dotnet / aspnetcore

ASP.NET Core is a cross-platform .NET framework for building modern cloud-based web applications on Windows, Mac, or Linux.
https://asp.net
MIT License

2.2 Roadmap discussion #3265

Closed glennc closed 5 years ago

glennc commented 6 years ago

Discussion for the 2.2 Roadmap announcement: https://github.com/aspnet/Announcements/issues/307

jhuntsman commented 6 years ago

Weighing in on the new OpenID implementation, instead of yet another implementation to learn, embrace and engage with the community efforts of IdentityServer4 and contribute to create an opinionated IdentityServer "Lite" version that could be included from nuget and setup with minimal efforts.

KPixel commented 6 years ago

You are all overreacting. The ASP.NET team is already thinking like all of you. @DamianEdwards talked about it in the most recent Community Standup.

Here is the most relevant part (but I encourage you to listen to all of it):

"We are actually talking to the IdentityServer folks about that now." https://youtu.be/Tzh2EXwgEk8?t=25m15s

kevinchalet commented 6 years ago

Really interesting to see how passionate the discussion around the "MSFT authorization server" project is :smile:

Incidentally, Vittorio Bertocci contacted me exactly 2 years ago to chat about this project as they were considering using OpenIddict (the OIDC server I develop and maintain) as a base for this project. Last year, I was told they preferred going with their own implementation instead of leveraging third-party OSS as it was considered "too strategic" from a business perspective (which is something I could understand).

I'm glad to see they changed their mind and are finally considering using an existing OSS solution like IdentityServer4 instead of creating another thing from scratch: it's a very good signal sent to the .NET community :clap:

veikkoeeva commented 6 years ago

This goes a bit off the thread, but @CrispinH, it looks like you're looking for a bit of https://stackoverflow.com/questions/51123289/how-to-generate-a-response-to-a-csr-in-net-core-i-e-to-write-a-csr-signing-se. .NET Core 2.0 includes other facilities to create and work with certificates too. See the comments about running a CA too. The library tooling is almost there and, depending on your organization, you might be able to use certificates in some controlled fashion on some server without setting up a lot of infrastructure. On that token, reading (DER encoded) certificate signing requests (CSRs) out-of-the-box would be a nice addition -- along with a JSON-LD library. And more crypto in general. :)

kieronlanning commented 6 years ago

I’d love to see some middleware like support for LetsEncrypt - working with App Services in Windows, Linux and Docker in Azure.

veikkoeeva commented 6 years ago

@kieronlanning I agree, in addition to the DER encoding with regards to CSR signing mentioned earlier (albeit adding support without edge cases doesn't look that difficult). There are a few libraries for .NET (also listed on the Let's Encrypt pages), but also a bit of trouble. For instance, the most actively maintained .NET one with regards to Let's Encrypt looks like being Certes, but it takes a dependency on BouncyCastle. It would be nice if someone helped it to be .NET Standard 2.0 only. One reason for me is that BouncyCastle doesn't work nicely with the Orleans TaskScheduler. :)

About the crypto mention, though not strictly an ASP.NET Core issue, MS seemingly is pushing heavily on blockchains, but .NET lacks crypto ability. On the surface a lot of this has to do with ASP.NET Core too (like, for instance, the various blockchain explorer implementations, such as https://etherscan.io/) and it'd be nice to have more support for libraries like Inferno and just more abilities baked into the platform. One outstanding issue is at https://github.com/sdrapkin/SecurityDriven.Inferno/issues/10#issuecomment-395778931 (lending some eyes here if someone has the chops to help).

RehanSaeed commented 6 years ago

This from @kieronlanning would be my number one feature request:

"I’d love to see some middleware like support for LetsEncrypt."

Here is the open issue: https://github.com/aspnet/Home/issues/1190. Please do go and upvote it.

vpaulino commented 6 years ago

Is MessagePack being considered to be available on ASP.NET Core for all frameworks and not only SignalR? Since HTTP/2 framing is binary, are you considering MessagePack for that?

marcrib commented 6 years ago

authorization server released on preview3?

leastprivilege commented 6 years ago

It already exists. Https://IdentityServer.io

marcrib commented 6 years ago

@leastprivilege I like and use IdentityServer, but I'm very curious to see the Microsoft implementation and understand why (Microsoft) did not incorporate IdentityServer in its core.

Eilon commented 6 years ago

@danroth27 - can you share the latest?

leastprivilege commented 6 years ago

Microsoft is using IdentityServer.

MichelZ commented 6 years ago

So how is this working? Microsoft uses IDS4 code directly? Microsoft trims down IDS4 features? What's the model here? What should be our expectations? Is there a possible migration path between them?

leastprivilege commented 6 years ago

Microsoft will use our standard nuget package and use our configuration API to give you some default settings to play nice with the template and ASP.NET Identity. That's all.

You can achieve the exactly same thing today already.

Ruard commented 6 years ago

It's probably me, but I'm surprised to read that the gap of Microsoft authorization server is filled by IdentityServer4. As per my understanding the main concern of IdentityServer is authentication, not authorization.

For me IdentityServer is fine as authentication server, but doesn't work as authorization server. I assumed that that was the reason that PolicyServer was created.

@leastprivilege Will IdentityServer be extended with something like PolicyServer?

blowdart commented 6 years ago

@Ruard So its confusing (and Dominick will probably cringe or pick on my explanation).

OAuth is authentication, but it has authorization as its first step, and then issues a grant based on scopes etc. So, in our wrapping, Identity Server will perform the login, validate it, validate the scopes required (which in the initial case will always succeed because we're using the default scope), then pass a token back to the caller, which is then sent to the API which will validate it, and then, optionally, you can go further with authorization rules within the API. OIDC confused it further by being a way to acquire a user's identity information, including authorization that the app is allowed to have it ...

So, basically, Identity Server will give us an identity, authorizing that the app is allowed to have it, and then you can use ASP.NET's authorization pieces to further control access.
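The API side of the flow described above, as an added example that is not part of the thread and not the ASP.NET Core template's own code: the JWT bearer handler validates the token the identity server issued, an authorization policy then checks the scope this API was registered for, and per-endpoint attributes layer further rules on top. The authority URL, the audience/scope name `api1`, the `OrdersController` and the `admin` role are placeholders for illustration.

```csharp
// Added example (not from the thread): API-side configuration for the flow
// described above: authenticate the bearer token, then authorize by scope.
// Authority, audience, scope name, controller and role are placeholders.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();

        // Step 1: authentication. The handler downloads the signing keys from the
        // authority's discovery document and checks signature, expiry, issuer and
        // audience before a ClaimsPrincipal is built from the token.
        services.AddAuthentication("Bearer")
            .AddJwtBearer("Bearer", options =>
            {
                options.Authority = "https://identity.example.com"; // placeholder
                options.Audience = "api1";                            // placeholder
                options.RequireHttpsMetadata = true;                  // never fetch keys over plain HTTP
            });

        // Step 2: authorization. A valid token is not enough; it must also carry the
        // scope this API expects, which is what the identity server granted to the client.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ApiScope", policy =>
            {
                policy.RequireAuthenticatedUser();
                policy.RequireClaim("scope", "api1"); // placeholder scope name
            });
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must run before MVC so HttpContext.User is populated
        app.UseMvc();
    }
}

// Step 3: the "go further" part: rules inside the API, built on the identity the token established.
[Route("api/[controller]")]
[ApiController]
[Authorize(Policy = "ApiScope")]
public class OrdersController : ControllerBase
{
    [HttpGet]
    public IActionResult List() => Ok(new[] { "order-1", "order-2" }); // constructed sample data

    // A tighter rule for a sensitive operation, layered on top of the class-level policy.
    [HttpDelete("{id}")]
    [Authorize(Roles = "admin")]
    public IActionResult Delete(string id) => NoContent();
}
```

Without `UseAuthentication()` before `UseMvc()` every request arrives anonymous and the `[Authorize]` attributes return 401 for all callers; without the scope policy any token from the same authority, issued for any other API the user consented to, would be accepted here.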

blowdart commented 6 years ago

@MichelZ there will be a grow up story. We'll configure for simple scenarios, and once you go outside those you can explore the full power of the IdentityServer configuration model.

MichelZ commented 6 years ago

@blowdart We already use IdentityServer (and are impressed with the capabilities!), however getting the benefit from Microsoft's "long-term-support" policies is also a big plus for us. So whichever synergies you can provide here are very much welcome. We love both products, ASP.NET Core and IdentityServer (4), the same way. It's definitely a step in the right direction IMHO. However, we also recognize that all these protocols are not exactly "straightforward". They aren't rocket science once you understand them, but still, they aren't straightforward either.

I wish someone would invent a REALLY simple protocol, leaving behind ALL legacy implementations and focus on the future.

blowdart commented 6 years ago

If you're already using it, then your use won't really change, you have it working :)

We're aiming at File New > Web API with Individual Authentication, and then adding other APIs, and everything is convention based. That's not going to work for existing apps, because the conventions will be new. I wouldn't plan to replace your config with ours :)

brockallen commented 6 years ago

I wish someone would invent a REALLY simple protocol, leaving behind ALL legacy implementations and focus on the future.

This is the problem -- apps are getting more complicated not less. To secure them, the security is also complicated. I've always pushed back when I hear people say that IdentityServer is complicated -- it's not. It's your application's security requirements that are complicated. Often people don't have the perspective to recognize that.

MichelZ commented 6 years ago

Yes, it's working - and it's working well - but still, that additional assurance it (may) give you, when Microsoft officially "endorses" and ultimately "supports" a technology is pure gold.... ! You have been lifted onto a whole new level!

MichelZ commented 6 years ago

@brockallen Yes, applications probably complicate things a LOT. However, the OIDC protocol undeniably inherited some stuff from OAuth 2.0 that it would have been better off shaking off. Some of your team members (I think it was @leastprivilege) said that if OIDC were developed from the ground up, it would probably look fairly different from what we have now.

I'm not saying what we have now is "bad", I really appreciate what we have, and it's really functional for our purposes, and I hope everyone involved in the creation of it is proud of the work they did!

BenHayat commented 6 years ago

@Team; For preview 3, could you please provide some detailed docs on the "Authorization Server" and how it will function with Web API and client-side JS, like Vue? We need to make a decision, and this preview of the Authorization Server is a critical preview; any detailed docs will give us info for our decision.

Thanks!

leastprivilege commented 6 years ago

As discussed before

https://identityserver.io

veikkoeeva commented 6 years ago

Just noticed also U.S. open data APIs are in JSON-LD: https://project-open-data.cio.gov/v1.1/schema/ . This seems to be a rapidly growing trend, so a well resourced JSON-LD .NET library used with ASP.NET would be nice. :)

khellang commented 6 years ago

@veikkoeeva So are (at least part of) the NuGet APIs. They're using json-ld.net, no need for another library.

veikkoeeva commented 6 years ago

@khellang And there are other libraries too, this particular library could use maintainers (https://github.com/linked-data-dotnet/json-ld.net/issues/26). I realize it's open source and in theory I could step in to contribute, but for the time being at least I'm spread too thin to help with this. Put otherwise, perhaps, I'd like to bring this into attention that a lot of data sets seem to be moving towards semantic formats and it's not clear how to efficiently work with that using .NET.

mikeandersun commented 6 years ago

IMHO, adding IdentityServer4 to the core of ASP.NET Core is a bad idea. Please don't make .NET Core a monolithic framework. .NET Core is there and IdentityServer4 is there; people make the architecture based on their own authentication and authorization needs.

poke commented 6 years ago

@mikeandersun The plan is only to have an easy default configuration that you can add to your project to make it work out of the box.

You can still not use it, and it won't affect you. You can still use IdSrv and fully configure it yourself. You can still choose what components to include in your project. None of this is making ASP.NET Core monolithic.

ASP.NET Core != .NET Core btw.

yzorg commented 6 years ago

Will 2.2 be an LTS release? (Asking if it's already been announced, not asking you to make a new announcement.)

Tratcher commented 6 years ago

@yzorg no that has not been announced. That determination is often made after release based on quality/stability.

Ponant commented 5 years ago

@blowdart , would this template provide identity server with an Web app MVC client instead of an API?

blowdart commented 5 years ago

@Ponant No. It's aimed at APIs only. We'll reevaluate that in the 3.x timeline.

BenHayat commented 5 years ago

Interesting... This question came up in a meeting yesterday. If we build a full "MVC" project without the use of Web API, can we use the new ASP.Net 2.2 IS4 template that is integrated in 2.2? Looks the big boss (Barry) just answered the question.

Ponant commented 5 years ago

@blowdart alias big boss: why isn't that done in one shot? It seems trivial at first sight to use an MVC client or a web API talking to an ASP.NET Core Identity IS4 server.

blowdart commented 5 years ago

@Ponant Because we don't have infinite resources. What features would you have liked us to drop in order to put everyone on changing a major part of MVC flow which wouldn't give any new features, just change how an existing one works? An individual authenticated API has been a gap between full framework and ASP.NET Core. The focus of work was on filling that gap. Identity Server already has working templates for MVC with Identity Server as the "core".

papyr commented 5 years ago

@CrispinH @blowdart I agree with you wholeheartedly; user administration, roles, tenancy and user groups are needed desperately. Look at this - there are 7 UserVoice tickets all complaining about this, from hundreds of developers and companies. Sadly, many other tech like Java blueRay portal JSR 182 or 173 did such a beautiful job here!

--> So many requests for user/groups/tenant management

--> AGAIN here people complaining ... it goes on, even on twitter and facebook.. this is the reason - why other platforms like WP and PHP are easier!


While @manigandham believes IdentityServer is a great fit, they charge A LOT for the GUI administration tool and it's not cheap for many countries and developers; it also goes against the low-TCO developer. How many people can really afford this? It has been a HUGE obstacle and step back. A basic vanilla functionality and GUI to manage the Users/roles/Roles-User_groups/Tenants is needed, which can then be enhanced by the developer.

poke commented 5 years ago

@papyr Why don’t you just start an open source project for this? A full GUI for everything does not need to be built into the framework (templates). And just seeing how difficult it already is for the team to keep the templates updated, e.g. with changes to Bootstrap, I don’t really want them to waste more effort on that. But on the other side, I totally get that this would be a useful thing to exist, so why don’t you just make this a community effort?

joeaudette commented 5 years ago

@papyr @poke no need for a new open source project, there are excellent existing projects.

If you want something open source from MS designed to compete with WordPress then look at Orchard: https://github.com/OrchardCMS/OrchardCore

If you want more of a library approach instead of a framework check out cloudscribe, which has nugets for multi-tenancy and user and role and claim management ui pre-built with an optional identityserver4 integration and optional cms (cloudscribe.Simple/content) as additional nugets. https://www.cloudscribe.com/docs/introduction https://github.com/cloudscribe/cloudscribe https://github.com/cloudscribe/cloudscribe.SimpleContent

KPixel commented 5 years ago

If you want something open source from MS designed to compete with WordPress then look at Orchard: https://github.com/OrchardCMS/OrchardCore

I second this recommendation.

And Orchard Core is designed to be extremely modular. For example, it is possible to extract just its multi-tenancy module and use it in your own projects. It also already has modules to manage users & roles, and I'm sure they would appreciate your contribution to make it even better.

You can watch a lot of demos of its various features on their channel.

brockallen commented 5 years ago

@papyr Why don’t you just start an open source project for this?

https://github.com/IdentityManager/IdentityManager2

veikkoeeva commented 5 years ago

This UI thing can be tricky, albeit helpful to get basic things done quickly. It seems that recently I've come across cases where building the UI isn't the biggest task, but figuring out how to fulfil the "process needs" such as pre-approving some emails (that do something application specific), calling APIs that call APIs, some of which might mean joins in the database or calls to somewhere else etc., and then adding them to tokens and UI logic.

So having good tutorials such as https://mcguirev10.com/2018/01/28/login-identity-management-best-practices.html or those at https://mcguirev10.com/page2/ feels more important than UI (especially if one can't or doesn't want to use EF). Then maybe search for UI for one's chosen tech (Aurelia/Angular/Razor/React/Vue etc.) and how they implement some data handling.

On naming projects and names, besides @scottbrady91, I've found it very educational to check @LindaLawton, https://github.com/abergs/fido2-net-lib (@abergs, @aseigler), @TomCJones, @mackie1001 (Gitter) etc. to provide additional explanations and code to peek into when stepping even a bit outside of the basic need. I've forgotten to add some names and projects. :)

jimgwhit commented 5 years ago

Why can't .NET Core have normal Razor web pages? When I do complex reports I like doing everything from a single Razor (C#) page. Or at least the ability to use just a view at times, with no model or controller.

In other words, the basic ability to connect to SQL in the view and receive GET and POST requests, sanitized of course; I currently use a class called Striptag.cs.

benaadams commented 5 years ago

Why can't .NET Core have normal Razor web pages?

You can use Razor pages for this https://docs.microsoft.com/en-us/aspnet/core/razor-pages/?view=aspnetcore-2.1&tabs=visual-studio

Having a backing page model class is optional; you can just have a single page

jimgwhit commented 5 years ago

benaadams thanks for the answer. How would I use GET and POST requests directly in a Razor page, and make a basic connection to SQL Server? The connection for regular queries, not ADO entities, or LINQ, or an ORM. I always prefer normal queries.

Like:

```csharp
var msql = "SELECT * FROM customerss WHERE lastname LIKE @0 ORDER BY lastname OFFSET " + thisoffset + " ROWS FETCH NEXT 5 ROWS ONLY";
```

I know the connection string is in a JSON file now, but I don't know how to use it in a view. Some things aren't deeply documented.

tpetrina commented 5 years ago

Well, it has a learning curve. If you want to fetch data before loading the view, you do it in the corresponding action. So, for HomeController.ViewReports action and Views/Home/ViewReports.cshtml page you write:

```csharp
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
  public ActionResult ViewReports()
  {
    // fetch data from the SQL using...something...
    var data = FetchReportData();
    return View(data);
  }
}
```

If you want to fetch data after page load, you typically use AJAX requests to some pure GET/POST endpoint that returns JSON formatted data.

benaadams commented 5 years ago

Can still do it on a page without any controller or action; something like

```cshtml
@page
@using System.Data.SqlClient
@using Microsoft.AspNetCore.Http
@using Microsoft.Extensions.Configuration
@inject IConfiguration Configuration

@{
    // StringValues converts to string implicitly; keep it a string so SqlClient can map the parameter
    string lastname = Request.Query["lastname"];
    if (!string.IsNullOrEmpty(lastname))
    {
        var offset = 0;
        var count = 5;
        if (Request.Method == HttpMethods.Post)
        {
            int.TryParse(Request.Form["offset"], out offset);
            int.TryParse(Request.Form["count"], out count);
            count = Math.Min(count, 50);
        }

        var connectionString = Configuration.GetConnectionString("MyConnectionString");
        using (var conn = new SqlConnection(connectionString))
        {
            // user input only ever travels as parameters, never spliced into the SQL text
            using (var cmd = new SqlCommand(@"
            SELECT * FROM customers
            WHERE lastname LIKE @lastname
            ORDER BY lastname
                OFFSET (@offset) ROWS
                FETCH NEXT (@count) ROWS ONLY", conn))
            {
                cmd.Parameters.AddWithValue("@lastname", lastname);
                cmd.Parameters.AddWithValue("@offset", offset);
                cmd.Parameters.AddWithValue("@count", count);

                await conn.OpenAsync();
                using (var reader = await cmd.ExecuteReaderAsync())
                {
                    while (await reader.ReadAsync())
                    {
                        <div>@reader["lastname"]</div>
                    }
                }
            }
        }
    }
    else
    {
        <div>Nothing chosen</div>
    }
}
```

jimgwhit commented 5 years ago

I have used MVC ASP.NET and WebForms and old Razor pages, so I am not new to this. I have spent 3 hours and still cannot get a simple test Razor page to work. I have:

```html
<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title></title>
</head>
<body>
    <form id="petform" method="post" action="pets/razdb3">
        <input type="text" name="psearch" id="psearch" />
        <input type="submit" />
    </form>

</body>
</html>
```

Just an HTML page, and it loads.

Model

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;

namespace petnewtry.Pages.pets
{
    public class razdb3Model : PageModel
    {
        public string myvar { get; set; }

        public void OnGet()
        {

        }

        public void OnPost()
        {
            myvar = Request.Form["psearch"];
        }
    }
}
```

View:

```cshtml
@page
@model petnewtry.Pages.pets.razdb3Model
@{
    Layout = null;
}

<!DOCTYPE html>

<html>
<head>
    <meta name="viewport" content="width=device-width" />
    <title>razdb3</title>
</head>
<body>
    <div>@Model.myvar</div>
    <div>hello</div>
</body>
</html>
```

3 hours and all I get is a blank page. I tried a return statement, etc.

If I just type in http://localhost:51307/pets/razdb3 I get the second div's "hello", but for @Model.myvar I get nothing.

I am new to .NET Core, and would never have imagined it would or could be so hard to simply display a Razor page.

In VS community 2017

benaadams commented 5 years ago

the @Model.myvar I get nothing.

You set the myvar value on a POST request (OnPost) from the form value psearch; so you'd need to make a POST request with that value to set it.

In the GET request (OnGet), which you get from just navigating to the URL in the browser rather than a form postback, it isn't being set to anything.

Try setting it to a default value so it shows up when you don't set it to confirm the model is flowing through:

```csharp
public string myvar { get; set; } = "Not Set";
```
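Putting the two halves of this thread together (the GET/POST question with the concatenated-OFFSET query above, and the OnGet/OnPost confusion here), the following is an added example, not code from the thread or from ASP.NET Core itself: a single Razor Page model that accepts a search term and paging values by either GET or POST, validates them through model binding, and runs the customer query with parameters only. The page name `CustomerSearch`, the connection string name `CustomerDb` and the `dbo.customers(lastname)` table are assumptions.

```csharp
// Added example (not from the thread): a Razor Page model that handles both GET and
// POST, validates the paging input, and queries SQL Server with parameters only.
// Assumes Pages/pets/CustomerSearch.cshtml, a connection string named "CustomerDb"
// and a table dbo.customers with a lastname column (all placeholders).
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Data;
using System.Data.SqlClient;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.RazorPages;
using Microsoft.Extensions.Configuration;

namespace petnewtry.Pages.pets
{
    public class CustomerSearchModel : PageModel
    {
        private readonly IConfiguration _configuration;

        public CustomerSearchModel(IConfiguration configuration)
        {
            _configuration = configuration;
        }

        // Bound from the form on POST; SupportsGet also binds ?Search=...&Offset=... on GET,
        // so the same handler logic serves a typed URL and a submitted form.
        [BindProperty(SupportsGet = true)]
        [StringLength(50)]
        public string Search { get; set; } = "";

        [BindProperty(SupportsGet = true)]
        [Range(0, int.MaxValue)]
        public int Offset { get; set; } = 0;

        [BindProperty(SupportsGet = true)]
        [Range(1, 50)]                       // hard cap on page size, server side
        public int Count { get; set; } = 5;

        public List<string> LastNames { get; } = new List<string>();
        public string Message { get; set; } = "Nothing chosen"; // default so the model is visibly flowing

        public Task OnGetAsync() => RunSearchAsync();

        // Razor Pages validate the antiforgery token on POST by default, so the form that
        // targets this page should be rendered by Razor (<form method="post"> adds the token).
        public Task OnPostAsync() => RunSearchAsync();

        private async Task RunSearchAsync()
        {
            // [StringLength]/[Range] violations land in ModelState: refuse to query on bad input.
            if (!ModelState.IsValid || string.IsNullOrWhiteSpace(Search))
            {
                return;
            }

            // Every user-controlled value, paging included, is a parameter. Splicing the
            // offset into the SQL text ("... OFFSET " + offset + " ROWS") is the pattern
            // that lets a non-numeric value rewrite the statement.
            const string sql = @"
                SELECT lastname
                FROM dbo.customers
                WHERE lastname LIKE @pattern
                ORDER BY lastname
                OFFSET @offset ROWS
                FETCH NEXT @count ROWS ONLY";

            using (var conn = new SqlConnection(_configuration.GetConnectionString("CustomerDb")))
            using (var cmd = new SqlCommand(sql, conn))
            {
                // Escape LIKE metacharacters in the user's text so "%" or "_" cannot widen
                // the match, then append the trailing wildcard ourselves.
                var pattern = Search.Replace("[", "[[]").Replace("%", "[%]").Replace("_", "[_]") + "%";
                cmd.Parameters.Add("@pattern", SqlDbType.NVarChar, 200).Value = pattern;
                cmd.Parameters.Add("@offset", SqlDbType.Int).Value = Offset;
                cmd.Parameters.Add("@count", SqlDbType.Int).Value = Count;

                await conn.OpenAsync();
                using (var reader = await cmd.ExecuteReaderAsync())
                {
                    while (await reader.ReadAsync())
                    {
                        LastNames.Add(reader.GetString(0));
                    }
                }
            }

            Message = LastNames.Count == 0 ? "No matches" : $"{LastNames.Count} result(s)";
        }
    }
}
```

The matching `CustomerSearch.cshtml` needs only `@page`, `@model petnewtry.Pages.pets.CustomerSearchModel`, a `<form method="post">` with `<input asp-for="Search" />`, `<input asp-for="Offset" />` and `<input asp-for="Count" />`, and a loop over `Model.LastNames`; explicit typed parameters (`Parameters.Add` with a `SqlDbType`) are used instead of `AddWithValue` so the column types, not the runtime type of the bound value, decide how SQL Server compares them.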