C# ASP.NET MVC Authentication - Logging in locally or with OAuth (using Twitter) credentials

Views: 212,048

IAmTimCorey

Comments: 538
@default632 4 years ago
I am finally in AUTH stage now! I have planned my databases clearly, using my personal NF rules. 1. Can be many to one? New Table 2. Only one to one? Same Table. I am about to start getting freaky freaky hands on when I realize that, hey, I need auth. And now I'm here. With just 3 videos, ASP.NET MVC, Data Access and OAUTH, I feel like a professional now. I must say ASP.NET Core MVC is much clearer and simpler now that I understand that models in ASP.NET MVC are just for views. Sorry for long text, you are the best.
@IAmTimCorey 4 years ago
I'm glad it is sinking in for you.
@martinvaughan4197 3 years ago
Great video! It would be really handy to see a follow-up to this detailing how Authorize works behind the scenes and how to take more control over what entity framework is doing.
@tomthelestaff-iamtimcorey7597 3 years ago
I noted your recommendation by adding it to Tim's list of possible future topics, thanks.
@lindelihlesambo4100 3 years ago
Tim is King!!! You make everything easy. I normally dread long videos but this one seemed like it was 5min the way I was enjoying it.
@IAmTimCorey 3 years ago
Glad you enjoyed it
@lindelihlesambo4100 3 years ago
@IAmTimCorey I have been looking for a tutorial like this. Can you help me with a tutorial that explains how to set redirect pages for different users when using default login in MVC with entity. Hopefully one that can also explain how to hide certain tabs in the nav bar based on user roles. Thank you in advance.
@ab_obada5012 10 months ago
God loves me so much that I have found your channel :)
@IAmTimCorey 10 months ago
I'm glad you enjoy it.
@Babaelow 2 years ago
For those confused: The local authentication is also (still) called "Forms Authentication", although it's not about Webforms anymore. It's somewhat different though than the Webforms thing.
@IAmTimCorey 2 years ago
I don’t think it was ever about WinForms. It may have been a reference to WebForms, but I don’t think so. I think it is just about needing a login form.
@Babaelow 2 years ago
@IAmTimCorey Sorry, I corrected it to "Webforms". I always confound these terms.
@jeppechristensen5707 4 years ago
Hi Tim. Thank you very much for the videos that you provide - I've already watched a bunch of them, and found that they help me a lot. Just recently I read the book "Patterns of enterprise application architecture" by Martin Fowler, and figured that you haven't covered much of those patterns as is - other than of course, general architectural principles that developers should adhere to, i.e. SOLID and DRY. When I read the book, a bunch of these patterns were sort of abstract. I understood the general ideas, but personally it would be extremely helpful to see a seasoned .net developer like you, show them in practical setting, and give your personal opinion on the most common ones. Additionally, now when we talk about patterns... When I see this video, I can't help thinking, how to implement this "out of the box" user authentication system in a common 3-layer application, where we don't use a local database but rather one on a server. How would you implement it in your business logic? Would you even do that?
@IAmTimCorey 4 years ago
I will be covering more patterns and practices, although a lot of them are much more specialized. As for using this authentication on a remote server, you would just point your connection string to that remote database. I'm not a fan of how tied it is to the UI but that's a personal preference.
@timothywestern6488 3 years ago
Yeah I tried taking the ApiHelper/Token idea that you did an MVVM app with, took a while but was able to login. Then I decided that Owin was the next thing to learn, but I couldn't figure out why it didn't work out of the box. It turned out, that when I moved it from local to a named instance locally that I had the wrong connection string. So if you run into that issue, check that. I love your work Tim. Really helpful to shake off some of that rust.
@IAmTimCorey 3 years ago
Glad it's helpful, and thanks for sharing.
@cloud77hot40 4 years ago
Great video man! Thinking of making an app into an asp.net MVC style and I was worried that authentication would be a nightmare. Thanks for making it more simple!!
@IAmTimCorey 4 years ago
Great!
@satyabratamohapatra3397 4 years ago
Best tutorial on OAuth. Clean and to the point explanation. Thank you TIM !!
@IAmTimCorey 4 years ago
Glad it was helpful!
@preshnaidoo1043 4 years ago
Thanks Tim. I know everyone has different opinions and you’ll base your future videos on the majority, but I think the level of repetition is spot on and the content presented in a very clear manner. I am one of those people making my way up to mvc core, so this has been very helpful. You mentioned that you weren’t a big fan of entity, I’d appreciate a video on your take on this and what you do use.
@IAmTimCorey 4 years ago
I wrote a blog post that addresses your question about EF: www.iamtimcorey.com/blog/137806/entity-framework
@davesimon9192 6 years ago
Gone are the days where one could download a shareware copy of Hotdog HTML editor and publish a site with having just a few files. (Which IMO, is a good thing. I feel the internet became convoluted with junk because people could just keep adding trash to the pile not having any technical skill or understanding what's going on under the hood.) Great video!
@IAmTimCorey 6 years ago
Thank you!
@jacklee5876 4 years ago
Hi Tim. Thanks for great video. I wish I'd seen this a long time ago. I've read numerous tutorials but you've made a seemingly complicated subject a lot easier to understand, this video was perfect for me as a starting point for further study into the subject. Thanks again. :)
@IAmTimCorey 4 years ago
Awesome! I’m glad it was helpful.
@TheAngelOfDeath01 6 years ago
Brilliant! Thank you so much, Corey. Amazing as always. It would be really nice to see more about Access Control using MVC and C#. Security is super important, but also one of the biggest error zones where developers (especially new developers) make mistakes, often costly ones. In these times where there are hackers, trolls and ghouls all over the place, educating people on security and how to make it easy, but good, is relevant. Thanks, Martin.
@IAmTimCorey 6 years ago
Sounds almost like we should have a new start to finish course that is more MVC-focused from the beginning so we can see how to implement this stuff in the real world. ;-)
@RalfsBalodis 3 years ago
0:00 - Intro
1:41 - ASP .NET Framework demo app with authentication
13:01 - Register vs Login explained
15:25 - Built in user registration and login
18:28 - Registration C# code overview
23:45 - Built in SQL
29:45 - Twitter authentication setup
45:37 - Implementing user restrictions
52:48 - Restrictions based on user role
1:01:03 - Who is logged in?
1:02:20 - Summary and concluding remarks
@IAmTimCorey 3 years ago
Thank you!
@Babaelow 2 years ago
"leaving authentication to Microsoft" can also mean leaving it to your local active directory, not only to Microsoft online services such as azure. However, you may still build your own AUTHORISATION system if you don't want to create AD Groups for everything. Tim, as always, correct me if you shouldn't build that on your own either :)
@spfy 6 years ago
Thank you for the video! I didn't know they made Authorization/Identity stuff so easy! If possible, I'd love to see an expansion where you talk about requiring authorization for Web API. Show how someone that wants to use my API for their own applications can authorize themselves for access.
@IAmTimCorey 6 years ago
I will be doing authorization through WebAPI in a video in the near future.
@coolwaterdvr 6 years ago
I'm loving this ASP.NET series. Thank you. Request: If you decide to make a lesson about EF, can you do a database first approach? Using Stored Procedures in EF would be nice also. Again Thank you.
@IAmTimCorey 6 years ago
I doubt I'll be doing an EF video any time soon since I'm really not a fan of EF (check out my video on connecting C# to SQL) but I'll keep it in mind.
@WantOxide 5 years ago
I will explain you how it works > 19:00 by large you can leave this as it is and just works Wow, awesome explanation
@sherlockholmes1121 4 years ago
Thanks Tim, Finally found someone that can explain how this works.
@IAmTimCorey 4 years ago
Excellent!
@hory-portier 6 years ago
Thank you for good video and for redirecting me here. Once again I have found less information than I expected but presented in great way. You showed here how to use this generated things but I am a bit afraid of using something I don't understand. Manage controller has almost 400 rows, there are also some models that you didn't even open here. I understand that in this video with your speed it wouldn't be too good to speak about it because it would be too long, but I would really be glad if you could make 2nd part of this with more details. The most important thing for me right now is how to work with outside database. I'm not sure how to link my database in Web.config. I have found how to add my outside database to SQL Server Object Explorer and how to find its Connection string but even for the default database connection string here is different than the one used in Web.config and only first part (Data Source) is the same. I'm interested in this topic and will wait for more about it. Also I will subscribe you to not miss it.
@IAmTimCorey 6 years ago
I have two videos that might help you. First, I have a Connection Strings video that gives you a good overview of how to set up a connection string and where to find what yours is. Second, I have a video on Connecting C# to SQL. That will show you how to configure your web.config/app.config file so that you can connect to an external database. As for showing more details about the authentication side, I will be doing that in future videos, although I'm not sure I'll ever go line by line. Some of this is EF Code First and I really don't want to get into that whole issue. As far as setting up your own database to do the authentication, if you point your connection string to the right database, the first time the app runs it will set up the proper tables. I would recommend that you not mix databases though. Keep a separate database for your authentication vs. your other data. It is much easier to secure that way. You can still have them on the same server though.
@drimadoh 4 years ago
Hey Tim... I can't thank you enough for this awesome stuff.. I'm using some of them in my teachings at university :D Will you be doing anything soon on Xamarin??
@IAmTimCorey 4 years ago
Yes, I am ramping up my development work in Xamarin so I will be ready to teach it soon.
@tnysvntr 4 years ago
Hello Tim Corey, I would like to suggest for you to create a complete website or system using asp.net mvc just like the retail manager. That would really help us, me especially, to learn a lot from you. Thank you very much
@IAmTimCorey 4 years ago
That suggestion is on the list. Thanks!
@tnysvntr 4 years ago
@IAmTimCorey thank you Tim!
@sengar31 6 years ago
Nicely explained... Please make a video on other functionalities of identity, e.g. email verification before login, reset password, forgot password, Two-Factor Auth. Thanks a lot for providing such great contents.
@IAmTimCorey 6 years ago
It is on the list. Thanks for the suggestions.
@kittytechnologies9359 6 years ago
Great video. Can expand it include user and role management via a webpage.
@IAmTimCorey 6 years ago
I'll be covering this in future videos. Thanks for the suggestion.
@Ocura89 6 years ago
I'd like to see that too!
@JackWatling 6 years ago
Great video. One thing to add - if you stack the Authorize declarations on a function/controller you can require the user to have all of the roles specified (AND), rather than just one OR more of them. There's an example here: docs.microsoft.com/en-us/aspnet/core/security/authorization/roles
@IAmTimCorey 6 years ago
Good tip. Thanks!
@InimitableMrG 5 years ago
RequireNonLetterOrDigit means Require Non(letter or Digit) or require something other than an alphanumeric character (So, a special character).
@IAmTimCorey 5 years ago
Yep, you are right. Drew a blank when looking at it.
@bridgefour4448 6 years ago
Sorry for the multiple questions, but I have some gaps I can't fill. I've always built my sql tables on a server first, then coded my application, so I am apprehensive about building on localdb...every tutorial regarding identity I have come across starts with tables on localdb and assumes we magically know how to move it to production at some future point. My process before (I have never implemented authentication) has always been to first get database on a real server, build tables there, go back to my app , set up helpers, a dataaccess class and connection string, build model, build controller, build views...in that order. If I miss something I go back to sql build the table, then go back to the app, rinse and repeat. Now, I am thinking of starting a new db on azure and want to implement identity. If I were to follow this method of implementing identity locally first, what do I need to do to get the all my tables (including the other ones I add to the db) in the server instead of localdb, assuming I coded the whole thing locally first instead as in the demo. Is it possible to change the connection string before installing the owin nuget package and running the package in order to sidestep all that so I can continue working the way I have before (ie the table structure for identity stuff would just be created in the production server instead of localdb)? Or is there some easy button for moving that all into a production server after you have coded your entire project locally?
@IAmTimCorey 6 years ago
I decided to answer your question here: iamtimcorey.com/ask-tim-database-authentication-setup/ I hope that helps.
@bridgefour4448 6 years ago
It does! Thanks much! I also appreciate the clear and distinct instructions your videos usually include. I do a lot of research and find your videos the easiest to understand, the most comprehensive, and have led to a lot more ah-ha moments for me. I think I would still be scratching my head on a lot of ideas if it weren't for your channel.
@shuhoodrahmani8201 1 year ago
Please can you provide a short video regarding adding authentication and authorization to an application created previously. When I do so, it doesn't work. Thanks
@IAmTimCorey 1 year ago
Thanks for the suggestion. Please add it to the list on the suggestion site so others can vote on it as well: suggestions.iamtimcorey.com/
@itworks5980 3 years ago
This is very helpful. Can you please create a video for allowing users to register using localdb but requires admin approval before they can start logging in? Thanks!
@IAmTimCorey 3 years ago
I will add it to the list. Thanks for the suggestion.
@itworks5980 3 years ago
@IAmTimCorey You're the best!
@blackdog3113 2 years ago
Hi Tim, thanks for the wonderful tutorial! I am new to authorization and bit confused as to use third party tools like Auth0, IdentityServer5 , okta vs the Identity Framework provided by Microsoft. Is the Microsoft Identity really that unsecure as people on the internet say? All the third party auth tools are black box and have not so good documentation, where as identity is easy to setup.
@chineduokolie7377 2 years ago
Hi Tim. New to authentication and I followed the tutorial, however I still get the "The remote certificate is invalid according to the validation procedure" error.
@IAmTimCorey 2 years ago
It sounds like you have a problem with your developer certificate. Try this answer: stackoverflow.com/a/58957501/733798
@webdistortion 6 years ago
Hi Tim, this is great. Would love to see an example of impersonation following on from this video. i.e. login as an admin (with admin roles) and then impersonate a user already registered in the system to see their data. Or indeed any pointers on which classes etc. to read around to do this.
@IAmTimCorey 6 years ago
Thanks for the suggestion.
@softfamilyjay3267 6 years ago
Thanks and you really made it so simple. One word for this. Amazing!
@IAmTimCorey 6 years ago
Awesome!
@attilaguba856 2 years ago
It's really good explanation, I like when you showed the Role based authentication as well. Do you have a complex tutorial how I can implement with all Identity Register and Login , Forgot and Reset password and =>/ Facebook, Gmail etc / to an existing website with publishing too!?
@IAmTimCorey 2 years ago
I don’t. Sorry.
@jeztafari5372 1 year ago
Trying to follow this with the new project template in Visual Studio 2019 and the Register and Login pages blow up with a Null Ref Exception on the model straight outta the box!
@emirhancelebi8316 5 years ago
I wish someone to explain Authentication middleware in detail. What is Authentication Type? How does it work regarding cookie based authentication?
@IAmTimCorey 5 years ago
Sounds like a good in-depth video. I'll add it to the suggestion list.
@emirhancelebi8316 5 years ago
@IAmTimCorey Thanks for your attention Tim. I'd be so thankful to you if you take your time to pick up on it. I have really had a hard time understanding how this middleware and its properties behave after each request.
@jayjoe1725 5 years ago
Thanks for making these tutorials! Fantastic content
@IAmTimCorey 5 years ago
You are welcome.
@louiseeggleton7420 6 years ago
Great series of videos. One thing I like to do is put my Authorize attributes in a base controller and inherit from it so that I am not having to put Authorize everywhere, and I don't run the risk of forgetting to put Authorize on some controllers. Some might argue that I could also forget to inherit from the base controller, but in my case, the base controller does a few other things that are essential to my app, so I wouldn't get very far without inheriting from the base controller.
@IAmTimCorey 6 years ago
Good tip. Then, if you need to have something not protected, you add the AllowAnonymous tag instead. Essentially, your application is secure by default. I like it. Thanks for sharing.
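The two tips in this thread (stacked Authorize attributes for AND, and a secure-by-default base controller with AllowAnonymous opt-outs), as an added example that is not code from the video or the commenters. It assumes ASP.NET MVC 5 (System.Web.Mvc); SecureController, ReportsController, LegacyController and AuthorizationAudit are hypothetical names, and the audit helper goes beyond the comments by listing every action that can be reached without signing in.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

// Secure by default: every controller deriving from this one requires a signed-in user.
[Authorize]
public abstract class SecureController : Controller { }

public class ReportsController : SecureController            // hypothetical controller
{
    public ActionResult Index() { return View(); }           // any authenticated user

    [Authorize(Roles = "Admin,Manager")]                      // one attribute: Admin OR Manager
    public ActionResult Summary() { return View(); }

    [Authorize(Roles = "Admin")]                              // stacked attributes: each must pass,
    [Authorize(Roles = "Manager")]                            // so Admin AND Manager
    public ActionResult Payroll() { return View(); }

    [AllowAnonymous]                                          // deliberate, visible opt-out
    public ActionResult Status() { return View(); }
}

public class LegacyController : Controller                    // base class forgotten
{
    public ActionResult Export() { return View(); }
}

public static class AuthorizationAudit
{
    // Lists "Controller.Action (reason)" for each public action reachable without signing in.
    // Limitations: it reads attributes only, so a globally registered AuthorizeAttribute
    // filter is not seen, and actions inherited from a base controller are not listed.
    public static IEnumerable<string> AnonymousActions(Assembly assembly)
    {
        var controllers = assembly.GetTypes()
            .Where(t => !t.IsAbstract && typeof(Controller).IsAssignableFrom(t));

        foreach (var controller in controllers)
        {
            bool controllerAuth = controller.IsDefined(typeof(AuthorizeAttribute), true);
            bool controllerAnon = controller.IsDefined(typeof(AllowAnonymousAttribute), true);

            var actions = controller
                .GetMethods(BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly)
                .Where(m => !m.IsSpecialName && !m.IsDefined(typeof(NonActionAttribute), true));

            foreach (var action in actions)
            {
                // MVC skips authorization when AllowAnonymous is on the action or its controller.
                bool anon = controllerAnon || action.IsDefined(typeof(AllowAnonymousAttribute), true);
                bool auth = controllerAuth || action.IsDefined(typeof(AuthorizeAttribute), true);

                if (anon)
                    yield return controller.Name + "." + action.Name + " (AllowAnonymous)";
                else if (!auth)
                    yield return controller.Name + "." + action.Name + " (no Authorize)";
            }
        }
    }
}
```

Calling `AuthorizationAudit.AnonymousActions(typeof(ReportsController).Assembly)` from a unit test and comparing the result with an approved list turns a forgotten base class into a failing build.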
@SyrgakZhylkybaev 6 years ago
Thank you. I like your videos. Keep posting please
@IAmTimCorey 6 years ago
Will do.
@jassisidhu7750 5 years ago
Hi Tim, Thanks for this video, however I am just curious to know how [Authorize] works behind the scene. How it gets to know the user details and token and authorize the user.. It would really be helpful if you could provide me any pointers.
@IAmTimCorey 5 years ago
It uses the header token and converts that over to identify the user. From there, it figures out if you have access privileges or not.
@martinvaughan4197 3 years ago
@IAmTimCorey Have you covered this in any videos? Would be very useful to get more insight into how asp.identity works!
@uwebraun8893 4 years ago
Interesting I find the Role-Management. I have to do some research, if you always need to specify the Roles by a String "User, Admin". It would be much easier, if it could be done with the UserID, because then you can easier group them, like saying Access to RoleID > 2... But I guess that is also possible somehow. Anyway, thanks for the very clear tutorial.
@IAmTimCorey 4 years ago
You can assign permissions to a user, not just to a role, but that is too specific and hard-coded to be very useful. You can't apply conditional logic to the role decorators (without dropping the check into the code), so >2 wouldn't really work well.
@Biagio999999999 4 years ago
Hi Tim! Love your tuts. Will you ever do something about Auth, without Microsoft Identity Framework? I would love to build my auth without any pre-scaffolded code. Thanks!
@IAmTimCorey 4 years ago
It is on the suggestion list.
@boyanpetrov4628 4 years ago
Ugh I spent 2 hours searching and replacing my callback Url but I just can't get it right. I keep getting the 403 Error. ***EDIT: fixed it by adding: localhost:44388/signin-twitter Amazing content as always Tim, Thank you!
@IAmTimCorey 4 years ago
I am glad you figured it out.
@veoquenoesunproblema 3 years ago
Extremely well explained. Very top level as Indian Eng. haha who save my butt more than once.
@IAmTimCorey 3 years ago
Thanks!
@BrianEHo 4 years ago
Hi Tim, thank you for sharing your videos to public. I learn a lot from your videos. Do you have any video talks about OAuth 2.0 in Visual Studio?
@IAmTimCorey 4 years ago
I have content using the .NET Core authorization but not external OAuth.
@kombokenedy4750 6 years ago
Tims your works always kills me.
@IAmTimCorey 6 years ago
Hopefully in a good way. :-)
@Babaelow 2 years ago
Also to say: If you store the password in a database, always HASH it (like SHA), never just ENCRYPT it (like, say, with AES). There is a BIG difference. There is a difference if an administrator is able to RESET your password, or if he is able to SEE it. He should NEVER be able to see it. If it's just encrypted, and he knows the key, he can read it. If it's hashed, no chance for anybody.
@IAmTimCorey 2 years ago
There is a lot that goes into making authentication secure.
@Babaelow 2 years ago
@IAmTimCorey You're right. I have to correct myself: Hashing is not enough. You need to "salt" it as well. I watched a video "How to not store passwords". After that, I knew more.
@smithmsiska6150 2 years ago
@IAmTimCorey could you make a video on single sign on with aspnet core?
@Fasiibcs 6 years ago
Hey Tim, I saw couple of your videos and you doing awesome job. However, I'm just curious you said in this video you are not a big fan of entity framework. So what you suggest in alternate?
@IAmTimCorey 6 years ago
I suggest Dapper. Much easier to use, much simpler, and it does not interfere with good database design. You can see more about it in my video here: kzbin.info/www/bejne/e6WVnJt9o9d8p8U
@harag9 6 years ago
I agree with Tim now, I used EF a while ago and hated it, I find Dapper much easier now (after I saw it on one of Tims Videos) - Thanks Tim.
@ardenyoung6554 4 years ago
Excellent video and very timely for me. I do have a question. You mention that the local database is not the preferred storage for account data. What is involved in moving to a MySQL database for the account storage information rather than the local SQL database?
@IAmTimCorey 4 years ago
It would be easier to just move your SQL database to a "full" SQL Server (or Azure SQL) but here are instructions on using MySQL: docs.microsoft.com/en-us/aspnet/identity/overview/getting-started/aspnet-identity-using-mysql-storage-with-an-entityframework-mysql-provider
@yogeshvaidya5895 5 years ago
It's too long but very useful and informative tutorial, you did just simply great works, I request you to give email verification tutorial, thanks
@IAmTimCorey 5 years ago
Thanks for the suggestion.
@adamschneider868 3 years ago
*** FIXED READ BELOW *** I did everything described in this video in regards to Twitter. I keep getting 403. Response status code does not indicate success: 403 (Forbidden). Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code. Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden). However, with the new signup procedure for a Twitter Developer account, I had to assign a URL for my website and an organization URL. I don't think this is the issue, but worth noting. I used the URL to my twitter profile for these values. I tried adding more callback urls 127.0.0.1 localhost:44306/Account localhost:44306/Account/ExternalLogin localhost:44306 That didn't seem to work either. Am I missing something? Is there an extra step in 2020 that I am missing? ***FIXED*** append "/signin-twitter" to your callback URL. In my case localhost:44306/signin-twitter. Now it works. Whew. ************
@IAmTimCorey 3 years ago
Glad you figured it out.
@Greatfulone 3 years ago
Thank you so much. I feel I learned so much, and I even fixed a few things on my website based on what you covered here. I was under Bootstrap 4, and was wondering how to change the button look. It was so small. I read the OAuth RFC a number of times, and like you said it does a lot. I am trying to map the functional components between the rfc and the video. Twitter would be the authentication server, the client and the user agent would be our application I guess. The rfc was talking about one scenario where the client asks the user to authenticate with the server so then the client can get some services from yet another server. Is it possible to create a tutorial for something like this please? I definitely followed what you covered here, and it helped me a lot with understanding of the RFC, but I want to be sure. I know understanding the RFC is job of pros, but I got to try. I also tried to refactor my existing ASP.NET project to enable Oauth and could not find a way yet. I wonder if that is possible or I should just start from the beginning.
@mmuneebajaz 5 years ago
Hi, please add 2factor method to your list too, that would be helpful
@IAmTimCorey 5 years ago
I'll see what I can do. Thanks for the suggestion.
@ronaldjohnson4470 4 years ago
Thank you Tim, excellent tutorial.
@IAmTimCorey 4 years ago
You are welcome.
@vivekverma30494 4 years ago
I understand adding authentication while creating a new project. But how do we add authentication to an existing ASP.NET MVC 5 project? I can't find any resource for it.
@IAmTimCorey 4 years ago
You have to manually do it. Create a new project with authentication and then copy the settings and files over.
@dhivakharvenkatachalam7759 4 years ago
Is there any video or article explaining every step of the logging process such as register, change password, log out for identity authentication in MVC 5?
@IAmTimCorey 4 years ago
We use the Identity process for logging in and out (and registering) in the TimCo Retail Manager.
@thewonderer.world.3 3 years ago
You explained same thing in your web API authentication video as well.
@IAmTimCorey 3 years ago
Yep, same system, just a different UI.
@thewonderer.world.3 3 years ago
@IAmTimCorey I guess you should make a video on Web API Token authentication with empty template. Thanks.
@jeremyolu3025 2 years ago
Hi Tim - I noticed the scaffolding code produces a lot of excess code which a developer may not use. Is there a way of modifying this, like deleting excess code, changing table names, adding extra columns etc to make it more specific to a business case?
@IAmTimCorey 2 years ago
I don’t believe so. You can tweak some of it, but most is necessary.
@salehawad9488 4 years ago
Hi Tim, thanks very much for a useful video
@IAmTimCorey 4 years ago
You are welcome.
@behdadnemati7815 4 years ago
Sir please make a video for Identity in ASP.NET Core. I spent a lot of time trying to tweak identity in ASP.NET Core and since you can't access the controllers for identity in asp core I ended up implementing the controllers again myself so I'd be able to customize identity. If there's an easier way please make a video and explain it. I love your channel and thanks for making C# easy to understand and learn for us.
@IAmTimCorey 4 years ago
I will add it to the list. Thanks for the suggestion.
@personkiller19960 6 years ago
Thank you so much. Comprehensive content. Liked, subbed and belled.
@IAmTimCorey 6 years ago
Excellent! I'm glad you enjoy the content.
@alimakhmali5088 5 years ago
Great work. I am preparing for Microsoft 70-486 exam. Any hints on what videos are must-watch? And books perhaps? Thanks.
@IAmTimCorey 5 years ago
I don't have any exam-focused content but anything I've done with MVC will help. I do have an add-on course that uses ASP.NET MVC at www.iamtimcorey.com that might help you out. It is an add-on to the main C# Application from Start to Finish course, though, so the add-on only covers MVC, not the business logic or data access since they are already covered in the previous course.
@gaatutube 4 years ago
Twitter authentication does not seem to work in this manner any more. Swapped in the solution from stackoverflow post that you showed. Plugged in my key/secret ... tried with both "get user email" checked and unchecked methods ... all of them seem to give a 403 error the moment I hit the "Twitter" button on the login page. Exception Details: System.Net.Http.HttpRequestException: Response status code does not indicate success: 403 (Forbidden). Looking through inspect Network tab shows that request goes to localhost:44395/Account/ExternalLogin and gets back a status of 500 (even though it gets back content showing 403 error). No request is ever sent to Twitter.
@IAmTimCorey 4 years ago
Yeah, Twitter has changed some things. There are some suggestions in the comments section about things to try that might help you out.
@shuhoodrahmani8201 2 years ago
Plz make a video to print report in pdf format in asp.net mvc5 application. I hope you create as soon as possible. Thanks
@IAmTimCorey 2 years ago
Is that this suggestion? suggestions.iamtimcorey.com/Details/6231b93a407ff5560a669212 If not, I would recommend adding your own to the list.
@paulchisholm66 3 years ago
Thank you Tim: A couple of questions. Is it possible to capture additional user data in the EF authentication process such as first name, last name, employee ID number, etc? (Would it be easy / possible to modify parts of the system to hold additional data for example such as the items mentioned above? If I understand this correctly, we are fine to develop this using the local SQL server and then when it is ready to be deployed, one can just say change the connection string to point to a SQL Azure database (for example) and the local database will be recreated in the cloud? Finally, if you want to manage the creation of the user accounts and not let people just come to the site and Register, could you create part of your app that would allow an admin user to create new accounts? (i.e. I get the feeling that you strongly recommend using this authentication system as opposed to building your own and storing the username and password data in a database. Thank you so much for your time and all of the videos that you do, they are wonderful!
@Wesleyvd1991 5 years ago
Learned a lot from this, thanks!
@IAmTimCorey 5 years ago
Excellent!
@josephquesada94 5 years ago
Thank you so much!! You explained it amazingly.
@IAmTimCorey 5 years ago
You are welcome.
@djangounchained7314 4 years ago
Hey Tim! Twitter doesn't allow to use localhost anymore to create an App, how do we solve this?
@djangounchained7314 4 years ago
Twitter doesn't allow 127.0.0.1 either ... what to do?
@IAmTimCorey 4 years ago
I believe it is because you need https but check the documentation.
@rededu5356 2 years ago
Good day sir, what alternative do you use for your database access? Thank you and more power to you. God bless
@IAmTimCorey 2 years ago
Not sure what you mean. I use Dapper with SQL, I use MongoDB, I use CosmosDB, I use Redis - basically, I use whatever database solution is best for the situation.
@amolkolekar4194 3 years ago
Excellent video Tim, but I have a query: all this stuff is inbuilt project code provided by Microsoft. What if I want to use my own tables like Users, Roles etc.? What kind of changes need to be done? E.g. in the code you have shown Authorize(Role=Admin); what if I want to use my own roles from my own role table? Do I have to create my own Authorize attribute for the same?
@hqcart1 5 years ago
Hello Tim, awesome tutorial, thank you. I have a question about cookies and how to set their expiration date?
@IAmTimCorey 5 years ago
I believe this should help: stackoverflow.com/questions/33701398/oauth2-webapi-token-expiration
@Sclunger 4 years ago
Hi Tim, great video. I am working on setting up external login with ASP.NET Core 2.2 without using identity. Do you remember if you have made a video for that before? Thanks
@IAmTimCorey 4 years ago
I don't have a video like that. Sorry.
@colin-campbell 4 years ago
The password hashing part at 27:57 - It doesn't appear as if the passwords are being salted prior to hash, do you reckon this would be easy enough to implement? For instance, adding in a "salt" column in the Users table and when a user registers, a cryptographically secure RNG value is created for that user which is then stored within the new column. The trick would be finding where, in the C# backend code, the passwords are being hashed.
@IAmTimCorey 4 years ago
You could do that. My big thing is that when I start messing with authentication code, I have the potential to make it worse. This has been tested by Microsoft and a LOT of other companies. My custom changes have not. I get concerned when we start talking about overriding parts, since that means I really need to know the system intimately in order to ensure I do it right.
@colin-campbell 4 years ago
@@IAmTimCorey Ah that's a really good point, if I were to implement a salting system, I'd need to conduct some really thorough testing to make sure I wasn't making the system insecure. I'm just really worried about rainbow table attacks against an application I'm developing. Many thanks for the reply!
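On the salting question in the thread above, an added example (not from the video, the commenters, or Microsoft's code): the default ASP.NET Identity 2 password hasher already stores a random per-user salt inside the PasswordHash value itself, so identical passwords produce different stored values. The sketch assumes the project uses that default hasher and its "version 0" layout (base64 of 0x00, a 16-byte salt, then a 32-byte PBKDF2-HMAC-SHA1 subkey at 1000 iterations); the class name, method names and sample password are constructed for illustration.

```csharp
using System;
using System.Security.Cryptography;
// Added illustration (not Microsoft's code) of the assumed version 0 layout: 0x00 || salt || subkey.
static class V0PasswordHash // hypothetical name
{
    const int SaltSize = 16, SubkeySize = 32, Iterations = 1000;
    static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA1))
            return kdf.GetBytes(SubkeySize);
    }

    // Builds a value shaped like the PasswordHash column, with a fresh random salt.
    public static string Hash(string password)
    {
        var salt = new byte[SaltSize];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        var blob = new byte[1 + SaltSize + SubkeySize]; // blob[0] stays 0x00, the format marker
        Buffer.BlockCopy(salt, 0, blob, 1, SaltSize);
        Buffer.BlockCopy(Derive(password, salt), 0, blob, 1 + SaltSize, SubkeySize);
        return Convert.ToBase64String(blob);
    }

    // Splits a stored value into salt and subkey; false if it is not version 0.
    public static bool TryParse(string stored, out byte[] salt, out byte[] subkey)
    {
        salt = new byte[SaltSize]; subkey = new byte[SubkeySize];
        byte[] blob;
        try { blob = Convert.FromBase64String(stored ?? ""); }
        catch (FormatException) { return false; }
        if (blob.Length != 1 + SaltSize + SubkeySize || blob[0] != 0x00) return false;
        Buffer.BlockCopy(blob, 1, salt, 0, SaltSize);
        Buffer.BlockCopy(blob, 1 + SaltSize, subkey, 0, SubkeySize);
        return true;
    }

    public static bool Verify(string stored, string password)
    {
        if (!TryParse(stored, out byte[] salt, out byte[] expected)) return false;
        byte[] actual = Derive(password, salt);
        int diff = 0; // accumulate differences so the comparison has no early exit
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ actual[i];
        return diff == 0;
    }

    static void Main()
    {
        const string pw = "Constructed-Passw0rd!"; // constructed sample value
        string a = Hash(pw), b = Hash(pw);
        TryParse(a, out byte[] saltA, out _);
        Console.WriteLine("salt embedded in A: " + BitConverter.ToString(saltA));
        Console.WriteLine("identical stored values: " + (a == b));
        Console.WriteLine("verify right/wrong: " + Verify(a, pw) + "/" + Verify(a, "wrong"));
    }
}
```

A version 0 value is 68 base64 characters long and always begins with `A`, because its first byte is 0x00, which makes the format easy to recognise in the AspNetUsers table.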
@ambroselangat5067 6 years ago
Hello Tim. Great work there! Questions: (1) Is it possible to change the database name? How do we do it? (2) How do we create the ASP.NET Identity database in SQL Server? Thanks
@IAmTimCorey 6 years ago
Good question. To change the database name, just change the connection string. If it is a LocalDB, it will create that new database. If it is a SQL database, it will look for that new database but crash if it does not exist yet. As for creating the ASP.NET Identity database in SQL Server, the easiest way is to create an empty database in SQL and point the connection string in C# to it. Then run the application and try to register an account. It will see that the tables do not exist and it will create them.
@ambroselangat5067 6 years ago
Thank you.
@pankajroy6979 2 years ago
Thank u for great Tutorial
@IAmTimCorey 2 years ago
You are welcome.
@marcinosiadacz7391 3 years ago
Hello Tim, thanks for the video! Could you please advise how can I configure the default user role to be assigned for new users automatically after registration?
@stewiefre 3 years ago
How can we edit the user profile using this system?
@gerardocesarhernandezgayta4304 3 years ago
Hey Tim, I was watching this video (amazing btw) and came up with some issues, since Twitter has changed some stuff from this video release until today, and actually got to solve it. My issue was on pressing the Twitter button, it showed me the error "an connection has been forcibly closed by the remote host", there was nothing in the comments here, so found this answer: stackoverflow.com/questions/57271345/twitter-api-responds-with-an-existing-connection-was-forcibly-closed-by-the-rem The solution that worked for me was to add this line: System.Net.ServicePointManager.SecurityProtocol = System.Net.SecurityProtocolType.Tls12; just before setting the TwitterAuthenticationOptions in the startup.auth.cs file... given my limited knowledge of ASP, I really don't know if that was the correct place to add that line since the answer doesn't mention it, but it worked nonetheless. I hope this helps future viewers with the same issue as me.
@IAmTimCorey 3 years ago
Thank you for sharing! I'm sure others will run into this also.
@bharatsahlot223 3 years ago
Hey Tim, do you have a video/resource which goes into more depth about auth? Thanks for the great video. Really helpful.
@IAmTimCorey 3 years ago
I don't. Added it to my list.
@mrrcomp 1 year ago
Hi, great tutorial. One question if you can: I want to LogOff on session timeout... Thanks
@cdouillet 4 years ago
Hi Tim, This is a really great video! Thanks for that. Quick question, I've followed your steps, using local authentication only. If I run my VS project, register and/or login, stop the VS project and then run it again, then I am still logged in. I need to run some code just after successful authentication. Clearly this shouldn't be done in public async Task Login(LoginViewModel model, string returnUrl) since this only runs when the user clicks on the Login button. Where should post authentication code be run? Thanks again for your work, helps tremendously!
@IAmTimCorey 4 years ago
Good question. You might find success running it on the homepage, since the user will hit that first (check if they are authenticated). The only problem is if the user is not logged in and attempts to go to a secured page. When they log in, it will direct them to the page they attempted to go to instead of the homepage. So if you can do it in two places, the homepage and the login would be the two places to do it.
@BrianEHo 6 years ago
Very nice video!!! It would be nice if you cover OAuth token access from the client side to consume this ASP.NET OAuth site.
@IAmTimCorey 6 years ago
Absolutely! It is on my list. That was a tough one to get right when I was learning how to set up authentication.
@govindsaini5600 5 years ago
Hi tim.. Please make a video, regarding integrate key validation system for window application wpf.. Plz
@IAmTimCorey 5 years ago
I am not sure what you are referring to. Do you mean having WPF authenticate against this provider? Because that is what the WPF app in the TimCo Retail Manager system does.
@KingKhan-oi2wu 2 years ago
Thank you very much Lovely❤️
@IAmTimCorey 2 years ago
You are welcome.
@Zisi911 3 years ago
Hi Tim, awesome video as usual. I've learned a huge deal from you in my steps to become a software dev already working on my own project now. In this one however I have a problem and I can't get the Twitter login to work no matter what. I have added the code and even found some other DigiCert keys as in some forums they were saying the ones in this video have expired, but still I can't get it to work, getting always the same error with the secure connection. Any ideas? Have they changed anything, is there a place to find the current keys?
@lyejiajun 4 years ago
Hey Tim! Thank you for the great video. I really appreciate the explanation as most people do not explain in such tutorials. However, just my personal opinion - I feel like while it is great to re-iterate on a point a few times to place a strong emphasis on a concept, you tend to repeat yourself a little too often. I believe most users would appreciate it if you repeat just once or twice less than you already did to make the video more concise! I hope this feedback is useful to you and thank you once again!
@IAmTimCorey 4 years ago
I appreciate the kind feedback. I do work on the balance of repetition. I want to repeat for emphasis enough to show the importance and give clarity but not enough to be annoying. I also try to come at the same point from multiple directions for added clarity. I know I don't always get it right but I'm working on it.
@adrianv.1636 4 years ago
@@IAmTimCorey keep repeating Tim! We need it to learn! Thank you mate.
@SnitchShow 6 years ago
All I can say is, this is a great tutorial and thank you for it :)
@IAmTimCorey 6 years ago
I'm glad. Thanks!
@davidemmanuel3001 4 years ago
God bless you Tim! We love you
@IAmTimCorey 4 years ago
Thank you!
@john_yeager 2 years ago
Anybody know an example of how Dapper and Identity can live together? Because Identity uses Entity Framework, do I need to have different connection strings?
@IAmTimCorey 2 years ago
They can, although I recommend using separate databases. You can see an example of this in the TimCo Retail Manager application here on this channel. If you use one connection string, you need to take care not to create a conflict with the EF updates. Plus, you are mixing your data types. I prefer to keep my security data away from my "regular" data. It makes for easier security.
@john_yeager 2 years ago
@@IAmTimCorey thanks man was very helpful
@arturoordonez-hernandez1534 4 years ago
I think I've got a good handle on this locally. How do you change the Database connection for this so it adds these tables to a database on a hosting server?
@IAmTimCorey 4 years ago
You just change the web.config file's connection string, which you can do even at runtime. However, usually what you do is when you deploy it, you transform the deployed web.config file to have the correct connection string.
@arturoordonez-hernandez1534 4 years ago
@@IAmTimCorey I managed to get this working on my Go Daddy server; not sure why it wasn't working before. Thanks!
@engrinchik884 3 years ago
Did you manually create the database tables for the user accounts (AspNetRoles, AspNetUsers, etc.) ?
@AndresHohendahl 3 years ago
Is there a simple way to specify to the template or just transform it into a non-MS-SQL-Server server database like MySQL or Amazon AWS Dynamo/María all the databases (at least get the instructions to build them) if not I need manually to change the provider, and create all the databases, this is cumbersome and may fail easily...
@hannykhan3106 6 years ago
Can you upload tutorials regarding claim-based authorization?
@IAmTimCorey 6 years ago
I will add it to the suggestion list.
@harag9 6 years ago
Again, Excellent video, thanks - I was going to ask about roles (e.g. Gold, Silver, Bronze membership) but you covered this at the end. :) Quick question on the Twitter App ID/Secret keys - I know you covered them up, which is good - but if you delete the app from twitter after creating the video, would these ID/Keys be valid still ? If not, then does it really matter to blur them out ? - No I'm not after your information, just curious on how secure it would be... unless you forgot to remove the app from twitter of course.
@IAmTimCorey 6 years ago
In theory they should be fine. In practice, it might tell you more about my account than I would prefer. I decided to err on the side of caution. I could also request that they be reset and I wouldn't even have to delete my app for them to be invalid. It was just the abundance of caution.
@harag9 6 years ago
OK, thanks for that - I wasn't sure as I don't even have a twitter or facebook account. On the Roles, you assigned the roles to the users manually by editing the database, I take it there is a function to do this in the code? Could you do a quick video on how we would assign roles to users when they (a) create an account, (b) pay for a better membership (gold, silver, bronze roles)?
@IAmTimCorey 6 years ago
I'll see what I can do. You have to make your own UI for it.
@AbubakrMahdiSan 4 years ago
Thanks, I love you Tim.
@IAmTimCorey 4 years ago
You are welcome.
@ceksing 5 years ago
Hi Tim - Great Introduction
@IAmTimCorey 5 years ago
Thank you!
@martingoodrich5839 5 years ago
A most enjoyable tutorial. Thank you very much. Is there a possibility that you could do a similar tutorial for authentication with Microsoft Office365?
@IAmTimCorey 5 years ago
I will add it to the list. Thanks for the suggestion.
@embossCoder 4 years ago
Thank you. Really helps me to learn.
@IAmTimCorey 4 years ago
Glad to hear that
@santiagopiaggio2099 4 years ago
Hi Tim! Thanks for the video. I followed this tutorial on a .NET Framework project, as I upgraded it to .NET Core 3.0, everything works fine, but I couldn't upgrade this to the project. Microsoft suggests this: services.AddAuthentication().AddTwitter(twitterOptions => { twitterOptions.ConsumerKey = "..."; twitterOptions.ConsumerSecret = "=..."; }); Doesn't seem to work for me. Do you have any ideas why? -> Error suggest -> "AuthenticationBuilder does not contain a definition for AddTwitter ... "
@IAmTimCorey 4 years ago
It sounds like you need a NuGet package to support Twitter authentication.
@swankyshivy 3 years ago
Awesome job. How do you do SSO with another website other than FB, Twitter etc.? So it's an existing web app for a company that we want to automatically log in to a new MVC web app once you are logged into that other web app?