128. What Authentication System Should I Use For My App?
HTML-код
- Опубликовано: 21 ноя 2024
- What are the pros and cons of the various authentication systems? Should I use the built-in authentication system in ASP.NET Core? Should I use a third-party system? Is Azure Active Directory the right choice? These are the questions we will answer in today's episode of Dev Questions.
Website: www.iamtimcore...
I can summarize this video in one sentence:
"The more important the information is that you are storing, the better system you need to protect it."
What you won't find are insights of the available technologies and products and how they work that you could use to help you choose the best fit for your situation.
I love the analogies and terms "Keep the walls high".
Loved it absolutely!
I'm glad you enjoyed it.
I have recenlty started App development and just wanted to know different ways of authorization ,, before this i have never thought of like this ,,figuring out risk to reward ...The explanation was good even for freshers like me ...
I am glad it was helpful.
I would use "Sign-in with Microsoft" or something similar for the software I make, but it's a kind of offline software (ERP) and in Germany most business owners don't like anything outside of their own building. They don't seem to trust third parties on the internet that much. At least that's what I've been told by support. Support talks to customers, I rarely do.
Tim Corey videos in 4k are at whole 'nother level. Truly appreciate the work Tim
Glad you like them!
Perfect timing Tim! I’m trying to dive deep in this subject, and I see such a widespread association of these “3rd parties” with microservices that I was wondering if it’d be an overkill to apply it on traditional monolithic web applications. At least I got rid of the DIY idea. 😄
I am glad it was helpful.
Thank u for this video! Was "this close" to spinning up my own Identity Provider with Duende. But following your suggestion, I decided to go with Azure Active Directory B2C.
Glad it was helpful!
Nice video, I'd like to add something - there is actually one more situation, when you can (and maybe should!) build your own auth system: if you really want to know, how it works. You'll learn literally tons of stuff! If you've built it, don't build your buisiness around it ofc :P But 'building your own and do the research' is one of the best learning curves imo.
Literally just got back from a 3-day NDC conference about this topic. Great summary.
Thanks!
I was hoping for a comparison between identityserver vs auth0 vs okta or others but this is also good
Thanks!
Same here.... not an option to 3rd party this. 27 year backend vet here. Seen too much crap in that time. Oauth2 all the way, always.
I usually like Tim's videos, but the title of this video is inaccurate. This was just him imploring us to not implement our own 50x in a row.
Cool thanks, now what are the differences between OAuth 2.0 authentication types?
between Azure AD B2C and Auth0 for a SaaS startup, which would you suggest? We will strictly force to only sign in with email and password, no sign in with google, microsft, etc
Either will do great, but I like B2C because it gives you 50,000 MAUs for free. That's a LOT, especially for a startup. Auth0 provides 7,500 MAUs for free. That difference can be a big deal when you are starting out. Once you hit the 50,000 MAUs, you should have a good revenue stream going to pay for those users.
Damn you are a telepath 😂. This video is right on time. I am trying to figure that out for quite some time.
This is an answer to a question on the suggestion site. No telepathy needed.
I have always marveled seeing young developers naively attempting to do authentication themselves from scratch. It's not possible to have worked on a real world project and even remotely think that it would make sense to try this yourself. Thanks for these deep insights Tim
You are welcome.
Amazing advice, actually it helped me a lot since Im currently starting a new application and it will handle some PII data at least, so now I know I should not go for custom solution and probably not even the Identity self hosted solution is enough, thanks a lot for that Tim!
You are welcome.
You know i was diving into the rabbit hole of doing myself with the default stuff with identity. I needed to hear "don't do that!"
I am glad it was helpful.
what about keycloak? which level is it? do you recommend it?
Great analogies, great information. Damn I love Tim!
Thank you!
This is the kind of info I was looking for. Thanks. I need to see more code about this. :)
You are welcome.
Excellent video Tim, but how can I work with authentication and JWT with embedded widget, if I make the widget available to a third party company?
I have made good experience with Azure AD B2C, easy to setp, doesn't "pollute" my db with tables like Identity Server and is basically free (up until 50k users).
Thanks for sharing!
One question. What is a business supposed to do about authentication if they are starting out and can't afford any money for a third part authentication system? Also, what if a person can't even figure out how to get a third part authentication system to even work? I had cases where I was unable to use a third part authentication system. The 2 past jobs, I created my own and did not have any problems with it.
What do you usually do if you are told that all the good options are unavailable for you to use for some reason or other? I'm guessing they're past jobs for a reason.
A lack of money is no excuse for exposing your customers to a data breach. Besides, most authentication systems have a free tier to get you started. If your “business” cannot afford authentication by the time they are past the free tier, they aren’t a business. Business has to charge more than the cost of doing business. If a business says that they cannot afford to pay for an application, then they cannot afford to have that application. It is as simple as that. If they cannot afford a facility, they don’t just get to get one for free. If they can’t afford to buy supplies, they don’t just get them for free. If a bank couldn’t afford a vault, they wouldn’t be allowed to store your money in a shoebox.
As for the fact that you built your own and “did not have any problems with it”, the problem is that you exposed your customers to harm. That is absolutely a problem. Just because something works doesn’t make it right. Did you have an external form do penetration testing? Did you constantly monitor updates from .NET and third party vendors to be sure that a bug wouldn’t lead to a vulnerability in your software? Did you ensure that the passwords used were one-way encrypted? Did you offer two-factor authentication? Just because you can validate a user doesn’t mean you can make them safe. Even if what you are protecting is inconsequential, people tend to reuse passwords. If your system gets hacked, you could be exposing them to being hacked in a lot more locations.
I played in traffic twice and didn't get hit by a car.... therefore playing in traffic is probably fine.
So as a question… how many of these 3rd party social system log the time, location, software etc information and sell it on or use it as data points?
Social system logins provide eula for their users. If you give them a few options, they can pick the company that they feel comfortable working with. If you don't want your user's login metadata used in some advertising system, pay money to host an active directory server privately somewhere and use that. There are probably n-1 providers that use the data in a way you don't like, so use the nth provider.
excellent video and explanation as always. Thank you !!!
You are welcome.
Hi Tim. I'm currently building an server side blazor app that would have to store my user's 3rd party API credentials for 2 different services. The first is a get only api while the other one is a posting api that would update product and pricing information on a wordpress wocommerce system. What would you reocommend?
trust me guys, if you have budget and you are building a system for the long run, invest in making your own or cloning an open source because third-party will screw you up one day and you will pay much much more if they wanted to increase their fees
don't place your neck at their hands
That is spectacularly bad advice. It sounds great - own your own destiny by controlling the source. However, as soon as you start relying on your own auth system, even one from an open source base, you are now responsible for every line of code. You need to validate that the system is resistant to hacking, bugs, etc. You need to be doing regular penetration testing. You need to be monitoring for 0-day exploits on systems that your system is built upon. You need to keep up with every change from every vendor throughout your stack (browsers, devices, underlying packages, etc.) to be sure that they don't change how something works in a way that will negatively impact your authentication system. These companies spend hundreds of thousands of dollars on maintaining their authentication systems each year. You want to take all of that on yourself? That's a bad call. The only way you save money here is if you cut corners. Cutting corners is not the way to protect your customers.
@@IAmTimCorey yes, that's why I said if you have the budget. Trust me, no system is safe :)
This is good advice from someone with experience, instead of from a "trend-follower" with a youtube channel that goes on repeating mindlessly and without real arguments and lots of FUD exactly what the big industry players want you to think. Finally a thinking person in the comments.
@@IAmTimCorey MY UNDERLYING PACKAGE IS "IF". BEAT THAT. STOP THE FUD YOU SCAREMONGER.
@@IAmTimCorey "These companies spend hundreds of thousands of dollars on maintaining their authentication systems each year. "
LOL you are SO NAIVE, dude! I can't even... Seriously. No company is spending thousands of dollars on making your clients safe, they are spending it on making themselves profitable. Only you have the true interest of keeping your clients safe therefore if you delegate that to others you have betrayed your clients.
Thanks for the video Tim! I have seen your course on Azure Active Directory B2C and got a lot of value out of it! I have a question though. I found if we want to access data, like the display name and email, of multiple users stored in AAD B2C we need to use an API like Microsoft Graph API. However I can't seem to find it's pricing clearly. Is there a free limit and do you know where I can get more information?
I believe this is what you are looking for: azure.microsoft.com/en-us/pricing/details/graph-data-connect/
Yeah my personal philosophy when it comes to authentication is that unless its a private application no one else is going to use, or a government related thing where you REALLY don't want other parties involved with the transactions, just use OAuth or a third party. First thing I do on anything I setup now for me or friends is go in, disable the built in authentication, enable a third party or OAuth.
I also like to be a tad more secure and I setup auto searches for a dummy google account I use and if it finds it ANYWHERE in a search result the server instantly scrubs the tokens tables so any potentially compromised users have to re-authenticate and it sends out emails letting them know stuff like "Hey, this google account I never login to somehow ended up on the web, you might want to check your own stuff because Google may or may not have had a breach."
So yeah a tad overkill maybe, but better safe then sorry.
Thanks for sharing.
Literally struggling with this myself all weekend. My API doesn't expose anything except the results of widely known optical calculations, I just need to control who gets an API key.
Seems my comment dissappeared...
The timing of this subject was great, I have made an internal application (in company) that uses single signon using the AD account the user is logged in with as the authentication, this part works well... now I would like to add various roles/policies based on those from our Identity Management System, readable through DB and/ord OData api.
I am trying to figure out the best way to do that and keep it updated so that we can manage our role members from the Identity system instead of adding an internal one in the application.
any advice on that?
Which level is Identity Server 4? We are going to implement an ID Server4 for Authentication & Authorization System. I have created customised Authentication and Authorization Systems for some internal applications with SSO. Currently, I have the same feeling that you've talked about. It is not safe to do everything by myself. Thanks for your idea.
That would be a third-party system. A good choice, too.
But isn't it not maintained anymore?
Thanks, currently deep diving into this stuff and this helps clarify things. Have done a basic MS Identity implementation for a Blazor App - easy to see how its better than roll your own 😁 But I've struggled on how to integrate it with something like B2C - would your B2C course help there?
One thing I don't see covered much, is Web API's - we expose some microservice's (minimal api) for use by desktop services (no user ui), how would you integrate authentication for them with B2C? do you cover that?
Thanks.
My B2C course does cover how to set it up and use it. My Suggestion App course (free here on RUclips as well as paid) also shows you how to integrate B2C into a Blazor Server app.
@@IAmTimCorey Thanks! I'll check out the Suggestion App Course, as well as the B2C Course, I could do with a through coverage of the details. Boss has ok'd the time :)
I found there is a lot of things I should know that I have never create and I don’t know how to look for them or even I don’t know that feature exist haha, this one is one of those. I did some Authentication Feature like this and I didn’t know it already exist and there were better ones
I am glad it was helpful.
We have a situation where every site needs to work while there is no internet, but also connect to other private APi's when the internet is restored. What solutions would you recommend? The account they log in with should be able to access those other private API's when online, and be authenticated locally when offline.
That could be any number of authentication systems. Working offline is something that C# handles.
I have started seeing a lot of talk about BFF. Could you do a talk about using BFF with SPAs and AzureAD and other external Auth providers?
Thanks for the suggestion. Please add it to the list on the suggestion site so others can vote on it as well: suggestions.iamtimcorey.com/
Good day
Thanks!
But, for example Payment plataforms can do the most sensible security for you too, at the time of payment is directed to the payment platform, and they do the transaction, for me that is the safest one, and you can't save any high sinsible information from anyone
Not having authentication is a nice solution when you can do it, but it isn't a common occurrence.
an here I am ordered by my boss to do a cookie authentication for a whistleblowing application
What about using JWT for authentication and authorization a small Administration app (with no api's)?
JWT is just the delivery mechanism. You need something to issue them and validate them.
@@IAmTimCorey Yes. Saving the user's password hash, using Claims, etc. like we do when using API's.
Using JWT instead of cookies. Do you think this is nonsense? Sorry Tim, I am little confused here. Cheers from Portugal.
Ah, gotcha. So you are asking if it is better to capture a JWT in the front-end instead of a cookie. My personal opinion is that it does not matter. Yes, technically if you run compromised code on your site and you store that JWT in SessionStorage, that compromised code would have access to that JWT where there is a bit more protection with cookies (not much, though). So, at the end of the day, I'm ok with either.
@@IAmTimCorey Thanks, Tim. That's it.
So i take it dont build your own authentication using the dreaded spring security. So is spring security the "level 0"?
I am glad it was helpful.
very useful suggestion
Great!
Is it possible to do a hybrid of 3rd party for authentication and identity for authorization? Is that something you recommend?
Nooo dont just learn some cybersecurity i would suggest computer phil on youtube to start
Thanks ❤
You're welcome.
Do you have an example of authenticating with .MAUI with AzureAD B2C and Social Media (Google, facebook, etc)?
Not yet. Please add it to the list on the suggestion site so others can vote on it as well: suggestions.iamtimcorey.com/
@@IAmTimCorey will do!
great stuff as usualy
Thank you!
Is there any requirement to host your app on Azure if you are using Azure B2C ?
Nope. You can host it anywhere.
Great video... This is an area that is a bit mysterious to me and it was good to know where to start.
thanks
You are welcome.
2:34 What If instead of a strong authentication system I would rather store my sensitive information in a locked box at home where also lives an angry barking dog ? 2:41 Theft wouldn't happen then, would it...
Yep, that's always safe. But forget putting them at home. Bury them in the backyard. Maybe make a little map to them with a big, red x that marks where they are located.
@@IAmTimCorey I can tell you for sure that the data protection using shepherd dogs at home is underrated compared to the cloud-based OAuth, and even compared to the backyard protection, which is vulnerable to mole attacks.
p.s. Thanks for your tutorials, especially about logging!
Thanks for this video! I really like your levels pyramid.
I don't have any site with lots of users (yet :)) but I always wanted to implement Level 1 with Identity. But I really don't like idea to store passwords (even with Identity) and having resets and all those things seems really complex and usually my sites, like you in your example, only need users because public visitors shouldn't be able to just add new content. But they won't store credit cards and similar data.
Now I think the best approach in my case is Level 2 with Google. Password handling isn't on my end but I have freedom with authorization.
Any further suggestions?
Also, anyone use free 50000 B2C? How does that work?
I really like Azure Active Directory B2C. I use it for the suggestion site ( suggestions.iamtimcorey.com ) and I've rolled it out to a number of other internal sites as well. I've never paid a dime for it because I've never hit the 50,000 active users per month tipping point. It is really simple to implement and once it is running, it all just works. I created a course on how to implement it: www.iamtimcorey.com/courses/azure-active-directory-b2c-from-start-to-finish/
I also published all of the videos for how I built the Suggestion App here on RUclips for free: ruclips.net/p/PLLWMQd6PeGY0cZFMqx5ijmdaD87sJKCsU
@@IAmTimCorey Thanks for the reply, I will definitely try B2C. Also, I really appreciate all the content on this channel!
@@IAmTimCorey Hi Tim I love your videos they are really helpful, thank you very much, A quick question, when you say internal sites, Does it mean We can use b2c to give users access to a site(web app) that, although it is in the cloud, is not for the general public and is intended only for use within a company?
While I agree with you not to DIY!!!
Sometimes we need a LTS system for our customers for example we’ve been using IdentityServer for years :
But they finally turned it into a non free framework and we can’t use the newer versions anymore. Unless we do it ourselves
Security isn't free. If you have customers, you should expect to have to pay something. Free is great, but it probably isn't a great option for your authentication unless you are growing towards a paid plan.
3 minutes of non-argument FUD against coding your own auth system.
Huh? Are you arguing that coding your own auth system is a good idea? Please tell me that's not what you are arguing. Of all of the "it depends" topics you could pick, that's not one of them. Here are just a few people telling you the same thing:
* withblue.ink/2020/04/08/stop-writing-your-own-user-authentication-code.html
* simplelogin.io/blog/do-not-create-own-auth-system/
* dev.to/jordanfinners/make-one-resolution-this-year-never-write-your-own-authentication-3nc1
Even if it wasn't extremely dangerous (and it is), why would you do it? There are companies that spend millions of dollars per year maintaining authentication systems that are really good options that also have free tiers to start out with (Azure AD B2C, Auth0, etc.) Why spend an enormous amount of time to do something that has already been done much more cheaply than you can do? And I reject any argument that includes the "I can do it faster/cheaper". The only way that argument works is if you cut corners and if you also don't continually update it for new security threats.
@@IAmTimCorey Yes, I am arguing that coding my own auth system is a good idea. It is interesting and very telling that instead of simply saying out loud the "killer argument" against my position, you instead have to appeal to authority and get 3 people against me. I remember Einstein once said to a letter signed by 1,000 scientists denouncing his findings, that if he were wrong, only one scientist would suffice.
Anyways, I can argue my position very simply and clearly.
Authorization is nothing but:
- loading from a database a list of which permissions each user has;
- doing an "if" on those permissions on each endpoint to see if it is okay to load that endpoint normally.
That is absolutely all there is to it.
Not everything needs to be a library. In the case of authorization, doing it yourself is better.
Authorization is too simple (just "if's" over "permissions" which are nothing but unique strings associated to users's foreign keys on the database) to have to be abstracted over. And even after you have abstracted over authorization in C# with its standard offering library, you still end up having to writing an "if" on each endpoint (or on the middleware, depending on your access granularity) to ask whether the user has the required permissions; which means that, in trying to run away from simply doing what you cannot avoid, you adopted a whole bunch of boilerplate code from Microsoft that is nothing but an opaque layer over what should be simple business logic.
What exactly is dangerous about my approach? Please answer with a "killer example". Again, my approach is something that you inevitably have to do with your approach as I just described above - nothing can spare you from doing an "if" on each endpoint (again, depending on granularity) over the user's permissions, so why not just do that and avoid the entire scenic route?
"There are companies that spend millions of dollars per year maintaining authentication systems that are really good options that also have free tiers to start out with (Azure AD B2C, Auth0, etc.)"
Yes, and they are the number one group of people invested in propagating an FUD narrative for their fans and clients to repeat. Again, you are not saying anything with substance. I am yet to see a "dangerous" example of a custom-implemented authorization system. It is just "if's" after all.
"Why spend an enormous amount of time to do something that has already been done much more cheaply than you can do?"
Because it takes me longer to (1) learn and then (2) maintain in the long term with (3) changing versions the (4) work of other people, who are usually (5) forced by their clients to shove too much functionality into a library that should be simple. Just look at the authorization videos on RUclips for the standard ASP.NET Core offering library, they're so long. Folks, it's just "if's" over unique strings that mean different permissions associated with the user. Nothing more than that. Please, let's stop complicating things unnecessarily just because of fear.
"And I reject any argument that includes the "I can do it faster/cheaper". "
Again, what I am saying I "can do" is simply the part that you are also forced to do: namely, to do an "if" on the permissions ("Claims") you've loaded from your favorite ASP.NET Auth library. The time I save is from having to learn an entire library around this simple "if" operation, which I consider unnecessary, but I can see how it can act as a safety blanket for people who are quick to believe the marketing narratives put out by service providers.
"The only way that argument works is if you cut corners and if you also don't continually update it for new security threats."
There are no security threats that invalidate the "if" operation. Hopefully through this answer you can better appreciate other perspectives and once again, I encourage you to show me and everyone else an example of a "dangerous custom auth" and for each one you do I can show you a badly-implemented Auth0 code that leaves a website vulnerable because of not understanding what the documentation was going on and on about.
We would have very fast computers by now were it not for people like you afraid of what they don't know and what they readily believe from marketing narratives without checking. Please do your own homework - in this case, write your own auth library - so you can see for yourself how simple it is, and enjoy the freedom that comes with knowledge. I sincerely invite you to do so. Please ask any questions, thank you for engaging in this conversation with me, and I apologize in advance for being a tad rude - I don't mean to come across that way, but I am, so I do; it has nothing to do with you, so please forgive me.
@@jboss1073 Interesting reply and commend your courage.
"There are companies that spend millions of dollars per year maintaining authentication systems that are really good options that also have free tiers to start out with (Azure AD B2C, Auth0, etc.)"
Free? They aren't modern-day Robin Hoods stealing from the rich to give to the poor. They make money on both.
The only thing left is whether or not you can afford to, or it makes sense to set up security properly yourself, and if you want to, but everybody knows that.
Sorry but I disagree... if you publish username and password, assuming the username is the email address, which is used on 99% of sites as the username and given that people kften use the same password on all website... well a person could use those credentials to get access to more important sites stealing more sensjtive informations of that user
I'm not sure what you are disagreeing with.
@@IAmTimCorey with what you said at 14:46 and 14:59 for the reasons I wrote in my first comment.
you have too much faith in our banking system
I'm not sure what you are referring to.
naah bruh dont make it so long and complicated come on I'm just a dude w 6 months of experience who wants to learn how to implement session based or jwt token based auth, don't go this deep man come on, ill go this deep when I understand the basics of implementing this shit
I'm not sure what you were expecting me to say. You don't have the experience to do it on your own. In fact, I highly discourage anyone from doing it on their own. It isn't just a matter of implementing session based or jwt token based auth. That's like saying that all there is to operating a car is turning the key. You will get it to work, but you will have major problems down the road. The solution is to use a third-party system to do the actual authentication for you. Just follow their docs. For example, use Auth0. They have C# docs that will help you implement very easily, and yet they will handle things like password reset, token expiration, two-factor authentication, and LOTS more.
Firebase
If I want to build an authentication system using duende Identity server for my application that has both web and mobile app version, would that be a good idea? @IAmTimCorey