ID/Title: 4588, introduction-MVC-lesson-7
Description Article:
[46:12]VIDEO-SUMMARY Introduction to MVC - Lesson 7 - Authentication - by Jon Galloway and Christopher Harrison of Microsoft - introduction to Authentication
Library:
technology-developer-www/asp.net/ch-100-introduction-to-MVC
Photo FileName:
intro-mvc-1.PNG
Created:
2015-07-12-13:25:29
<h1 style="text-align: center;">Introduction to MVC</h1>
<h2 style="text-align: center;">Lesson 7 - Authentication</h2>
<h2>[WHAT]</h2>
<ol> <li>] VIDEO SUMMARY - notes on this lesson, which explains what authentication is and how you can use it to develop secure web sites</li> </ol>
<h2>[WHY]</h2>
<ol> <li>] </li> </ol>
<h2>[WHERE]</h2>
<ol> <li><strong>] WATCH THE FULL VIDEO</strong></li> <ol> <li> <div class="inlineBlock overview-tab-headers semi-bold" title="Basics of MVC and the Moving Parts" data-bind="html: title(), attr: { 'title': title() }">] <a href="https://www.microsoftvirtualacademy.com/en-US/training-courses/introduction-to-asp-net-mvc-8322" target="_blank">Microsoft MVC intro</a> - Lesson 7 - Authentication - by Microsoft's <a href="/view/person?id=347" target="_blank">Jon Galloway</a> and Christopher Harrison</div> </li> </ol></ol>
<h2>[WHEN]</h2>
<ol> <li>] 2014-06-24 - produced</li> </ol>
<h2>[EXAMPLE]</h2>
<ol>
<li><strong>[00:00] Authentication</strong></li>
<ol> <li>] ASP.NET Identity overview</li> <li>] individual user accounts - anything you're storing in</li> <li>] identity extensibility</li> <li>] federated accounts</li> </ol>
<li><strong>[00:00] history </strong></li>
<ol> <li>] ASP.NET 1.1 - N/A - write your own security</li> <li>] ASP.NET 2.0 - 2005 - a big update, worked well for a long time, a few cracks - assumed you had users with usernames and passwords, no concept of social logins</li> <li>] ASP.NET MVC 4 - simple membership - wasn't extensible, wasn't unit testable</li> <li>] ASP.NET 4/4.5 - universal providers</li> <li>] ASP.NET MVC 5 - one ASP.NET Identity - designed to solve all problems, still needs to support username/password, extensible, testable, works with Web Forms, API, SignalR, MVC, ...</li> </ol>
<li><strong>[04:00] one ASP.NET Identity FEATURES</strong></li>
<ol> <li>] ease of plugging in profile data about the user - was hard work previously</li> <li>] persistence control - store the data where you want</li> <li>] unit testability -</li> <li>] 
role provider - is this user an admin? yes or no</li> <li>] claims based - claim example: "email addresses", provides a list of email addresses; a superset of roles</li> <li>] social login provider -</li> <li>] Windows Azure Active Directory - works with</li> <li>] OWIN integration -</li> <li>] NuGet package -</li> </ol>
<li><strong>[06:00] Identities and Scenarios</strong></li>
<ol> <li>] illustration - options</li> <li>] individual user accounts - the default choice</li> <li>] OPTION Change Authentication - is in the New Project dialog box; if using Windows auth or Active Directory you will need to specify server settings</li> </ol>
<li><strong>[08:00] terminology</strong></li>
<ol> <li>] identity / credentials -</li> <li>] authentication / authorization - authentication is who you are, authorization is what you are authorized to do (admin, user, editor, ...)</li> <li>] roles / claims - roles have been around, claims are new; claims give you the ability to move beyond roles, and they also work well with social logins</li> <li>] 2 Factor Authentication (2FA) - idea of logging into a site, then entering a second factor, such as a code sent by SMS to your phone</li> <li>] Passive / Active protocols - </li> </ol>
<li><strong>[11:30] new in Identity 2.0 </strong></li>
<ol> <li>] 2FA -</li> <li>] account lockout - too many login attempts will lock out the account for a period of time; prevents brute force attacks on the password</li> <li>] account confirmation - I log in, enter my email, it sends me an email, I click the link to verify</li> <li>] password reset -</li> <li>] sign out everywhere -</li> <li>] enhanced password validator -</li> <li>] IQueryable for users and roles -</li> <li>*] updates are being shipped rapidly to build on this foundation</li> </ol>
<li><strong>[13:30] DEMO - </strong></li>
<ol> <li>] Startup.Auth.cs - is the class that contains ...</li> <li>] adding an attribute to a method or controller, in class AlbumsController</li> <li>] example [Authorize()]</li> <li>] demos - requiring 
authentication and where things are happening</li> <li>] Startup.cs -</li> <li>] AlbumsController - your controller; you add the Authorize attribute to methods which require authorization (Create, Edit, )</li> <li>] AccountController</li> <li>] Startup.Auth.cs -</li> <li>*] default implementation looks for a relatively complex password (letters, numbers, special char, length)</li> <li>*] if you are modifying the default implementation, BE CAREFUL - there is a lot of code that does stuff, important stuff</li> </ol>
<li><strong>[19:30] ASP.NET Identity and External Providers</strong></li>
<ol> <li>] why force users to create another username and password - this is becoming more tedious to more users, why NOT just let users use an existing account</li> <li>] this benefits the developer as well</li> <li>] typically all you need is to associate a "login" with a person</li> <li>] AND you don't have to safeguard their information (password + username) ...</li> <li>] can be beneficial to store as little as possible</li> <li>] ASP.NET supports external social providers (Microsoft, Google, Facebook, Twitter)</li> <li>] pluggable - using OWIN middleware</li> <li>] supports storing additional user information</li> <li>*] Keep In Mind that a single user can have multiple identities (Facebook, Google, ...); it doesn't matter, they can log in with any</li> <li>+] REFERENCE - Rick Anderson blog post on using ASP.NET Identity - <a href="http://www.asp.net/mvc/overview/security/create-an-aspnet-mvc-5-app-with-facebook-and-google-oauth2-and-openid-sign-on#goog" target="_blank">code walkthrough</a></li> <li>] more information</li> </ol>
<li><strong>[24:00] DEMO - ASP.NET Identity - external provider</strong></li>
<ol> <li>] many external 
providers require SSL</li> <li>] which authenticates the server (it is who it says it is)</li> <li>+] REFERENCE troyhunt.com - writes good blog posts about security - <a href="http://www.troyhunt.com/2011/01/ssl-is-not-about-encryption.html" target="_blank">including SSL</a> </li> <li><strong>[HOW TO] </strong></li> <li>] enable SSL in project properties - this creates a self-signed local certificate</li> <li>] SSL URL for the site is different than the standard URL</li> <li>] create an application at the external provider (Facebook/Google/...)</li> <li>] provider gives you an OAuth app ID and a secret (your app's login credentials)</li> <li>] in the Startup.Auth.cs class, uncomment the existing code for Facebook login, add your own "app id" and "app secret" values</li> <li><span style="background-color: #ff0000;">[IMPORTANT] if you're checking your code into a PUBLIC repository like github.com OR ..., be SURE TO REMOVE the above values</span></li> <li>] Microsoft.com apps won't allow you to use localhost, BUT there is a workaround</li> <li>+] REFERENCE - <a href="http://readme.localtest.me" target="_blank">http://readme.localtest.me</a> - you create a URL, something.localtest.me, they map it to localhost, solves the Microsoft problem</li> </ol>
<li><strong>[33:30] identity extensibility </strong></li>
<ol> <li>] class IdentityModels.cs was created</li> <li>] if you want to track additional info about your user</li> <li>] add properties, example - birthday</li> <li>] public DateTime Birthday {get; set;}</li> <li>] ....</li> <li>] showing the database where data is stored, NO password stored, not even a hash when using external</li> <li>+] REFERENCE - there are a lot of additional samples on GitHub, also in NuGet </li> </ol>
<li><strong>[39:00] use NuGet package</strong></li>
<ol> <li> ] to Microsoft ASP.NET Identity Samples</li> </ol>
<li><strong>[43:00] federated accounts</strong></li>
<ol> <li>] YES - there is support for this</li> <li>] Active Directory (AD)</li> <li>] Azure Active Directory (AAD)</li> 
<li>+] REF = <a href="http://asp.net/identity">http://asp.net/identity</a></li> </ol>
<li><strong>[43:00] review and @mention</strong></li>
<ol> <li>] ? = use 2FA with external providers: you can do this, the external provider is the one who will do the 2 factor authentication, you can't initiate it</li> <li>] identity - what it does</li> <li>] individual user accounts -</li> <li>] where it's configured</li> <li>] social authentication - a few steps on the Facebook side, uncommented 3 lines of code in the project</li> <li>] point is - as simple as SimpleMembership but you can take it wherever you want</li> </ol></ol>
<h2>[HOW-TO]</h2>
<ol> <li>] # 5050 - my project - guide to ASP.NET - MVC</li> <ol> <li>] # # -</li> </ol></ol>
<h2>[REFERENCE]</h2>
<ol> <li>] <a href="/view/task?id=5359" target="_blank"># 5359 - overview series</a> </li> </ol><hr />
<h1 style="text-align: left;">quiz</h1>
<p style="text-align: left;">status pre quiz = 87% complete, quiz, post quiz = 96 % complete</p>
<p style="text-align: left;"> <br />Which features were introduced in Identity 2.0? Choose all that apply.<br />Which two statements about ASP.NET Identity are true?<br />ASP.NET Identity supports Web Forms and MVC applications.</p>
<p style="text-align: left;">Which statement describes Simple Membership?<br />A. Simple Membership supports SignalR<br />B. Simple Membership is extensible.<br />C. Simple Membership supports social login.<br />D. Simple Membership supports unit testing.</p>
<p style="text-align: left;">Which mechanism was introduced in ASP.NET 4.5?</p>
<p> - universal providers, identity, membership provider, simple memberships</p>
<p>results</p>
<p>4/5, PRB #5]</p>
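<p>Added example (not code from the video or from the project template): one way to follow the [IMPORTANT] note in the [24:00] external-provider demo, so the Facebook app ID and secret are read at startup and never sit in a committed source file. The namespace, the appSettings key names and the helper <code>RequireSetting</code> are assumptions; it expects an MVC 5 project with the Microsoft.AspNet.Identity.Owin and Microsoft.Owin.Security.Facebook NuGet packages installed.</p>

```csharp
using System.Configuration;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

namespace MvcDemo // hypothetical project namespace
{
    public partial class Startup
    {
        // OWIN auth pipeline: application cookie, external sign-in cookie, Facebook.
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/Account/Login")
            });
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

            // Key names are assumptions. Keep the real values out of the
            // committed Web.config: the <appSettings> element's "file"
            // attribute can point at a settings file that lives outside the
            // repository (or is git-ignored), and hosting platforms can
            // supply the same keys as application settings.
            string appId = RequireSetting("Facebook:AppId");
            string appSecret = RequireSetting("Facebook:AppSecret");

            app.UseFacebookAuthentication(appId: appId, appSecret: appSecret);
        }

        // Fail at startup with a clear message instead of running with an
        // empty credential (hypothetical helper, not part of the template).
        private static string RequireSetting(string key)
        {
            string value = ConfigurationManager.AppSettings[key];
            if (string.IsNullOrWhiteSpace(value))
            {
                throw new ConfigurationErrorsException(
                    "Missing appSetting '" + key + "'; supply it outside source control.");
            }
            return value;
        }
    }
}
```

<p>If a secret was ever committed, removing it in a later commit does not remove it from history; regenerate the app secret at the provider.</p>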
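<p>Added example (not code from the video or from the project template): the Identity 2.0 account lockout and password validator settings from the [11:30] and [13:30] notes, together with the sign-in call that makes lockout take effect. The threshold values, the constructor-injected <code>SignInManager</code> (which needs a dependency injection container), and the view and action names are assumptions.</p>

```csharp
using System;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;

public class ApplicationUser : IdentityUser { }

public class ApplicationUserManager : UserManager<ApplicationUser>
{
    public ApplicationUserManager(IUserStore<ApplicationUser> store) : base(store)
    {
        // Password policy (values are assumptions; set them to your own policy).
        PasswordValidator = new PasswordValidator
        {
            RequiredLength = 10,
            RequireNonLetterOrDigit = true,
            RequireDigit = true,
            RequireLowercase = true,
            RequireUppercase = true
        };
        // Lockout: 5 wrong passwords lock the account for 15 minutes.
        UserLockoutEnabledByDefault = true;
        MaxFailedAccessAttemptsBeforeLockout = 5;
        DefaultAccountLockoutTimeSpan = TimeSpan.FromMinutes(15);
    }
}

[Authorize] // every action requires a signed-in user unless marked [AllowAnonymous]
public class AccountController : Controller
{
    private readonly SignInManager<ApplicationUser, string> _signIn;
    public AccountController(SignInManager<ApplicationUser, string> signIn) { _signIn = signIn; }

    [HttpPost, AllowAnonymous, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string email, string password, bool rememberMe)
    {
        // shouldLockout: true counts this failure toward the threshold above;
        // with false, wrong passwords never trigger the lockout settings.
        var result = await _signIn.PasswordSignInAsync(email, password, rememberMe, shouldLockout: true);
        switch (result)
        {
            case SignInStatus.Success: return RedirectToAction("Index", "Home");
            case SignInStatus.LockedOut: return View("Lockout");
            default: // same message for unknown user and wrong password
                ModelState.AddModelError("", "Invalid login attempt.");
                return View();
        }
    }
}
```

<p>Check the Login action in your own generated AccountController: if its <code>PasswordSignInAsync</code> call passes <code>shouldLockout: false</code>, failed passwords are not counted and the lockout settings have no effect on password guessing.</p>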