WEBVTT

00:00:00.200 --> 00:00:04.000
[Music]


00:00:15.680 --> 00:00:20.590
Hello. Welcome to ASP.NET 
authentication with Identity Jumpstart.

00:00:21.260 --> 00:00:23.200
I am Adam Tuliper.
Here?

00:00:23.250 --> 00:00:24.250
>> Code Foster.

00:00:24.620 --> 00:00:25.610
>> Code Foster. I love it.

00:00:25.660 --> 00:00:28.040
>> I'll go by Jeremy Foster
today, though.

00:00:28.090 --> 00:00:30.380
>> This is our identity. We couldn't
get the moustaches and the

00:00:30.430 --> 00:00:32.720
hats, so this is what we're
going to kind of do here.

00:00:32.770 --> 00:00:34.460
>> Adam and I have an
identity problem.

00:00:34.510 --> 00:00:35.350
>> We have an identity problem.

00:00:35.400 --> 00:00:36.710
>> But we're going to
solve it today.

00:00:36.760 --> 00:00:38.380
>> We're going to solve it today,
and we can show you how to solve

00:00:38.430 --> 00:00:41.380
your identity problem, as well.
I might even call it a crisis.

00:00:41.430 --> 00:00:42.020
>> Identity crisis.

00:00:42.070 --> 00:00:43.040
>> Identity crisis.

00:00:43.710 --> 00:00:44.610
So shall we get rolling?

00:00:44.660 --> 00:00:45.450
>> Yeah, let's do it.

00:00:45.500 --> 00:00:48.950
>> A little bit about moi. I'm
Adam Tuliper. You can find me

00:00:49.000 --> 00:00:52.240
on Twitter, Adam Tuliper, @AdamTuliper.
I'm a Technical Evangelist

00:00:52.290 --> 00:00:55.130
for Microsoft. I love pretty much
all things technology. My wife

00:00:55.180 --> 00:00:57.720
calls me a geek, so I guess I
have to accept that term.

00:00:57.770 --> 00:01:00.350
Been a software architect for many
years, and try to help other

00:01:00.400 --> 00:01:04.100
folks implement their great solutions
using a Microsoft technology stack.

00:01:04.150 --> 00:01:07.330
>> Cool. And I'm Jeremy Foster. You can
find me online at codefoster.com.

00:01:07.940 --> 00:01:11.050
Also, follow me on Twitter @CodeFoster.
I use Twitter quite

00:01:11.100 --> 00:01:14.740
a bit, and I think that the things
that I tweet about are valuable,

00:01:14.790 --> 00:01:16.020
but I don't know.
That's just me.

00:01:16.070 --> 00:01:16.770
>> I think they are.

00:01:16.820 --> 00:01:20.150
>> Anyway, yeah, so you can find
my blog at codefoster.com.

00:01:20.200 --> 00:01:22.780
I'm an author, presenter, coder,
also a Developer Evangelist

00:01:22.830 --> 00:01:27.430
here at Microsoft, a direct compadre
with Adam here, my good

00:01:27.480 --> 00:01:31.810
friend Adam, and I also do a podcast
called Code Chat. You can

00:01:31.860 --> 00:01:35.360
sign into Code Chat and subscribe.
That's kind of fun, and Code

00:01:35.410 --> 00:01:38.580
Show is a project that I and some
other contributors work on.

00:01:38.630 --> 00:01:39.510
So yeah, that's me.

00:01:40.210 --> 00:01:42.930
>> Very cool. We've got lots of
great topics today... six, to

00:01:42.980 --> 00:01:45.930
be exact, with many, many sub-talks
inside of them. We're going

00:01:45.980 --> 00:01:48.360
to give you guys a great overview
of identity, to get you a base

00:01:48.410 --> 00:01:52.140
understanding of what it is, talk
about local authentication

00:01:52.190 --> 00:01:56.270
using database users, external login providers,
two-factor authentication.

00:01:56.320 --> 00:01:59.160
That's a huge thing nowadays.
In fact, what is two factor?

00:01:59.210 --> 00:02:00.980
We're going to get to all of that
and show you how to use it

00:02:01.030 --> 00:02:01.940
in your applications.

00:02:02.550 --> 00:02:05.310
And I've got a lot of old web applications.
I want to know how

00:02:05.360 --> 00:02:08.220
to migrate them over from membership
to identity, so we're going

00:02:08.270 --> 00:02:10.510
to do that, and then finally, we're
going to close up with some

00:02:10.560 --> 00:02:12.600
identity tips and recommendations
at the end of the day.

00:02:12.650 --> 00:02:15.540
>> Now, Adam, tell me this. How
much experience do you suppose

00:02:15.590 --> 00:02:18.580
a person coming into this
course should have?

00:02:19.780 --> 00:02:24.770
>> Zero to I'm somewhat familiar
with identity. If you are an

00:02:24.820 --> 00:02:28.110
absolute expert in identity, I'm
hoping that you're here to...

00:02:28.160 --> 00:02:30.690
>> To help answer questions
in the chat.

00:02:30.740 --> 00:02:34.940
>> So everybody is welcome. We're
happy to have you. So everybody

00:02:34.990 --> 00:02:37.150
out there, we want you to join the
MVA community, tell all your

00:02:37.200 --> 00:02:39.510
family and friends about it, as
well. Microsoft Virtual Academy

00:02:39.560 --> 00:02:40.960
now has over 2.5

00:02:42.310 --> 00:02:44.170
million registered users.
That's huge.

00:02:44.220 --> 00:02:44.640
>> Million.

00:02:44.690 --> 00:02:48.420
>> Million. Not hundred, not thousand,
million. You can't see

00:02:48.470 --> 00:02:49.970
my little pinky up here.

00:02:51.250 --> 00:02:58.300
Million. So get 50 MVA points for this
event. Using aka.ms/mva-voucher,

00:02:59.350 --> 00:03:01.580
and there's a code that's on the
slide deck there that you can

00:03:01.630 --> 00:03:05.130
use, as well, that expires 12/22.
So, again, thanks for joining,

00:03:05.180 --> 00:03:08.180
and shall we get rolling on
an overview of identity?

00:03:08.230 --> 00:03:09.020
>> Oh, we shall.

00:03:10.710 --> 00:03:14.600
>> So we're going to talk about what
is identity, a history lesson

00:03:14.650 --> 00:03:18.120
for everybody. I liked history
in high school and college, so

00:03:18.170 --> 00:03:20.720
we'll give you guys a little history
lesson today, architecture

00:03:20.770 --> 00:03:23.410
of ASP.NET identity, and we'll walk
through a template for Web

00:03:23.460 --> 00:03:26.420
Forms and MVC, which might leave
folks wondering, are we going

00:03:26.470 --> 00:03:30.610
to be covering Web Forms? Are we
going to be covering MVC today?

00:03:30.660 --> 00:03:33.450
Primarily MVC. However, we are
going to throw some Web Forms

00:03:33.500 --> 00:03:37.560
in there, as well. The good news is,
the code is very, very similar

00:03:37.610 --> 00:03:40.030
between both of them, so once you
understand the basic concepts,

00:03:40.080 --> 00:03:42.970
they will map over to either one
pretty much all the same.

00:03:44.250 --> 00:03:47.910
Jeremy, what is identity?

00:03:47.960 --> 00:03:49.280
>> Do you want my opinion?

00:03:49.760 --> 00:03:52.390
>> Tell me your opinion, before I
even show the first bullet point

00:03:52.440 --> 00:03:53.060
on the slide.

00:03:54.430 --> 00:03:57.590
>> My opinion is getting
the person right.

00:03:58.300 --> 00:04:01.310
Who is it? I don't know,
making sure.

00:04:01.360 --> 00:04:02.120
>> Making sure.

00:04:02.910 --> 00:04:08.820
Could it be all about the user? What about
if they want to access something?

00:04:08.870 --> 00:04:11.730
Can I look at all of your Facebook
photos? Can I look at your

00:04:11.780 --> 00:04:15.850
user accounts? Can I do this? So we
want to be able to authenticate...

00:04:15.900 --> 00:04:20.020
too many auths. We want to be able to
authenticate and authorize users.

00:04:20.580 --> 00:04:23.620
So everybody's got a different
definition. When you go on the

00:04:23.670 --> 00:04:26.270
net and look up identity, you're
going to see some folks refer

00:04:26.320 --> 00:04:30.110
to it as this, maybe just managing a
user. Some say using authorization

00:04:30.160 --> 00:04:33.050
and authentication, as well. So
to me, it kind of all rolls up

00:04:33.100 --> 00:04:34.900
into one, and we're going to talk
about how we actually do all

00:04:34.950 --> 00:04:37.470
of those today, managing your users,
how we're going to authenticate

00:04:37.520 --> 00:04:39.060
and how we're going
to authorize users.

00:04:39.870 --> 00:04:42.080
Now, there's been some big, big
changes, and we'll look at that

00:04:42.130 --> 00:04:44.370
when we look at the history slides,
but identity works with OWIN

00:04:44.420 --> 00:04:47.910
middleware, which you're probably going
to say, what is OWIN middleware?

00:04:48.180 --> 00:04:51.360
Something fairly new to ASP.NET,
and so we'll talk about that

00:04:51.410 --> 00:04:52.070
in a little bit.

00:04:53.040 --> 00:04:55.950
And it is a claims-based system.
A claims-based system, we're

00:04:56.000 --> 00:04:59.460
going to talk about what claims
are, as well, but basically,

00:04:59.710 --> 00:05:04.800
your claim stores, the system itself
stores logins, stores claims

00:05:05.070 --> 00:05:07.720
and stores roles. And we'll look
at actually what all those are,

00:05:07.770 --> 00:05:12.680
as well. Now, ASP.NET identity,
as of v1, they were added as

00:05:12.730 --> 00:05:15.890
NuGet packages, so you can install
them literally into any project

00:05:15.940 --> 00:05:17.710
that runs on ASP.NET 4.5.

00:05:19.920 --> 00:05:23.230
What does ASP.NET identity support?
This is a cool slide, because

00:05:23.280 --> 00:05:26.700
this shows really you can integrate
with almost anything that

00:05:26.750 --> 00:05:29.130
you need to for your application.
If you want to integrate with

00:05:29.180 --> 00:05:32.560
OAuth or OpenID, or you're going to
use like Azure Active Directory,

00:05:32.610 --> 00:05:36.130
which we actually have a demo of
later on, if you want just your

00:05:36.180 --> 00:05:39.120
own SQL Database, individual database
back end, or maybe you

00:05:39.170 --> 00:05:45.260
want a Raven DB or MySQL back end,
no problem. And again, supports

00:05:45.310 --> 00:05:48.940
roles, supports claims. Now, you'll
notice as we're going through

00:05:48.990 --> 00:05:52.590
the decks today that Windows authentication
isn't really covered,

00:05:52.640 --> 00:05:55.130
because that doesn't really fit into
the identity system, because

00:05:55.180 --> 00:06:01.110
that's really having... more for
intranet applications, and the

00:06:01.160 --> 00:06:03.110
way that those handles tokens. Everything
and all that doesn't

00:06:03.160 --> 00:06:06.330
hit the database that would be used
for identity, so that information

00:06:06.380 --> 00:06:08.210
is stored separately, so it doesn't
quite fit into what we're

00:06:08.260 --> 00:06:11.860
going to cover today, but we are going
to look at virtually everything else.

00:06:11.910 --> 00:06:15.960
>> So we're talking about knowing
who users on the Internet are,

00:06:16.010 --> 00:06:18.670
users in the world, finding out
who they are. Not necessarily

00:06:18.720 --> 00:06:20.420
users in my corporation...
perhaps.

00:06:20.470 --> 00:06:22.710
>> It could be users in the corporations.
I've been in a lot

00:06:22.760 --> 00:06:25.910
of environments where we created
web applications internally,

00:06:25.960 --> 00:06:29.680
but we chose not to use Windows
authentication for whatever the

00:06:29.730 --> 00:06:31.870
business reason was at the time
or technical reason was at the

00:06:31.920 --> 00:06:34.760
time, where we had local databases
authenticating users or we

00:06:34.810 --> 00:06:37.810
had a single sign on solution so
we didn't go to something else.

00:06:37.860 --> 00:06:42.760
So it could be intranet, or it could
be Internet. Identity will

00:06:42.810 --> 00:06:45.690
cover either. It's just Windows
authentication is pretty much

00:06:45.740 --> 00:06:47.820
just used for an intranet-type scenario.

00:06:50.430 --> 00:06:51.780
What is single sign on?

00:06:52.730 --> 00:06:56.150
Single sign on allows a user to
provide... and again, this is

00:06:56.200 --> 00:06:58.620
something that you'll see different
definitions of, depending

00:06:58.670 --> 00:07:02.070
where you look it up, but a good summary
of that, the user provides

00:07:02.120 --> 00:07:05.470
either the same credentials to access
multiple services, or the

00:07:05.520 --> 00:07:09.520
user provides credentials once. That allows
them to access multiple services.

00:07:09.570 --> 00:07:12.430
The idea is you want to make it
easier for the user to not have

00:07:12.480 --> 00:07:15.220
to remember, oh, I've got this password
here, this password there,

00:07:15.270 --> 00:07:17.320
this password there. Now, this isn't
the same as kind of sharing

00:07:17.370 --> 00:07:20.030
that one password amongst
every single site.

00:07:21.140 --> 00:07:23.130
The single sign on experience is
ideally supposed to make it

00:07:23.180 --> 00:07:25.700
a little bit easier for the user,
make it easier to manage user

00:07:25.750 --> 00:07:26.590
accounts, as well.

00:07:28.770 --> 00:07:32.740
So I mentioned that identity is
a claims-based system. What the

00:07:32.790 --> 00:07:36.380
heck are claims? I'm going to take
these glasses off now, because

00:07:36.430 --> 00:07:40.080
I think you know my identity, I know
your identity. Set these good.

00:07:41.180 --> 00:07:45.820
So claims, a claims-based system,
it's a little bit odd to get

00:07:45.870 --> 00:07:48.110
your head around. If you've been
doing anything with membership

00:07:48.430 --> 00:07:51.460
or anything with authentication,
authorization, with ASP.NET

00:07:51.510 --> 00:07:55.310
in the past, using what was built
in, unless you were using Windows

00:07:55.360 --> 00:07:59.530
Identity Foundation, you typically
were using a role-based system,

00:07:59.580 --> 00:08:02.020
where you basically said, is this
person an administrator?

00:08:02.170 --> 00:08:05.630
Is this person a user? Are they
an accounting user? So claims

00:08:05.680 --> 00:08:08.710
allows us to have a lot more power
on top of that. That allows

00:08:08.760 --> 00:08:13.030
us to assign many different attributes
to a user. We could have

00:08:13.080 --> 00:08:15.950
an email address. Now, granted, it
could also be profile information,

00:08:16.000 --> 00:08:18.090
but we could have email address.
We could have other private

00:08:18.140 --> 00:08:20.180
information that we don't want
anybody seeing, but that we're

00:08:20.230 --> 00:08:24.850
using to make a decision about that
user. It's not just do they

00:08:24.900 --> 00:08:28.610
happen to be an accountant? We could assign
all sorts of attributes there.

00:08:28.660 --> 00:08:31.970
Do they belong to Microsoft? Do they
belong to this building?

00:08:32.020 --> 00:08:35.060
Can you think of any other things
that we might use claims for?

00:08:35.110 --> 00:08:37.740
>> Oh, man, there's a million. I
was just going to say that I

00:08:37.790 --> 00:08:41.230
think that claims are kind of a
superset of roles. Roles are

00:08:41.280 --> 00:08:44.310
kind of categories, categories of
people, people in this department

00:08:44.360 --> 00:08:46.580
or people that are this type or
whatever, and claims are kind

00:08:46.630 --> 00:08:50.420
of a superset, and I like to think
of them as they're a little

00:08:50.470 --> 00:08:54.280
difficult to wrap your head around,
because they are more abstract.

00:08:54.780 --> 00:08:59.430
But I like to think of them as more
atomic. I can actually define

00:08:59.480 --> 00:09:02.460
what it is that I want to do more
atomically when I'm using claims

00:09:02.510 --> 00:09:04.050
based than when I'm
using roles based.

00:09:04.100 --> 00:09:06.030
>> Absolutely, absolutely. And we
can see the class here on the

00:09:06.080 --> 00:09:08.950
right-hand side for claims, they've
got a bunch of properties

00:09:09.000 --> 00:09:12.830
on there, but mainly, it's a key value
system. So the user delivers

00:09:12.880 --> 00:09:14.520
claims on over to your application.

00:09:15.150 --> 00:09:17.580
They come from all sorts of different...
you can have them stored

00:09:17.630 --> 00:09:20.480
in the database. You can have
them assigned at runtime.

00:09:20.530 --> 00:09:23.680
Your code can assign them maybe
on a per request basis, or you

00:09:23.730 --> 00:09:25.590
can actually store them in the database
and the identity system

00:09:25.640 --> 00:09:28.020
will pull them out there and
add them to your token.

00:09:29.930 --> 00:09:34.100
And claims can really... anything you
want to contain as information

00:09:34.150 --> 00:09:36.610
for a user. Now, you have to be
careful here, because claims

00:09:36.660 --> 00:09:38.800
can get stored with that user's
token that follows them around

00:09:38.850 --> 00:09:42.320
on their browser. So I wouldn't probably
go and store a thousand

00:09:42.370 --> 00:09:45.290
pieces of information in there.
Not to be confused with storing

00:09:45.340 --> 00:09:47.740
information about a user's profile,
which I just wanted to keep

00:09:47.790 --> 00:09:50.320
in a table and pull out as I needed.
Claims is something that

00:09:50.370 --> 00:09:54.260
you want to use for either an authentication
or an authorization-type

00:09:54.310 --> 00:09:56.700
basis, not just like, hey, what's
your favorite color?

00:09:57.340 --> 00:09:59.730
If I want to store that profile
information about a user, we'll

00:09:59.780 --> 00:10:01.670
keep that in a separate table, and
we'll talk about how to add

00:10:01.720 --> 00:10:04.790
those types of fields on to
a user account, as well.

00:10:05.840 --> 00:10:11.050
And roles are typically single value, like
I mentioned, administrator, accounting.

00:10:11.390 --> 00:10:15.110
Claims, key value, so you can say
we're actually going to look

00:10:15.160 --> 00:10:17.880
at a demo here, Facebook access
token. We can store all sorts

00:10:17.930 --> 00:10:20.130
of custom information on there,
so claims are really cool, and

00:10:20.180 --> 00:10:23.020
that's what the whole identity system
is based around. Even if

00:10:23.070 --> 00:10:25.440
we're using roles, everything on
the back end, still, it's a

00:10:25.490 --> 00:10:26.250
claim-based system.

00:10:26.300 --> 00:10:28.850
>> So are you saying I can define
whatever key I want?

00:10:28.900 --> 00:10:30.350
>> You can, absolutely.

00:10:31.040 --> 00:10:33.730
There are some built-in ones. There
are some enumerations in

00:10:33.780 --> 00:10:37.470
there for name and ones that have
been defined in the public

00:10:37.520 --> 00:10:40.010
community, and then there's other
ones you can store whatever

00:10:40.060 --> 00:10:40.310
you want in there.

00:10:40.360 --> 00:10:41.630
>> Like some standards
that we agree on.

00:10:41.680 --> 00:10:42.150
>> Yes.

00:10:42.200 --> 00:10:42.700
>> Great.

00:10:43.840 --> 00:10:47.210
>> Let's talk about history. I like history.
Do you like history, Jeremy?

00:10:47.260 --> 00:10:48.950
>> Sure. Especially when
it's technical.

00:10:49.000 --> 00:10:51.850
>> Technical history. That is interesting.
We've got over at

00:10:51.900 --> 00:10:55.950
the headquarters building... my building
knowledge here is pretty bad.

00:10:56.930 --> 00:10:57.640
>> 92?

00:10:57.690 --> 00:11:00.190
>> Maybe. The museum where you can
walk through and see all that

00:11:00.240 --> 00:11:02.420
stuff in there, and the library's
got some really cool stuff in.

00:11:02.470 --> 00:11:05.170
If you ever get a chance, stop by
the campus and tour it out there.

00:11:05.220 --> 00:11:08.530
So history of ASP.NET account
services. I don't want to say

00:11:08.580 --> 00:11:12.350
identity, because I consider identity
something that's pretty recent.

00:11:12.400 --> 00:11:17.110
Let's go way, way, way back
in time, 2005, November.

00:11:17.470 --> 00:11:18.680
>> I can hardly remember.

00:11:18.730 --> 00:11:21.300
>> I was living in Pennsylvania,
it was a rainy month.

00:11:21.350 --> 00:11:24.490
>> It was rainy here.

00:11:24.540 --> 00:11:26.720
>> It was rainy here. I got off
the plane last night and, sure

00:11:26.770 --> 00:11:29.210
enough, what did I hit? Rain. I
live in southern California,

00:11:29.260 --> 00:11:33.520
so it's sunny. I'm not used to this
rain. So 2005, ASP.NET 2.0

00:11:33.570 --> 00:11:36.320
came out, and that brought membership.
That was an exciting

00:11:36.370 --> 00:11:39.710
time, because now we had something
that everybody was home rolling.

00:11:39.760 --> 00:11:43.360
Everybody was creating their own
tables with a login, and a lot

00:11:43.410 --> 00:11:45.950
of folks were just storing a plaintext
password. Some were hashing

00:11:46.000 --> 00:11:49.280
it, some were encrypting it, so
this brand-new system came out.

00:11:49.330 --> 00:11:51.810
It supported SQL Server and SQL Express.

00:11:52.760 --> 00:11:57.960
Then, in May of 2012, Microsoft released
the Universal Providers,

00:11:58.220 --> 00:12:01.660
and that was first released as a NuGet
package, and that supported

00:12:01.710 --> 00:12:04.620
finally all of our databases. Previously,
you couldn't use something

00:12:04.670 --> 00:12:08.100
like SQL CE. Now, you could use the
universal providers to access

00:12:08.150 --> 00:12:14.640
basically all of our databases,
SQL CE, Azure, SQL Express, like

00:12:14.690 --> 00:12:18.490
it could be 4, full SQL Server, so it
allowed you to access everything.

00:12:19.230 --> 00:12:22.840
And then in 2012, we came out with
simple membership, and that

00:12:22.890 --> 00:12:25.590
was something that it seemed like
it was new, because it came

00:12:25.640 --> 00:12:29.000
out in MVC, but that was actually sourced
on our Web Pages technology.

00:12:29.050 --> 00:12:31.360
And you could also install it in
Web Forms, too. There were some

00:12:31.410 --> 00:12:33.380
blog posts on that, but it didn't
come out of the box that way.

00:12:34.470 --> 00:12:39.040
In October of 2013, finally, brand-new
identity system, completely

00:12:39.090 --> 00:12:41.160
different than anything
we ever had before,

00:12:42.530 --> 00:12:45.750
and then, really, not that much
longer later, about five months

00:12:45.800 --> 00:12:46.520
after that,

00:12:47.030 --> 00:12:51.590
ASP.NET Identity v2, so lots of
innovation in the space here

00:12:52.090 --> 00:12:54.760
into our identity system, brought
two-factor authentication,

00:12:54.990 --> 00:13:00.600
account lockout, account confirmation,
password and account reset,

00:13:00.650 --> 00:13:02.800
so some really neat features that
just came out just a few months

00:13:02.850 --> 00:13:07.650
ago in there. And now, finally,
looking forward, we have the

00:13:07.700 --> 00:13:09.960
preview bits that have
come out for ASP.NET

00:13:11.200 --> 00:13:14.210
vNext, ASP.NET 5, so we're not going
to cover that too much right

00:13:14.260 --> 00:13:16.660
now today, because that is a future
technology, and things can

00:13:16.710 --> 00:13:19.720
always change, but we will touch
upon just a couple of minor

00:13:19.770 --> 00:13:20.750
points with that, as well.

00:13:22.120 --> 00:13:25.800
All right, Jeremy, let's talk about the
architecture of ASP.NET identity.

00:13:27.400 --> 00:13:29.420
So first, I do want to mention,
because this helped me a lot

00:13:29.470 --> 00:13:33.700
in learning the identity system,
the source code to v3...

00:13:33.750 --> 00:13:37.010
now, most of what we're going to cover
today is v2, but the source

00:13:37.060 --> 00:13:40.110
code, the v3 is available on GitHub.
V2 is not currently available

00:13:40.160 --> 00:13:43.120
as source code, but v3, there are
many, many things that are

00:13:43.170 --> 00:13:47.460
the same, and that's a great place
to open it up and kind of

00:13:47.510 --> 00:13:49.200
learn about how everything's
structured in there.

00:13:50.110 --> 00:13:52.310
Contribute. It's an open-source
project. We definitely want

00:13:52.360 --> 00:13:53.930
your ideas. If you have something
that you think would make the

00:13:53.980 --> 00:13:58.120
identity system more awesomer, then
by all means, go ahead, go

00:13:58.170 --> 00:14:04.600
on the GitHub and make some changes and
recommend them to us. Next. Katana.

00:14:04.650 --> 00:14:05.400
>> Katana.

00:14:05.990 --> 00:14:07.530
>> Katana and OWIN.

00:14:07.580 --> 00:14:10.600
>> Not to be confused with Cortana.

00:14:11.110 --> 00:14:11.970
This is a different 'tana.

00:14:12.020 --> 00:14:16.580
>> This is totally, totally,
totally different.

00:14:18.260 --> 00:14:19.280
Nope, not even...

00:14:19.880 --> 00:14:23.640
you could say Cortana, show me a
Katana. Yes, that would probably

00:14:23.690 --> 00:14:28.430
work well. So what is Katana
and what is OWIN?

00:14:29.070 --> 00:14:32.970
So let's understand a little
bit of a separation here.

00:14:33.540 --> 00:14:38.110
Identity, to be able to fully use
identity, there's a security

00:14:38.160 --> 00:14:40.280
middleware, so there's a lot of
things that you don't want to

00:14:40.330 --> 00:14:43.130
have to manage, and there's two systems
here. We've got a security

00:14:43.180 --> 00:14:46.790
system and an identity system, and
they kind of work hand in hand.

00:14:48.180 --> 00:14:54.310
Microsoft, there's a standard OWIN,
and we decided to say, let's

00:14:54.360 --> 00:14:57.490
go ahead and abstract out something
that you can code against

00:14:57.540 --> 00:15:02.210
and not have to tie things maybe
directly to IIS. Maybe you

00:15:02.260 --> 00:15:04.510
have scenarios where you want to
self-host your application.

00:15:04.560 --> 00:15:07.410
You may or may not be running in
an IIS environment. Well, then

00:15:07.460 --> 00:15:10.320
you have to have code that detects
that and maybe uses IIS-specific

00:15:10.370 --> 00:15:13.590
features or doesn't use those features.
So as you start looking

00:15:13.640 --> 00:15:17.640
at the back end of ASP.NET, you
realize there's a lot of kind

00:15:17.690 --> 00:15:19.780
of hard dependencies on things, and
this kind of helps free that up.

00:15:19.830 --> 00:15:23.750
You can code to what OWIN supports,
and it just works. You don't

00:15:23.800 --> 00:15:25.910
have to worry about what's plugged
in on the back end there.

00:15:25.960 --> 00:15:29.000
>> And besides just the adaptability,
you also have the ability

00:15:29.050 --> 00:15:33.730
to interchange these OWIN modules
and only take exactly what

00:15:33.780 --> 00:15:37.050
you need and no more, so you're
not taking a larger dependence.

00:15:37.100 --> 00:15:39.790
You're taking whatever smaller dependencies
you happen to need

00:15:39.840 --> 00:15:40.850
in your application.

00:15:41.100 --> 00:15:44.060
>> Absolutely. Katana, if you're
searching on the Net and you

00:15:44.110 --> 00:15:47.250
start doing a little bit of research
on Katana and OWIN, going

00:15:47.300 --> 00:15:50.820
forward, the name Katana, everything
there has been fully integrated

00:15:50.870 --> 00:15:55.800
into ASP.NET v5, so it's no longer
going to be called Katana.

00:15:55.850 --> 00:15:57.850
So if you're going to go out and do
a little research going forward,

00:15:57.900 --> 00:16:00.490
you're watching this module down the
road, just take note of that.

00:16:00.540 --> 00:16:03.920
>> So the thing to look for now
is ASP.NET Identity, correct?

00:16:03.970 --> 00:16:09.470
>> Correct. You can also look in OWIN,
so you can still code against

00:16:09.520 --> 00:16:12.730
that definition, so I would actually
say research OWIN, and I

00:16:12.780 --> 00:16:14.910
do have a link at the end of this
deck, where you can go in and

00:16:14.960 --> 00:16:18.450
learn a little bit more about that,
but just basically, if you

00:16:18.500 --> 00:16:23.160
have an OWIN module, it really defines
something easy that allows

00:16:23.460 --> 00:16:25.160
a pipeline to communicate across.

00:16:26.040 --> 00:16:29.410
Your OWIN module essentially just
gets a dictionary that's keyed

00:16:29.460 --> 00:16:32.260
by a string and stores an object
in there. So you could look

00:16:32.310 --> 00:16:35.120
at your request headers in there.
You can look for any sort

00:16:35.170 --> 00:16:39.210
of custom data. Let's say you're integrating
with Facebook authentication.

00:16:39.260 --> 00:16:41.880
You can look for specific tokens
coming back. You don't have

00:16:41.930 --> 00:16:44.660
to do all this coding against specific
things. You get the simple

00:16:44.710 --> 00:16:47.520
collection, this dictionary object.
You look in there for the

00:16:47.570 --> 00:16:49.960
information you need, you add whatever
you need to it, and then

00:16:50.010 --> 00:16:53.310
the next module processes it. It's
a really, really simple interface

00:16:53.360 --> 00:16:56.580
that allows you to develop these modules
or use whatever Microsoft

00:16:56.630 --> 00:16:58.170
has developed for their
modules, as well.

00:17:00.120 --> 00:17:05.600
Now, the ASP.NET security middleware can
be used in any OWIN-based application.

00:17:05.650 --> 00:17:09.700
Now, again, we have two systems. We
have security and we have identity.

00:17:09.990 --> 00:17:14.170
>> Now, would you say that security is
roughly analogous to authorization,

00:17:14.230 --> 00:17:17.540
whereas identity is roughly analogous
to authentication?

00:17:18.650 --> 00:17:20.380
>> I would in some cases.

00:17:21.170 --> 00:17:24.860
When we get to the external login
providers, you could authenticate

00:17:25.280 --> 00:17:27.940
with the external providers, so there
are some times you're going

00:17:27.990 --> 00:17:30.080
to authenticate locally, sometimes
you're going to authenticate

00:17:30.130 --> 00:17:31.240
remotely, as well.

00:17:31.970 --> 00:17:37.800
The security components, though,
take away, they abstract that

00:17:37.850 --> 00:17:42.600
out for you. So identity think
of as typically keeping track

00:17:42.650 --> 00:17:46.220
of your user account, who you are,
what your roles are, what

00:17:46.270 --> 00:17:48.260
your claims are, and we'll look
at the schema very shortly when

00:17:48.310 --> 00:17:50.930
we open up a demo and kind of
walk through that. So it just

00:17:50.980 --> 00:17:54.450
kind of helps you keep track of your
user account and the attributes

00:17:54.500 --> 00:17:57.590
surrounding that user account.
The security modules on there

00:17:57.640 --> 00:18:01.360
help integrate with Facebook, Twitter,
Microsoft authentication.

00:18:01.410 --> 00:18:04.830
They do kind of that heavy lifting
as opposed to just kind of

00:18:04.880 --> 00:18:08.180
maybe storing a token and storing
your user account details.

00:18:08.230 --> 00:18:10.740
So they do a lot more of that
heavy lifting for you.

00:18:12.480 --> 00:18:15.110
All right, now in understanding what
we're going to look at when

00:18:15.160 --> 00:18:18.210
we walk through template walk through
here, with identity, one

00:18:18.260 --> 00:18:21.910
of the important things that we want
to look at is using managers

00:18:21.960 --> 00:18:22.890
and stores.

00:18:23.590 --> 00:18:26.720
So there's a UserManager and a
RoleManager. If you want to go

00:18:26.770 --> 00:18:30.600
ahead and manually query a user,
you would use the UserManager.

00:18:30.650 --> 00:18:34.330
And on the right-hand of this
slide here, you check out...

00:18:34.380 --> 00:18:35.430
there we go, this mouse.

00:18:36.520 --> 00:18:40.530
Our applications talk to a manager.
That's the API that you

00:18:40.580 --> 00:18:41.620
are typically going to use.

00:18:43.170 --> 00:18:45.910
If you want to store a role in the database,
you would use a RoleManager.

00:18:45.960 --> 00:18:48.960
If you want to store a user, use
a UserManager. If you want

00:18:49.010 --> 00:18:52.030
to query the claims for a user,
you would use a UserManager.

00:18:52.080 --> 00:18:55.910
If you want to query the roles for a
user, you would use a UserManager.

00:18:56.520 --> 00:19:01.540
If you want to create, delete, everything
around the user, which

00:19:01.590 --> 00:19:03.790
one would you guess it's using?

00:19:03.840 --> 00:19:04.520
>> I'm guessing...

00:19:04.570 --> 00:19:08.470
>> UserManager. The UserManager,
all of the managers then talk

00:19:08.520 --> 00:19:12.990
to a store via an interface, so
meaning that you can kind of...

00:19:13.720 --> 00:19:16.250
because you're coding against an
interface, an abstraction there,

00:19:16.300 --> 00:19:19.050
you can plug things in and out, so
you might change your underlying

00:19:19.100 --> 00:19:21.660
store and never, ever have to change
your UserManager. It might

00:19:21.710 --> 00:19:25.290
just work with it. Now, my little icons
down there, lower right-hand

00:19:25.340 --> 00:19:28.200
corner, since we're talking about managers
and stores, that actually

00:19:28.250 --> 00:19:31.710
is a manager. It looks kind of like
Superman. But if you notice...

00:19:31.760 --> 00:19:34.750
it's probably hard to see, he's
got IT. I figured that guy was

00:19:34.800 --> 00:19:37.670
an IT manager, so that's where the
manager comes from, and the

00:19:37.720 --> 00:19:38.840
store, of course, on the
right-hand side.

00:19:38.890 --> 00:19:42.240
>> It's too bad you have to explain
your slide. I don't want

00:19:42.290 --> 00:19:45.300
it to be mistaken there, Superman.
This is definitely an IT

00:19:45.350 --> 00:19:48.140
manager, who could be synonymous
with Superman.

00:19:48.190 --> 00:19:49.740
>> Sure, sure. A lot
of respect there.

00:19:49.790 --> 00:19:53.410
>> A lot of respect there. All right,
so you are typically going

00:19:53.460 --> 00:19:55.850
to work with a UserManager, and it's
going to talk to everything

00:19:55.900 --> 00:19:58.330
else down the line. It will talk
to the store, which in turn

00:19:58.380 --> 00:20:01.380
talks to your data access layer, which
in turn talks to the actual

00:20:01.430 --> 00:20:05.220
data source, database itself. So
it's pretty easy for you to

00:20:05.270 --> 00:20:07.940
use, and that template code does
a lot of footwork, which we'll

00:20:07.990 --> 00:20:08.830
look at, as well.

00:20:09.440 --> 00:20:13.870
So again, if you wanted to store a role,
would you be using the UserManager?

00:20:15.210 --> 00:20:18.030
You would use the RoleManager.
If you wanted to store a role

00:20:18.080 --> 00:20:20.610
for a user, then you would
be using a UserManager.

00:20:20.660 --> 00:20:23.670
All right, key components here.

00:20:25.210 --> 00:20:28.210
The identity side, you notice the
components are pretty simple

00:20:28.260 --> 00:20:31.950
there, because remember, identity
is storing information about you.

00:20:32.000 --> 00:20:34.810
So there's identity, which contains
all the base interfaces,

00:20:35.290 --> 00:20:39.680
IUser, all of the interfaces for
storing a phone number, for

00:20:39.730 --> 00:20:43.480
all of your stores, everything behind
the scenes, the majority

00:20:43.530 --> 00:20:45.640
of that work is stored in Microsoft.AspNet.Identity.

00:20:47.280 --> 00:20:51.030
The Entity Framework is a specific
implementation of that that

00:20:51.080 --> 00:20:53.620
gives you something out of the box
that works with our databases,

00:20:53.670 --> 00:20:55.610
and that's why we use Entity Framework,

00:20:55.660 --> 00:20:58.340
because Entity Framework works
across our databases. On the

00:20:58.390 --> 00:21:01.390
security side, this kind of gives you
a little bit of a differentiation,

00:21:01.980 --> 00:21:05.390
where you get to see what the middleware
does for you. So on

00:21:05.440 --> 00:21:07.280
the right-hand side, the Entity
Framework, that stores stuff

00:21:07.330 --> 00:21:10.890
out to a SQL Database. On the left-hand
side, our security middleware,

00:21:10.940 --> 00:21:13.600
that does all the heavy lifting.
So if you want to communicate

00:21:13.650 --> 00:21:17.400
with Facebook, Google, Microsoft
account, you want to do OAuth,

00:21:17.450 --> 00:21:19.790
Twitter, that's all over there.

00:21:20.640 --> 00:21:22.780
For the most part, you don't talk
to that. You let that all

00:21:22.830 --> 00:21:25.120
kind of handle that plugs into your
system, looks for the information

00:21:25.170 --> 00:21:27.820
that it needs and processes it.
So most of what we're going to

00:21:27.870 --> 00:21:31.010
be looking at today is all on the
identity side, although we're

00:21:31.060 --> 00:21:34.280
going to look at how the security
side integrates with that.

00:21:36.850 --> 00:21:40.480
Now, I caution, don't stare too
long at this slide. I wanted

00:21:40.530 --> 00:21:42.560
to put a lot of information on here
as kind of a reference slide,

00:21:42.610 --> 00:21:45.090
and you can see, for those that really
like it, go back and look

00:21:45.140 --> 00:21:47.690
at this slide. But if you understand
everything on this slide,

00:21:47.740 --> 00:21:53.220
you really understand most of what
you would need to do, 99.9%

00:21:53.900 --> 00:21:56.850
of what you do in identity. So
let's talk about some of these

00:21:56.900 --> 00:21:59.130
classes in here. I talked about
you have a UserManager and you

00:21:59.180 --> 00:22:03.530
have a RoleManager. There's an
IdentityUser, and that's you.

00:22:03.580 --> 00:22:07.140
That's an IUser interface. IdentityUser
happens to be, as it

00:22:07.190 --> 00:22:10.790
stands now, it's an Entity Framework
implementation of an IUser

00:22:10.840 --> 00:22:14.360
interface, so out of the box,
you can store things to...

00:22:14.410 --> 00:22:18.310
>> So I'll find IdentityUser
in the EF namespaces?

00:22:18.360 --> 00:22:21.560
>> You will now. That's... again,
I don't want to talk about

00:22:21.610 --> 00:22:24.200
vNext too much. That's one minor
thing that's changing vNext.

00:22:24.250 --> 00:22:27.230
Some of the namespaces are changing,
but IdentityUser right now

00:22:27.280 --> 00:22:28.990
is in the Entity Framework
namespace, yes.

00:22:29.040 --> 00:22:29.540
>> Okay.

00:22:32.680 --> 00:22:36.540
>> EmailService, SmsService. You
can tell by the name that this

00:22:36.590 --> 00:22:39.290
probably doesn't get you food,
probably doesn't do laundry.

00:22:39.340 --> 00:22:43.820
This deals with emails and text messages.
This is notified during

00:22:43.870 --> 00:22:46.280
two-factor authentication, which
we're going to look at in a

00:22:46.330 --> 00:22:49.740
separate module, and also when you
want to do account confirmation,

00:22:50.010 --> 00:22:54.320
so EmailService, SmsService, that's
what gets called when you

00:22:54.370 --> 00:22:55.530
do two-factor authentication.

00:22:55.580 --> 00:22:57.680
>> Is there a food service provider
built into the framework?

00:22:57.730 --> 00:23:00.070
>> You can make one. So this is all extensible.
You can do IFoodServiceProvider.

00:23:00.120 --> 00:23:03.010
I'm going to look on GitHub, so if

00:23:04.680 --> 00:23:06.350
they come out with that soon.

00:23:06.400 --> 00:23:10.330
>> Yes, that's going to be popping
up. UserManager, those are

00:23:10.380 --> 00:23:14.230
the APIs that, as I mentioned, probably
ad nauseam so far, that

00:23:14.280 --> 00:23:16.600
is what you are going to store and
access everything about the

00:23:16.650 --> 00:23:21.830
user with. User claim and authentication
info, that all talks

00:23:21.880 --> 00:23:24.450
to the UserStore, so that abstracts
it away from you. If you

00:23:24.500 --> 00:23:27.280
want, you could talk to the UserStore,
but the UserManager essentially

00:23:27.330 --> 00:23:29.160
does everything that
you need for you.

00:23:30.160 --> 00:23:31.780
Next, RoleManager.

00:23:32.780 --> 00:23:35.360
Talked about that, too. That is
what talks to the RoleStore.

00:23:35.410 --> 00:23:38.620
If you want to store a RoleName
called administrator, if you

00:23:38.670 --> 00:23:42.180
want to store a RoleName called accounting,
you would use a RoleManager.

00:23:42.230 --> 00:23:45.560
If you want to find the roles for that
user, you would use UserManager,

00:23:45.610 --> 00:23:47.650
because now you're talking
about a specific user.

00:23:48.150 --> 00:23:51.480
>> So the claims and the roles really
work in parallel, and we

00:23:51.530 --> 00:23:54.720
still have the concept of a role
even in a claims-based system?

00:23:54.770 --> 00:23:59.010
>> Yes, behind the scenes, that all
gets read out and gets packaged

00:23:59.060 --> 00:24:03.200
into all of your claims, which
gets written out to a cookie.

00:24:03.250 --> 00:24:06.260
So even though the roles still work,
it's still behind the scenes

00:24:06.310 --> 00:24:07.190
in a claims-based system.

00:24:07.240 --> 00:24:07.810
>> Oh, I see.

00:24:09.050 --> 00:24:12.520
>> Now, the UserStore, that is
what talks to the DataStore.

00:24:12.570 --> 00:24:14.440
In the case of what we're going
to look at, that's what talks

00:24:14.490 --> 00:24:17.270
to Entity Framework. We have another
demo where we're going to

00:24:17.320 --> 00:24:21.460
talk to RavenDB, as well, so if you
want to do any of your own custom

00:24:21.510 --> 00:24:23.890
implementation, then you write your
own UserStore, but there's

00:24:23.940 --> 00:24:25.520
one out of the box for you that works.

00:24:28.380 --> 00:24:32.100
And then we have a RoleStore, which
same thing as a UserStore,

00:24:32.150 --> 00:24:35.710
that's what actually talks to your
data provider to in turn talk

00:24:35.760 --> 00:24:42.460
to your DataStore. SignInManager.
This one is a cool class,

00:24:42.510 --> 00:24:45.530
and that's just a high-level API
to sign a user in. So I talked

00:24:45.580 --> 00:24:50.260
about getting user info, storing
user info, storing roles, but

00:24:50.310 --> 00:24:52.280
what if you just want to sign in
a user, and that's when you

00:24:52.330 --> 00:24:55.010
talk to this high-level SignInManager.
Now, again, don't stare

00:24:55.060 --> 00:24:56.510
at this too long, because we're
going to simplify this.

00:24:56.560 --> 00:24:57.230
Ready?

00:24:57.280 --> 00:24:57.760
>> Let's go.

00:24:58.500 --> 00:24:59.400
>> Let's simplify.

00:25:01.540 --> 00:25:06.110
Again, IdentityUser, that's you
with your properties, username,

00:25:06.160 --> 00:25:09.150
email, email verified, all the
custom information, and we're

00:25:09.200 --> 00:25:11.110
going to look at how you can customize
that class a little bit more.

00:25:11.160 --> 00:25:14.430
>> Now, in normal practice, is the
IdentityUser something that

00:25:15.040 --> 00:25:19.110
I inherit, override and create my
own IdentityUser that's derived

00:25:19.160 --> 00:25:22.470
from this one, or do I tend to
use the IdentityUser itself?

00:25:22.520 --> 00:25:26.330
>> So in the basic template as it
stands, they have an application

00:25:26.380 --> 00:25:27.940
user that inherits from
IdentityUser.

00:25:27.990 --> 00:25:30.470
>> And that's a specific one
for that application.

00:25:30.520 --> 00:25:33.510
>> Yes, and that you can add all of
your own custom stuff to that.

00:25:33.560 --> 00:25:35.480
They just give you something out
of the box that's pretty empty

00:25:35.530 --> 00:25:38.080
with properties. It gets whatever
IdentityUser has on it, so

00:25:38.130 --> 00:25:40.820
IdentityUser has a bunch of those
built in properties, and then

00:25:40.870 --> 00:25:43.650
they give you... since that's stored
in a separate namespace

00:25:43.700 --> 00:25:47.020
in a precompiled assembly, out of the
box, they give you an application

00:25:47.070 --> 00:25:48.900
user, so you have something you
can look at and just go in and

00:25:48.950 --> 00:25:50.530
modify, and we'll look at
how we do that, too.

00:25:52.330 --> 00:25:56.780
Next, EmailService, SmsService. As I mentioned,
that is not an IFoodServiceProvider.

00:25:57.090 --> 00:25:59.380
That's what's going to be notified.

00:26:02.180 --> 00:26:06.050
ApplicationUserManager, that's what
you call to manage your users.

00:26:06.100 --> 00:26:10.300
So a UserManager, as I've talked
about about 100 times so far,

00:26:10.350 --> 00:26:12.980
that's what's going to deal with everything
with your users storing it.

00:26:13.030 --> 00:26:16.470
The ApplicationUserManager is kind
of like your application user.

00:26:16.520 --> 00:26:18.860
It just gives you code in your application,
so when we open up

00:26:18.910 --> 00:26:22.200
this demo project, we're going to see,
there's an ApplicationUserManager

00:26:22.250 --> 00:26:24.270
class in there. It gives us something
that we can customize a

00:26:24.320 --> 00:26:25.300
little bit easier.

00:26:26.950 --> 00:26:30.800
SignInManager, that's it. So this
is a simplified version of that.

00:26:30.850 --> 00:26:34.290
If you understand this today, as
we leave here, I will be a very,

00:26:34.340 --> 00:26:35.100
very happy man.

00:26:35.150 --> 00:26:38.440
>> Can you explain one more
time what a UserStore is?

00:26:38.490 --> 00:26:40.570
>> UserStore implements
IFoodServiceProvider.

00:26:40.620 --> 00:26:43.010
>> No, I know that's not right.

00:26:43.060 --> 00:26:46.990
>> So a UserStore stores information
about the user.

00:26:47.680 --> 00:26:51.760
If you want to create a user
account, if you want to

00:26:54.090 --> 00:26:57.830
store a phone number on that user,
if you want to say Jeremy

00:26:57.880 --> 00:27:02.040
Foster has the role accounting,
then I talk to the UserManager

00:27:02.090 --> 00:27:05.270
to talk to the UserStore
to save that out.

00:27:05.320 --> 00:27:08.910
>> Now, like an IdentityUser, is
a UserStore, at least at this

00:27:08.960 --> 00:27:11.140
point, an Entity Framework concept?

00:27:12.360 --> 00:27:14.000
>> A UserStore itself...

00:27:14.820 --> 00:27:17.660
well, IUserStore, I think it
is, is a generic concept.

00:27:18.590 --> 00:27:23.360
A UserStore is a specific implementation
that talks to Entity Framework.

00:27:23.410 --> 00:27:25.870
So if you want to create your own
custom implementation, then

00:27:25.920 --> 00:27:27.090
you would create your own.

00:27:27.140 --> 00:27:29.960
>> So if I want to store my users
in XML files, or if I want to

00:27:30.010 --> 00:27:32.310
store them in RavenDB?

00:27:32.360 --> 00:27:35.280
>> You create your own custom UserStore
then that uses the appropriate

00:27:35.330 --> 00:27:38.150
interface, so everything can talk to
it, and then it just talks to...

00:27:38.200 --> 00:27:42.180
it either can read-write XML files
or talk to RavenDB's API or

00:27:42.230 --> 00:27:44.840
talk to Entity Framework, but that
UserStore... so you see how

00:27:44.890 --> 00:27:47.500
everything is kind of abstracted
away here? You write it out

00:27:47.550 --> 00:27:50.470
to the UserStore, you talk to the
UserStore, and it takes care

00:27:50.520 --> 00:27:53.090
of all the rest for you. Now, will
this... in response to an

00:27:53.140 --> 00:27:55.420
answer in the chat room, will
a system like this...

00:27:55.470 --> 00:27:58.300
obviously, it'll handle an application,
and all of the users

00:27:58.350 --> 00:28:02.080
that apply to that application.
Will this out of the box, or

00:28:02.130 --> 00:28:05.540
with some customizations, handle
a multi-tenant environment,

00:28:05.590 --> 00:28:09.050
where I have a framework that handles
multiple applications?

00:28:09.100 --> 00:28:12.090
>> This does not. I'm trying to recall
if I have a slide in our

00:28:12.140 --> 00:28:15.260
many modules today on that. This
does not out of the box.

00:28:16.640 --> 00:28:20.630
So in a case like that, you would either
have to add your own custom...

00:28:20.680 --> 00:28:22.820
I think I actually do mention this,
because I think I have a

00:28:22.870 --> 00:28:26.510
URL to someone who has a project
on GitHub for that. It's not

00:28:26.560 --> 00:28:29.260
out of the box, but somebody has
already code for it out there

00:28:29.310 --> 00:28:29.910
on GitHub to be able to do it.

00:28:29.960 --> 00:28:31.720
>> And that kind of feels right.
It doesn't feel like it should

00:28:31.770 --> 00:28:32.900
belong in the core.

00:28:32.950 --> 00:28:33.300
>> Yes.

00:28:35.110 --> 00:28:41.170
Okay. Pretty easy so far, right? This
makes it a little bit easier,

00:28:41.220 --> 00:28:43.160
IdentityUser, EmailService, UserManager,
SignInManager.

00:28:43.210 --> 00:28:43.910
>> Clear as mud.

00:28:45.240 --> 00:28:45.980
>> Clear as mud.

00:28:46.990 --> 00:28:51.840
All right, so let's go ahead
and look at a template.

00:28:52.510 --> 00:28:53.380
I think I will use...

00:28:54.280 --> 00:28:58.900
I'm going to use Visual Studio 2015
for this one. It's a preview

00:28:58.950 --> 00:28:59.700
right now.

00:28:59.750 --> 00:29:01.640
>> That's what I call
a code cowboy.

00:29:01.690 --> 00:29:03.140
>> A code cowboy.

00:29:03.190 --> 00:29:09.110
Yee-haw. So the point I want to
drive home with this, if you're

00:29:09.160 --> 00:29:13.810
at home and you're using Visual Studio
2013, let's say, no problem.

00:29:13.860 --> 00:29:16.150
I just want to show you you can do
the exact same thing in either

00:29:16.200 --> 00:29:18.690
system here. I'm going to
create a new project,

00:29:21.530 --> 00:29:26.260
and ASP.NET Web Application, this
is essentially the same thing

00:29:26.310 --> 00:29:28.980
that you're going to get in Visual
Studio 2013, even though I'm

00:29:29.030 --> 00:29:30.290
in 2015.

00:29:32.480 --> 00:29:35.160
Let me take one step back here.

00:29:35.900 --> 00:29:39.300
This is almost the same. There's one
more step I need to go through here.

00:29:39.350 --> 00:29:44.440
So we'll call this basic template.
Oops, look at those.

00:29:48.800 --> 00:29:50.670
Always messes you up a little bit
when you get on a keyboard

00:29:50.720 --> 00:29:53.850
that you're not quite used to, a
little bit different than the

00:29:53.900 --> 00:29:54.760
one you use at home.

00:29:55.920 --> 00:29:59.460
Now, we're going to talk about
a couple differences here.

00:30:00.050 --> 00:30:00.930
This is where...

00:30:01.750 --> 00:30:04.140
this guy right here, this is the
same thing that you're going

00:30:04.190 --> 00:30:08.220
to get in Visual Studio 2013. Again,
I'm in 2015 right now, but

00:30:08.270 --> 00:30:13.180
notice, they differentiate here,
ASP.NET 5, empty, ASP.NET 5

00:30:13.230 --> 00:30:16.590
Starter Website, this here is the
same thing that you're going

00:30:16.640 --> 00:30:19.260
to get in 2013 right now. So it's
kind of cool that it supports

00:30:19.310 --> 00:30:20.400
one or the other.

00:30:20.940 --> 00:30:24.980
So we're going to stick with
the 2013 one, essentially.

00:30:25.800 --> 00:30:33.530
I don't know if you saw that, so
while that's loading, I'm going

00:30:33.580 --> 00:30:35.320
to create another one here,
just to show you

00:30:37.500 --> 00:30:40.850
this guy right here, since this
deals with authentication.

00:30:40.900 --> 00:30:44.400
Notice, on the new project dialog
here, change authentication.

00:30:44.930 --> 00:30:47.150
The default here was individual
user account.

00:30:48.840 --> 00:30:50.790
No authentication, well, that
kind of makes sense.

00:30:51.780 --> 00:30:54.880
Individual user accounts for applications
that store user profiles

00:30:54.930 --> 00:30:58.640
in a SQL Server database, or you
can use things like Facebook,

00:30:58.690 --> 00:31:01.300
Twitter, Google, Microsoft, and
we're going to talk about all

00:31:01.350 --> 00:31:03.940
that today. Organizational accounts,
we're actually going to

00:31:03.990 --> 00:31:07.610
talk about this, as well, and then
I covered Windows authentication

00:31:07.660 --> 00:31:09.950
for intranet applications. Doesn't
quite fit into the identity

00:31:10.000 --> 00:31:12.610
system here, so we're going to
stick to these two guys today,

00:31:12.660 --> 00:31:14.440
individual user accounts for the
most part, and we're going to

00:31:14.490 --> 00:31:16.290
touch upon organizational accounts.

00:31:19.940 --> 00:31:22.160
So going back to the template
that I just created here,

00:31:23.400 --> 00:31:25.890
so we'll do this for MVC, and then
we'll go through and I'll

00:31:25.940 --> 00:31:28.120
show you the differences in
Web Forms as well, here.

00:31:29.440 --> 00:31:30.520
Let's run this.

00:31:34.250 --> 00:31:36.730
And this gives you a nice-looking
basic template here that gives

00:31:36.780 --> 00:31:37.690
you the ability to...

00:31:39.140 --> 00:31:43.830
I'll wait until this comes up... register
for an account or login.

00:31:44.430 --> 00:31:46.460
Now, clearly, we don't
have any logins yet.

00:31:47.240 --> 00:31:48.560
If I go ahead and register,

00:31:54.260 --> 00:31:57.260
we'll use this guy, adamtuliper@live.com,

00:32:06.100 --> 00:32:08.140
and I notice my password
length is different.

00:32:10.240 --> 00:32:11.560
Once I register here,

00:32:13.120 --> 00:32:15.690
some really interesting things are
happening behind the scenes.

00:32:16.890 --> 00:32:20.530
All right, see that I'm signed
in here. Let's look at...

00:32:22.640 --> 00:32:24.210
we'll go into detach from this.

00:32:30.270 --> 00:32:32.190
And pin this little window here,
because what I want to look

00:32:32.240 --> 00:32:34.700
at are data connections.

00:32:35.720 --> 00:32:39.200
If you don't run your application
first, this is going to be

00:32:39.250 --> 00:32:41.990
empty, and so what this has done...
the first time that we ran

00:32:42.040 --> 00:32:43.910
this, because this uses Entity Framework...

00:32:44.750 --> 00:32:46.760
now, you might say, I don't
know Entity Framework.

00:32:47.520 --> 00:32:51.020
That's perfectly fine. Just know that
it does all the heavy lifting

00:32:51.070 --> 00:32:54.390
to talk to the SQL Database
on the back end.

00:32:55.140 --> 00:32:57.690
But the other cool thing that it
does is if the database doesn't

00:32:57.740 --> 00:33:00.220
exist, it will actually create
it for you, and that's really,

00:33:00.270 --> 00:33:03.230
really handy in a default template.
So that's what this did

00:33:03.280 --> 00:33:06.340
right now. This is actually pointing
to a database that it created.

00:33:07.320 --> 00:33:10.490
For those that had been using the
technology in the past and

00:33:10.540 --> 00:33:14.470
would add a database to the app_data
folder, notice, you don't

00:33:14.520 --> 00:33:17.910
see anything there, but behind
the scenes, there is actually

00:33:17.960 --> 00:33:19.740
this database that was
created for you.

00:33:20.450 --> 00:33:23.180
And Entity Framework did that. As
soon as we brought it up and

00:33:23.230 --> 00:33:26.840
registered, it said, does this database
exist? Does not exist?

00:33:26.890 --> 00:33:29.400
And it actually created the database
for you, based on some of

00:33:29.450 --> 00:33:31.280
the classes we're going to look
at, very, very powerful.

00:33:31.330 --> 00:33:34.380
>> Because of that feature, I feel
like I'll never have to go

00:33:34.430 --> 00:33:36.280
create a database again.

00:33:36.930 --> 00:33:39.530
If it already exists, I'll connect
to it. If it doesn't exist

00:33:39.580 --> 00:33:42.460
yet, I'll just write the code or
I'll use a framework like this

00:33:42.510 --> 00:33:45.450
and let it generate the
database for me.

00:33:45.500 --> 00:33:47.190
>> Absolutely. And for the folks
that wondered, well, how can

00:33:47.240 --> 00:33:50.500
we take this database, and what
if I have another database?

00:33:50.550 --> 00:33:52.590
What if I don't want to use this
database? Or maybe I want to

00:33:52.640 --> 00:33:54.820
use this database for testing, and
I need to migrate these changes

00:33:54.870 --> 00:33:56.720
to another database? We're going
to look at that, too.

00:33:57.610 --> 00:34:00.900
So I come over here to these data
connections. I expand it.

00:34:00.950 --> 00:34:03.390
And again, you must run it first
so that it gets created.

00:34:03.440 --> 00:34:05.140
Otherwise, you won't see
this database here.

00:34:06.130 --> 00:34:07.030
Now, tables,

00:34:09.000 --> 00:34:10.600
we have users and roles.

00:34:11.200 --> 00:34:13.690
So as I registered my user here,
let's go ahead and say show

00:34:13.740 --> 00:34:14.500
table data,

00:34:17.090 --> 00:34:20.180
and if we look, there's a GUID here
is the ID. This is actually

00:34:20.230 --> 00:34:21.040
a string.

00:34:22.140 --> 00:34:28.700
My email, EmailConfirmed, notice, never,
ever, ever store a plaintext password.

00:34:28.750 --> 00:34:30.650
This is actually a hash, so it's
not even encrypted. It's a

00:34:30.700 --> 00:34:35.440
mathematical function that comes
up with this long binary mess,

00:34:36.220 --> 00:34:37.140
and that

00:34:38.420 --> 00:34:41.320
can't just immediately be decrypted.
There are techniques that

00:34:41.370 --> 00:34:44.910
people use to try to break hashes,
so they'll take a password,

00:34:44.960 --> 00:34:48.010
and they will hash that password
and see if it mashes this hash,

00:34:48.060 --> 00:34:50.020
and so then what you do is you
hash repeatedly, over and over

00:34:50.070 --> 00:34:53.200
and over again. Some security experts
actually go so far as recommending

00:34:53.250 --> 00:34:57.780
that some systems hash a password
for a full one second, which

00:34:57.830 --> 00:35:01.090
is a bazillion times of hashes, just
over and over and over again,

00:35:01.140 --> 00:35:04.430
so it makes it a little bit more
difficult for attackers to hash

00:35:04.480 --> 00:35:05.750
a password and compare
it to yours.

00:35:05.800 --> 00:35:09.440
>> I heard it said that a good hashing
algorithm is not a fast one.

00:35:09.490 --> 00:35:13.740
You actually want it to be slow, because
if you have the resources,

00:35:14.190 --> 00:35:17.370
certainly, a person has the time
to wait long enough for that

00:35:17.420 --> 00:35:18.540
level of security.

00:35:18.590 --> 00:35:19.080
>> Absolutely.

00:35:19.130 --> 00:35:22.710
>> The interesting thing about a hash
is that the same exact password

00:35:22.760 --> 00:35:26.960
always hashes the exact same, but
once it's hashed, you don't

00:35:27.010 --> 00:35:28.310
come back from that hash.

00:35:29.120 --> 00:35:29.740
>> That is true.

00:35:29.790 --> 00:35:30.320
>> Without supercomputers.

00:35:30.370 --> 00:35:32.810
>> Yes, absolutely. And there's
a minor variation on there.

00:35:32.860 --> 00:35:35.650
You can actually have a salt that's
applied to the beginning

00:35:35.700 --> 00:35:38.450
of a hash that kind of mixes it
up even more, so if you hash

00:35:38.500 --> 00:35:41.000
a password and it's got a different
salt, it actually makes that

00:35:41.050 --> 00:35:43.720
a different resulting hash. All
sorts of fun stuff they do with

00:35:43.770 --> 00:35:44.720
hashes nowadays.

00:35:45.520 --> 00:35:49.140
Okay so notice I've got a couple
of fields here. In this case,

00:35:49.190 --> 00:35:50.550
let me just expand this.

00:35:51.240 --> 00:35:53.570
You can see the fields in there
easier. Email, EmailConfirmed,

00:35:53.620 --> 00:35:57.170
a phone number's there. So these
are the default fields, and

00:35:57.220 --> 00:35:58.950
we're going to get to how
you customize these.

00:35:59.750 --> 00:36:02.390
So that's your user account. This is the
one I just created. That's me.

00:36:03.140 --> 00:36:06.230
Now, roles, we don't have anything
in roles yet, and a role is

00:36:06.280 --> 00:36:09.290
pretty simple. It's an ID and a name,
so again, like accounting.

00:36:11.870 --> 00:36:15.530
User roles, what roles does a particular
user have? So you just

00:36:15.580 --> 00:36:19.260
have a key to roles and a key
to the user. Easy enough.

00:36:20.660 --> 00:36:23.330
Now, the ASP.NET user logins table,
this is used when you're

00:36:23.380 --> 00:36:25.780
dealing with external login providers,
so we'll look at this

00:36:25.830 --> 00:36:27.580
in Module 3.

00:36:30.480 --> 00:36:33.990
ASP.NET user claims, this stores
all the claims for the user,

00:36:34.040 --> 00:36:37.500
so claim type, claim value. Remember,
I said it was a key value

00:36:37.550 --> 00:36:41.620
pair, the user ID, and just an
ID for that table. So this is

00:36:41.670 --> 00:36:44.260
what it gives you by default, and
we're going to look at in the

00:36:44.310 --> 00:36:47.600
next module how you customize these
tables a little bit. So let's

00:36:47.650 --> 00:36:50.030
see what happens here, the
magic in our application.

00:36:55.930 --> 00:36:58.680
So when we look at this template
here, our application starts

00:36:58.730 --> 00:37:03.400
up, and notice, OWIN startup attribute
calls this configuration,

00:37:03.450 --> 00:37:06.920
configure auth. So your application
starts up, and this is going

00:37:06.970 --> 00:37:09.490
to configure all the OWIN magic
that happens for you.

00:37:10.990 --> 00:37:13.650
So let's navigate to this and move
these windows around just

00:37:13.700 --> 00:37:15.790
a little bit here. Actually, I'm
going to close this, since we

00:37:15.840 --> 00:37:16.790
looked at that already.

00:37:16.840 --> 00:37:19.200
>> So that's the startup auth file
that you're in now. Where is

00:37:19.250 --> 00:37:20.190
that stored?

00:37:21.110 --> 00:37:24.680
>> So startup called startup auth,
which is in app_start, and

00:37:24.730 --> 00:37:27.520
that might seem like it's a special
folder name, like in Web

00:37:27.570 --> 00:37:30.920
Forms, they had all sorts of special
folder names, and this is

00:37:30.970 --> 00:37:34.280
just a convention. The fact that it's
called app_start means nothing.

00:37:34.330 --> 00:37:36.300
It's just a convention that folks
use for any of your startup

00:37:36.350 --> 00:37:37.050
code here.

00:37:37.630 --> 00:37:41.070
>> So in there is Startup.Auth,
and you have Identity.Config.

00:37:41.120 --> 00:37:44.160
These are the two that are used
for the security and identity,

00:37:44.210 --> 00:37:46.830
to configure it. So when
I look at Startup.Auth,

00:37:48.840 --> 00:37:51.460
we're configuring a couple of things here,
and this is just template code.

00:37:51.510 --> 00:37:53.700
You don't necessarily need to understand
what's going on here.

00:37:54.380 --> 00:37:57.700
This is creating your context. Essentially,
it's talking to Entity

00:37:57.750 --> 00:38:01.320
Framework and it's storing it, so
we can pull it out later on.

00:38:02.060 --> 00:38:03.760
This is changing a little bit going
forward to make it a little

00:38:03.810 --> 00:38:05.850
bit easier to plug in with
dependency injection.

00:38:06.820 --> 00:38:09.980
>> Now, can you talk for a second
about this ApplicationDbContext,

00:38:10.030 --> 00:38:11.790
what is that entity?

00:38:11.840 --> 00:38:15.770
>> So our ApplicationDbContext, this
is our code. Let's navigate

00:38:15.820 --> 00:38:16.410
to this guy.

00:38:18.200 --> 00:38:22.140
This is Entity Framework-specific
code, so a DB Context is an

00:38:22.190 --> 00:38:23.970
Entity Framework class
where you define

00:38:25.370 --> 00:38:29.330
what you are going to look at in
your database, what entities.

00:38:29.680 --> 00:38:32.580
Essentially, that relates to what tables
you're going to be looking at.

00:38:32.630 --> 00:38:33.950
So this is the magic.

00:38:34.000 --> 00:38:37.360
>> I like to think of it as the
DB manager. They use that term

00:38:37.410 --> 00:38:42.760
manager for collections of things,
and the DB Context is like

00:38:42.810 --> 00:38:45.130
the thing that represents your entire
database, so that you can

00:38:45.180 --> 00:38:48.320
always go to it and say, I'm interested
in some data from a table,

00:38:48.370 --> 00:38:50.310
or I need to put some
data in a table.

00:38:50.360 --> 00:38:51.110
>> Absolutely.

00:38:51.760 --> 00:38:52.990
>> Everything is going
to go through that.

00:38:53.040 --> 00:38:55.650
>> So we've got the DB Context,
and then I see here that we've

00:38:56.750 --> 00:38:59.570
got an IdentityDbContext, likely
derived from that.

00:38:59.620 --> 00:39:00.710
>> Yes, so if we go to

00:39:02.050 --> 00:39:05.890
IdentityDbContext, we see that,
as of v2 of Identity, this is

00:39:05.940 --> 00:39:07.360
indeed Microsoft.AspNet.Identity.EntityFramework,

00:39:08.930 --> 00:39:13.100
so a specific application that
is Entity Framework specific.

00:39:13.150 --> 00:39:13.740
>> All right,

00:39:15.050 --> 00:39:17.170
and then what's deriving from
that again? We've got

00:39:18.980 --> 00:39:19.670
the ApplicationDbContext.

00:39:19.720 --> 00:39:21.600
>> ApplicationDbContext. You'll
find that the convention here

00:39:21.650 --> 00:39:25.810
is Application something. So ApplicationDbContext
gives you something

00:39:25.860 --> 00:39:28.450
that you can work with. Because they've
defined a bunch of stuff

00:39:28.500 --> 00:39:31.890
already in that Entity Framework
namespace for identity, so when

00:39:31.940 --> 00:39:33.460
we look at this guy here...

00:39:34.270 --> 00:39:37.240
>> Not to sidetrack you too much,
but I'd like to see where the

00:39:38.450 --> 00:39:40.750
ApplicationDbContext is defined. Maybe
that's where you're taking us.

00:39:40.800 --> 00:39:44.800
>> Yes. IdentityDbContext, that exists
in a compiled library that

00:39:44.850 --> 00:39:47.070
Microsoft provides, so you can't
really do much with that.

00:39:47.120 --> 00:39:50.200
So what this application does,
the template does, is it gives

00:39:50.250 --> 00:39:54.330
you one, an ApplicationDbContext,
and that code is in underneath

00:39:54.380 --> 00:39:55.620
your models folder,

00:39:57.230 --> 00:40:00.850
in your IdentityModels class. So this
just gives you some template code.

00:40:00.900 --> 00:40:03.280
It says, you know what? We're inheriting
from what's provided

00:40:03.330 --> 00:40:04.620
in the compiled libraries.

00:40:04.870 --> 00:40:08.530
>> So yours might not be called
ApplicationDbContext. In your

00:40:08.580 --> 00:40:10.240
application, you might call
yours something else.

00:40:10.290 --> 00:40:13.190
>> Yes. This is the template code.
You can actually change these.

00:40:13.240 --> 00:40:15.510
You can change pretty much any
of the naming conventions that

00:40:15.560 --> 00:40:17.240
you want, and we'll look at it a
little bit in the next module

00:40:17.290 --> 00:40:18.880
and how you customize that
a little bit more.

00:40:20.750 --> 00:40:24.760
When we go down here, we can see
that the various OWIN providers,

00:40:25.370 --> 00:40:27.950
they use extension methods. Extension
methods are really cool.

00:40:28.540 --> 00:40:32.460
They allow you to add on to an
existing object, so let's say

00:40:32.510 --> 00:40:35.690
you have a string, and you wanted
to add a new function. On every

00:40:35.740 --> 00:40:38.530
string, you can say this is my String.BeAFoodServiceProvider.

00:40:43.600 --> 00:40:47.270
So extension methods allow you
to add on to existing objects,

00:40:48.010 --> 00:40:51.580
and that's what these OWIN components
do. We've got this IAppBuilder,

00:40:52.540 --> 00:40:56.910
and when we bring in other modules
for OWIN, we looked at some

00:40:56.960 --> 00:41:00.770
of those namespaces before. They allow
you to do Microsoft account,

00:41:00.820 --> 00:41:01.620
Facebook, etc.

00:41:03.300 --> 00:41:04.100
If we do dot,

00:41:07.730 --> 00:41:10.640
we can see that some of these things
here, they're just extensions

00:41:10.690 --> 00:41:15.170
that get added on by those OWIN components. So
we can say app.UseFacebookAuthentication,

00:41:15.880 --> 00:41:19.530
and then we bring into our project let's
say the Google authentication

00:41:19.580 --> 00:41:22.330
OWIN provider, and then we get
that method that shows up, and

00:41:22.380 --> 00:41:24.730
then we bring in the Microsoft module,
that shows up. So they're

00:41:24.780 --> 00:41:28.780
not all there by default. As you bring
in modules, they add extension

00:41:28.830 --> 00:41:31.900
methods that make that show up for you.
And so the cookie authentication,

00:41:31.950 --> 00:41:33.800
that's what we're used to. Think
of in Web Forms, we had forms

00:41:33.850 --> 00:41:36.860
authentication, stored a cookie on
the back end. This does something

00:41:36.910 --> 00:41:39.630
similar, a little bit different
technology, but the same idea,

00:41:39.680 --> 00:41:42.550
this stores a cookie with some
information in it, and that's

00:41:42.600 --> 00:41:46.620
the information that configures it,
so when OWIN is dealing with

00:41:46.670 --> 00:41:48.870
the cookies, this is the information
it's going to use, and it

00:41:48.920 --> 00:41:49.470
knows how to

00:41:53.130 --> 00:41:55.630
deal with that. UseExternalSignInCookie,
UseTwoFactorSignInCookie,

00:41:55.640 --> 00:41:59.040
TwoFactorRememberBrowserCheck, so
some basic template code that

00:41:59.090 --> 00:42:02.390
enables some things. So if you want
to use two-factor sign in,

00:42:02.440 --> 00:42:04.770
most of it is enabled, but we'll
look at that in the two-factor

00:42:04.820 --> 00:42:08.570
module on how we can actually make
that fully work. It doesn't

00:42:08.620 --> 00:42:10.780
fully work out of the box, and that's
intentional. There's just

00:42:10.830 --> 00:42:12.910
a couple minor things you have
to tweak to get it to work.

00:42:14.030 --> 00:42:17.600
And then here, we'll look at these
different providers in the

00:42:17.650 --> 00:42:20.170
external login providers module,
but this is just some common

00:42:20.220 --> 00:42:22.390
code when you want to do Microsoft
account, Twitter, Facebook,

00:42:22.440 --> 00:42:24.760
etc., and again, we'll look
at that a little bit later.

00:42:25.820 --> 00:42:28.250
>> So now, if we go to... let
me close this file out.

00:42:29.100 --> 00:42:30.360
That's just some startup code.

00:42:32.550 --> 00:42:36.030
That tells OWIN what to look for,
and again, that's in the security

00:42:36.080 --> 00:42:38.750
side of it. Now, we have the identity
side of it, and here's

00:42:38.800 --> 00:42:41.630
our identity classes here. Remember,
I said there was an EmailService,

00:42:41.680 --> 00:42:46.100
an SmsService, a UserManager
and a SigninManager.

00:42:46.770 --> 00:42:51.100
So if we look at the SmsService, it's just a
simple interface, IIdentityMessageService.

00:42:51.150 --> 00:42:54.700
And we're going to look at these
classes in a little bit more

00:42:54.750 --> 00:42:59.840
detail when we get to some of the
future modules here, like when

00:42:59.890 --> 00:43:01.880
we do two-factor authentication.

00:43:03.250 --> 00:43:05.470
EmailService, and I said the UserManager
and SigninManager.

00:43:05.520 --> 00:43:07.240
So let's look at the
UserManager here.

00:43:08.540 --> 00:43:10.150
The UserManager is something that
you're going to talk to.

00:43:10.200 --> 00:43:12.480
Remember, the UserManager
talks to the UserStore.

00:43:14.340 --> 00:43:16.940
Again, these are defined in

00:43:18.780 --> 00:43:22.200
Microsoft.AspNet.Identity, so this
is in a compiled module that

00:43:22.250 --> 00:43:23.490
you don't have access to.

00:43:24.220 --> 00:43:25.900
So here, we're just giving
you a basic class.

00:43:25.950 --> 00:43:27.700
>> Well, you do now that
.NET is open source.

00:43:27.750 --> 00:43:28.260
>> You do.

00:43:29.120 --> 00:43:31.880
You do in v3, correct.
V2, no source yet.

00:43:32.930 --> 00:43:34.590
So this is some template code here.

00:43:35.260 --> 00:43:36.000
If we look at

00:43:38.620 --> 00:43:43.380
it, UserValidator, AllowOnlyAlphanumericUserNames,
RequireUniqueEmail.

00:43:43.430 --> 00:43:44.500
Clearly, I want that.

00:43:45.120 --> 00:43:47.200
How do we do password validation?

00:43:48.500 --> 00:43:51.430
Right here. We plug that in just like
that. New PasswordValidator,

00:43:51.480 --> 00:43:52.150
RequiredLength is 6,

00:43:54.140 --> 00:43:56.860
RequiredDigit equals true, so it's
real easy to add on these

00:43:56.910 --> 00:43:58.690
different values. Remember,
previously,

00:44:00.040 --> 00:44:03.240
you could add all of this in say,
in your web.config file, to

00:44:03.290 --> 00:44:05.080
change all these values.

00:44:05.670 --> 00:44:07.930
I don't like that approach, because
one, it's not compiled.

00:44:07.980 --> 00:44:09.920
I can't really refactor easily.
It's just something sitting in

00:44:09.970 --> 00:44:10.790
a config file.

00:44:11.330 --> 00:44:13.930
I like the fact that we have this
nice, fluent API that we can

00:44:13.980 --> 00:44:14.640
use here.

00:44:16.160 --> 00:44:19.640
User lockouts, is it
enabled by default?

00:44:19.690 --> 00:44:22.260
True. How long do you want it to
be locked out for? And we're

00:44:22.310 --> 00:44:24.880
going to look at this a little
bit later in more detail.

00:44:25.370 --> 00:44:27.320
Two-factor providers, we're going
to look at that, as well.

00:44:27.370 --> 00:44:29.640
I don't want you to get confused
by all this boilerplate code.

00:44:29.690 --> 00:44:31.360
We're going to kind of pick
this apart as we go on.

00:44:33.290 --> 00:44:36.230
Let's go to our login now.

00:44:43.220 --> 00:44:45.340
So when we log in, I

00:44:46.720 --> 00:44:49.350
mentioned that we have a... there's
a UserManager we can talk

00:44:49.400 --> 00:44:51.600
to and a SigninManager.

00:44:52.430 --> 00:44:54.320
Well, here it is. Here's
our SigninManager class.

00:44:55.400 --> 00:45:00.960
When we log in, we take the credentials
that user specified and

00:45:01.010 --> 00:45:04.440
email a password if they checked
off Remember Me on the webpage,

00:45:05.490 --> 00:45:09.120
and should we lock the account out
if it fails? In other words,

00:45:09.170 --> 00:45:11.510
if we increment that lockout count.
And we're going to cover

00:45:11.560 --> 00:45:13.630
account lockout a little bit later,
so we can kind of ignore

00:45:13.680 --> 00:45:14.540
the lockout for now.

00:45:15.900 --> 00:45:18.890
We try to sign in the user. What
is the result? Success, it

00:45:18.940 --> 00:45:20.980
worked okay, the account's
locked out.

00:45:22.180 --> 00:45:25.940
We have to verify this account
or it's a failure. Very easy.

00:45:25.990 --> 00:45:28.440
The SigninManager handles
all of that for us.

00:45:29.500 --> 00:45:32.950
Now, on the other hand,
we have register user,

00:45:34.570 --> 00:45:36.320
and our register user here,

00:45:39.660 --> 00:45:42.700
the user clicks on the page. They
click on the button to register

00:45:42.750 --> 00:45:46.020
the user, so they click on...
let me log off here.

00:45:49.550 --> 00:45:52.350
Let me Ctrl-F5 this to start
without debugging.

00:45:57.870 --> 00:46:01.290
User registers, email, password,
confirm password, they click

00:46:01.340 --> 00:46:04.240
on register. That brings them into
this method, and we pass in

00:46:04.290 --> 00:46:06.430
some details. We have the email
password and all that passed

00:46:06.480 --> 00:46:07.080
in with us.

00:46:09.140 --> 00:46:10.930
UserManager, if we want to create
a user... remember, I said

00:46:10.980 --> 00:46:13.510
we talk to the UserManager. That's
all we're doing here.

00:46:13.560 --> 00:46:16.360
We're saying UserManager,
create that user for us,

00:46:18.420 --> 00:46:21.200
and a lot of things now, if there's
a delay talking to a database,

00:46:21.250 --> 00:46:24.870
you'll see that we do an asynchronous
call, and so this syntax

00:46:24.920 --> 00:46:28.030
here, this await and async, it
might look a little confusing.

00:46:28.080 --> 00:46:30.600
Behind the scenes, it does a lot
of really cool work for you,

00:46:30.650 --> 00:46:32.270
but it's easy to understand.

00:46:33.810 --> 00:46:37.530
If you have await, which in turn
requires you to have async for

00:46:37.580 --> 00:46:41.000
your method call, when you are running
this in ASP.NET, it comes

00:46:41.050 --> 00:46:43.470
down and it hits this method, there
is going to be a delay talking

00:46:43.520 --> 00:46:44.720
to your database in the back end.

00:46:45.400 --> 00:46:48.580
It might seem short to you, but if
you have a system that's handling

00:46:48.630 --> 00:46:51.650
thousands or millions of user requests,
that could be a lot of

00:46:51.700 --> 00:46:54.040
delay, and those are threads that
aren't being used to handle

00:46:54.090 --> 00:46:58.030
other requests. So this essentially
says, hey, let this finish.

00:46:58.080 --> 00:47:01.450
We're going to take this thread off
and return it back to service

00:47:01.500 --> 00:47:04.550
other users. And when this call
comes back, we'll pick it back

00:47:04.600 --> 00:47:07.840
right up where it left off and continue
again. So for performance,

00:47:07.890 --> 00:47:11.070
this is great. It allows it to
essentially... the runtime to

00:47:11.120 --> 00:47:13.660
handle more user requests, and
it allows this to kind of call

00:47:13.710 --> 00:47:15.900
off to the database, let it do its
work, however long that delay

00:47:15.950 --> 00:47:16.910
is, and then come back to you.

00:47:18.170 --> 00:47:21.320
If the result succeeded, then we sign
on our users. So we register

00:47:21.370 --> 00:47:23.140
them, sign them in, and then
they're good to go.

00:47:24.170 --> 00:47:29.390
So again, real easy. You deal with
a UserManager and a SigninManager.

00:47:29.800 --> 00:47:32.190
And when we're all done, we just
redirect them to the homepage,

00:47:32.240 --> 00:47:33.600
which is what we saw before.

00:47:36.770 --> 00:47:44.060
Adam@no.com, I'll register,

00:47:47.920 --> 00:47:51.880
and there I go. I'm redirected back
to this essentially homepage here.

00:47:52.510 --> 00:47:54.800
So real simple. Let's look at

00:47:56.780 --> 00:47:58.720
the same type of thing as we go to...

00:47:59.930 --> 00:48:00.460
let's do

00:48:03.340 --> 00:48:06.490
Web Forms. We'll also do individual
user accounts.

00:48:09.080 --> 00:48:11.530
So same thing I did before for MVC,
but we're just going to do

00:48:11.580 --> 00:48:12.760
this for Web Forms.

00:48:13.790 --> 00:48:15.750
And remember, we talked to a UserManager
and a SigninManager,

00:48:15.800 --> 00:48:24.670
and there's an application
user. Okay. So our models,

00:48:26.010 --> 00:48:29.920
we have our identity models. Same thing.
We have an ApplicationUser,

00:48:30.000 --> 00:48:32.330
we have an ApplicationDbContext.

00:48:37.920 --> 00:48:41.090
Our application starts up. We also
have a startup class, just

00:48:41.140 --> 00:48:42.090
like we had in MVC.

00:48:44.120 --> 00:48:47.140
That in turn calls our startup method,
our startup.auth class,

00:48:47.190 --> 00:48:48.840
the same thing that we had in MVC.

00:48:49.920 --> 00:48:52.900
Notice, this code looks identical.

00:48:55.150 --> 00:48:57.700
Now, the actual user itself, we
go into the account folder.

00:48:57.750 --> 00:48:59.820
Let me collapse a little of these
so you can see it more.

00:48:59.870 --> 00:49:00.770
So account,

00:49:02.380 --> 00:49:03.720
when a user registers,

00:49:05.600 --> 00:49:07.160
let's look at that code behind here.

00:49:09.960 --> 00:49:12.190
So we're getting a reference to
the UserManager, and we're

00:49:13.810 --> 00:49:16.910
getting a reference to the SigninManager.
Those are the things

00:49:16.960 --> 00:49:17.870
that we want to talk to.

00:49:18.580 --> 00:49:22.310
We're going to create a new ApplicationUser,
which behind the

00:49:22.360 --> 00:49:25.060
scenes goes to IdentityUser,
which is an IUser.

00:49:26.040 --> 00:49:32.030
We give it the required information, we
call the ApplicationUserManager.Create.

00:49:32.300 --> 00:49:35.080
Remember, if we want to create a user,
we talk to the UserManager,

00:49:35.130 --> 00:49:41.310
and then we sign in that user, and
we redirect them back to a URL.

00:49:41.360 --> 00:49:44.540
So it's calling the exact same code
behind the scenes. For those

00:49:44.590 --> 00:49:47.310
that have been used to using
Web Forms, there's no login

00:49:48.600 --> 00:49:51.620
control that you would use previously
here, and that allows you

00:49:51.670 --> 00:49:54.770
to have virtually the same code
between the systems, and all

00:49:54.820 --> 00:49:57.380
the template code is here for you.
If you want to create your

00:49:57.430 --> 00:50:01.610
user, register your user, login your
user, all that code is provided

00:50:01.660 --> 00:50:03.410
for you, and it's virtually...

00:50:04.000 --> 00:50:06.050
outside of some minor differences
here, like

00:50:08.000 --> 00:50:09.400
where you get the context...

00:50:10.000 --> 00:50:12.330
in other words, where you refer
to the UserManager and where

00:50:12.380 --> 00:50:16.640
you refer to the SigninManager, outside
of some differences between

00:50:16.690 --> 00:50:18.630
MVC and Web Forms on how you would
do that, or where you would

00:50:18.680 --> 00:50:21.350
do that, I should say, everything
else is virtually the same.

00:50:21.400 --> 00:50:24.170
We call a SigninManager to sign
them in, and we get a result

00:50:24.220 --> 00:50:28.170
code that comes back that we check
the exact same way. So, again,

00:50:28.220 --> 00:50:32.420
most of this code is virtually the
same between Web Forms and MVC.

00:50:34.300 --> 00:50:35.080
Make sense so far?

00:50:36.160 --> 00:50:36.340
>> Yes.

00:50:36.390 --> 00:50:38.080
>> Hopefully, it's a little clearer
than mud right now.

00:50:38.130 --> 00:50:40.480
>> Yes, no. We've got really good
discussion in the chat room

00:50:40.530 --> 00:50:44.740
right now, people asking some good
questions, and it sounds like

00:50:44.790 --> 00:50:45.480
they're understanding.

00:50:45.530 --> 00:50:48.690
>> Very good, very good. So, again, UserManager,
ApplicationUserManager,

00:50:48.740 --> 00:50:53.530
SigninManager to sign in a user.
We talk to the UserManager

00:50:53.580 --> 00:50:57.830
to create an account, get
roles for a user, etc.

00:50:58.640 --> 00:51:01.330
We sign in a user using a SigninManager,
we check the result,

00:51:01.380 --> 00:51:05.640
and then we are essentially done. So
a very, very simple process there.

00:51:06.310 --> 00:51:09.400
Out of the box, uses the Entity
Framework behind the scenes and

00:51:09.450 --> 00:51:12.430
creates a database for you, fills
in all that information, so

00:51:12.480 --> 00:51:14.810
you don't have to manage any of
that, and in the next module,

00:51:16.300 --> 00:51:19.860
we're going to look at how to customize
that a little bit more,

00:51:19.910 --> 00:51:21.960
how to look at this data in a little
bit more detail, and then

00:51:22.010 --> 00:51:23.940
we want to change the names. Maybe
we want to add some custom

00:51:23.990 --> 00:51:26.980
fields into there. So we'll see you
back shortly. Here's a couple

00:51:27.030 --> 00:51:29.160
resources for you, and thanks for
joining us again, and we'll

00:51:29.210 --> 00:51:30.100
see you in the next module.

00:51:30.150 --> 00:51:31.260
>> Let's take a 10-minute break.


