[46:12] VIDEO-SUMMARY Introduction to MVC - Lesson 7 - Authentication - by Jon Galloway and Christopher Harrison of Microsoft - introduction to Authentication
<h1 style="text-align: center;">Introduction to MVC</h1>
<h2 style="text-align: center;">Lesson 7 - Authentication</h2>
<h2>[WHAT]</h2>
<ol>
<li>] VIDEO SUMMARY - notes on this lesson, which explains what authentication is and how you can use it to develop secure web sites</li>
</ol>
<h2>[WHY]</h2>
<ol>
<li>] </li>
</ol>
<h2>[WHERE]</h2>
<ol>
<li><strong>] WATCH THE FULL VIDEO</strong>
<ol>
<li>] <a href="https://www.microsoftvirtualacademy.com/en-US/training-courses/introduction-to-asp-net-mvc-8322" target="_blank">Microsoft MVC intro</a> - Lesson 7 - Authentication - by Microsoft's <a href="/view/person?id=347" target="_blank">Jon Galloway</a> and Christopher Harrison</li>
</ol>
</li>
</ol>
<h2>[WHEN]</h2>
<ol>
<li>] 2014-06-24 - produced</li>
</ol>
<h2>[EXAMPLE]</h2>
<ol>
<li><strong>[00:00] Authentication</strong>
<ol>
<li>] ASP.NET Identity overview</li>
<li>] individual user accounts - anything you're storing in</li>
<li>] identity extensibility</li>
<li>] federated accounts</li>
</ol>
</li>
<li><strong>[00:00] history</strong>
<ol>
<li>] ASP.NET 1.1 - N/A - write your own security</li>
<li>] ASP.NET 2.0 - 2005 - a big update, worked well for a long time, a few cracks - assumed you had users with usernames and passwords, no concept of social logins</li>
<li>] ASP.NET MVC 4 - Simple Membership - wasn't extensible, wasn't unit testable</li>
<li>] ASP.NET 4/4.5 - universal providers</li>
<li>] ASP.NET MVC 5 - one ASP.NET Identity - designed to solve all problems; still needs to support username/password, extensible, testable, work with Web Forms, Web API, SignalR, MVC, ...</li>
</ol>
</li>
<li><strong>[04:00] one ASP.NET Identity FEATURES</strong>
<ol>
<li>] ease of plugging in profile data about the user - was hard work previously</li>
<li>] persistence control - store the data where you want</li>
<li>] unit testability -</li>
<li>] role provider - is this user an admin? yes or no</li>
<li>] claims based - claim example "email addresses": provide a list of email addresses; claims are a superset of roles</li>
<li>] social login provider -</li>
<li>] Windows Azure Active Directory - works with</li>
<li>] OWIN integration -</li>
<li>] NuGet package -</li>
</ol>
</li>
<li><strong>[06:00] Identities and Scenarios</strong>
<ol>
<li>] illustration - options</li>
<li>] individual user accounts - the default choice</li>
<li>] OPTION Change Authentication - is in the NEW project dialog box; if using Windows auth or Active Directory you will need to specify server settings</li>
</ol>
</li>
<li><strong>[08:00] terminology</strong>
<ol>
<li>] identity / credentials -</li>
<li>] authentication / authorization - authentication is who you are, authorization is what you are authorized to do (admin, user, editor, ...)</li>
<li>] roles / claims - roles have been around, claims are new; claims give you the ability to move beyond roles, and they also work well with social logins</li>
<li>] 2 Factor Authentication (2FA) - idea of logging into a site, then entering a second factor, like a code the site sends by SMS to your phone</li>
<li>] Passive / Active protocols -</li>
</ol>
</li>
<li><strong>[11:30] new in Identity 2.0</strong>
<ol>
<li>] 2FA -</li>
<li>] account lockout - too many login attempts will lock out the account for a period of time; prevents brute force attacks on passwords</li>
<li>] account confirmation - I log in, enter email, it sends me an email, click the link to verify</li>
<li>] password reset -</li>
<li>] sign out everywhere -</li>
<li>] enhanced password validator -</li>
<li>] IQueryable for users and roles -</li>
<li>*] updates are being shipped rapidly to build on this foundation</li>
</ol>
</li>
<li><strong>[13:30] DEMO -</strong>
<ol>
<li>] StartupAuth.cs - is the class that contains ...</li>
<li>] adding an Attribute to a Method or Controller, in class AlbumsController</li>
<li>] example [Authorize()]</li>
<li>] demos - requiring authentication and where things are happening</li>
<li>] Startup.cs -</li>
<li>] AlbumController - your controller; you add the Authorize attribute to methods which require authorization (Create, Edit, ...)</li>
<li>] AccountController</li>
<li>] StartupAuth.cs -</li>
<li>*] default implementation looks for a relatively complex password (letters, numbers, special characters, length)</li>
<li>*] if you are modifying the default implementation, BE CAREFUL - there is a lot of code that does stuff, important stuff</li>
</ol>
</li>
<li><strong>[19:30] ASP.NET Identity and External Providers</strong>
<ol>
<li>] why force users to create another username and password - this is becoming more tedious to more users; why NOT just let users use an existing account</li>
<li>] this benefits the developer as well</li>
<li>] typically all you need is to associate a "login" with a person</li>
<li>] AND you - don't have to safeguard their information, password + username, ] ...</li>
<li>] can be beneficial to store as little as possible</li>
<li>] ASP.NET supports external social providers (Microsoft, Google, Facebook, Twitter)</li>
<li>] pluggable - using OWIN middleware</li>
<li>] supports storing additional user information</li>
<li>*] Keep In Mind that a single user can have multiple identities (Facebook, Google, ...); doesn't matter, can log in with any</li>
<li>+] REFERENCE - Rick Anderson blog post on using ASP.NET Identity - <a href="http://www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on#goog" target="_blank">code walkthrough</a></li>
<li>] more information</li>
</ol>
</li>
<li><strong>[24:00] DEMO - ASP.NET Identity - external provider</strong>
<ol>
<li>] many external providers require SSL</li>
<li>] which authenticates the server (it is who it says it is)</li>
<li>+] REFERENCE troyhunt.com - writes good blog posts about security - <a href="http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html" target="_blank">including SSL</a></li>
<li><strong>[HOW TO]</strong></li>
<li>] enable SSL in project properties - this creates a self-signed local certificate</li>
<li>] the SSL URL for the site is different from the standard URL</li>
<li>] create an application at the external provider (Facebook/Google/...)</li>
<li>] provider gives you an OAuth ] app ID and a ] secret (your app's login credentials)</li>
<li>] in the StartupAuth.cs class, uncomment the existing code for Facebook login, add your own "app id" and "app secret" values</li>
<li><span style="background-color: #ff0000;">[IMPORTANT] if you're checking your code into a PUBLIC repository like github.com OR ..., be SURE TO REMOVE the above values</span></li>
<li>] using microsoft.com apps won't allow you to use localhost, BUT there is a workaround</li>
<li>+] REFERENCE - <a href="http://readme.localtest.me" target="_blank">http://readme.localtest.me</a> - you create a URL, something.localtest.me, they map it to localhost; solves the Microsoft problem</li>
</ol>
</li>
<li><strong>[33:30] identity extensibility</strong>
<ol>
<li>] class IdentityModel.cs was created</li>
<li>] if you want to track additional info about your user</li>
<li>] add properties, example - birthday</li>
<li>] public DateTime Birthday {get; set;}</li>
<li>] ....</li>
<li>] showing the database where data is stored: NO password stored, not even a hash, when using an external provider</li>
<li>+] REFERENCE - there are a lot of additional samples on GitHub, also in NuGet</li>
</ol>
</li>
<li><strong>[39:00] use NuGet package</strong>
<ol>
<li>] to Microsoft ASP.NET Identity Samples</li>
</ol>
</li>
<li><strong>[43:00] federated accounts</strong>
<ol>
<li>] YES - there is support for this</li>
<li>] Active Directory (AD)</li>
<li>] Azure Active Directory (AAD)</li>
<li>+] REF = <a href="http://asp.net/identity">http://asp.net/identity</a></li>
</ol>
</li>
<li><strong>[43:00] review and @mention</strong>
<ol>
<li>] ? = use 2FA with external providers: you can do this, the external provider is the one who will do the 2 factor authentication, you can't initiate it</li>
<li>] identity - what it does</li>
<li>] individual user accounts -</li>
<li>] where it's configured</li>
<li>] social authentication - a few steps on the Facebook side, uncommented 3 lines of code in the project</li>
<li>] point is - as simple as SimpleMembership but you can take it wherever you want</li>
</ol>
</li>
</ol>
<h2>[HOW-TO]</h2>
<ol>
<li>] # 5050 - my project - guide to ASP.NET - MVC
<ol>
<li>] # # -</li>
</ol>
</li>
</ol>
<h2>[REFERENCE]</h2>
<ol>
<li>] <a href="/view/task?id=5359" target="_blank"># 5359 - overview series</a></li>
</ol>
<hr />
<h1 style="text-align: left;">quiz</h1>
<p style="text-align: left;">status pre quiz = 87% complete, quiz, post quiz = 96 % complete</p>
<p style="text-align: left;">Which features were introduced in Identity 2.0? Choose all that apply.<br />Which two statements about ASP.NET Identity are true?<br />ASP.NET Identity supports Web Forms and MVC applications.</p>
<p style="text-align: left;">Which statement describes Simple Membership?<br />A. Simple Membership supports SignalR<br />B. Simple Membership is extensible.<br />C. Simple Membership supports social login.<br />D. Simple Membership supports unit testing.</p>
<p style="text-align: left;">Which mechanism was introduced in ASP.NET 4.5?</p>
<p> - universal providers, identity, membership provider, simple memberships</p>
<p>results</p>
<p>4/5, PRB #5]</p>
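<p>Added example (not code from the course): how the MVC 5 "Individual User Accounts" template exposes the Identity 2.0 features listed at [11:30] (enhanced password validator, account lockout) and the [Authorize] usage demoed at [13:30]. It assumes the template's ApplicationUser and ApplicationDbContext classes exist; AlbumsController and the "Admin" role are assumptions.</p>

```csharp
// Added example (not the course's code). Assumes the MVC 5 template's ApplicationUser
// and ApplicationDbContext; AlbumsController and the "Admin" role are assumptions.
using System;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store) { }

    // Registered in Startup.Auth.cs via app.CreatePerOwinContext; OWIN calls it per request.
    public static ApplicationUserManager Create(
        IdentityFactoryOptions<ApplicationUserManager> options, IOwinContext context)
    {
        var manager = new ApplicationUserManager(
            new UserStore<ApplicationUser>(context.Get<ApplicationDbContext>()));
        // "enhanced password validator": the relatively complex default the video warns about.
        // Weakening it is a deliberate decision; keep it explicit and reviewed.
        manager.PasswordValidator = new PasswordValidator
        {
            RequiredLength = 6,
            RequireNonLetterOrDigit = true,
            RequireDigit = true,
            RequireLowercase = true,
            RequireUppercase = true
        };
        // "account lockout": five wrong passwords lock the account for five minutes,
        // which blunts online brute-force guessing without locking users out for good.
        manager.UserLockoutEnabledByDefault = true;
        manager.DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(5);
        manager.MaxFailedAccessAttemptsBeforeLockout = 5;
        return manager;
    }
}

// Controller-level [Authorize] makes every action require a signed-in user; [AllowAnonymous]
// opens the read-only action back up, so a newly added action is protected by default.
[Authorize]
public class AlbumsController : Controller
{
    [AllowAnonymous]
    public ActionResult Index() { return View(); }
    public ActionResult Create() { return View(); }    // any authenticated user
    [Authorize(Roles = "Admin")]                      // the "is this user an admin?" check
    public ActionResult Edit(int id) { return View(); }
}
```

<p>Lockout only counts failed logins when AccountController.Login calls PasswordSignInAsync with shouldLockout: true; the template ships that call with shouldLockout: false, so check it before relying on the feature.</p>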
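<p>Added example (not code from the course): Startup.Auth.cs as the [24:00] demo configures it, but with the provider app id/secret read from appSettings instead of being pasted into source, which is how the [IMPORTANT] note above (never commit those values) is satisfied in practice. The appSettings key names are assumptions; ApplicationDbContext and ApplicationUserManager are the MVC 5 template's classes.</p>

```csharp
// Added example (not the course's code): Startup.Auth.cs as the [24:00] demo configures it,
// but reading provider credentials from appSettings instead of pasting them into source.
// The appSettings key names are assumptions; ApplicationDbContext/ApplicationUserManager
// are the MVC 5 template's classes.
using System.Configuration;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.Google;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // Per-request DbContext and UserManager, exactly as the template registers them.
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // The cookie that represents a signed-in individual user account.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
        // Short-lived cookie holding the external provider's claims until the
        // login is linked to a local account (AccountController.ExternalLoginCallback).
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // The demo uncomments these lines and pastes the app id/secret in literally.
        // Pulling them from configuration keeps them out of the repository.
        app.UseFacebookAuthentication(
            appId: RequiredSetting("FacebookAppId"),
            appSecret: RequiredSetting("FacebookAppSecret"));
        app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
        {
            ClientId = RequiredSetting("GoogleClientId"),
            ClientSecret = RequiredSetting("GoogleClientSecret")
        });
    }

    // Fail at startup rather than silently registering a provider with empty credentials.
    private static string RequiredSetting(string key)
    {
        var value = ConfigurationManager.AppSettings[key];
        if (string.IsNullOrWhiteSpace(value))
            throw new ConfigurationErrorsException("Missing appSetting '" + key + "'");
        return value;
    }
}
```

<p>Keep the actual values in a git-ignored file pulled in with <code>&lt;appSettings file="secrets.config"&gt;</code> in web.config, or set them at deploy time; either way the repository never contains them.</p>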
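<p>Added example (not code from the course): IdentityModels.cs extended as in the [33:30] segment, with the Birthday property also surfaced as a claim on the sign-in cookie, which ties the extensibility demo to the roles vs claims point at [08:00]. Class names follow the MVC 5 template; the claim type URI and the GetBirthday helper are assumptions.</p>

```csharp
// Added example (not the course's code): IdentityModels.cs extended as in the [33:30]
// segment, with the Birthday property also surfaced as a claim (the [08:00] roles vs
// claims point). Class names follow the MVC 5 template; the claim type URI is an assumption.
using System;
using System.Globalization;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApplicationUser : IdentityUser
{
    // Extra profile data: Entity Framework adds this as a column on AspNetUsers.
    // Nullable: external-provider users never set it, just as their PasswordHash column stays null.
    public DateTime? Birthday { get; set; }

    public async Task<ClaimsIdentity> GenerateUserIdentityAsync(UserManager<ApplicationUser> manager)
    {
        // authenticationType must match CookieAuthenticationOptions.AuthenticationType in Startup.Auth.cs
        var identity = await manager.CreateIdentityAsync(this, DefaultAuthenticationTypes.ApplicationCookie);
        if (Birthday.HasValue)
            identity.AddClaim(new Claim(BirthdayClaim.Type, Birthday.Value.ToString("yyyy-MM-dd")));
        return identity;
    }
}

public class ApplicationDbContext : IdentityDbContext<ApplicationUser>
{
    // "DefaultConnection" is the template's connection string name in web.config.
    public ApplicationDbContext() : base("DefaultConnection", throwIfV1Schema: false) { }
    public static ApplicationDbContext Create() { return new ApplicationDbContext(); }
}

// Reading the claim back from the signed-in principal, e.g. User.GetBirthday() in a controller.
public static class BirthdayClaim
{
    public const string Type = "urn:example:birthday";   // assumed, app-specific claim type

    public static DateTime? GetBirthday(this IPrincipal user)
    {
        var identity = user.Identity as ClaimsIdentity;
        var claim = identity == null ? null : identity.FindFirst(Type);
        DateTime value;
        if (claim != null && DateTime.TryParseExact(claim.Value, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out value))
            return value;
        return null;
    }
}
```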