Espionage
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
I ended up solving the problem - I had mistakenly used the wrong authentication scheme when setting up.
I had: CookieAuthenticationDefaults.AuthenticationScheme
I needed: IdentityConstants.ApplicationScheme
This works:
    builder.Services.AddAuthentication(IdentityConstants.ApplicationScheme)
        .AddCookie(options =>
        {
            options.LoginPath = "/account/login";
            options.Cookie.HttpOnly = true;
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
            options.Cookie.SameSite = SameSiteMode.Strict;
        });
32 replies
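The scheme pairing discussed in this post, as an added example that is not the poster's code: SignInManager.SignInAsync issues its cookie under IdentityConstants.ApplicationScheme, so [Authorize] has to authenticate against that same scheme, and the cookie flags have to be set on that scheme's options. It assumes AddIdentity with EF Core stores, the web SDK's implicit usings and the EF Core InMemory provider package; AppDbContext and the /api/me route are hypothetical names.

```csharp
// Added example, not code from the thread. AppDbContext and /api/me are hypothetical.
using System.Security.Claims;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Identity.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddDbContext<AppDbContext>(o => o.UseInMemoryDatabase("demo"));

// AddIdentity registers the "Identity.Application" cookie scheme and makes it the
// default authenticate and challenge scheme. This is the scheme that
// SignInManager.SignInAsync signs the user in to.
builder.Services.AddIdentity<IdentityUser, IdentityRole>()
    .AddEntityFrameworkStores<AppDbContext>();

// Cookie hardening has to target the Identity cookie. AddCookie(options => ...)
// without a scheme name configures the separate "Cookies" scheme and leaves the
// Identity.Application cookie at its defaults (SameSite=Lax, Secure=SameAsRequest).
builder.Services.ConfigureApplicationCookie(options =>
{
    options.LoginPath = "/account/login";
    options.Cookie.HttpOnly = true;
    options.Cookie.SecurePolicy = CookieSecurePolicy.Always;
    options.Cookie.SameSite = SameSiteMode.Strict;
});
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Reached only when the Identity.Application cookie authenticates the request.
app.MapGet("/api/me", (ClaimsPrincipal user) => Results.Ok(user.Identity?.Name))
   .RequireAuthorization();

app.Run();

public class AppDbContext : IdentityDbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
}
```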
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
I guess the one thing I am missing is session right now in my implementation, so I'll add it and see if that's the secret sauce.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
It's a small app for a sub-10-user operation, why should I add the complexity of JWT (I know it's minimal, but it's the principle)? I think that the approach you're describing works and is the default case when you're planning to build a distributed system with multiple services, but I'm not. I'm building a dedicated application with a frontend whose only meaning in life is to talk to this single API and perform CRUD operations. The only reason I use OAuth is to validate users within the organisation, so they don't have to log in to the system and manage multiple credentials. And if I don't want to use an access token, I'm sure I don't have to, I'm just not familiar enough with Identity. If I envision the project scaling to larger sizes - I might consider the complexity as worthwhile, as yes, an access token is more useful when you have multiple APIs for a user to interact with (I'm not arguing against JWTs) - but in my case, with a single API, I just don't see why I should take that direction yet. And nobody has yet chimed in with any domain knowledge on cookie-based authentication to say that my approach is wrong.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
Like my server has sessions, I store sessions in db, sessions tie to users tie to roles.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
I think that's of no consequence except performance, no?
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
That assumes token-based authentication though, and I don't see why it would inherently be worse.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
I want them to then have a valid session with my API, and I don't need the original token from the provider. At this point I said to myself, why do I need an access token, can't I just set up a session?
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
Well again, I don't want to use the token, because its only utility in life is to be a trust provider. I have no use for the token, and if I was going to pass a token around, I'd rather generate my own. I use token-based OAuth only to the point of obtaining a valid access token from a provider. And I pass that token to my API, where I perform validation of the token. If the token is valid, then I take the user's email - and I never care about OAuth again. The token has served its purpose at this point for me.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
I know for sure I can make it work with access tokens, but I don't think they're inherently required to achieve the outcome here, I guess is where I'm at. I'll fiddle with it some more I guess, or wait for some more feedback - but adding tokens just because I don't understand what's going on isn't something I want to do, as I'm really trying to understand what's fundamentally wrong with this approach.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
Well, I guess where I'm lost is that I don't want to use the original token for anything other than trusting my frontend has completed OAuth. I don't really want to generate a new access token just for the sake of it, because isn't the whole thing that HttpOnly cookies are a valid auth mechanism in and of themselves - access tokens aren't a requirement of authentication, they're an alternative solution.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
Well, that's the question, isn't it? It's a method on SignInManager<IdentityUser>. And my understanding was that it abstracted away the bits and pieces for me and just set the HttpContext.Response headers with everything it needed for authorization.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
I'll read through that, and see whether it's worth the effort to rip out what I've done or not and take that approach - but I don't see why my current approach would be outside the realm of feasible.
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
I currently receive an access token from my React app, which I verify as having come from my auth provider. If I verify it successfully, I pass the user email to userManager and create them, or retrieve their existing account. With that account, I call signinmanager.SignInAsync(user, isPersistent: true); Then I have a route set up with [Authorize] and, I guess unintuitively to me, there's an additional auth step I need?
32 replies
CC#
Created by Espionage on 1/22/2025 in #help
✅ Identity Help
I'm with you, but there's no reason for me to do a JWT as I don't foresee anyone interacting with my API at that level. It's purely going to be my React app that talks to it - so I'm going to aim for a session-based auth. What I thought though, was that Identity would handle not only a session, but the authorisation - and that passing the cookie back and forth served as a client token for the session. Otherwise what's the utility of the SignInManager, why would it then delegate responsibility of session management back to me, isn't its purpose to resolve this part of the journey?
32 replies
CC#
Created by KooriByte on 2/4/2023 in #help
✅ How would you search this?
I don't see anyone really giving you a direct answer.... I would be searching two separate things, assuming you want to persist it:
How to change link color when clicked? (IMO the answer is just CSS based on a DB entry)
'How to use conditional logic to change text color C# MVC'
'How to add/retrieve a record in a database C# MVC?'
If you don't understand relational databases it might not be obvious to you, but regarding adding to a user's favorited list, displaying the favorited by and changing the color, this can all be achieved by one database entry which would link two separate tables. Then using conditional logic, modifying how it is output to the page either by directly applying a style to the HTML output, or using a class to achieve the same.
38 replies