Customizing ASP.NET Authentication with Identity: (01) Overview of Identity

Sign in to queue

Description

Learn the history of the membership/identity systems in ASP.NET. Get the details on what the new ASP.NET Identity system brings to the table, and see an overview.

  • [03:45] - What is ASP.NET Identity?
  • [10:45] - A history lesson
  • [13:23] - Architecture of ASP.NET Identity
  • [28:48] - Demo: Web Template Walkthrough

Embed

Download

Download this episode

Download captions

The Discussion

  • User profile image
    Adam Tuliper

    Winslow, we could be totally dry and bland :)
    What specifically would you have liked to see more in Identity? Feedback so far has been pretty positive, curious where you felt it was lacking?

  • User profile image
    liammcmullen

    To be fair to these two guys - they do a really first rate job of putting this new version of identity into context in a fairly straightforward way. I've just looked at the first video and it clears up a few  things for me around Usermanager and SigninManager.  

  • User profile image
    LukePuplett

    I disagree with Winslow, the presenters are just being friendly, and they are.

    For the record, I'm thankful for these videos, they're really helping to unravel the mountains of generated junk I now have to try and rework in my new site - no one just starts using templates without making it conform to the ways of your team.

    I've never before started an MVC project and then immediately needed to take the day off to watch several videos about all the crap in the template.

    I have a general rant here about that:

    http://forums.asp.net/p/2032663/5852431.aspx?ASP+NET+MVC+5+Template+Project+with+Owin+and+OAuth+and+EF+is+too+complicated

    But specifically about this video, I would really warn against taking the view that "magic" will mean we don't need to know anything.

    Quote: "This is just template code, you don't necessarily have to understand what's going on here."

    Man. I need to know what that code is doing. Also, it's why I'm watching this video. It's this thinking that's left the template with such a lack of comments, both proper XML comments and tons of prose about what's going on and why. Who reviewed this template?

    Please stop being happy about framework magic. It makes us stupid and its not discoverable.

    Also, you don't explain Owin within the context of IIS. Although I've followed Owin and Katana for a while, I was under the impression that Owin was an alternative pipeline that was only used when not on IIS. I guess at some point, we have to move across. Are we running two pipelines now? What's the deal? If this is new and the future, and its so important for auth, then it needs more focus.

    I think you needed to spend a bit more time in the opening minutes on comparing the old world with the new. How Owin is exposed to and permeates an MVC 5 application today.

    There are some odd things going on in the template (no comments of course) like in the ChallengeResult, where it's seemingly having to communicate a response to two pipelines; it reaches down to Owin to send a Challenge and then also returns a traditional response message. It's odd.

    I'm sorry to sound so down, but we have to continually keep up with changes across the entire breadth of the .NET stack, plus Azure (OMG Azure is so huge so fast), JS, HTML, as well as deliver code, pretend we like the latest coding fad, learn an existing codebase, and keep abreast of change in the industry sectors we work in, its very hard work.

    Thank you for the video.

  • User profile image
    LukePuplett

    I have some more feedback, you're welcome :)

    The ApplicationUserManager.Create method. You fail to firstly mention that its a factory method for the class and to discuss the arguments being sent in, what the options are needed for.

    The method also news-up its own UserStore instance, which is confusing because I thought the UserStore was the dependency seam, so I'd have expected it to be passed in: you explained that a UserManager does CRUD on users via UserStore which is a repository (though you didn't use that recognisable term). So I'd have thought it would be parameter injected.

    You also talk about the defaults being set in code, as opposed to config file, but you say its better because config files are not compiled-in. Which is the whole point and benefit of config files. This code is not production ready but instead of highlighting that, you pretend its better its better to have to recompile and redeploy an app to change some settings.

  • User profile image
    Ian_Robinson

    Having experience in ASP.Net MVC and having used the membership stuff before, I found this video very useful.  A good introduction on where we were years ago, where we are now, and what Identity is capable of.  I expected an overview and I didn't expect every aspect of Identity to be explained to me, and this is exactly what this video does.  Thanks guys.  Looking forward to watching the rest in this series.

  • User profile image
    Manish

    This is second JumpStart video I watched, and I rate this 9/10. It tells everything I wanted to know and more, it also does cover a brief overview of untouched corners like 2FA, facebook, twitter integration, claims and how they are stored, little on various ways to store userinfo. I like it. Also liked Adam guy who was asking some really simple and insightful questions. Thanks to you both. I disagree with Winslow above who seem to have criticized without coming up with a reason as to why?

  • User profile image
    JKhalaf

    Disagree with Winslow. I thought it was a good intro. Off to watch the next video in the series. 

  • User profile image
    Ashutosh Singh

    Really great session, giving insight into the ground level details of the identity system.
    Enables you to answer where this class or object is coming from and so on.

  • User profile image
    amirza10

    Such a great and well explained tutorial..

    yup i disagreed with Winslow

  • User profile image
    amityksharma

    Thank so much.

    In my project Web API It was implemented now I got it correctly

    Again thanks Channel 9  

  • User profile image
    HUGHESIE

    @Adam Tuliper: Hi Adam, great videos!  Was there a way to download the demo's used in the videos.

  • User profile image
    John

    You guys are likable but there are so many little pieces that could be better. You could make things a lot clearer by simply adding words like "on your (web)site" to describe specifically where you want someone to focus. For instance, in video 2 when you're talking about going to /Account/some bogus path and you won't be authorized, it took me a minute to figure out what you're actually talking about because you started typing in the model or wherever. I didn't know you meant on the site, until I saw you hi-lite the /Account/Login path in the comments section later.

    The other dude is likable, but get rid of him, he's simply distracting at the exact wrong moments and not adding a lot of useful info.

    Your vocabulary is failing you in a lot of ways too. For instance, in video 2 you couldn't spit out SQL Object Explorer. So, I had to skip back and pause the video to figure out what that was. Not only that (and this is not on you), I had to skip back to even figure out how to get to it...as it's not really apparent, even though I've done it several times now. The option always seems to disappear. I must have skipped back, forth and paused your video 50 times. These are just a couple of the numerous cases that make these videos good and not great. I think 3.5 stars is a fair assessment.

    As far as Identity though, it's not very impressive from where I'm sitting. Microsoft is pushing unnecessary new products every year or two, and this is all that's been done in years for this type of thing? Seems like baby steps. As a developer, and not a very good one, I'm having trouble getting from making tables on a page to the next level. Everything is either incredibly easy now...or incredibly over my head. There is no middle ground. Either the uber-geeks are blowing my mind, or someone is showing me how to create a new project and db again and get data to a table for the millionth time. I've watched training videos, read manuals, endless google searches and nothing seems to bridge the gap that isn't full of hot air and/or cryptic. It also seems every way is not the right way to do something. It's just incredibly frustrating for the novice/intermediate programmer. If you guys can figure out how to tie the simple stuff to the more advanced stuff, you'll be on to something (and I'm not talking about a manual with 70% filler material and 30% substance). As it stands, Identity just looks like something I'll learn today and forget the commands tomorrow. It's really not intuitive, my best hope is that I'll simply remember the concept and a crafty google search will remind me how to do all that stuff. For something this important, it should have it's own tool or whatever, not go here, go there, do this, do that, type this, type that, etc etc...and wala! we renamed a table. Boooooo! ... or here are the 10 steps to add a custom field... Boooo!!! It's just clunky at best.

    Why is there no tool to migrate from SimpleMembership to Identity? ..or why is there no tool to add Identity to your current project (one that generates the tables and necessary code)? ...Again, there's not a lot of good blogs out there either on how to do this. Seems to me, in an ideal world, I should just click a button and boom, my new tables are generated and the controllers and models are upgraded too in whatever project I'm working in, leaving my old tables and code to delete at a later time... I realize the people have probably had to drastically customize Simplemembership because it's really not good, but why not just give me an option to get the basic tables, etc to get everything started in my current project? Instead, I have to create a new project, script those tables and copy the controllers over, etc..

    Today when I was trying to set all this up, it was never apparent to me that creating the first user "on your project website" in a "new project." is what generates the user tables in the db for Identity. Why wait to generate the tables? It just seems like this is a practical joke. I must have wasted an hour or more messing around with that trying to figure out why there were no tables I could script to put in my other project. Unbelievable. If it's not the information gap, it's weird little version conflicts and bizarre behaviors like this that just makes you want to smash your face on the desk.

    Anyway, I will say there was a lot of good info in this video though once I really dissected the parts I needed, but I think it's sad that I'm having to use this as a tutorial rather than it appearing to simply be an overview.

  • User profile image
    wuyuhu

    Can I have the video with Chinese subtitles?

  • User profile image
    NLopeDe​Barrios

    @John: I have to say I totally agree with you. Thank you for taking the time to write such remarkable insight about the video.

    To the authors, I've been developing with Visual Studio LightSwitch for the past 2 years and I love to see a tutorial on how to migrate from that (it uses the good old ASP.NET Membership) to Identity, considering there are tons of auto-generated code and a custom login page (HTML client) with the code behind hidden to the developer.

  • User profile image
    DanielGale

    I have Visual Studio Ultimate 2013 but when I create the same MVC project I do not have any of the ApplicationSignInManger code. Is there another template or way to include this code when creating a new project?

  • User profile image
    JasonDev

    Just wanted to say I really appreciate the videos and they are very helpful.

    Thanks!

    Jason

  • User profile image
    Danny Fardy Jhonston B

    Well, i'd like to share the second part of this session:
    https://channel9.msdn.com/Series/Customizing-ASPNET-Authentication-with-Identity/02

    Thanks.

  • User profile image
    David R

    VERY helpful. Implementating now and enjoyed seeing/hearing a different/better take on the fundamentals that were occuring. All good!

  • User profile image
    Bob Letts

    Very good. I liked this video. I am searching for more revelations so I can learn more quickly.

  • User profile image
    PaulAnthony

    @lukePuplett, agree with your comments and it seems that developers are having to spend about 20 hours per week just reading up on stuff just to keep afloat.

    I often wonder if MS just make stuff because they can.

    A couple years back you could watch REAL video tutorials
    over on the on ASP.NET website and it all made beautiful sense, ok so the presenters didn't win any prizes for being 'Glam'(no hair gel or designer stubble) but delivery was good and content pertinent.

    Sadly that content is now outdated, so we are left with choices:
    either bash on with the old and get left behind or read up on mountains of stuff while your productivity levels fall back to a slow idle.

    Thanks for reading

  • User profile image
    HackerFerret

    Hey guys thanks for the help. I appreciate what you guys are doing (witty banter and all). Please keep up the good work. 

  • User profile image
    Ibrahim

    Its odd that Identity is a claims based system yet demo of claims were not done.

  • User profile image
    Isak84

    Thanks for making this video.

    I stumbled upon an error. I followed your example and created a new MVC project. Then I launched the project i Chrome, and clicked on register user. When I wrote an password and email. and clicked save button, it processed the info, and later showed an error message.
     
    The error message said something about: servererror. The error was found in AccountController.cs  row 155. 

  • User profile image
    MrFoxcroft

    This is not a personal attack on the presenters. It's a criticism of their company, Microsoft, failing to provide serious engineering documentation that totally explains how to use this Identify Framework to build a commercial quality authentication system.

    These videos are only good enough to automatically setup one particular template application built of the Identity Framework. Beyond that, you are not going to be able to use these videos to really understand how it all works. The presenters simply highlight some lines of code and say this statement speaks to this component and that statement talks to that component. And those statements are not recognizable as normal C# grammar. Many of the lines of code they highlight are so far removed from the core syntax of C#, that I bet, most viewers have never seen before and don't understand.

    I must say that I can't even explain to a customer how this all works, much less, write a document for those who, after I have left, need to learn how this works. How will those people know how to design and control access to new website directories and files that will be added in the future with no explanation?

    From my perspective, this framework is missing serious engineering documentation for professionals such as architects and software engineers. The kind of documentation that clearly explains the architecture, its components, structure, the calls and parameters, how they are all related to each other, and how they all operate in an event driven view.

    Someone may say to me that you should read the API documentation to learn how it all works, but that is naive and not practical. API documentation is not design documentation.

    Other people may say "study the code example" to learn how it works. It is too complicated and far, far too time consuming.

    I have also searched around for relevant documentation on this subject, but it is also simply superficial at best.

    Just to further reinforce my point, one very important concept was never explained in these videos: how do you prevent access to a particular directory or file when a user is not logged in, and then give them access to that specific resource after they login? That clearly is really the only purpose of the framework, but not explained.

    I think the product manager for Identity Framework must hire a technical writer to write that specialized documentation for all of us to use. What have you got to lose?

    Without any serious, high quality, engineering documentation from Microsoft on how to design a solution with ASP.NET Identity, this is not a framework I can confidently say I can go with without running into time consuming technical obstacles and learning barriers.

    Underneath all this abstraction is cookie management on the client and logic on the server deciding whether or not to give access to a resource. How much time will it take for me to learn how to implement the ASP.NET Identity Framework as compared to creating my own solution with JavaScript and MySQL Server? Keep in mind that ASP.Net eventually converts to JavaScript on the client. So I have to make that decision. It might be worth pursuing, because my solution may be a less complex, easier to document, not become obsolete, and platform independent. I don't know at this time.

  • User profile image
    adamtuliper

    @MrFoxcroft: Thanks for the feedback. If there's specifics you feel the docs are missing, we'd love to hear what would help you so we can fill that gap on http://docs.microsoft.com. Identity is a fairly lightweight plugin system for authorization.

     

    You mentioned re folder access "That clearly is really the only purpose of the framework, but not explained." Identity's purpose isn't to provide access to folders, Windows Authentication has been the solution for years for that - since it works on the security that's already used on your folders. You can find details for example here: https://docs.microsoft.com/en-us/aspnet/core/security/authentication/windowsauth

    If you are looking for solutions with more configuration, features, etc then check out the list we maintain at https://docs.microsoft.com/en-us/aspnet/core/security/authentication/community and you'll find some really nice ones there like IdentityServer.

    If you want a simple, easy to configure Identity solution to enable users to add login functionality to your application through custom accounts or third party providers, then Identity works well here. It should require little configuration to get up and running, the out of the box templates give you enough to get started, we wanted to dive into customizing a bit more in the video but that doesn't mean what we covered isn't documented. Check out https://docs.microsoft.com/en-us/aspnet/core/security/authentication/identity?tabs=visual-studio

    Other features we discussed are documented, like two factor authentication (https://docs.microsoft.com/en-us/aspnet/core/security/authentication/2fa). We've put a ton of work into docs.microsoft.com and if you feel it's missing something let us know we want to make it right!

    Be sure to check out github for various samples as well. These differ on the type of sample you are looking for but for example a quick Startup.cs to show various config options: https://github.com/aspnet/Docs/tree/master/aspnetcore/security/authentication/identity/sample/src

    Thank you!

Add Your 2 Cents