Holy crap this is complicated and confusing.
Make sure to ask questions on what you find confusing so I can explain.
@@RawCoding Not even sure what to ask. There was just so much info tossed out w/no time to absorb anything that it's incredibly overwhelming for someone who hasn't dealt with this. I'm sure it's great info, but it's just too much at once too fast.
Well you watched a video about authentication schemas, you clicked on it for some reason - what were you hoping to learn about authentication schemas that you didn’t in this video? Point to a time stamp that confused you and why.
@@RawCoding So I thought about this for a while this evening and I think it goes back to my original message in your previous video about needing to break this up into a series.
If you were to look at this video as a chapter in a book about auth, it would be near the back after all the supporting information was presented. In other words, it needs context as to what is happening from a 60,000' view, why things are done a particular way, how they fit together, and how they're used in relation to real world scenarios.
Putting the code out there is fine for those already versed in the subject and can take it from there, but for those trying to learn the subject, there's not much there but some code to parrot. In effect, you're giving us a fish instead of teaching us to fish.
Hope that makes sense.
@@dasfahrer8187 thank you for taking the time to muster up the feedback.
> If you were to look at this video as a chapter in a book about auth, it would be near the back after all the supporting information was presented.
this is the 3rd video after I presented authentication, and the logic that sits behind it (the auth handler, not in depth, but it's there). If you have ever used a dictionary and you are familiar with key-value pairs, that is what an Authentication Schema is - it's a key and points to the authentication handler.
> In other words, it needs context as to what is happening from a 60,000' view, why things are done a particular way, how they fit together, and how they're used in relation to real world scenarios.
there are authentication methods which are not tied to asp.net core (cookie, passwordless, openid, etc...) you are more likely confused about that landscape rather than an authentication schema. When you know how you want to authenticate you just identify that logic with a string - which is the authentication schema.
The mist/confusion is around the authentication handler - which is the logic (the schema, the description, the journey, the shape of authentication). Authentication Schema just points to the auth handler, however the logic may short circuit, redirect to other schemas etc... whether they do it or not depends on the authentication method, which are more like well defined standards.
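To make the key-value picture above concrete, here is an added example (not code from the video or from any commenter) of what the scheme registry looks like in an ASP.NET Core minimal API: two scheme names, "visitor" and "patreon", are both registered against the cookie handler, each with its own cookie, and `IAuthenticationSchemeProvider` is queried to show that a registered scheme is nothing more than a name plus a handler type. The endpoints, cookie names and the `visitor-id` claim are constructed for the example.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

var builder = WebApplication.CreateBuilder(args);

// Two scheme names (the "keys") that both point at the cookie handler.
// Each gets its own cookie, so the two identities never mix.
builder.Services.AddAuthentication("visitor")
    .AddCookie("visitor", o => o.Cookie.Name = "visitor")
    .AddCookie("patreon", o => o.Cookie.Name = "patreon");

var app = builder.Build();
app.UseAuthentication();

// The registry itself: every AuthenticationScheme is a name plus a handler type.
app.MapGet("/schemes", async (IAuthenticationSchemeProvider provider) =>
{
    var schemes = await provider.GetAllSchemesAsync();
    return schemes.Select(s => new { s.Name, Handler = s.HandlerType.Name });
});

// Hand out the visitor cookie to anyone who asks (constructed identity for the example).
app.MapGet("/visit", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(
        new[] { new Claim("visitor-id", Guid.NewGuid().ToString("N")) }, "visitor");
    await ctx.SignInAsync("visitor", new ClaimsPrincipal(identity));
    return "visitor cookie issued";
});

// Ask for a handler by key: AuthenticateAsync("patreon") only ever reads the patreon cookie,
// so it reports no result here even though the visitor cookie is perfectly valid.
app.MapGet("/whoami", async (HttpContext ctx) =>
{
    var visitor = await ctx.AuthenticateAsync("visitor");
    var patreon = await ctx.AuthenticateAsync("patreon");
    return new
    {
        visitor = visitor.Succeeded ? visitor.Principal.FindFirst("visitor-id")?.Value : null,
        patreon = patreon.Succeeded
    };
});

app.Run();
```

Hit `/schemes` first to see the two names and the shared handler type, then `/visit` followed by `/whoami`: the visitor scheme succeeds and the patreon scheme does not, because each key only ever consults its own handler and cookie.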
This is definitely complex, but you're doing a good job breaking the different pieces apart. Well done!
cheers!
Also, please continue with these topics of authentication and authorization. There are not too many security tutorials out there. Thanks a lot!
Great Authentication/Authorization series.
The best in the market, with many useful details. Quite advanced I would say, that is why some people got lost or confused.
This is a come back to video after you’re a bit more comfortable with auth
I'm really glad you are making auth videos. I started working on a new project a few weeks ago, they have an old authentication implementation and they asked me to build a new implementation with OAuth 2.0 and OpenID (yes, in this case they really need an IdentityServer) and I haven't done any authentication work before (as it was always done by someone else), so this is awesome for me. Great timing, thanks as always. I will definitely be joining the Patreon again 👍
A lot to unpack in this video but I am able to slowly make sense of how these schemas work, thanks so much for the series!
Love your videos, thanks a lot. I will need to watch them multiple times to get this properly
Make sure to actually write the code and explore on your own; those 2 skills are far greater than just watching the video.
Thanks, I love ur videos, this is something I should've put time and effort into a long time ago, u are making somewhat hard concepts and simplifying them so well.
But I don't mean to patronize anyone, I understand those who find the videos tricky, this is intermediate territory so I think as a newbie (to the subject) one might struggle since there are many terms that a newbie might not know.
A tip for anyone struggling with it: take ur time, it is ok to experiment and fail along the way, the more u fail the more u learn.
Thank you for this playlist. God bless you. Hope for more courses from you, e.g., dependency injection, software architecture, reflection, performant code (I mean, C# ways of doing the same thing with different performance), etc.
I have been learning auth from you, let's see, for 3 years! This year, you're more understandable and fluent!
BTW schema == scheme ?
cheers, and yes (aka authentication type)
Hi
Very good and informative video. I learned a lot and this also opened my mind to how authentication schemas can be used. I read the Microsoft docs and didn't get this perspective. May I ask your source? How do you get insight like this, or I guess you learn by de-compiling the source code :)
Great Content
look at source code, google and try things.
Thanks! It was really clear for me.
Great video. Just what I wanted! Thanks!
NASA of programming videos
trying to be spaceX
Bro, thank you very much! Your videos are top!
Hello Anton,
Thank you for your time in creating these videos. They are helpful!
You mentioned a video on hosting an SPA on ASP.NET Core. I'd love to see your approach. Could you ref that video for me?
Keep them coming
auth machine goes brrrrr
Great video series so far.
What are the differences when handling JWT tokens that are dished out by your Authentication providers? Is there a recommended secure way of storing these tokens (Both using something like MVC/Razor and a SPA like Blazor Wasm)?
not sure what difference you're pointing out, but the token is hashed into the cookie, so the cookie becomes the token. You want to make sure the token doesn't reach the browser - then the solution is secure (yes that means you need a backend that will process the token via backchannel for SPA/Blazor/Native and the like)
@@RawCoding Thanks! So use a Backend for Frontend to ensure the JWT from the Identity provider is placed in a cookie (Would this also mean that BFF would negotiate for the Authorization Code instead of the client)?
Yes, though with BFF the token is stored on the backend, and the cookie is just an id
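The "cookie is just an id" shape of a BFF is what the cookie handler's `SessionStore` gives you. The added example below (not code from the video or from any commenter) registers a "bff" cookie scheme backed by an `ITicketStore`, so the browser only ever holds an opaque session key while the principal and the provider tokens stay on the server; the API endpoint then pulls the access token from the server-side ticket for a back-channel call. The in-memory store, the `/signin` stand-in for the end of an external login, and the token values are constructed for the example; a real BFF lets the OAuth/OIDC handler with `SaveTokens = true` fill the tokens in and backs the store with a distributed cache.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;

var builder = WebApplication.CreateBuilder(args);
var store = new InMemoryTicketStore();

builder.Services.AddAuthentication("bff")
    .AddCookie("bff", o =>
    {
        o.Cookie.Name = "bff-session";
        o.Cookie.HttpOnly = true;                          // not readable from script
        o.Cookie.SameSite = SameSiteMode.Strict;           // first-party only
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always; // HTTPS only
        o.SessionStore = store;                            // cookie now carries only a session key
    });

var app = builder.Build();
app.UseAuthentication();

// Stand-in for the end of an external login (constructed). In a real BFF the OAuth/OIDC handler
// with SaveTokens = true stores the provider's tokens in AuthenticationProperties the same way.
app.MapGet("/signin", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "alice") }, "bff");
    var props = new AuthenticationProperties();
    props.StoreTokens(new[]
    {
        new AuthenticationToken { Name = "access_token",  Value = "ACCESS-TOKEN-PLACEHOLDER" },
        new AuthenticationToken { Name = "refresh_token", Value = "REFRESH-TOKEN-PLACEHOLDER" },
    });
    await ctx.SignInAsync("bff", new ClaimsPrincipal(identity), props);
    return "session cookie issued; tokens stay on the server";
});

// The API the SPA calls. The access token comes out of the server-side ticket and would go on
// a back-channel HttpClient call; it is never written into a browser-visible response.
app.MapGet("/api/me", async (HttpContext ctx) =>
{
    var result = await ctx.AuthenticateAsync("bff");
    if (!result.Succeeded) return Results.Unauthorized();

    var accessToken = await ctx.GetTokenAsync("bff", "access_token");
    return Results.Ok(new
    {
        user = result.Principal.Identity!.Name,
        hasServerSideToken = accessToken is not null,
        sessionCookieLength = ctx.Request.Cookies["bff-session"]?.Length
    });
});

app.Run();

// Minimal ITicketStore: in-memory for the example. A real deployment backs this with a
// distributed cache so sessions survive restarts and are shared across instances.
sealed class InMemoryTicketStore : ITicketStore
{
    private readonly ConcurrentDictionary<string, AuthenticationTicket> _tickets = new();

    public Task<string> StoreAsync(AuthenticationTicket ticket)
    {
        var key = Guid.NewGuid().ToString("N"); // the only thing the browser ever sees
        _tickets[key] = ticket;
        return Task.FromResult(key);
    }

    public Task RenewAsync(string key, AuthenticationTicket ticket)
    {
        _tickets[key] = ticket;
        return Task.CompletedTask;
    }

    public Task<AuthenticationTicket?> RetrieveAsync(string key)
    {
        _tickets.TryGetValue(key, out var ticket);
        return Task.FromResult(ticket);
    }

    public Task RemoveAsync(string key)
    {
        _tickets.TryRemove(key, out _);
        return Task.CompletedTask.;
    }
}
```

Compare the `sessionCookieLength` reported by `/api/me` with what you get without `SessionStore`: with the store the cookie is a short protected key, without it the whole ticket, tokens included, is serialized into the cookie, which is what "the cookie becomes the token" above refers to.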
Thank you so much, I learn a lot from your videos. Thanks a lot.
Why did you use the "/cb-patreon" as CallbackPath (which you didn't use anywhere) and didn't set it to "/" as the return url? Am I missing something?
If you watch the OAuth videos you’ll get a better idea of the callback path. It’s where the user agent should return to process the code. The route is intercepted inside the handler and on the example Auth server that we used that parameter doesn’t need to be configured or validated.
@@RawCoding I am consuming now the rest of the series, so I guess I will encounter it later, but I have to say, man, you are a legend, I have never seen so crystal clear exposition of the subject. Outstanding work!
Thanks a lot!!! for posting one more video on your favorite topic.
In your custom implementation of an AuthenticationHandler, specifically the CookieAuthenticationHandler, are we auto issuing the cookie in the same request if authentication fails, because a user will always initially be a visitor in this use case?
Also, is it typical to be implementing our own authentication handlers?
So informative, thanks a lot!
Hello, I am a bit confused on the external auth. I have seen that you first log in locally, create the specific cookie and then connect to the external provider to create the additional cookie required for Patreon. Isn't it more straightforward to authenticate with Patreon and not have local information like passwords and such?
If that’s all you need then yes )
Remember the video is about authentication schemas.
Thanks you are great
Thanks a lot for this video. I have a question about how to add these authentication schemas dynamically. If I am supporting more than one OAuth provider dynamically (i.e. through a web page in my application that a "local" admin uses to add other OAuth providers like Patreon). Again, thanks for the beautiful and helpful content you are creating.
Rather than adding schemas dynamically, you want a "dynamic" schema )
Thanks for the series. I am kind of getting to know authentication schemas but not 100% confident. Let's say I have got a visitor cookie and browsed a few pages and then logged in as a Patreon user. Instead of having two cookies, can I merge my visitor cookie into the Patreon cookie?
Yes, you'd sign out of the visitor schema as you are signing in to the patreon one
Thanks @@RawCoding for responding back. Do I need to sign out? If yes, is there any video that shows that? Do I have the ability to merge?
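The sign-out-then-sign-in answer above, as an added example (not code from the video or from any commenter): `/login-patreon` reads whatever the visitor handler can vouch for, carries the claims worth keeping into the new identity, clears the visitor cookie and writes the patreon cookie in the same response. The scheme names, endpoints, the `visitor-id` claim and the Patreon user name are constructed for the example; in the real flow the patreon identity would come from the external handler rather than being built by hand.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("visitor")
    .AddCookie("visitor", o => o.Cookie.Name = "visitor")
    .AddCookie("patreon", o => o.Cookie.Name = "patreon");

var app = builder.Build();
app.UseAuthentication();

// Everyone starts as a visitor (constructed identity).
app.MapGet("/visit", async (HttpContext ctx) =>
{
    var id = new ClaimsIdentity(
        new[] { new Claim("visitor-id", Guid.NewGuid().ToString("N")) }, "visitor");
    await ctx.SignInAsync("visitor", new ClaimsPrincipal(id));
    return "visitor cookie issued";
});

// "Merge": keep the claims you still want from the visitor principal, then swap cookies.
// SignOutAsync("visitor") emits a Set-Cookie that expires the visitor cookie, and
// SignInAsync("patreon") emits the new one; both land in this single response.
app.MapGet("/login-patreon", async (HttpContext ctx) =>
{
    var visitor = await ctx.AuthenticateAsync("visitor");

    var claims = new List<Claim> { new(ClaimTypes.Name, "patreon-user-123") }; // constructed
    if (visitor.Succeeded)
        claims.AddRange(visitor.Principal.FindAll("visitor-id")); // cloned into the new identity

    await ctx.SignOutAsync("visitor");
    await ctx.SignInAsync("patreon", new ClaimsPrincipal(new ClaimsIdentity(claims, "patreon")));
    return visitor.Succeeded ? "visitor claims carried into the patreon cookie" : "patreon cookie issued";
});

// After the switch only the patreon scheme authenticates, and it still knows the old visitor id.
app.MapGet("/whoami", async (HttpContext ctx) =>
{
    var patreon = await ctx.AuthenticateAsync("patreon");
    var visitor = await ctx.AuthenticateAsync("visitor");
    return new
    {
        patreonUser = patreon.Succeeded ? patreon.Principal.Identity!.Name : null,
        visitorIdCarriedOver = patreon.Succeeded ? patreon.Principal.FindFirst("visitor-id")?.Value : null,
        visitorCookieStillValid = visitor.Succeeded
    };
});

app.Run();
```

Run `/visit`, then `/login-patreon`, then `/whoami`: `visitorCookieStillValid` is false and `visitorIdCarriedOver` holds the id that was minted on the first request, so nothing is "merged" at the cookie level; the claims are carried over and the old cookie is dropped.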
love this video so much. In future, can you make a video on SSO like Identity Server 4 without Identity Server?
Check the playlist
thank you. How different is this process in .NET 8?
Where does the refresh token concept fit in this whole story? Is it possible to do something like a refresh token using cookies? (I'm completely new to that, sorry for the dumb question).
How can I manage to invalidate all sessions of a user? I mean, something like fb does, and force the user to log in again. Is that possible using cookies, oauth, sso or whatever?
A bit long to explain, there will be a video on it after.
which of these videos is more related to ws federation auth?
Thanks for the video. Do you think it is possible to use roles instead of authentication schemas in order to identify the user? Something like - in case we know that the user authenticated through Patreon we add a new role "Patreon" to him, etc. Or is this a completely different concept? Thanks.
This is a completely different concept. A role is simply a Claim that you add to a user identity. Therefore, you can create Authorization schemes to allow specific users based on a role to allow access to specific endpoints in your API.
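The two concepts side by side, as an added example (not code from the video or from any commenter): one authorization policy asks "who is this user" by requiring a role claim, the other asks "how was this user authenticated" by naming the scheme. Two constructed sign-in endpoints show that a role claim can ride on any scheme's cookie, while the scheme-based policy is satisfied only by a principal the "patreon" handler produced. Scheme names, endpoints, user names and the role name are constructed for the example.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("patreon")
    .AddCookie("patreon", o => o.Cookie.Name = "patreon")
    .AddCookie("visitor", o => o.Cookie.Name = "visitor");

builder.Services.AddAuthorization(o =>
{
    // Who the user is: authenticate with both schemes, then require a role claim.
    // ClaimsIdentity's default role claim type is ClaimTypes.Role, which is what RequireRole reads.
    o.AddPolicy("supporters", p => p
        .AddAuthenticationSchemes("patreon", "visitor")
        .RequireRole("Patreon"));

    // How the user was authenticated: only a principal from the "patreon" handler counts,
    // whatever claims it carries.
    o.AddPolicy("via-patreon", p => p
        .AddAuthenticationSchemes("patreon")
        .RequireAuthenticatedUser());
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Constructed: signed in through the patreon scheme AND carrying the role claim.
app.MapGet("/signin-patreon", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(new[]
    {
        new Claim(ClaimTypes.Name, "patreon-user-123"),
        new Claim(ClaimTypes.Role, "Patreon"),
    }, "patreon");
    await ctx.SignInAsync("patreon", new ClaimsPrincipal(identity));
    return "patreon cookie issued with role claim";
});

// Constructed: same role claim, but on the visitor scheme's cookie.
// Passes "supporters" (the claim is there), fails "via-patreon" (wrong handler).
app.MapGet("/signin-visitor-with-role", async (HttpContext ctx) =>
{
    var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Role, "Patreon") }, "visitor");
    await ctx.SignInAsync("visitor", new ClaimsPrincipal(identity));
    return "visitor cookie issued with role claim";
});

app.MapGet("/supporters-only", (ClaimsPrincipal user) => $"hello {user.Identity?.Name ?? "anonymous"}")
   .RequireAuthorization("supporters");

app.MapGet("/patreon-scheme-only", (ClaimsPrincipal user) => $"hello {user.Identity?.Name ?? "anonymous"}")
   .RequireAuthorization("via-patreon");

app.Run();
```

Sign in with `/signin-visitor-with-role` and compare `/supporters-only` (200) with `/patreon-scheme-only` (challenge): a role only says what the identity claims about itself, while the scheme says which handler, and therefore which authentication method, produced it. Using a role to stand in for "came through Patreon" works only as long as nothing else can mint that role claim.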
It's an awesome video. But where can I get the example source code?
Via patreon
@@RawCoding Thank you!
HELP! When I put a sample into the DAW, the sample slides instead of moving in steps, how can I get the sample to move in steps?
?
I am getting Correlation failed error on Callback url. could you please shed some light on this? Thanks.
that is an issue with the correlation cookie, before you redirect to auth server that cookie is created and finally processed on the callback. This issue could arise if the cookie wasn't saved, or timed out, or app is restarted.
@@RawCoding o.CorrelationCookie.SameSite = SameSiteMode.Unspecified; this fixes the correlation error at least on .NET 7
I like your content. I guess if you provide a paid course like your c# programming course - maybe a 'Auth/Cookie/etc. demystified'-course with some more background information, you can become a (hopefully well paid) hero :)
Maybe at some point in the future, currently too busy
@@RawCoding you know what it means in real (programmer’s) life to say "I'll do it later..." 😁
Thank god I’m not a real programmer
YouTube videos are just fine, don't need a whole course on it man.
thanks
Cool
Holy fuck I understand now
What happened to your hair LMAO
mans went from Jesus of code to the Chad of .Net
@@daumisss54 this is the most accurate description, hands down
This is all well and good, but this is the typical MSFT BS that is convoluted and overly complex. You have to understand how different AuthN schemes work, then figure out how to express it in .NET with these interdependent options with no clear associations.
What's a better alternative? I think it's not that bad.
There is a problem: after setting the authentication redirection to external-patreon, the settings set the return point /cb-patreon, which will return a string of user data, but you do not have this endpoint in the example, so it gets an error and the cookie-patreon is not created.
You also have to specify the following at least with .NET 7.0.101:
o.CorrelationCookie.SameSite = SameSiteMode.Unspecified;
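Both the missing-endpoint report and the two correlation-cookie replies (here and further up the thread) come down to how the OAuth handler owns the callback route. The added example below (not code from the video or from any commenter) registers an "external-patreon" OAuth scheme that signs in to the "patreon" cookie, sets `CallbackPath = "/cb-patreon"` without mapping any endpoint for it, and sets the correlation cookie's SameSite as the commenters suggest. The client id, secret and endpoint URLs are placeholders, and the explanation of the default SameSite behaviour in the comments is my understanding of the handler, not something the thread states.

```csharp
using Microsoft.AspNetCore.Authentication;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("patreon")
    .AddCookie("patreon", o => o.Cookie.Name = "patreon")
    .AddOAuth("external-patreon", o =>
    {
        // Where the outcome of the external round trip is persisted once the handler is done.
        o.SignInScheme = "patreon";

        // Placeholders: real values come from the provider's developer portal, never from source.
        o.ClientId = "CLIENT-ID-PLACEHOLDER";
        o.ClientSecret = "CLIENT-SECRET-PLACEHOLDER";
        // Constructed endpoints for the example, not the provider's real ones.
        o.AuthorizationEndpoint = "https://auth.example/oauth/authorize";
        o.TokenEndpoint = "https://auth.example/oauth/token";

        // Callback path vs return URL: no MapGet exists for /cb-patreon. The OAuth handler
        // claims this route itself, validates state, exchanges the code, signs in to the
        // SignInScheme, and then redirects to the RedirectUri given at challenge time.
        o.CallbackPath = "/cb-patreon";

        // Correlation: before redirecting out, the handler writes a correlation cookie and puts
        // the matching value into the "state" parameter; on /cb-patreon both must agree or you
        // get "Correlation failed". The handler's default for this cookie is SameSite=None, which
        // browsers only keep together with Secure, so on plain http the cookie is dropped and the
        // check fails. Unspecified omits the attribute (the workaround from the thread); serving
        // the app over HTTPS lets you keep the default instead.
        o.CorrelationCookie.SameSite = SameSiteMode.Unspecified;
        o.CorrelationCookie.HttpOnly = true;
    });

var app = builder.Build();
app.UseAuthentication();

// Start the external login. RedirectUri is where the user lands after the handler has finished
// with /cb-patreon: this is the "/" return URL, and it is a separate thing from CallbackPath.
app.MapGet("/login-patreon", (HttpContext ctx) =>
    ctx.ChallengeAsync("external-patreon", new AuthenticationProperties { RedirectUri = "/" }));

app.MapGet("/", async (HttpContext ctx) =>
{
    var result = await ctx.AuthenticateAsync("patreon");
    return result.Succeeded ? "patreon cookie present" : "not signed in";
});

app.Run();
```

If `/cb-patreon` returns a 404 or your own JSON instead of completing the sign-in, check that the path in `CallbackPath` matches the redirect URI registered with the provider exactly and that nothing upstream of `UseAuthentication()` handles the route; if it reports "Correlation failed", look at whether the correlation cookie was actually stored by the browser on the way out (scheme, SameSite, Secure), survived until the callback, and was not lost to an app restart with non-persisted data-protection keys.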
Wow this is an amazing tutorial, where is the documentation for this on docs.microsoft? docs.microsoft is lacking at explaining these.