@@ApheliontI'm seriously thinking about this right now.

@Apheliont I'd always recommend against implementing your own solution (and said so to my company!), but they didn't want to pay the license fee for Duende. Anyways, deep diving into Identity/Open ID was a good learning experience for me so I can't complain

@@eg8568 Azure has 50 000 MAU for free on B2C

You are not alone.

@eg8568 Why did you not have a look at dunde ?

November 14, 2023 ASP .NET Core 8, with its much-anticipated features and enhancements, is scheduled to be officially released on November 14, 2023

Is this thing secure?

I've been using OrchardCore just for its out of the box OpenIddict.

My other comment got deleted because I linked the repo.. There is code in the Asp Net Core project for handling OIDC flows (including I believe opaque tokens). If you don't need to be an IdP it's all buried in there and you can scaffold out the UI and see the stuff in action via the Razor pages right now.

second this, very correct

yeah they destroyed the authentication that we actually need

Exact!

I have to agree. My learning experience with auth was painful at best and has led to a lot of confusion as to best practices. In the end I found using third party solutions was less painful as a rule.

That's the point

yeah! it's like a marketing feature😅 this is for programmers who like to compare programming languages by writing helloworld application )) loook, in python enough "print('hello')" in c# it needs so many codes like (class program { static void Main(string[] args) { Console.WriteLine('hello'); }😂😂

I guess you have to scaffold the endpoints and do what's necessary. Additional fields most likely is just a matter of adding properties as those endpoints will work on T where IdentityUser

True

Yes

+1 here wondering whether this can be used with an independent auth server for multiple services!

@marklnz why wouldn't you call the extension method to add the endpoints? Functionality such as resetting user passwords etc would likely still be needed

Also, are there any improvements in net8 that work more efficiently with Azure Functions ??

@@marklnz I tend to favour Azure AD instead of local auth db. Azure B2B can be overkill at times but then you don't need to worry much about the authN functionality.

Yea, I was just thinking if this could replace IdentityServer and came to the same conclusion that this is mostly for single apps that doesn't require oidc or single sign on.

Would love to see that! I'm looking for an example in .NET8, where I have a service that is used for login/token authentication and other API (separated service) that will use the token to call the service. Looks like any example assumes that the services API are the SAME as the authentication API.

What approach did you go for? Have a video?

@@d0neall_ I use the backend for frontend approach, I don't think there is an video about it it's pretty new

Pretty easy to use bcrypt or argon2 with this. You just specify the password hashed singleton for the DI to use (I’ve done this for both already)

Ha! I was going to beg for the same thing! All of our apps require KC use. Scopes and refresh are an added bonus!

Oidc and oauth protocols does not require token to be in JWT format.

Will be seamless with Swagger, they are just endpoints. I’m guess that the difference is that this token is not base64url encoded, and does not contain client readable info, unlike a jwt

@@kabal911I don't see these endpoints in swagger edit: I had to add builder.Services.AddEndpointsApiExplorer(); builder.Services.AddControllers(); I worked on blazor dotnet 8 app and it wasn't included by default.

Well, i think the idea is that you can call the API from anywhere in your server-side logic.

If by seeding you are talking about creating the default admins, then you can do that before you run the app. You can manually create a scope and get the db context.

@@arjix8738that’s problematic if your app is distributed

this is usually done via a post deployment script. if using ef core migrations you can do this in your db context class.. you can do this in your "OnModelCreating" method via the "HasData" method.

Simply add the field on the user object

1. It is using data protection yes. 2. The token is not a JWT, it's a different format. 3. If there are still timing issues with data protection providers, we'll need to fix them, these tokens are on top of that subsystem.

@@davidfowl Thanks for the response. I did catch in Nick's video that he said they aren't JWTs, but then the tokens in the login response looked a lot like what you get back in the OAuth OIDC client flow, so my brain went to JWTs. If I remember correctly, the easiest way to recreate the SQL Server DP provider timing issue was to stop all the nodes in the cluster, delete the DP keys from the database and then start the cluster. In my case, I was using Cloud Foundry with an app that I scaled up to something like 10 nodes. Even though I know the DP subsystem has some level of control around how nodes handle key rotation, I wanted to see what would happen if multiple nodes in the cluster were trying to create new keys at nearly the same time. The result in my test was that some nodes ended up with different DP keys than others because the SQL Server DP provider doesn't do any locking, which I believe could be necessary. The DP subsystem tries to get a key from the provider and if it doesn't exist, it tries having the provider write/save the one and then calls the get method again. If multiple nodes fail to get a key (because a write/save hasn't yet completed), each of those node's write/save key method will be hit, which can result in some nodes having different keys. It's pretty fringe case but was still concerning enough for me to write my own SQL provider for DP.

This does not look like OpenID