Great!

You are welcome.

You are welcome.

You are welcome.

You are welcome.

Thanks for the suggestion. Please add it to the list on the suggestion site so others can vote on it as well: suggestions.iamtimcorey.com/

You are welcome.

You are welcome.

If you are looking to create a service, check out the Worker Service project type. It runs as a Console app for testing but then installs as a service (or daemon on Mac/Linux). It has appsettings, dependency injection, and more built-in.

This video is using .NET Core 3.0, but the principles still apply. It covers how to set up logging, including how to use appsettings for your logging: kzbin.info/www/bejne/pYmxpJ-dfr18mLMsi=7-UJU4veBhGTNzvK

Once the GUID is set, everyone uses that same GUID. Since the likelihood of it already being in use is infinitesimally small, it isn’t a problem.

@@IAmTimCorey Thanks for the quick reply. I think we did that eventually. just note every time a new developer press on manage user secrets it creates a new user secret file for them. so we had to manually update the user secret file name to be the same as the existing guid then remove the reference to the new guid from the project file.

the same question, I'm also very curious about this

Another same question, specifically if hosted in a Google Cloud Windows VM as is pretty common. I assume the answer is most often a Windows environment variable because the Windows server admins are typically OK to know the secret. If the server admins are not authorized to see the secret then I'm at a loss of what options to consider. I really don't want to overcomplicate the solution by adding an Azure keyvault because organizations that use Google cloud are unlikely to also use Azure.

@@donaldlee6760 My personal opinion - you have to have a service which reads the secret key. And depends on environment and settings you have to register it in DI and it will produce you the key either from the secrets location in you PC or from Azure or from Google Cloud, etc.. My personal opinion that this should be presented in this video.

I talked about this briefly in the video. If, for instance, you deploy to Azure, you would use the Environment Variables in Azure to store your secret information. Other cloud providers typically have something similar. If, however, you are deploying to a full server (not a hosted web app or serverless solution), you would put your secrets right in the appsettings.json when you publish to the server. Not in source control, but when the CI/CD process publishes your application to the server, it would update the produced appsettings.json file with the secret information. This is because you should trust the server you deploy to and it should have restricted access. If it does not, your information is not secure. It does not matter if you use environment variables, secret keys, encrypted values, etc. If a user has control over the machine that is running the executable, they can see your information in clear text no matter what you do. This answers @donaldlee6760's question as well - if you don't trust the server admins, they should not be server admins. If they are an admin, they have access to see your secrets. All of them. The secrets.json file is only for local development. Its purpose is to keep secrets out of source control. That is it. There is no equivalent for the deployed location. You use appsettings.json to store your secret information once it gets to the server (again, by updating it via CI/CD) or you put that information in environment variables if you deploy to a cloud provider.

@@IAmTimCorey Thank you very much for the clarification and explanation.

Yep, that's part of the team dynamic - establishing how you are going to do things in a similar manner in order to have consistency in your code base.

Yes, I believe you can index your value and then set it something like configuration["MyValue"] = "Test";

I covered that in this video: kzbin.info/www/bejne/qHfRlHxvrsuMY6csi=kRW8FcNWM7Ej2-rb Basically, desktop applications cannot securely access resources without exposing that access information to the user. The best option is Windows authentication, but that means you are adding each user to your database and managing their permissions. That also means that they can use SSMS to make the same calls they can make through the app (more if you give them too broad of permissions). Storing credentials in Key Vault won't help because the app has to download and decode those connection strings in the app itself. Since the user has access to the app and the memory, they have access to the password. Yes, it can be harder to access than just reading a text file, but that is only a small hurdle. It causes a false sense of security. The same is true with encryption in appsettings. Yes, you can't read it directly, but the app can so again, the user has access to the clear-text password. That information is also transmitted then to SQL, which means the user can read their own network traffic (and since they own one end of the connection, SSL doesn't help here). The best option is to have the desktop app call an API if it needs secure access. This greatly reduces the attack footprint and it allows you to conditionally allow limited access rather than giving access all of the time.

It is over

At the end of the last video, I let you know it was the last video and what I recommended you do next.

@@IAmTimCorey my mistake. I was waiting for it to be done before I started. Your series were longer in the past. Appreciate your work regardless

Ah, gotcha. Yeah, this one was a short one. I may add to it in the future. We will see. For now, it is concluded though.

If you deploy the app, you would deploy the appsettings.json file with the app. That's why we said it needed to be copied if newer. That copies it to the output directory. Secrets is just for your machine. When your app is deployed, you would either update the appsettings.json of the built file with the secrets it needs or you would update the environment variables if you deployed your app to a cloud service.

@@IAmTimCorey thanks. But the "secrets" file?

That’s just for your machine. It is information that you use for local testing. In production you don’t need it because appsettings works just fine.

@iamtimcorey do you have a video on how to deploy your app server blazor app and connect to a database ? I’m having trouble getting my app server instance to recognize the environment variables properly for some reason

@@IAmTimCorey look like this stuff Is suitable only for APIs. Desktop applications have differenti requiremnts

I get that a lot.

I'm working on the source code download system. I'm tracking down a bug related to rotating the password.

Could you elaborate on what you mean?

I'm not sure what you mean. Do you mean because there is a "new" way of accessing settings compared to what they used with the .NET Framework? If so then yes, like all developers, they are looking to improve on what they have done in the past. Instead of utilizing the slow, clunky system they had, they upgraded to an incredibly powerful new system that is flexible and much, much faster.

@@ByronScottJones There are too many ways to create and access configuration files. I am not complaining about it. But there seems to be a "hey, let's come up with a new way to do that" mentality going on. There are App.config (or Web.config) and Settings.settings. Now there are launchSettings.json and appsetings.json.

​@@IAmTimCorey Yes, that is what I mean. If this new way of accessing the settings files is faster than previous iterations, then I am OK with it. However, upon initial usage, it seemed unnecessary and convoluted. I like to keep things simple. :)

It is definitely faster. It is also MUCH more flexible. The old system required app.config/web.config and it did not handle overrides very well (thus tools like Slow Cheetah). This system is modular, meaning you can bring in five different sources "out of the box" by default in ASP.NET Core (appsettings, developer/release settings, secrets, environment variables, and command line arguments). However, you can choose to add more or remove some. In this demo, we built out our own config builder and only added the ones we wanted. We could have also added additional ones like Azure KeyVault very easily. In this system, the control is all in the hands of the developer rather than Microsoft forcing you to use one system in one way.

Thanks! I'm working on the source code download system. I'm tracking down a bug related to rotating the password.

@@IAmTimCorey Thank you Tim!