Hey, what's happening, YouTube? My name is Lee Brant. I'm a developer advocate at Okta. Today we're going to look at using the built-in OIDC middleware in ASP.NET Core 3.0 to connect to Okta for identity management. Let's get to it.

Okay, so the first thing you'll want to do is scaffold your .NET application. Assuming you have the .NET Core 3.0 or 3.1 SDK installed, we'll just use the dotnet command line: dotnet new mvc, and we'll give it a name, OIDC ASP.NET Core. Now, all these commands I'm running, I'm running on Linux. It doesn't make any difference; all the commands are the same no matter what platform you're running on. Also, I'll be using Visual Studio Code. Again, it doesn't matter if you're using Visual Studio proper, Visual Studio 2019 or Visual Studio 2019 Community Edition, something like that. There are some things you won't have to do, like setting up the .vscode folder, but everything else should be exactly the same. So let's go ahead and scaffold the application, and you'll see it scaffold the application and then run a restore to get all the NuGet packages that it needs. Now all I need to do is just change directories into that directory where I just created that new application, and for me, since I'm using Visual Studio Code, I can just run code . (code, space, dot). So the first time you run this app in Visual Studio Code (and this is something that people using Visual Studio proper, Visual Studio 2019, won't need to do), for Visual Studio Code users, you'll probably get something like this in the bottom right-hand corner that says the required assets to build and debug are missing, do you want to install them. Just go ahead and say yes, and it'll create this .vscode folder, and that's basically just a launch.json and a tasks.json that help you with starting up the application and attaching a debugger and all that good stuff.
So, that being said, let's go ahead and hit the F5 button and see what this does when it all runs. Okay, so when you run your app, you'll see that it's a pretty simple app. There's just a home page and a privacy page, nothing super new to see here. If you haven't done anything with .NET Core since, say, 2.1, the base app may look a little different, a whole lot simpler, which is better for us. Let's go ahead and add our application.

Okay, to use Okta as your identity provider, you'll need a developer account. Developer accounts are free; they'll always be free. Just go to developer.okta.com, click on Sign Up and fill in the information. It's fairly simple, just email, first name, last name. Once you've created an account and logged in, you'll be taken to this dashboard here. You'll want to click on Applications at the top, and we're going to want to click on Add Application. Choose Web. We've got native apps, single-page apps or APIs; you're going to want to choose the web app, and you'll actually see it says here .NET and Java, for .NET and Java apps, your basic server-side web apps. So we'll call it something simple like OIDC Example. You'll notice our application was running on port 5001, so let's go ahead and put it on port 5001. We'll also change this to port 5001, and actually the URL is signin-oidc, so it's signin, dash, oidc. So it's our localhost, and actually these are always all going to be running on HTTPS locally, so make these https. Everything else can remain the same.
We're going to be using the authorization code flow. So when you click Done, you'll be taken to a page where you've got the general settings, everything we just said, and you'll have a client ID and a client secret. The other thing you're going to want to set up is adding groups to your outgoing token. So if you come over here to Authorization Servers, you'll notice that there's a default one that's been created for you, so we're just going to go ahead and use that one. We're going to add claims, and you'll see I've already had groups added from previous applications that are using the same authorization server, but let's assume that they're not. So we'll go ahead and add a claim and we'll call it groups. We're going to want to add it to the ID token, always. We're going to use the value type of Groups, so basically it's just going to pull up the groups, and then you can say what groups you want added to the ID token: ones that start with something, ones that equal something. We're going to do Matches regex and do a .* so that all groups actually get added to it, and we want it for any scope that's asked for. So now we've got our groups added to the ID token going out, and now we just need to go back and configure our ASP.NET application to use them.

Now that your Okta application is set up, you need to configure the ASP.NET application to use Okta. So the first thing you need to do is set some configuration. So you go into appsettings.Development.json, that file in your ASP.NET Core application, and we can add some values to this JSON file. Okta is the section that we're talking about. We need a client ID, a client secret, the Okta domain, and the post-logout redirect URL, which is already set.
It's going to be localhost:5001. Okay, so now we need to go back to Okta. Your Okta org URL will be right here in your dashboard, in the very top right-hand corner, so we'll just cut and paste that over here into the Okta domain. Then we'll go into Applications and we'll find that OIDC Example application. We'll go to the general settings and scroll down to the bottom, and we'll get the client ID and client secret from there. Client ID, client secret, save that.

Now that we've got your Okta configuration in your ASP.NET application, let's show your ASP.NET application how to use it with the OIDC middleware. To configure your application to now talk to Okta with those configuration values that we just set up, we'll go into Startup.cs. And actually, one of the first things we need to do is come back over here to the command line. We're going to need to add a package. We're going to run dotnet add package, and the package we're going to add is Microsoft.AspNetCore.Authentication.OpenIdConnect. The version we're going to use is 3.0. So let's just go ahead and add that package to the application. Then we'll come back to the application, and in the ConfigureServices method of your Startup.cs we're going to add some values, this nice big chunk of code here. So you don't have to watch me type it, I'm just going to cut and paste it in there. So basically what we're doing is we're adding authentication, we're adding cookies, we're adding OpenID Connect and we're adding authorization. Now there are some using directives that you'll need to add as well. You can either use Ctrl+. and find it.
It's Microsoft.AspNetCore.Authentication.Cookies; that comes from that package that we just installed. Or we'll just go ahead and put them up here so I can show you all four of them you're going to need: that's Authentication.Cookies, Authentication.OpenIdConnect; you also need Microsoft.IdentityModel.Protocols.OpenIdConnect and Microsoft.IdentityModel.Tokens.

Okay, so the options that are going to go into the AddAuthentication call are the default scheme and the default challenge scheme. Now the default scheme is going to be CookieAuthenticationDefaults.AuthenticationScheme, and the default challenge scheme is going to be OpenIdConnectDefaults.AuthenticationScheme, because we want to use OpenID Connect as our authentication scheme and we want to save a cookie, a session cookie. So we add cookies so that we can do that, and then we're going to add OpenID Connect, and it needs some options as well, and this is where we're going to read those configuration values. So you're going to set the sign-in scheme to the cookie authentication scheme. We're going to set the authority, or the authorization server that we're going to be using, to the Okta domain plus /oauth2/default. Now we get that from looking at Okta, and if I go into my API authorization servers (remember, this is where we set up the groups), the default authorization server that was set up for us actually has that URL as its URL, which is whatever your domain is, slash oauth2, slash default. So that's why the /oauth2/default is there on the end. We want to be able to talk over HTTPS.
So we set that to true. We set the client ID and the client secret. We set the response type to code because we're going to be using the authorization code grant type. We want to get the claims from the user info endpoint, which means that once the authentication has actually happened, it'll get the claims from the user info endpoint and create the token with it. The scopes that we want to add are the openid and profile scopes, so that it gets name and email address and that sort of thing. We want to save the tokens once we get them, and we're going to set some token validation parameters. The last one is where we validate the issuer, so once we've got a token back we want to validate that the issuer is who we thought it was going to be. These two are super helpful, in that in the ID token coming back from Okta, the name of the user is actually in a JSON document (the JSON Web Token) keyed with name, lowercase n. Same thing with the roles: we want to map groups to roles, so we just tell it that the role claim type comes from this key in this JSON document called groups. So when it goes and gets the claims, it's going to say, oh, here's groups, that goes in roles. Okay, and then the last thing we're going to do is we're going to add the authorization service. The last thing we need to do is come down here to where it says UseAuthorization, and right above that we're just going to add app.UseAuthentication(). So we set up AddAuthorization here, and UseAuthorization was already there; we've set up AddAuthentication up here, and then we want to tell the application that we actually want to use the authentication that we just configured. Now that we've configured all this, we've got to set up a little bit more to actually kick off a login.
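As an added example (not the chunk of code pasted in the video), here is a Startup.cs that wires up everything described above: cookie plus OpenID Connect authentication reading the Okta section from configuration, the name and groups claim mapping, and UseAuthentication placed before UseAuthorization. It assumes the configuration keys are named ClientId, ClientSecret and OktaDomain.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;
    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed "Okta" section in appsettings.Development.json:
        // { "ClientId": "...", "ClientSecret": "...", "OktaDomain": "https://{yourOktaDomain}" }
        var okta = Configuration.GetSection("Okta");
        services.AddAuthentication(options =>
        {
            // The session lives in a cookie; anything needing a login is challenged via OIDC.
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            // Issuer URL of the default authorization server: {OktaDomain}/oauth2/default
            options.Authority = okta["OktaDomain"] + "/oauth2/default";
            options.RequireHttpsMetadata = true;
            options.ClientId = okta["ClientId"];
            options.ClientSecret = okta["ClientSecret"];
            // Authorization code grant: the browser only ever carries a one-time code.
            options.ResponseType = OpenIdConnectResponseType.Code;
            options.GetClaimsFromUserInfoEndpoint = true;
            options.Scope.Clear();          // the handler pre-adds openid/profile; avoid duplicates
            options.Scope.Add("openid");
            options.Scope.Add("profile");
            options.SaveTokens = true;
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,      // reject ID tokens not issued by Authority
                NameClaimType = "name",     // User.Identity.Name comes from the "name" claim
                RoleClaimType = "groups"    // [Authorize(Roles = ...)] checks the "groups" claim
            };
        });
        services.AddAuthorization();
        services.AddControllersWithViews();
    }

    public void Configure(IApplicationBuilder app)
    {
        // Rest of the scaffolded pipeline (exception page, HTTPS redirect, static files) omitted.
        app.UseRouting();
        app.UseAuthentication();   // must precede UseAuthorization so the cookie is read first
        app.UseAuthorization();
        app.UseEndpoints(e => e.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}"));
    }
}
```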
Okay, so now that we've got this set up, there's really only two pieces we need left, because basically our application is set up to use OIDC for authentication, and it's set up to use Okta as our identity provider for OIDC, but we haven't actually put any UI elements in there or told the application how to kick off a login. Right, so let's create a controller here, and we'll call this controller AccountController. Now I'm just going to cut and paste a couple of chunks of code in here, just to keep you from having to watch me type it, the first one being the body of the actual controller. Now I'm going to need a couple of using statements in here. For me, I can just do Ctrl+.; I think it works the same way in Visual Studio proper. And yep, OpenIdConnect is the one we want, and then this one should be Authentication.Cookies. Yeah, so we brought in Microsoft.AspNetCore.Authentication.Cookies, Authentication.OpenIdConnect and Microsoft.AspNetCore.Mvc for the controller. So now we've got this all set up; we've got a Login and a Logout action. Now the Login action just checks to see if there's somebody already logged in. If there is, it just redirects them back to the home page; if there isn't, then it returns a challenge, and this challenge is actually an OpenIdConnectDefaults.AuthenticationScheme challenge. Same with the Logout: once they click to log out, it's just going to return a SignOutResult that passes the authentication schemes, the OpenID Connect default authentication scheme and the cookie default authentication scheme. So even though we've now got an AccountController, we just need a couple of pieces of UI to be able to actually call this AccountController. So we'll come over here into the Shared folder and we'll create a new file here.
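An AccountController matching the description above, written as an added example rather than the chunk pasted in the video. The HttpPost and ValidateAntiForgeryToken attributes on Logout, and the AccessDenied action (the cookie handler's default redirect target, which comes up at the end of the video), are additions of this example.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // GET /Account/Login
    public IActionResult Login()
    {
        // Already signed in (session cookie present): nothing to do, go home.
        if (User.Identity.IsAuthenticated)
        {
            return RedirectToAction("Index", "Home");
        }
        // Otherwise ask the OIDC handler to start the authorization code flow with Okta.
        // The handler redirects to Okta and later receives the code at /signin-oidc.
        return Challenge(OpenIdConnectDefaults.AuthenticationScheme);
    }

    // POST /Account/Logout: submitted by the form in _LoginPartial, never a plain GET link,
    // so a cross-site request cannot end the user's session behind their back.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public IActionResult Logout()
    {
        // Clear the local cookie AND end the Okta session (RP-initiated logout);
        // Okta then returns the browser to /signout-callback-oidc.
        return new SignOutResult(new[]
        {
            OpenIdConnectDefaults.AuthenticationScheme,
            CookieAuthenticationDefaults.AuthenticationScheme
        });
    }

    // GET /Account/AccessDenied?ReturnUrl=...: the cookie handler sends signed-in users
    // who fail an [Authorize] check here (its default AccessDeniedPath). Re-challenging
    // such a user would just bounce them straight back from Okta, so show a page instead.
    public IActionResult AccessDenied(string returnUrl)
    {
        ViewData["ReturnUrl"] = returnUrl;
        return View(); // Views/Account/AccessDenied.cshtml: "You're not allowed to access this page"
    }
}
```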
We'll call it _LoginPartial.cshtml. Now this chunk of code is just a CSHTML partial, and it just checks to see if there is an identity, if there is an authenticated user logged in. If there is, it's just going to show "Hello," and whatever your name is, and remember, this Identity.Name with an uppercase N we actually got from the claim type of lowercase name from the ID token. Then we're also going to show them a Log out button if they're logged in. This is just a form that's kicked off, because that's how log out needs to happen, with a form submission, so we just create this empty form and a submit button for that form. Okay, and this is just an easy way to make it look like a link instead of being like a fancy square HTML button. Now if they aren't logged in, if there isn't anybody logged in, then we just want to show a Log in link. Okay, so go ahead and save that, and now we just need to put it in our layout. So if we come over here to our _Layout.cshtml, we'll see we've got this navbar-collapse inside here, and we'll just replace that whole section, and I'll show you why, because really we're only adding one thing. We're just adding the partial, but there are a couple of things that changed here, right? So we actually change this to justify-content-between. This will give us the same menu that we normally have on that left-hand side, with the Home and the Privacy, but on the right-hand side we'll have our login thing. So this justify-content-between just pushes those two apart, so that that login partial leads from the right-hand side and the regular menu leads from the left-hand side. Just makes it a little bit prettier. Now, if we've done everything correctly, fingers crossed,
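The partial described above, as added example Razor markup rather than the file shown in the video; it assumes the Bootstrap classes and tag helpers that the default dotnet new mvc template already enables in _ViewImports.cshtml.

```cshtml
@* Views/Shared/_LoginPartial.cshtml *@
@if (User.Identity.IsAuthenticated)
{
    <ul class="navbar-nav">
        <li class="nav-item">
            @* Identity.Name is filled from the lowercase "name" claim via NameClaimType *@
            <span class="nav-link text-dark">Hello, @User.Identity.Name!</span>
        </li>
        <li class="nav-item">
            @* Logout is a POST; the form tag helper adds the anti-forgery token automatically *@
            <form asp-controller="Account" asp-action="Logout" method="post" class="form-inline">
                <button type="submit" class="btn btn-link nav-link text-dark">Log out</button>
            </form>
        </li>
    </ul>
}
else
{
    <ul class="navbar-nav">
        <li class="nav-item">
            <a class="nav-link text-dark" asp-controller="Account" asp-action="Login">Log in</a>
        </li>
    </ul>
}
```

In _Layout.cshtml, give the navbar's collapse div the classes navbar-collapse collapse d-sm-inline-flex justify-content-between and render the partial with <partial name="_LoginPartial" /> after the existing menu list.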
we should be able to F5 and run this application and see it in action. Now there is one other thing we need to set up before this will work completely. So if we go back to our application again, we just click on Applications from our dashboard and we'll find the application here, OIDC Example. Go to the General tab. One of the things we didn't set was a logout redirect URI, where we want the application redirecting back to once they log out, and in this case it's going to be https://localhost:5001/signout-callback-oidc. This is a standard thing; again, this signin-oidc and signout-callback-oidc are part of the OIDC middleware. They handle those routes for you, so you just need to know that those are the routes that it's looking for. So we go ahead and save that, and now if we go back to our application, we should be able to fire this guy up and get him running. So if we hit F5 and run the application, then when we go to click Log in, you'll see that it actually didn't take us to a login page. It's kind of weird, but really what happened was you were already logged in. If you're like me, you're logged in in another tab, so since they're both in the Okta domain, your domain here, then it gets shared. So one of the things that you can do is you can come over here and just click Log out; that way at least you can check that functionality. So the log out is actually working, because now we see Log in. And if I actually come over here and try and do something like go to the applications list, it'll make me log in again, because I logged out of my session with Okta, because I just happened to be logging in with this particular user. So if I open up my application now and click Log in, it'll take me to a login page.
It's just like this, and I'll log in with my base credentials for that app, for that one user. If you didn't create a user, it created one for you when you signed up, and that just happens to be the email that I signed up with and that admin username and password. So that's a good way to test things. So now I've got my login and my logout working; let's go see how we can use those groups to do some authorization.

Okay, so now we have authentication working. Let's go ahead and make sure that authorization is working. We have it set up, at least we have the groups mapped to roles, right, because in our Startup.cs we said that our role claim type is actually called groups, so those groups are going to get mapped to roles for us. So I now should be able to come into the HomeController, for instance, and I can just create a couple of actions that I can test out to see if I can get to those things. So I'm going to create an Everyone action, because I know I'm in the Everyone group. By default when you create an app, everyone that's in the Everyone group gets added to the application, so I know I'm in the Everyone group. There should be a group that I'm not part of though, and it really doesn't matter what this one's called, but if you know me, you know I'm not in the Dancers group. So let's create a Dancers route that only dancers, people in the role of Dancers, can actually get to. Now let's go ahead and create a couple of UI pieces too. So if I go over here to Shared and _Layout, I can actually create a couple of nav items to be able to make it a little easier to get to these things. So here's our nav item for the Everyone action, and we'll create one more for the Dancers action. And we know that our HomeController is just returning the views for those, so let's go over to our Home views, and we'll add a new file that is Everyone. Okay, and it says "This is the Everyone page." And we'll create another one for the Dancers as well.
This is the Dancers page. Now remember, I shouldn't be able to get to this one. So if I go ahead and fire this guy up, I should be able to see that I can get to the Everyone page and I can't get to the Dancers page. So I fired up my application, and I'm logged into the application, and I have my Everyone and my Dancers menu items here at the top. Now when I go to Everyone, I should be automatically taken to "This is the Everyone page," because I'm in that group. But when I click on Dancers, I should be taken to an Account/AccessDenied with a return URL of Home/Dancers. So what I can do is create this Account/AccessDenied route and redirect it to do a challenge for login for access-denied routes on the AccountController, or I can handle it in some other way. Maybe I don't want them to log in; maybe I just want to take them to a page that says "You're not allowed to access this page," something a little bit prettier than this, right? So now we've seen that with just a little bit of code we can get OIDC hooked up, use Okta for authentication and authorization, mapping those groups over to the roles, and you're all set to go. Now you can just continue building your app and adding features that get you more customers. Thanks for joining me today. Check out our other great content here on YouTube. Make sure you hit that Subscribe button and the little bell next to it so you get notified when we get new cool content coming out, and we'll see you next time.
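The HomeController actions used to test the group-to-role mapping, as an added example rather than the video's code; the Dancers group name is hypothetical, as in the video, and the comments spell out what happens to users who fail each check.

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class HomeController : Controller
{
    public IActionResult Index() => View();

    public IActionResult Privacy() => View();

    // Okta assigns the "Everyone" group to a new app by default, so any signed-in user of
    // this app carries groups: ["Everyone", ...] in the ID token, which RoleClaimType =
    // "groups" turns into role claims that [Authorize(Roles = ...)] can check.
    [Authorize(Roles = "Everyone")]
    public IActionResult Everyone() => View();   // Views/Home/Everyone.cshtml

    // Reachable only with a "Dancers" group claim. Role names are compared to the claim
    // values with an ordinal (case-sensitive) match, so spell them exactly as in Okta.
    // An anonymous user is challenged (sent to Okta to log in); a signed-in user without
    // the group is redirected to /Account/AccessDenied?ReturnUrl=%2FHome%2FDancers.
    [Authorize(Roles = "Dancers")]
    public IActionResult Dancers() => View();    // Views/Home/Dancers.cshtml
}
```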