Saturday, August 3, 2019

Avoid duplication of ModelState.IsValid in ASP.NET Core

Generally, whenever something is about to be saved to the database or anywhere else, the first thing almost every controller action does (as a best practice) is check the state of the model. If the model state is valid we proceed; if it is invalid we reject the request as a bad request, so that no action logic ever runs on unvalidated input. In code this looks something like this:
if (!ModelState.IsValid)
{
    // create bad request object carrying the validation errors
    return BadRequest(ModelState);
}
 
So, all of this hinges on the single IsValid property.

Problem

Now what if we have to perform the same validation for every model? Are we going to write the same check in each and every controller action (and hope nobody forgets one)?

Of course, No.

Solution

Rather than duplicating the same code in each and every controller, we can register a global action filter. The action filter base class exposes a few overridable methods, but for our purpose OnActionExecuting is enough: it runs after model binding and validation and before the action method, so it can short-circuit the request.
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public class ValidateModelStateFilter : ActionFilterAttribute
{
    // Runs after model binding and validation, before the action method.
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (!context.ModelState.IsValid)
        {
            // Setting Result short-circuits the pipeline: the action never executes.
            context.Result = new BadRequestObjectResult(context.ModelState);
        }
    }
}
       
 
Next, update the ConfigureServices method in the Startup class (the type passed to Filters.Add must be the filter class declared above):
services.AddMvcCore(options =>
{
    options.Filters.Add(typeof(ValidateModelStateFilter));
});
Once these changes are in place, we no longer need to repeat the ModelState check in each and every controller; an invalid model is rejected before any action runs. If you decorate your controllers with [ApiController] (available since ASP.NET Core 2.1), this behaviour is already built in: invalid ModelState produces an automatic 400 response with a validation problem details body, so the filter is only needed for controllers without that attribute (or when SuppressModelStateInvalidFilter is set).
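As an added, end-to-end example (not code from the original post): a model with DataAnnotations rules, a controller action with no ModelState check of its own, and the filter registered globally in ASP.NET Core 2.2. The type, property and route names are made up for the illustration.

```csharp
// Added example, not part of the original post. Illustrative names throughout.
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;

// Validation rules live on the model, so every binding of this type is checked.
public class TransferRequest
{
    [Required, StringLength(34, MinimumLength = 8)]
    public string DestinationAccount { get; set; }

    [Range(0.01, 1_000_000)]
    public decimal Amount { get; set; }
}

// Runs after model binding/validation and before the action; an invalid
// model never reaches the action body.
public class ValidateModelStateFilter : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext context)
    {
        if (!context.ModelState.IsValid)
        {
            // 400 with a field -> messages dictionary; no stack traces or internals.
            context.Result = new BadRequestObjectResult(context.ModelState);
        }
    }
}

[Route("api/[controller]")]
public class TransfersController : ControllerBase
{
    // No ModelState.IsValid check here: the global filter has already enforced it.
    [HttpPost]
    public IActionResult Post([FromBody] TransferRequest request)
    {
        if (request == null)
        {
            // Defence in depth: body binding failures are also reported through
            // ModelState, so normally the filter has already rejected this case.
            return BadRequest();
        }
        return Accepted(new { request.DestinationAccount, request.Amount });
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc(options =>
        {
            // Registered once, applies to every action in the application.
            options.Filters.Add(typeof(ValidateModelStateFilter));
        })
        .SetCompatibilityVersion(CompatibilityVersion.Version_2_2);
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseMvc();
    }
}
```

A POST with an empty DestinationAccount or a negative Amount never enters Post: the filter answers 400 with the field-level messages, while a well-formed body flows through to the action untouched.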

Hope this tip would be useful.

Thursday, July 11, 2019

Received MVP Award for the 3rd time


Another piece of amazing news arrived this week: the MVP award is in my hands for the 3rd time.


Tuesday, July 9, 2019

Sunday, July 7, 2019

Build errors dialog in Visual Studio

Background
When you are in the middle of writing some logic and press F5 by mistake, what happens? Boom… you end up with the dialog below because of the compilation errors (it offers to run the last successful build instead):

Now think about it. If we are writing code, we want that code to be executed whenever we run the application, don't we? It is a very rare case that someone still wants to run the previous build. At least for me, I never ever want this to happen.

Solution

So, how do we get rid of this rarely useful prompt? There are two ways:

First, simply tick the checkbox 'Do not show this dialog again'. But on one of my machines this checkbox did not even appear, so I opted for the second option.

Second, go to Tools >> Options… >> Projects and Solutions >> Build and Run. In the right-hand panel, change the value of the dropdown under 'On Run, when build or deployment errors occur:' to Do not Launch, and we are done.

From now on, pressing F5 with build errors simply does not launch anything and the dialog never appears; the application starts only when the build succeeds. Hope you like this small trick.

Monday, June 3, 2019

Creating ASP.NET Core 2.2 Application Step-by-Step

This article will walk you through creating an ASP.NET Core application with ASP.NET Core 2.2 from scratch, using the package manager, EF Core, the Identity API, Razor Class Libraries, etc. Rather than being theoretical, it focuses mainly on the implementation; wherever required, I'll throw some light on the conceptual part too. To know more, you can go here or here.

Monday, April 8, 2019

Why OpenID Connect came?

After publishing my previous article on Understanding concepts - OpenId, OAuth and SAML, I received a general question from a few of my colleagues: 'Why did OpenID Connect arrive? What is the need for it?'

By now, most of us know that OAuth 2.0 is an authorization protocol: it lets a user delegate limited access to a client application, and it does that job well.

But what about the user's identity? How does the client learn who the user is, and is that information exchanged in a secure manner?

Before OpenID Connect, every provider answered these questions in its own way: each had its own profile endpoint and its own way of conveying who the logged-in user was on top of OAuth 2.0 (the 'pseudo-authentication' pattern). Not all providers offered an equivalent level of security, and the differences caused real trouble: an access token proves only that the client was granted access, not who the user is, so a token obtained through one client could be presented to another client that wrongly treated it as proof of identity.

This is where OpenID Connect came to the rescue. It is an identity layer defined by the OpenID Foundation on top of OAuth 2.0: it standardises how a provider tells a relying party who authenticated (a signed ID token in JWT form, carrying issuer, audience, expiry and nonce claims that the relying party must verify), plus a UserInfo endpoint and a discovery document. Historically it is the successor of OpenID 2.0, which is why it is often described as OpenID plus OAuth.

We will witness this by taking a coding example, in one of my upcoming articles. Till then stay tuned.

Wednesday, April 3, 2019

What's new in Visual Studio 2019

Microsoft released Visual Studio 2019 two days back. This release has many awesome features targeting productivity and collaboration improvements. I've collected a few of them from the launch event by Kendra Havens and Scott. Here they are:
  • Side-by-side installation of Visual Studio versions
  • New look of Start Page
  • New look of Create Project window
  • Redesigned user experience and theme
  • Search is more intuitive
  • Live share option for collaboration with fellow developers
  • Debugger improvements – Search is available for Watch, Locals and Autos window
  • Extracting only few projects from a solution – Solution filter
  • Monitor awareness – VS resized as per the monitor size
  • Font colors are based on the classification of tokens (semantic colorization)
  • Opening csproj file directly on double click of SDK projects
  • New column Kind has added to Find All References option with Read/Write
  • Code cleanup with just one click with rules configuration capability
  • Facility to export code style as .editorconfig
  • Synching up namespace with folder name if file is moved to another folder
  • ForEach to LINQ
  • Inversion of conditional expressions
  • Regex support
  • Extracting interface in the same class
  • Conversion of anonymous types to Tuple or class

.Net Core 3 Preview:
  • Desktop Improvements:
  • XAML Islands – WinForms and WPF can host UWP
  • XAML Controls – WinForms and WPF browser and media UWP controls
  • High DPI fixes for WinForms
  • Access to all Win 10 APIs
  • Deployment Improvements:
  • Side by side support
  • Machine global or app local framework
  • Self-contained EXEs – if the .NET runtime is not available on the end user's machine, the app can be shipped as a single EXE that carries the runtime, without a separate .NET installation
  • C# 8.0
    • Ranges
    • Nullable reference types - foreach (Student? student in students) { … }
    • Async Streams – an async method can now return a stream of values (IAsyncEnumerable<T>)
    • Switch Expressions
    • Recursive patterns
One can try out .NET Core 3 with VS 2019. Apart from this list, there is a lot more to know in other areas. Stay tuned.

Monday, March 18, 2019

Understanding concepts - OpenId, OAuth and SAML

I was going through some forums on security concepts and found one topic that comes up again and again: many people posted about their confusion over the terms related to authorization, authentication and security protocols.

So, I thought I would write something about these terms in layman's language, more about the concepts and less about the technical details.

Before we start, let's have a look at the question which really lit the spark in me - stackoverflow.com - What's the difference between OpenID and OAuth? Hope you are with me to get started.

Well, one of the major aims of any application is to be secure and easy to use without imposing much work on the end user. To fulfil this aim, we have to look at a few major security aspects in terms of protocols, usage and scenarios, and that is what this article is for.

What is Authentication and Authorization?
In simple terms, authentication is the process of verifying that the user is who they claim to be, rather than an impostor presenting a fake identity. Authorization, on the other hand, deals with access to resources: it tells which resources an authenticated user can access and to what extent. In most applications the two go hand in hand, and an authorization decision is only meaningful once authentication has succeeded.

Single-Sign-On
SSO is an authentication mechanism in which a user logs in to one application with a set of credentials and then accesses other applications without re-entering them. The same credentials serve every application that participates.

The best real-world example is a corporate intranet portal that links to many other internal applications: once we are logged in to the portal, we need not authenticate again to use the other applications (apart from a few more sensitive apps that demand a fresh login).

The benefits of going with SSO are quite pleasant:
  • The user needs to remember only one set of credentials, and the same set works with all related applications
  • Credentials are stored and checked in one place, which reduces cost and gives a single spot to enforce password policy, multi-factor authentication and revocation
How do we implement this SSO?
Here come the security protocols, or rather the jargon: SAML, OAuth, OpenID, etc. Confused? Scratching your head?
No need to worry. Sit back and relax. We do have ready-made APIs to rescue us. 😊

Now before jumping straight into coding, let’s first get the gist of these jargons.

OpenID
OpenID is used for authentication and allows us to use one existing account to log in to numerous sites. It was founded by a non-profit organisation, the OpenID Foundation. Today this open standard (in its current form, OpenID Connect) is backed by many giants like Microsoft, Google, Facebook, AOL, and many more.

How to get an OpenID account?
Getting an OpenID account is very simple, as any of the OpenID providers listed above can issue one. Once the account exists, the user can log in to any web site which supports OpenID authentication.

As an example, imagine your blogger.com account accepting a Google account for authentication. In this example, Google is the Identity Provider (IdP) and Blogger.com is the Relying Party (RP). The figure below (Identity Provider / Relying Party exchange) illustrates what we just discussed.

Please note that all this communication works only because of a common trust factor between the identity provider and the relying party, which is the OpenID standard: the relying party trusts the identity provider's answer, and it must still verify that the answer really came from that provider and was meant for itself.

How Authentication is taking place?
Continuing with the same Blogger example: the user opens Blogger.com and lands on the login page, where he chooses to sign in with Google. The request is redirected to Google for credential verification. On successful verification, Google redirects the user back to Blogger along with a token (we will discuss tokens shortly; for now, think of it as a signed label telling Blogger that this user has been verified by Google). Blogger checks that the token genuinely came from Google and is addressed to Blogger, trusts it, and initiates a session for the user.

OAuth2
OAuth is short for Open Authorization and is used for access delegation via tokens. With access delegation, an application can access resources on a resource server on behalf of the user without ever seeing the user's credentials. This is achieved with tokens issued by an authorization server (usually run by the identity provider) with the user's consent.

Let's understand this with an example. Say you are going out of town and you want your friend Alen to stay and take care of your home, so you hand over the keys to Alen.

Which means Alen can enter the house and use the resources inside it. In this analogy, the home is the resource server, Alen is the client, the key is the access token, and I, the house owner, am the resource owner; the door lock that accepts the key plays the part of the resource server's token check, and whoever cut the key for me plays the authorization server. Makes sense?

Let's change the thought process a bit. Until I'm back, Alen is occupying the home in my absence and, to anyone watching, acts like the owner. But the key only proves that Alen was allowed in; it says nothing about who Alen is. Treating possession of an access token as proof of identity is what is termed pseudo-authentication, and it is exactly the gap that OpenID Connect closes.

OpenID Connect
In order to implement a complete security solution, both OpenID-style authentication and OAuth-style authorization should go together. This togetherness is termed OpenID Connect (OIDC): it layers authentication on top of OAuth 2.0, so the same authorization flow additionally returns an ID token, a signed JWT stating who authenticated, for which client (the audience), issued by whom and when, while the access token continues to carry the authorization. Before trusting an ID token, the relying party must validate its signature, issuer, audience, expiry and the nonce it sent with the login request.
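The ID token checks described above, as an added example that is not code from the original article; it serves both this section and the 'Why OpenID Connect came?' post further up the page. The issuer, client id, nonce and secret are made up. So that the example runs offline, the token is HMAC-signed with a shared secret (HS256); real providers sign with RS256 and publish their public keys via JWKS, so in production the signature step becomes an RSA verification over the same header.payload input and every other check stays the same.

```csharp
// Added example, not part of the original article. Issuer, client id, nonce and
// secret are made-up values; HS256 is used only so the demo is self-contained.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security;
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;

public static class IdTokenValidator
{
    private const string Issuer = "https://idp.example.com";   // the IdP we trust
    private const string ClientId = "blogger-rp";              // our own client id = expected audience
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("demo-shared-secret-not-for-production");

    private static string B64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    private static byte[] UnB64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(t.PadRight(t.Length + (4 - t.Length % 4) % 4, '='));
    }

    // What the provider does: mint a signed ID token for one client and one login attempt.
    public static string Issue(string subject, string audience, string nonce, DateTimeOffset now, int lifetime = 300)
    {
        string header = B64Url(Encoding.UTF8.GetBytes("{\"alg\":\"HS256\",\"typ\":\"JWT\"}"));
        var claims = new Dictionary<string, object>
        {
            ["iss"] = Issuer, ["sub"] = subject, ["aud"] = audience, ["nonce"] = nonce,
            ["iat"] = now.ToUnixTimeSeconds(), ["exp"] = now.ToUnixTimeSeconds() + lifetime,
        };
        string payload = B64Url(JsonSerializer.SerializeToUtf8Bytes(claims));
        using var hmac = new HMACSHA256(Secret);
        string sig = B64Url(hmac.ComputeHash(Encoding.ASCII.GetBytes(header + "." + payload)));
        return header + "." + payload + "." + sig;
    }

    // What the relying party does. Returns the subject on success; throws naming the failed check.
    public static string Validate(string idToken, string expectedNonce, DateTimeOffset now)
    {
        string[] parts = idToken.Split('.');
        if (parts.Length != 3) throw new SecurityException("malformed token");

        // 1. Pin the algorithm ourselves; never honour "alg" from the token ("none", key confusion).
        using (var hdr = JsonDocument.Parse(UnB64Url(parts[0])))
            if (hdr.RootElement.GetProperty("alg").GetString() != "HS256")
                throw new SecurityException("unexpected alg");

        // 2. Signature over header.payload, compared in constant time.
        using var hmac = new HMACSHA256(Secret);
        byte[] expected = hmac.ComputeHash(Encoding.ASCII.GetBytes(parts[0] + "." + parts[1]));
        if (!CryptographicOperations.FixedTimeEquals(expected, UnB64Url(parts[2])))
            throw new SecurityException("bad signature");

        using var body = JsonDocument.Parse(UnB64Url(parts[1]));
        JsonElement c = body.RootElement;   // a missing claim throws, which is the right outcome

        // 3. Issuer and audience: a perfectly valid token minted for another client is rejected here.
        if (c.GetProperty("iss").GetString() != Issuer) throw new SecurityException("wrong issuer");
        JsonElement aud = c.GetProperty("aud");   // may be a single string or an array of client ids
        bool audOk = aud.ValueKind == JsonValueKind.String
            ? aud.GetString() == ClientId
            : aud.EnumerateArray().Any(a => a.GetString() == ClientId);
        if (!audOk) throw new SecurityException("wrong audience");

        // 4. Freshness, allowing 60 s of clock skew between IdP and RP.
        long unixNow = now.ToUnixTimeSeconds();
        if (c.GetProperty("exp").GetInt64() + 60 < unixNow) throw new SecurityException("expired");
        if (c.GetProperty("iat").GetInt64() - 60 > unixNow) throw new SecurityException("issued in the future");

        // 5. The nonce stored in our session when we redirected to the IdP must come back unchanged.
        if (c.GetProperty("nonce").GetString() != expectedNonce) throw new SecurityException("nonce mismatch");

        return c.GetProperty("sub").GetString();
    }

    public static void Main()
    {
        var now = DateTimeOffset.UtcNow;
        Console.WriteLine(Validate(Issue("user-42", ClientId, "n-1", now), "n-1", now));   // user-42

        // Same user, same IdP, but a token issued to a different relying party: must be refused.
        string stolen = Issue("user-42", "some-other-app", "n-1", now);
        try { Validate(stolen, "n-1", now); }
        catch (SecurityException e) { Console.WriteLine(e.Message); }   // wrong audience
    }
}
```

The order matters: the signature is checked before any claim is read, the algorithm is fixed by the relying party rather than taken from the token, and the audience check is what turns the access-token-as-identity weakness of plain OAuth into a rejected request.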

SAML
SAML is short for Security Assertion Markup Language and is an open standard for both authentication and authorization. It uses XML for all its messages, with the purpose of letting an identity provider pass statements about a user (not the user's credentials) to a service provider. In most real-world scenarios, identity providers and service providers are totally separate entities.

Now, for both to work in an SSO mechanism, some sort of shared, trusted description of the user is required, and that is what SAML assertions are. An assertion is signed by the identity provider, and the service provider must verify that signature over the exact assertion it goes on to consume; verifying one element and reading another is what the XML Signature Wrapping attacks in the table below exploit. An assertion can carry three types of statements:
  • Authentication: tells that the user was authenticated, at what time and by which method
  • Attribute: a piece of data which provides information about the user in the form of specific attributes
  • Authorization decision: tells whether the user is granted or denied access to a given resource

Summary
Here is a summarised view, adapted from Jaime's blog, of what each one does.

Description                 | OAuth2                                  | OpenID                                  | SAML
----------------------------+-----------------------------------------+-----------------------------------------+------------------------------------------
Token (or assertion) format | JSON or SAML2                           | JSON                                    | XML
Authorization?              | Yes                                     | No                                      | Yes
Authentication?             | Pseudo-authentication                   | Yes                                     | Yes
Year created                | 2006 (OAuth 1.0 finalised 2007)         | 2005                                    | 2001
Current version             | OAuth 2.0                               | OpenID Connect                          | SAML 2.0
Transport                   | HTTP                                    | HTTP GET and HTTP POST                  | HTTP Redirect (GET) binding, SAML SOAP binding, HTTP POST binding, and others
Security risks              | Phishing. OAuth 2.0 itself has no message signature, encryption, channel binding or client verification; it relies entirely on TLS for confidentiality and integrity. | Phishing. The identity provider keeps a log of every OpenID login, so a compromised IdP account is a bigger privacy breach. | XML Signature Wrapping to impersonate any user when the service provider verifies one element and consumes another.
Best suited for             | API authorization                       | Single sign-on for consumer apps        | Single sign-on for enterprise (not well suited for mobile)
Hope you enjoyed reading!

Wednesday, March 6, 2019

Traditional file helper won't work in .Net core

Prior to .NET Core, we used to return files by passing various kinds of input to the File helper, such as in-memory bytes, a FileStream or a file path, and all of them worked perfectly.

But in ASP.NET Core, passing a file path does not behave exactly as it did in ASP.NET MVC. In the earlier versions, the path we supplied was treated as a physical path on disk, whereas in Core the same overload denotes a virtual path: it is resolved through the web root file provider (wwwroot), so whatever path is provided is treated as relative to the site's content, not to the file system.

Now how do we serve a file by its physical path in .NET Core?
No worries! Here comes the PhysicalFile helper to our rescue; it takes an absolute path on disk. Because it reads straight from the file system, never hand it a user-supplied path unchecked, otherwise the action turns into an arbitrary file read (a ../ segment walks out of the intended folder). To know more about it, here you go.
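An added example, not code from the original post, showing the File versus PhysicalFile difference in an ASP.NET Core 2.2 controller together with the path check that PhysicalFile needs whenever any part of the path comes from the request. The folder name "exports", the route names and the content types are illustrative assumptions.

```csharp
// Added example, not part of the original post. Folder and route names are illustrative.
using System;
using System.IO;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;

[Route("files")]
public class FilesController : Controller
{
    private readonly string _exportRoot;

    public FilesController(IHostingEnvironment env)
    {
        // Physical folder outside wwwroot (assumed layout for the demo), e.g. <contentroot>/exports.
        _exportRoot = Path.GetFullPath(Path.Combine(env.ContentRootPath, "exports"));
    }

    // Virtual path: resolved against wwwroot by the web root file provider.
    // In MVC 5 this same call would have looked for a file at that physical path.
    [HttpGet("logo")]
    public IActionResult Logo() => File("/images/logo.png", "image/png");

    // Physical path: the string is used as-is on disk, so it must be validated first.
    [HttpGet("export/{name}")]
    public IActionResult Export(string name)
    {
        if (!TryResolveUnderRoot(_exportRoot, name, out string fullPath))
            return NotFound();                        // do not explain why

        if (!System.IO.File.Exists(fullPath))
            return NotFound();

        return PhysicalFile(fullPath, "application/octet-stream", Path.GetFileName(fullPath));
    }

    // Accepts only a bare file name and confirms the canonical path stays inside the root.
    // Returns false for ../, embedded separators, absolute paths and anything outside the folder.
    public static bool TryResolveUnderRoot(string root, string requestedName, out string fullPath)
    {
        fullPath = null;
        if (string.IsNullOrWhiteSpace(requestedName)) return false;
        if (requestedName != Path.GetFileName(requestedName)) return false;   // contains a separator
        if (Path.IsPathRooted(requestedName)) return false;

        // Canonicalise and then compare against the root plus a trailing separator so that
        // "exports-old" is not mistaken for a child of "exports".
        string candidate = Path.GetFullPath(Path.Combine(root, requestedName));
        string rootWithSep = root.EndsWith(Path.DirectorySeparatorChar.ToString())
            ? root
            : root + Path.DirectorySeparatorChar;
        if (!candidate.StartsWith(rootWithSep, StringComparison.OrdinalIgnoreCase)) return false;

        fullPath = candidate;
        return true;
    }
}
```

A request for /files/export/report.csv is served from the exports folder; /files/export/.. or a name containing a path separator is refused before PhysicalFile is ever called, and a file that genuinely does not exist yields the same 404, so the response does not reveal the folder layout.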

Keep learning!

Sunday, February 24, 2019

Confused with term Active Directory

Is on-premises Active Directory (Windows Active Directory) the same as Azure Active Directory? In continuation of my previous blog post, this was another question asked of me.

Well, although both are directory services called Active Directory, there are a few differences. Let's have a look at those:

  • Location - The most basic difference: Windows AD runs on-premises, whereas Azure AD is a cloud service.
  • Original purpose – Azure AD was built as an identity service for cloud and web applications, so web-service style endpoints (REST, OAuth/OIDC) are part of it from the start, unlike plain AD.
  • Protocols used – The two speak different protocols. Azure AD uses SAML, OAuth 2.0, OpenID Connect and WS-Federation over HTTPS, whereas on-premises AD relies on Kerberos and NTLM for authentication and LDAP to query and modify the directory.
  • Platform support – Supporting platforms other than Windows is hard work with Windows AD and takes more time and effort. The same thing can be done very smoothly with Azure AD, as it only needs a registration with one of your Microsoft cloud applications, i.e. Office 365, Microsoft Intune, Microsoft Azure, etc.
One can visit here to know more on Azure AD. Happy learning.

Monday, February 11, 2019

Windows Authentication & Forms-based Authentication


During my recent interaction with one of the development teams, I came across a few queries. Hence, I decided to cover those general questions as part of my next few blog posts.
The very first question I received is: when should one go for Windows authentication and when for Forms-based authentication?
The common response one hears is: use Forms authentication whenever the user will supply a username and password, and go for Windows authentication whenever the user can sign in with their Windows login.
No doubt, this response is correct. But there are a few more points which elaborate on it. Let's have a look at those:
  • If user accounts are created in AD – go for Windows authentication (or, where a forms-style login page is still needed against AD, ActiveDirectoryMembershipProvider)
  • If user accounts are created in a database, i.e. SQL Server – go for Forms-based authentication using the respective membership provider, i.e. SqlMembershipProvider
  • If user accounts live in a store for which no membership provider is available – go for Forms-based authentication with a custom provider
  • If Windows authentication cannot be used with AD for any reason – go for Forms-based authentication
  • If you need stronger password management policies (complexity, expiry, lockout) – go for Windows authentication, since the domain policy is enforced for you
  • If you want to use the existing account management tools – go for Windows authentication
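As an added example (not configuration from the original post), here is what each choice turns into in the web.config of an ASP.NET (System.Web) application, with the settings that keep the Forms variant safe. The connection string, login URL, provider and application names are illustrative assumptions.

```xml
<!-- Added example, not part of the original post. Names and paths are illustrative. -->

<!-- Option A: accounts live in Active Directory -> Windows authentication.
     IIS must have Windows Authentication enabled and Anonymous Authentication
     disabled for the site; the domain password/lockout policy applies. -->
<configuration>
  <system.web>
    <authentication mode="Windows" />
    <authorization>
      <deny users="?" />   <!-- reject anonymous callers -->
    </authorization>
  </system.web>
</configuration>

<!-- Option B: accounts live in SQL Server -> Forms authentication + SqlMembershipProvider. -->
<configuration>
  <connectionStrings>
    <add name="MembershipDb"
         connectionString="Server=.;Database=AppUsers;Integrated Security=true" />
  </connectionStrings>
  <system.web>
    <authentication mode="Forms">
      <!-- requireSSL: the auth ticket cookie is only sent over HTTPS.
           slidingExpiration="false": a stolen ticket cannot be kept alive indefinitely. -->
      <forms loginUrl="~/Account/Login"
             timeout="20"
             requireSSL="true"
             cookieless="UseCookies"
             slidingExpiration="false" />
    </authentication>
    <!-- Keeps the ticket out of reach of script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
    <membership defaultProvider="AppSqlMembership">
      <providers>
        <clear />
        <!-- passwordFormat="Hashed" stores salted hashes, never clear text or
             reversible encryption; lockout after 5 failures within 15 minutes. -->
        <add name="AppSqlMembership"
             type="System.Web.Security.SqlMembershipProvider"
             connectionStringName="MembershipDb"
             applicationName="/MyApp"
             passwordFormat="Hashed"
             minRequiredPasswordLength="12"
             minRequiredNonalphanumericCharacters="1"
             maxInvalidPasswordAttempts="5"
             passwordAttemptWindow="15"
             enablePasswordRetrieval="false"
             requiresQuestionAndAnswer="false" />
      </providers>
    </membership>
    <authorization>
      <deny users="?" />
    </authorization>
  </system.web>
</configuration>
```

The weak version of option B is the same file with requireSSL and httpOnlyCookies left at their defaults and passwordFormat="Clear" or "Encrypted": the login still works, but the ticket travels over HTTP and the password store becomes reversible. In option A the equivalent mistake is forgetting the deny users="?" rule, which lets anonymous requests through to pages that assume a domain identity.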
I hope these few points will add some more to your knowledge. Happy learning.