mentioned above?) If I understand this correctly, we are fine to develop this using the local SQL server and then when it is ready to be deployed, one can just say change the connection string to point to a SQL Azure database (for example) and the local database will be recreated in the cloud? Finally, if you want to manage the creation of the user accounts and not let people just come to the site and Register, could you create part of your app that would allow an admin user to create new accounts? (i.e. I get the feeling that you strongly recommend using this authentication system as opposed to building your own and storing the username and password data in a database.) Thank you so much for your time and all of the videos that you do, they are wonderful!
@lyejiajun 4 years ago
Hey Tim! Thank you for the great video. I really appreciate the explanation as most people do not explain in such tutorials. However, just my personal opinion - I feel like while it is great to re-iterate on a point a few times to place a strong emphasis on a concept, you tend to repeat yourself a little too often. I believe most users would appreciate it if you repeat just once or twice less than you already did to make the video more concise! I hope this feedback is useful to you and thank you once again!
@IAmTimCorey 4 years ago
I appreciate the kind feedback. I do work on the balance of repetition. I want to repeat for emphasis enough to show the importance and give clarity but not enough to be annoying. I also try to come at the same point from multiple directions for added clarity. I know I don't always get it right but I'm working on it.
@adrianv.1636 4 years ago
@IAmTimCorey keep repeating Tim! We need it to learn! Thank you mate.
@Greatfulone 3 years ago
Thank you so much. I feel I learned so much, and I even fixed a few things on my website based on what you covered here. I was under Bootstrap 4, and was wondering how to change the button look. It was so small. I read the OAuth RFC a number of times, and like you said it does a lot. I am trying to map the functional components between the RFC and the video. Twitter would be the authentication server, the client and the user agent would be our application I guess. The RFC was talking about one scenario where the client asks the user to authenticate with the server so then the client can get some services from yet another server. Is it possible to create a tutorial for something like this please? I definitely followed what you covered here, and it helped me a lot with understanding of the RFC, but I want to be sure. I know understanding the RFC is job of pros, but I got to try. I also tried to refactor my existing ASP.NET project to enable OAuth and could not find a way yet. I wonder if that is possible or I should just start from the beginning.
@vivekverma30494 4 years ago
I understand adding authentication while creating a new project. But how do we add authentication to an existing ASP.NET MVC 5 project? I can't find any resource for it.
@IAmTimCorey 4 years ago
You have to manually do it. Create a new project with authentication and then copy the settings and files over.
@djangounchained7314 4 years ago
Hey Tim! Twitter doesn't allow to use localhost anymore to create an App, how do we solve this?
@djangounchained7314 4 years ago
Twitter doesn't allow 127.0.0.1 either ... what to do?
@IAmTimCorey 4 years ago
I believe it is because you need https but check the documentation.
@pankajroy6979 2 years ago
Thank you for the great tutorial
@IAmTimCorey 2 years ago
You are welcome.
@cdouillet 4 years ago
Hi Tim, This is a really great video! Thanks for that. Quick question, I've followed your steps, using local authentication only. If I run my VS project, register and/or login, stop the VS project and then run it again, then I am still logged in. I need to run some code just after successful authentication. Clearly this shouldn't be done in public async Task Login(LoginViewModel model, string returnUrl) since this only runs when the user clicks on the Login button. Where should post-authentication code be run? Thanks again for your work, helps tremendously!
@IAmTimCorey 4 years ago
Good question. You might find success running it on the homepage, since the user will hit that first (check if they are authenticated). The only problem is if the user is not logged in and attempts to go to a secured page. When they log in, it will direct them to the page they attempted to go to instead of the homepage. So if you can do it in two places, the homepage and the login would be the two places to do it.
@stewiefre 3 years ago
How can we edit a user profile using this system?
@dhivakharvenkatachalam7759 4 years ago
Is there any video or article explaining every step of the logging process such as register, change password, log out for identity authentication in MVC 5?
@IAmTimCorey 4 years ago
We use the Identity process for logging in and out (and registering) in the TimCo Retail Manager.
@rededu5356 2 years ago
Good day sir, what alternative do you use for your database access? Thank you and more power to you. God bless
@IAmTimCorey 2 years ago
Not sure what you mean. I use Dapper with SQL, I use MongoDB, I use CosmosDB, I use Redis - basically, I use whatever database solution is best for the situation.
@MegasXLR 5 years ago
"I'm not sure why I'm a 'We' today" XD
@IAmTimCorey 5 years ago
Every once in a while my royalty slips out.
@embossCoder 4 years ago
Thank you. Really helps me to learn
@IAmTimCorey 4 years ago
Glad to hear that
@harag9 6 years ago
Again, Excellent video, thanks - I was going to ask about roles (e.g. Gold, Silver, Bronze membership) but you covered this at the end. :) Quick question on the Twitter App ID/Secret keys - I know you covered them up, which is good - but if you delete the app from Twitter after creating the video, would these ID/Keys be valid still? If not, then does it really matter to blur them out? - No I'm not after your information, just curious on how secure it would be... unless you forgot to remove the app from Twitter of course.
@IAmTimCorey 6 years ago
In theory they should be fine. In practice, it might tell you more about my account than I would prefer. I decided to err on the side of caution. I could also request that they be reset and I wouldn't even have to delete my app for them to be invalid. It was just the abundance of caution.
@harag9 6 years ago
OK, thanks for that - I wasn't sure as I don't even have a Twitter or Facebook account. On the Roles, you assigned the roles to the users manually by editing the database, I take it there is a function to do this in the code? Could you do a quick video on how we would assign roles to users when they (a) create an account, (b) pay for a better membership (gold, silver, bronze roles)?
@IAmTimCorey 6 years ago
I'll see what I can do. You have to make your own UI for it.
@gaatutube 4 years ago
Twitter authentication does not seem to work in this manner any more. Swapped in the solution from stackoverflow post that you showed. Plugged in my key/secret ... tried with both "get user email" checked and unchecked methods ... all of them seem to give a 403 error the moment I hit the "Twitter" button on the login page. Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden). Looking through inspect Network tab shows that request goes to localhost:44395/Account/ExternalLogin and gets back a status of 500 (even though it gets back content showing 403 error). No request is ever sent to Twitter.
@IAmTimCorey 4 years ago
Yeah, Twitter has changed some things. There are some suggestions in the comments section about things to try that might help you out.
@colin-campbell 4 years ago
The password hashing part at 27:57 - It doesn't appear as if the passwords are being salted prior to hash, do you reckon this would be easy enough to implement? For instance, adding in a "salt" column in the Users table and when a user registers, a cryptographically secure RNG value is created for that user which is then stored within the new column. The trick would be finding where, in the C# backend code, the passwords are being hashed.
@IAmTimCorey 4 years ago
You could do that. My big thing is that when I start messing with authentication code, I have the potential to make it worse. This has been tested by Microsoft and a LOT of other companies. My custom changes have not. I get concerned when we start talking about overriding parts, since that means I really need to know the system intimately in order to ensure I do it right.
@colin-campbell 4 years ago
@IAmTimCorey Ah that's a really good point, if I were to implement a salting system, I'd need to conduct some really thorough testing to make sure I wasn't making the system insecure. I'm just really worried about rainbow table attacks against an application I'm developing. Many thanks for the reply!
@ceksing 5 years ago
Hi Tim - Great Introduction
@IAmTimCorey 5 years ago
Thank you!
@alimakhmali5088 5 years ago
Great work. I am preparing for Microsoft 70-486 exam. Any hints on what videos are must-watch? And books perhaps? Thanks.
@IAmTimCorey 5 years ago
I don't have any exam-focused content but anything I've done with MVC will help. I do have an add-on course that uses ASP.NET MVC at www.iamtimcorey.com that might help you out. It is an add-on to the main C# Application from Start to Finish course, though, so the add-on only covers MVC, not the business logic or data access since they are already covered in the previous course.
@amolkolekar4194 3 years ago
Excellent video Tim, but I have a query: all this stuff is inbuilt project code provided by Microsoft. What if I want to use my own tables like Users, Roles etc.? What kind of changes need to be done? E.g. in the code you have shown Authorize(Role=Admin); what if I want to use my own roles from my own role table? Do I have to create my own Authorize attribute for the same?
@Zisi911 3 years ago
Hi Tim, awesome video as usual. I've learned a huge deal from you in my steps to become a software dev, already working on my own project now. In this one however I have a problem and I can't get the Twitter login to work no matter what. I have added the code and even found some other DigiCert keys, as in some forums they were saying the ones in this video have expired, but still I can't get it to work, getting always the same error with the secure connection. Any ideas? Have they changed anything, is there a place to find the current keys?
@davidemmanuel3001 4 years ago
God bless you, Tim! We love you
@IAmTimCorey 4 years ago
Thank you!
@ambroselangat5067 6 years ago
Hello Tim. Great work there! Questions: (1) Is it possible to change the database name? How do we do it? (2) How do we create the ASP.NET Identity database in SQL Server? Thanks
@IAmTimCorey 6 years ago
Good question. To change the database name, just change the connection string. If it is a LocalDB, it will create that new database. If it is a SQL database, it will look for that new database but crash if it does not exist yet. As for creating the ASP.NET Identity database in SQL Server, the easiest way is to create an empty database in SQL and point the connection string in C# to it. Then run the application and try to register an account. It will see that the tables do not exist and it will create them.
@ambroselangat5067 6 years ago
Thank you.
@yogeshvaidya5895 5 years ago
It's too long but a very useful and informative tutorial, you did just simply great work, I request you to give an email verification tutorial, thanks
@IAmTimCorey 5 years ago
Thanks for the suggestion.
@AbubakrMahdiSan 4 years ago
Thanks, I love you Tim.
@IAmTimCorey 4 years ago
You are welcome.
@hqcart1 5 years ago
Hello Tim, awesome tutorial, thank you. I have a question about cookies and how to set their expiration date?
@IAmTimCorey 5 years ago
I believe this should help: stackoverflow.com/questions/33701398/oauth2-webapi-token-expiration
@KingKhan-oi2wu 1 year ago
Thank you very much Lovely❤️
@IAmTimCorey 1 year ago
You are welcome.
@arturoordonez-hernandez1534 4 years ago
I think I've got a good handle on this locally. How do you change the Database connection for this so it adds these tables to a database on a hosting server?
@IAmTimCorey 4 years ago
You just change the web.config file's connection string, which you can do even at runtime. However, usually what you do is when you deploy it, you transform the deployed web.config file to have the correct connection string.
@arturoordonez-hernandez1534 4 years ago
@IAmTimCorey I managed to get this working on my Go Daddy server; not sure why it wasn't working before. Thanks!
@Sclunger 4 years ago
Hi Tim, great video. I am working on setting up external login with ASP.NET Core 2.2 without using identity. Do you remember if you have made a video for that before? Thanks
@IAmTimCorey 4 years ago
I don't have a video like that. Sorry.
@mmuneebajaz 5 years ago
Hi, please add a 2-factor method to your list too, that would be helpful
@IAmTimCorey 5 years ago
I'll see what I can do. Thanks for the suggestion.
@arananeyie1584 5 years ago
Hi @IAmTimCorey, I notice that once we get into twitter signup page, it asks us to have/create a developer account? Did you have to do that too or is this a new step that Twitter has just created since your video was published early this year. Thanks.
@IAmTimCorey 5 years ago
Not sure but if Twitter says you have to do it, go for it. It is probably just a conversion of your existing account to allow for more features.
@marcinosiadacz7391 3 years ago
Hello Tim, thanks for the video! Could you please advise how can I configure the default user role to be assigned for new users automatically after registration?
@santiagopiaggio2099 4 years ago
Hi Tim! Thanks for the video. I followed this tutorial on a .NET Framework project, as I upgraded it to .NET Core 3.0, everything works fine, but I couldn't upgrade this to the project. Microsoft suggests this: services.AddAuthentication().AddTwitter(twitterOptions => { twitterOptions.ConsumerKey = "..."; twitterOptions.ConsumerSecret = "=..."; }); Doesn't seem to work for me. Do you have any ideas why? -> Error suggests -> "AuthenticationBuilder does not contain a definition for AddTwitter ... "
@IAmTimCorey 4 years ago
It sounds like you need a NuGet package to support Twitter authentication.
@engrinchik884 3 years ago
Did you manually create the database tables for the user accounts (AspNetRoles, AspNetUsers, etc.)?
@bharatsahlot223 3 years ago
Hey Tim, do you have a video/resource which goes into more depth about auth? Thanks for the great video. Really helpful.
@IAmTimCorey 3 years ago
I don't. Added it to my list.
@joebeauchamp9238 5 years ago
Tim, would it be possible to use Dapper to connect to SQL Azure in this scenario? I assume it would be possible, just wondering if it would be a good way to go. Any Dapper related videos planned?
@IAmTimCorey 5 years ago
Yes, Dapper can connect to SQL Azure. You just need to change the connection string. Everything else is the same compared to on-premises SQL. As for more Dapper videos, yep, they are coming.
@AndresHohendahl 3 years ago
Is there a simple way to specify to the template or just transform it into a non-MS-SQL-Server server database like MySQL or Amazon AWS Dynamo/María all the databases (at least get the instructions to build them) if not I need manually to change the provider, and create all the databases, this is cumbersome and may fail easily...
@shuhoodrahmani8201 2 years ago
Please make a video to print a report in PDF format in an ASP.NET MVC 5 application. I hope you create it as soon as possible. Thanks
@IAmTimCorey 2 years ago
Is that this suggestion? suggestions.iamtimcorey.com/Details/6231b93a407ff5560a669212 If not, I would recommend adding your own to the list.
@Deekudla 1 year ago
Great video. But I saw it's 5 years old. Has anything changed after that? If yes, did you create follow-up videos for your fans?
@IAmTimCorey 1 year ago
This is the same still for .NET Framework. For .NET Core (.NET), things have changed a little bit. The TimCo Retail Manager course covers those changes.
@john_yeager 2 years ago
Anybody know an example of how Dapper and Identity can live together? Because Identity uses Entity Framework, do I need to have different connection strings?
@IAmTimCorey 2 years ago
They can, although I recommend using separate databases. You can see an example of this in the TimCo Retail Manager application here on this channel. If you use one connection string, you need to take care not to create a conflict with the EF updates. Plus, you are mixing your data types. I prefer to keep my security data away from my "regular" data. It makes for easier security.
@john_yeager 2 years ago
@IAmTimCorey thanks man, was very helpful
@santhoshn3766 4 years ago
Awesome video, Thank you! Subscribed ..
@IAmTimCorey 4 years ago
You are most welcome. Thanks for watching.
@behdadnemati7815 4 years ago
Sir, please make a video for Identity in ASP.NET Core. I spent a lot of time trying to tweak Identity in ASP.NET Core, and since you can't access the controllers for Identity in ASP.NET Core I ended up implementing the controllers again myself so I'd be able to customize Identity. If there's an easier way, please make a video and explain it. I love your channel and thanks for making C# easy to understand and learn for us.
@IAmTimCorey 4 years ago
I will add it to the list. Thanks for the suggestion.
@MukeshPiparotar 3 years ago
Is the same possible without Entity Framework, as we saw in the demo? And thanks for the demo video