.NET: Using dotnet user-jwts to Create Development Time JWT Tokens

Hope you are enjoying .NET Conf 2022. It's such great content and another 2 more days to go. Don't miss it.

In this post, let's see how we can easily create JWT tokens for Development purposes using dotnet user-jwts. 

Consider the following code.

using System.Security.Claims;
 
WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
 
// Add services to the container.
builder.Services.AddAuthentication()
    .AddJwtBearer();
 
builder.Services.AddAuthorization();
 
WebApplication app = builder.Build();
 
// Configure the HTTP request pipeline.
app.UseAuthorization();
 
app.UseHttpsRedirection();
 
app.MapGet("/", () => "Hello .NET");
 
app.MapGet("/me", (ClaimsPrincipal user) =>
    {
        return user?.Claims
            .Select(c => new { c.Type, c.Value })
            .ToList();
    })
    .RequireAuthorization();
 
app.Run();

So here, I have added the required services for Authentication/Authorization and have an endpoint that requires an authorized request. On a side note, here you can see I haven't specified the default authentication scheme when registering Authentication. We don't have to specify the default Authentication scheme anymore, if there is only one, it's automatically taken as the default and that's new with ASP.NET Core 7.0. 

Now back to the topic, how do we get a valid token for development purposes here easily?

We can use dotnet user-jwts to create JWT tokens and if we want, we can customize the token, like by adding different different scopes, claims, and so on, so we can dev test our authorization policies.

To get a valid token, we just need to run the following command from the Project directory.

dotnet user-jwts create

And this will give you an output like below.

dotnet user-jwts create

And at the same time, the command will update appsettings.Development.json, with few settings to validate the token in the Development environment.

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "Authentication": {
    "Schemes": {
      "Bearer": {
        "ValidAudiences": [
          "http://localhost:35983",
          "https://localhost:44310",
          "http://localhost:5000",
          "https://localhost:7028"
        ],
        "ValidIssuer": "dotnet-user-jwts"
      }
    }
  }
}

And now we can test the secured endpoint using a tool of our choice, passing the token that got generated under the Bearer scheme in the request's Authorization Header. If I use cURL, I can see I am getting authorized successfully.

Test the secured endpoint

That's pretty neat.

Read more about dotnet user-jwts command options to learn how you can customize the token.

   dotnet user-jwts create [options]

Happy Coding.

Regards,

Jaliya

Visual Studio 2022: Enable Quick Add for Add New Items

In this post, let's go through a nice extension for Visual Studio 2022 that is soon going to be available within Visual Studio 2022 itself within Preview features.

The extension is Add New File (64-bit) and it's quite nice. 

Note: as of today, the latest preview of Visual Studio 2022 is 17.4.0 Preview 6.0, and this extension is still not available out of the box within Visual Studio, so you will have to download the extension and install it.

Once installed, you can do Shift + F2. When this is shipped with Visual Studio, the shortcut would be Ctrl + Shift + A.

And it's going to bring up this nice little dialog.

Add New Item

You can click on Show All Templates and still go back to the default dialog, or you can just add new items using this tiny dialog.

Say I want to add a new file at the root of the project, I can do something like below.

Add New Item

This will create the MyClass.cs file as a C# class file based on the extension.

A really nice thing is, I can do something like below.

Add Multiple Items

This will create a Services folder, and there it will create IMyService.cs and MyService.cs. And not only that, based on the naming convention of IMyService.cs, it will create an interface and not a class.

Files Created

That's pretty neat, isn't it? Do try this extension out. You can create folders, nested folders, and so on.

Can't wait to see this extension to be baked into Visual Studio 2022. Hopefully within this week (so much going on this week with .NET Conf 2022 coming up in just a couple of hours 😍) or in the next couple of weeks.

And watch the following video by Mads Kristensen to learn some cool features in Visual Studio 2022.
   Cool features in Visual Studio 2022

Happy Coding.

Regards,

Jaliya

Azure Logic App: HTTP Authentication with Azure AD

In this post let's see how easy it is to call REST API secured with Azure AD (or Azure AD B2C).

First, we need to select the Authentication type as Active Directory OAuth.

Then it's just a matter of entering the required information. 

Active Directory OAuth

Now, what are the values?

• Authority: We can leave the Authority empty.Tenant: 
• Tenant: TenaneId of the Azure Directory
• Audience: We need to do an App Registration in the Azure AD, which you might have already done when setting up the REST API. If you haven't, you can follow the following guide, it's pretty in detail: Quickstart: Register an application with the Microsoft identity platform
• Client ID: The Application (client) ID of the App Registration
• Credential Type: Secret or Certificate (I have selected Secret for simplicity)
• Secret: A secret you have generated under App Registration

Hope this helps.

Happy Coding.

Regards,

Jaliya

.NET 7.0: ArgumentNullException.ThrowIfNullOrEmpty()

In this post, let's have a look at this nice little feature that's available with .NET 7 and C# 11.0.

With .NET 6 and C# 10.0, we have got a simplified method to check an Argument for null (I have written a post a few months ago: C# 10.0: Nice Little Features).

ArgumentNullException.ThrowIfNull(argument);

But if the argument type is a string, and you need to check it for Empty, we had to fall back to the old approach, which is something like below.

string @string = "";

if (string.IsNullOrEmpty(@string))
{
    throw new ArgumentNullException(nameof(@string));
};

And with .NET 7 and C# 11.0, we don't have to do that anymore. We now have: ArgumentException.ThrowIfNullOrEmpty()

string @string = "";

ArgumentNullException.ThrowIfNullOrEmpty(@string);

I really like this, It's a small thing, but of course, small things matter.

Hope this helps.

Happy Coding.

Regards,

Jaliya

Microsoft Ignite After Party: Auckland, New Zealand

Today we had our Microsoft Ignite After Party in Auckland, New Zealand and it was great to be part of it with fellow MVPs in New Zealand.

There I was in a Panel Discussion discussing a lot of nice things coming with .NET 7.

Microsoft Ignite After Party: Auckland, New Zealand

Special thanks to Rory Braybrook and Marcus Bristol for running the party.

Happy Coding.

Regards,
Jaliya

ASP.NET Core: HTTP Logging

In this post let's see how easy it is to set up HTTP Logging in an ASP.NET Core application.

You just need to add the HTTP Logging middleware to the HTTP pipeline.

WebApplication app = builder.Build();
 
// Enable HTTP Logging
app.UseHttpLogging();

The default logging configuration for Microsoft.AspNetCore is Warning. You might need to update appsettings.json as follows.

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning",
      "Microsoft.AspNetCore.HttpLogging.HttpLoggingMiddleware": "Information"
    }
  }
}

And now we can see basic HTTP logging.

Default Logging

You can customize the HTTP logging options using HttpLoggingOptions. For example, the below specifies what fields to be logged.

WebApplicationBuilder builder = WebApplication.CreateBuilder(args);
 
// Customize HTTP Logging options
builder.Services.AddHttpLogging(logging =>
{
    logging.LoggingFields = HttpLoggingFields.RequestPath
        | HttpLoggingFields.RequestMethod
        | HttpLoggingFields.RequestScheme
        | HttpLoggingFields.ResponseStatusCode
        | HttpLoggingFields.Response;
    
    // TODO: Customize more options
});

And the output would be something like below.

Customized Logging

A couple of important things to note,

• This feature is only available from ASP.NET Core 6.0 onwards.
• By default, pre-defined sensitive fields will be Redacted (ex: Authorization header). Still, you might log sensitive information if you are logging request/response bodies. So look out for what you are logging.
• HTTP Logging can reduce performance. For example, you might not want to log huge request/response bodies. Not only that, you can get a huge bill for your Log Analytics Workspace as well (if you are using Application Insights of course).

That's pretty straightforward, isn't it?

More read:
   HTTP Logging in ASP.NET Core

Happy Coding.

Regards,

Jaliya

EF Core 7.0: Save and Query JSON in Relational Databases

In this post, let's have a look at a new feature that's going to be available with EF Core 7.0 and that's the support for saving and querying JSON columns in Relational Databases. 

You can try this feature with the latest RC builds or using daily builds.

Tip: How to get .NET Daily Builds

Add a NuGet.config file to your project with the following content.

<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <packageSources>
    <clear />
    <add key="dotnet7" value="https://pkgs.dev.azure.com/dnceng/public/_packaging/dotnet7/nuget/v3/index.json" />
    <add key="NuGet.org" value="https://api.nuget.org/v3/index.json" />
  </packageSources>
</configuration>

For the purpose of this post, I am targeting Microsoft SQL Server as the relational database provider.

Consider the following scenario. Say we have a Customer entity, and a Customer has a Contact record that contains his/her Address and List of PhoneNumbers. 

public class Customer
{
    public int Id { get; init; }
 
    public string Name { get; init; }
 
    public Contact Contact { get; set; } = null!;
 
    public Customer(string name)
    {
        Name = name;
    }
}
 
public class Contact
{
    public required Address Address { get; set; }
 
    public List<PhoneNumber> PhoneNumbers { get; set; } = new();
}
 
public class Address
{
    public required string Street { get; set; }
 
    public required string City { get; set; }
 
    public required string State { get; set; }
 
    public required string PostalCode { get; set; }
}
 
public class PhoneNumber
{
    public PhoneNumberType Type { get; set; }
 
    public string Number { get; set; }
 
    public PhoneNumber(PhoneNumberType type, string number)
    {
        Type = type;
        Number = number;
    }
}
 
public enum PhoneNumberType
{
    Mobile,
    Home
}

And whenever we load a Customer, we want his/hers Contact details to be loaded automatically because we don't want to do explicit Includes. 

In order to achieve this, we can configure the Customer entity as follows.

public class MyDbContext : DbContext
{
    public DbSet<Customer> Customers { get; set; }
 
    protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
    {
        // Configure
    }
 
    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        modelBuilder.Entity<Customer>()
            .OwnsOne(x => x.Contact, contactOptions =>
            {
                contactOptions.OwnsOne(x => x.Address);
                
                // Since PhoneNumbers is a Collection, it needs to be a separate table
                // Here we are just customizing the table
                contactOptions.OwnsMany(x => x.PhoneNumbers, phoneNumberOptions =>
                {
                    phoneNumberOptions
                        .Property(x => x.Type)
                        .HasConversion<string>();
 
                    phoneNumberOptions.ToTable("CustomerPhoneNumbers");
                });
            });
    }
}

And above model configuration will create a table structure as follows.

Table Structure

Since PhoneNumbers is a Collection, it needs to be in a separate table. With the JSON column support, we can store the Contact as JSON and avoid data being split across multiple tables.

protected override void OnModelCreating(ModelBuilder modelBuilder)
{
    modelBuilder.Entity<Customer>()
        .OwnsOne(x => x.Contact, contactOptions =>
        {
            contactOptions.ToJson();
 
            contactOptions.OwnsOne(x => x.Address);
 
            contactOptions.OwnsMany(x => x.PhoneNumbers);
        });
}

And this will produce a single table as follows.

Table Structure

When we store the data, it will be as follows.

JSON Column

Contact is basically stored as a JSON.

{
  "Address": {
    "City": "Seattle",
    "PostalCode": "98052",
    "State": "WA",
    "Street": "123 Main St"
  },
  "PhoneNumbers": [
    {
      "Number": "111-123-4567",
      "Type": "Mobile"
    },
    {
      "Number": "222-123-4568",
      "Type": "Home"
    }
  ]
}

Querying

We can do queries on JSON data, for example, consider the following.

List<Customer> customersInWA = await context.Customers
    .Where(x => x.Contact.Address.State == "WA")
    .ToListAsync();

The generated SQL statements will be as follows. The nice thing is EF uses JSON capabilities of SQL Server. 

SELECT [c].[Id], [c].[Name], JSON_QUERY([c].[Contact],'$')
FROM [Customers] AS [c]
WHERE CAST(JSON_VALUE([c].[Contact],'$.Address.State') AS nvarchar(max)) = N'WA'

Projection

List<string> distinctStates = await context.Customers
    .Select(x => x.Contact.Address.State)
    .Distinct()
    .ToListAsync();

The generated SQL statement:

SELECT DISTINCT CAST(JSON_VALUE([c].[Contact],'$.Address.State') AS nvarchar(max))
FROM [Customers] AS [c]

Update

Customer janeDoe = await context.Customers.SingleAsync(x => x.Name == "Jane Doe");
janeDoe.Contact.Address.PostalCode = "20877";
await context.SaveChangesAsync();

The generated SQL statement:

[Parameters=[@p0='["20877"]' (Nullable = false) (Size = 9), @p1='2'], CommandType='Text', CommandTimeout='30']

SET IMPLICIT_TRANSACTIONS OFF;
SET NOCOUNT ON;
UPDATE [Customers] SET [Contact] = JSON_MODIFY([Contact], 'strict $.Address.PostalCode', JSON_VALUE(@p0, '$[0]'))
OUTPUT 1
WHERE [Id] = @p1;

Current Limitations (to my knowledge):

• Complex queries that query through JSON arrays, still can't be translated into SQL. As far as I know, it's going to be available in EF Core 8.0. Basically, something like below won't work.

// Following query will be failed to translate into SQL
List<Customer> customersHavingHomePhoneNumbers = await context.Customers
    .Where(x => x.Contact.PhoneNumbers.Any(x => x.Type == PhoneNumberType.Home))
    .ToListAsync();

More Read:
   JSON Columns

Hope this helps.

Happy Coding.

Regards,
Jaliya

OAuth 2.0: Authorization Code with PKCE

In this post, let's have a look at Authorization Code with PKCE (Short for Proof Key for Code Exchange, pronounced: pixy) Flow in OAuth 2.0.

In a previous post (OAuth 2.0: Authorization Code Vs Implicit Flow), I wrote about Authorization Code flow in OAuth 2.0, I'd highly suggest reading that post first before this, as I am not going to explain Authorization Code flow here in this post.

Authorization Code Flow

In the Authorization Code flow, in order to exchange authorization code to an access_token, when the Client makes to call to /token endpoint, the client needs to send the client_secret and that introduces a security risk because it has to be stored somewhere.

With the Authorization Code with PKCE, before starting the Authorization Code Flow, the Client generates a random value called code_verifier. The client then hashes this code_verifier and the result is called the code_challenge. Now the authorization code flow starts the same way, except /authorize request includes code_challenge in the query string.

GET: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?
&client_id=myapplication-client
&response_type=code
&redirect_uri=https://myapplication.com/callback
&scope=Calendars.Read
&state=some-state
&code_challenge=fwfLrb--atJiWz5SBUa1-OkzAQIP1w6uuDAA2fAp-Yg

The Authorization Server stores the code_challenge for later verification and after the user authenticates, redirects back to the client with an authorization code, just like in the Authorization Code flow. Now when the client makes the request to exchange the authorization code for an access_token, it sends the code_verifier instead of the client_secret.

POST: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
content type application/x-www-form-urlencoded
 
grant_type=authorization_code
client_id=myapplication-client
code=<code_received_from_authorize_endpoint>
code_verifier=y5jMOEF7Nk2sHLZcdZ-eR19hLd4xZL32f-79qljcJNotYRD_FQGzF5v5ouMpABFkvp0zH7JNxHe57JpV

Now the Authorization Server hashes the code_verifier and compares it to the code_challenge it stored earlier. if the hashed value matches, then only the Authorization Server will return the access_token.

Note: 

Microsoft identity platform and OAuth 2.0 authorization code flow requires code_challenge_method to be included in the authorization code request ( request to /authorize endpoint). That's basically the method used to generate the code_challenge. This SHOULD be S256, but the spec allows the use of plain if the client can't support SHA256.

And when exchanging authorization code for an access_token (via /token endpoint), client_secret is required for web apps and web APIs as those can store the client_secret securely on the server side. But if the client_secret is sent from a native app, /token endpoint is going to respond with a Bad Request with a message "Public clients should not send a client_secret  when redeeming a publicly acquired grant".

Hope this helps.

Happy Coding.

Regards,

Jaliya

OAuth 2.0: Authorization Code Vs Implicit Flow

OAuth 2.0 is something I believe most of us can get confused with (I still do at times). 

Sometimes people get confused with OAuth 2.0 and OIDC (OpenID Connect) as well.

OAuth 2.0 is a standard protocol for Authorization. But in the past, different major companies have started using OAuth 2.0 for Authentication by extending it in their own ways.  Then some genius set of people thought to make it a standard, thus they came up with  OIDC (OpenID Connect) specification which is to be used for Authentication.

So the key concept is that OIDC is an additional identity layer built on top of the OAuth 2.0 protocol. 

• OAuth 2.0 is for Authorization 
• OIDC is for Authentication

Anyway, in this post, thought of writing a post about the most widely used OAuth flow: Authorization Code, and have it compared with the Implicit flow. (Implicit flow is considered legacy now and its use is recommended to replace with Authorization Code with PKCE which is a slight variation of Authorization Code)

For this post, I am considering Microsoft Identity Platform as the Identity Provider, this can be Auth0, Okta, Google, or even your own Identity Server implementation. The URLs and scopes are simplified for brevity.

Authorization Code Flow

The Authorization Code grant type is used by confidential and public clients that use server-side technologies.

Authorization Code Flow

#1: The authorization code flow begins with the client directing the user (Resource Owner) to the /authorize endpoint. It's an HTTP GET request, something like follows.

GET: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/authorize?
&client_id=myapplication-client
&response_type=code
&redirect_uri=https://myapplication.com/callback
&scope=Calendars.Read
&state=some-state

One of the most important thing here is the response_type=code, we are basically asking for an Authorization code. Now the user will be redirected to the Identity provider login page, in this case it's Microsoft.

#2: After the user has entered their Email and Password, upon successful login, the user will be presented with a consent screen. There the scopes requested will be visible.

#3: Upon accepting the consent, the user will be redirected to the redirect_uri with an authorization code.

https://myapplication.com/callback?state=some-state&code=eyJraWQiOiIzcG...

#4: Client now makes a Back channel request to /token endpoint to exchange the authorization code received to an access_token. 

POST: https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token
content type application/x-www-form-urlencoded
 
grant_type=authorization_code
client_id=myapplication-client
client_secret=<client_secret>
code=<code_received_from_authorize_endpoint>

#5: For above request, the client will receive a response, something like below.

{
    "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI...",
    "token_type": "Bearer",
    "not_before": 1664733775,
    "expires_in": 3600,
    "expires_on": 1664737375,
    "scope": "Calendars.Read"
}

#6: Now the client has the access_token in the form of a JWT token, the client can call the Resource Server using that.

A couple of important things to note here. In the picture above, note that the steps from #1 to #3 is happening on the Front channel, while the steps from #4 to #6 happen on the Back channel. The reason is, in step #3, a client_secret is involved and we shouldn't be exposing that to the outside.

Note: It is now recommended to use the Authorization Code with PKCE flow to provide better security even though a client is using a client_secret.

Implicit Flow (Legacy)

Implicit Flow

This flow was a simplified OAuth flow previously recommended for native apps and JavaScript apps (SPA). Here we are directly asking for the access_token in the first place by setting response_type=code, so the authorization code exchange step is skipped. That introduces a security risk when returning access tokens in an HTTP redirect without any confirmation that it has been received by the client. Because of that reason, Implicit flow is now deprecated and public clients such as native apps and JavaScript apps should now use the Authorization Code with PKCE flow instead.

Next: OAuth 2.0: Authorization Code with PKCE

Hope this helps.

Happy Coding.

Regards,

Jaliya

C# 11.0: Required Members

Just a couple of months to go for .NET 7 final release, as you might already know, some of the C# 11.0 features are already available. 

In this post, let's go through a new feature that is ready to use from Visual Studio 2022 version 17.3, and that is the feature to specify required members in a class, struct or record (including record struct). And that's by using the brand new modifier: required.

Let's go by an example. I will be using a class for simplicity. Consider the following Person class.

public class Person
{
    public string FirstName { get; set; }
 
    public string LastName { get; set; }
 
    public DateOnly? DateOfBirth { get; set; }
}

Generally, it considers a bad practice if you are letting someone to create an object without satisfying the minimum requirements of that particular object. For example here in our scenario, we shouldn't let someone create a Person without specifying FirstName and LastName. Those are kind of mandatory for every person.

So here usually what we do is introduce a constructor and specify the parameters that are needed to create a valid object.

public class Person
{
    public string FirstName { get; set; }
 
    public string LastName { get; set; }
 
    public DateOnly? DateOfBirth { get; set; }
 
    public Person(string firstName, string lastName)
    {
        FirstName = firstName;
        LastName = lastName;
    }
}

Now, this is looking good. But what if we remove the constructor. The caller has no idea what basic properties are needed to be set when creating a Person object. So we need to have some other way to declare which properties are required.

So C# 11.0 introduced this brand new modifier: required which can be used as follows.

public class Person
{
    public required string FirstName { get; set; }
 
    public required string LastName { get; set; }
 
    public DateOnly? DateOfBirth { get; set; }
}

Now the caller can create a Person object like below using object initialization.

Person person = new()
{
    FirstName = "John",
    LastName = "Doe"
};

And this is nice, isn't it? Now we don't even need to declare a constructor to accept the required parameters. I personally prefer object initialization instead of using a constructor, because say you have a lot of required properties, then in your constructor, you are going to have a lengthy parameters list.

And if you attempted to create a Person without specifying the required parameters, the compiler will emit an error.

Person person = new();
// Required member 'Person.FirstName' must be set in the object initializer or attribute constructor.
// Required member 'Person.LastName' must be set in the object initializer or attribute constructor.

Now say, you have some already written code where you are using a constructor to set required properties and you have updated your required properties with required modifier.

public class Person
{
    public required string FirstName { get; set; }
 
    public required string LastName { get; set; }
 
    public DateOnly? DateOfBirth { get; set; }
 
    public Person(string firstName, string lastName)
    {
        FirstName = firstName;
        LastName = lastName;
    }
}

And the existing callers would be creating an object like below.

Person person = new("John", "Doe");
// Above will throw a compile error

Now here you are going to get a compile error because the compiler doesn't know that from your constructor you are setting values to required properties.  In this case, you need to attribute the constructor with [SetsRequiredMembers] attribute like below.

[SetsRequiredMembers]
public Person(string firstName, string lastName)
{
    FirstName = firstName;
    LastName = lastName;
}

Note: This [SetsRequiredMembers] attribute needs to be used with care.

Let's say for some reason, later you have decided DateOfBirth is going to be a required property. Basically something like below.

Person person = new("John", "Doe");
// Person is getting created using the constructor, but required DateOfBirth isn't being set
// No compile errors here because [SetsRequiredMembers] is masking the error
 
public class Person
{
    public required string FirstName { get; set; }
 
    public required string LastName { get; set; }
 
    public required DateOnly DateOfBirth { get; set; }
 
    [SetsRequiredMembers]
    public Person(string firstName, string lastName)
    {
        FirstName = firstName;
        LastName = lastName;
    }
}

This code will get compiled just fine, but logically it isn't correct. [SetsRequiredMembers] attribute is masking the expected error which is DateOfBirth isn't set. So that's something to keep in mind.

Most of the time, required properties shouldn't be allowed to be mutated later, so we can write a more complete code something like below. Here for the FirstName and LastName properties, I have used init keyword (introduced with C# 9.0) to specify that the required parameters should get set only upon the object construction.

Person person = new()
{
    FirstName = "John",
    LastName = "Doe"
};
 
public class Person
{
    public required string FirstName { get; init; }
 
    public required string LastName { get; init; }
 
    public DateOnly? DateOfBirth { get; set; }
}

Hope this helps.

Happy Coding.

Regards,
Jaliya