@@ApheliontI'm seriously thinking about this right now.

@Apheliont I'd always recommend against implementing your own solution (and said so to my company!), but they didn't want to pay the license fee for Duende. Anyways, deep diving into Identity/Open ID was a good learning experience for me so I can't complain

@@eg8568 Azure has 50 000 MAU for free on B2C

You are not alone.

@eg8568 Why did you not have a look at dunde ?

November 14, 2023 ASP .NET Core 8, with its much-anticipated features and enhancements, is scheduled to be officially released on November 14, 2023

Is this thing secure?

@@araz911 No, it is not.

Exact!

I have to agree. My learning experience with auth was painful at best and has led to a lot of confusion as to best practices. In the end I found using third party solutions was less painful as a rule.

That's the point

yeah! it's like a marketing feature😅 this is for programmers who like to compare programming languages by writing helloworld application )) loook, in python enough "print('hello')" in c# it needs so many codes like (class program { static void Main(string[] args) { Console.WriteLine('hello'); }😂😂

I guess you have to scaffold the endpoints and do what's necessary. Additional fields most likely is just a matter of adding properties as those endpoints will work on T where IdentityUser

Yea, I was just thinking if this could replace IdentityServer and came to the same conclusion that this is mostly for single apps that doesn't require oidc or single sign on.

I've been using OrchardCore just for its out of the box OpenIddict.

My other comment got deleted because I linked the repo.. There is code in the Asp Net Core project for handling OIDC flows (including I believe opaque tokens). If you don't need to be an IdP it's all buried in there and you can scaffold out the UI and see the stuff in action via the Razor pages right now.

second this, very correct

yeah they destroyed the authentication that we actually need

+1 here wondering whether this can be used with an independent auth server for multiple services!

@marklnz why wouldn't you call the extension method to add the endpoints? Functionality such as resetting user passwords etc would likely still be needed

Also, are there any improvements in net8 that work more efficiently with Azure Functions ??

@@marklnz I tend to favour Azure AD instead of local auth db. Azure B2B can be overkill at times but then you don't need to worry much about the authN functionality.

What approach did you go for? Have a video?

@@d0neall_ I use the backend for frontend approach, I don't think there is an video about it it's pretty new

Would love to see that! I'm looking for an example in .NET8, where I have a service that is used for login/token authentication and other API (separated service) that will use the token to call the service. Looks like any example assumes that the services API are the SAME as the authentication API.

Will be seamless with Swagger, they are just endpoints. I’m guess that the difference is that this token is not base64url encoded, and does not contain client readable info, unlike a jwt

@@kabal911I don't see these endpoints in swagger edit: I had to add builder.Services.AddEndpointsApiExplorer(); builder.Services.AddControllers(); I worked on blazor dotnet 8 app and it wasn't included by default.

True

Yes

You would want the auth system to work with any database schema? Or would you augment the schema for the identity system? I think a better solution would be to provide more building block when the database schema is fixed. Another option is the use the identity schema as standalone and link it to your user table via foreign keys.

Yup. Most of the systems I work on are 20+ years old and we don't have a lot of flexibility to update user stores (they are accessed or managed by many other systems). I have yet to work on a project where the built-in auth schemas are used. The direction I took was to create a class implementing Microsoft.AspNetCore.Identity.IUserPasswordStore and IUserLoginStore and a class implementing IRoleStore that I register as singletons and that handle interfacing with our user and role store (which in some cases is just an INI file with some username=scrambledPassword pairs under either [admin] or [user] keys), and then services.AddIdentity() connects my custom user and role stores with the identity system (I could probably also use the .AddRoleStore(), .AddUserStore() extensions on .AddIdentity()). We don't usually need the other features due to the nature of the systems we're working with, but implementing the stores for tokens and claims is similarly straightforward. That seems to work well, is very flexible, and fairly painless to set up. It would be great to have some guidance on how (or when/whether it makes sense) to integrate some of these newer options with custom stores that have limited feature sets.

If by seeding you are talking about creating the default admins, then you can do that before you run the app. You can manually create a scope and get the db context.

@@arjix8738that’s problematic if your app is distributed

this is usually done via a post deployment script. if using ef core migrations you can do this in your db context class.. you can do this in your "OnModelCreating" method via the "HasData" method.

Pretty easy to use bcrypt or argon2 with this. You just specify the password hashed singleton for the DI to use (I’ve done this for both already)

Cookies are the way, it's not clear to me from this short overview that it's setting the cookies though. I know that David knows that though based on the GitHub issue, so it probably has support for setting cookies in there some where.

Well, i think the idea is that you can call the API from anywhere in your server-side logic.

Oidc and oauth protocols does not require token to be in JWT format.

+1. Would like to see this in action with Azure AD

Normally you would have to create an app registration and provide the client id, tenant id & secret. Then you set it up for a 302 response instead of 401 and you are mostly done. Postman documentation is also decent to explain how to set it up and how to add the postman return url in the app registration. The set up for an app like angular can be messy though. I find having our own UI for login more complex to set up in a typical SPA + API scenario.

it seems to me like this system is entirely designed for when you want to provide your own user-management/authentication solution. With AzureAD (or MS Entra, now, because i think Microsoft has a renaming-things fetish) you dont have to do any of that, You use good old OAuth2 with maybe a little OpenID sprinkled on top. And that stuff will *always* be confusing. I've implemented it, I've taught it, I've written documentation for it and trust me: "Simple" and "Authentication" just dont go together. You just cant secure an API using *any* identity provider without some serious requirements introspection (i.e. what clients do you want to support, what level of security, where does your config live, etc.

Totally agree. In my (could be limited) experience, it's rarely a good idea to create a custom authentication system. On top of security, there's also a huge amount of regulation compliance that can easily become a nightmare. So, while I appreciate the effort, I don't think I will ever use it in this way: better to rely on some authentication provider using a robust standard.

I recently did this for a client and automated it via IaC / Bicep files. The documentation for both was dreadful and made it doubly confusing, I feel your pain.

Ha! I was going to beg for the same thing! All of our apps require KC use. Scopes and refresh are an added bonus!

There will be a new scaffold for Blazor in .NET8 RC1.

@@marklnzIt will be obviously server rendered.

thanks u.u @@sokoo1978

you can try with webassembly. i was working with .ney7 with duende, ait it was a nightmare. then i can think now to replace the replacement that i used to replace duende 1 year ago in my server side. It's all about the server side. it's obvious.@@marklnz

@@marklnzI think you misunderstand.. RC1 will be able to create you the client template like MVC did before. It will have the basic functionality and pages/components to register, login, have the basic header with the auth and user info. In many applications this is actually good enough, like intranet apps where Windows user is not applicable. The logic is all server side (like hosted WASM in current version).

As usual

1. It is using data protection yes. 2. The token is not a JWT, it's a different format. 3. If there are still timing issues with data protection providers, we'll need to fix them, these tokens are on top of that subsystem.

@@davidfowl Thanks for the response. I did catch in Nick's video that he said they aren't JWTs, but then the tokens in the login response looked a lot like what you get back in the OAuth OIDC client flow, so my brain went to JWTs. If I remember correctly, the easiest way to recreate the SQL Server DP provider timing issue was to stop all the nodes in the cluster, delete the DP keys from the database and then start the cluster. In my case, I was using Cloud Foundry with an app that I scaled up to something like 10 nodes. Even though I know the DP subsystem has some level of control around how nodes handle key rotation, I wanted to see what would happen if multiple nodes in the cluster were trying to create new keys at nearly the same time. The result in my test was that some nodes ended up with different DP keys than others because the SQL Server DP provider doesn't do any locking, which I believe could be necessary. The DP subsystem tries to get a key from the provider and if it doesn't exist, it tries having the provider write/save the one and then calls the get method again. If multiple nodes fail to get a key (because a write/save hasn't yet completed), each of those node's write/save key method will be hit, which can result in some nodes having different keys. It's pretty fringe case but was still concerning enough for me to write my own SQL provider for DP.

Need this, too 😲 with some other stuff like persistence (e.g. pressing F5 will log you out in Blazor Server) ... - never found a working solution for this

Simply add the field on the user object

Yeap

This already is supported. If your identity username is the same as your social username (usually email address) then you can login with either. If they have different usernames, then you would need to do something to allow an authed user to then link a social account - which I haven’t tried, but should be simple enough

Also the refresh token as a JSON and not as a HTTP-ONLY Cookie could be a little dangerous.

you lost me at XML

This is why there are fully self-contained auth solutions that you can pay for 😁

that brought back some 2005 (bad) memories