The Modern .NET Show

S06E20 - .NET Unwrapped: From Workflow Engines to Identity, A Developer's Journey with Dustin Metzgar

Sponsors

Support for this episode of The Modern .NET Show comes from the following sponsors. Please take a moment to learn more about their products and services:

Please also see the full sponsor message(s) in the episode transcription for more details of their products and services, and offers exclusive to listeners of The Modern .NET Show.

Thank you to the sponsors for supporting the show.

Embedded Player

S06E20 - .NET Unwrapped: From Workflow Engines to Identity, A Developer’s Journey with Dustin Metzgar
The .NET Core Podcast

S06E20 - .NET Unwrapped: From Workflow Engines to Identity, A Developer's Journey with Dustin Metzgar

Supporting The Show

If this episode was interesting or useful to you, please consider supporting the show with one of the above options.

Episode Summary

In this episode of The Modern .NET Show, host Jamie Taylor sat down with Dustin Metzgar, a seasoned .NET developer with a wealth of experience in the industry. Throughout the episode, Metzgar shares valuable insights into the world of .NET development, discussing everything from design patterns and object-oriented programming to more advanced topics like container-based web APIs and authentication.

One of the key highlights of this episode was Metzgar’s discussion about his latest project - a new edition of the book " .NET in Action" updated for .NET 8. This comprehensive resource aims to help developers build real-world applications with .NET that are secure, fast, well-tested, and containerized for Kubernetes. Metzgar emphasized the practicality and usability of the book, designed to be a valuable reference for developers at all stages of their careers.

The conversation also delved into the challenges faced by .NET developers in transitioning to modern technologies, such as the confusion around different versions and the difficulty in finding relevant resources. Metzgar stressed the importance of staying informed about the latest developments in .NET and the benefits of migrating to modern .NET for performance improvements.

One of the key takeaways from the episode was the importance of supporting open source developers financially for their contributions. Metzgar discussed the decision by Duende to offer a commercial version of their product, highlighting the need for developers to be compensated for their hard work.

Overall, the episode provided a wealth of knowledge for developers looking to enhance their skills in the world of .NET development. From basic concepts to advanced topics, Metzgar’s insights offered valuable guidance for those looking to navigate the ever-evolving landscape of .NET development. The episode served as a reminder of the importance of continuous learning and adaptation in the fast-paced world of technology.

Episode Transcription

I want it to be like one of those books that you can pick up and you can, like, you don’t have to have .NET experience. You might, you know, maybe, you know, Java or maybe, you know, Python or something like that. You should be able to pick this book up and get to a point where you can actually build real world applications with .NET that are secure, they’re fast, they’re well tested. They have localization built in. They’re put into containers that you can throw into like a Kubernetes. I wanted to get to that point where it’s like, you could build applications that I’ve built like, say, with UiPath.

- Dustin Metzgar

Welcome to The Modern .NET Show! Formerly known as The .NET Core Podcast, we are the go-to podcast for all .NET developers worldwide and I am your host Jamie “GaProgMan” Taylor.

In this episode, Dustin Metzgar joined us to talk about his new book “.NET in Action Second Edition.” This book takes the first edition, written back in 2018, which targetted .NET Core 2 and upgrades and expands it to both cover a lot more content and to focus on .NET 8.

Along the way, we also discussed the basics of identity and the common pitfalls that developers fall into when they work with one of the current identity standards.

So certificates are still involved too because it’s because you need that certificate to sign the tokens. And I think what’s interesting about certificates is like you have that, you know, this kind of asymmetric encryption where, you know, you have a private key and then you publish a public key that everybody can see to use to kind of decrypt your, what you sign, what you encrypt. And that’s a kind of a feature of like these identity providers.

- Dustin Metzgar

So let’s sit back, open up a terminal, type in dotnet new podcast and we’ll dive into the core of Modern .NET.

Jamie : So, Dustin, thank you very much for being on the show again. It’s. It’s been a very long time since we last talked. I think I looked at it before we connected, and it was like your episode. You were on. You were on the episode before, on episode three. And this. That went out on, what did we say? September 2018. You know, that’s a long time.

Dustin : Yeah, it has been a long time. It’s. I’m glad to be back because, I mean, I don’t know, just looking at, like, the. The people that you’ve had on the show, like Scott Hunter and Mads, and I think Oren's been there so many times, he should get a free sub at some point.

So, I mean, so, yeah, it’s like, it’s. It’s really good company. I wouldn’t say I’m anywhere near, like, as impactful as these people, but I will try my best to talk about something that I think most developers can relate to when building ASP .NET Core, like web apps and things like that.

Jamie : Awesome. Awesome.

So I guess before we get started, for the folks who haven’t been listening to the show as long as I’ve been listening—because obviously I’ve been making it—and may have missed your first appearance on the show, I was wondering, would you mind giving us a bit of an introduction to yourself? Like the kind of work you do or maybe your history with.net, that kind of thing?

Dustin : Yeah, yeah. Let’s see. I mean, let’s start from the beginning.

I first started with .NET in 1.0, and only because we had, like, I was part of a consulting group and we had a Java application for doing kind of a supplier collaboration. And one of our salesmen went into a company and sold our supplier collaboration, but they said that it had to be in .NET. And he just said, "yeah, yeah, we can do that. We got a .NET version."

And it was like this huge scramble, like, take what we had in Java. It was like a J2EE app, like the, like the enterprise Java beans, things like that, and convert that over to what was ASP .NET Core or ASP .NET 1. This was even before, like, generics. Like, this is like, way a long time ago. So, yeah, and that was kind of my introduction to it.

And it’s. So I worked on that for on .NET for quite a while. And then eventually in late 2008, I joined Microsoft. It was a huge deal for me to finally get into Microsoft. I was working on the .NET Framework that was around the time of just around the 4.0 release at that point. And I worked on the - so it was like a group all put together. So Windows Communication Foundation, Windows Workflow, Windows Identity foundation, the Transactions library, the System.transactions. And that was kind of like all owned by one group.

And I did work on performance and things like that and spent 10 years at Microsoft. Kind of went through the whole .NET Core thing. I did some conversions for .NET Core, and later on I went to work for Uber for a while. That was about like a year and a half, and that was completely not .NET. They were go, Java, like Python, that kind of thing.

And for the past four years I’ve been working for a company called UiPath. They do what they call "Robotic Process Automation." Basically, it’s like if you interact with multiple applications on your desktop at work, some of those applications might be like legacy, like they’re old, they’re hard to replace. There’s no connection in between, say, that application and some new application that you have. So you’re copying and pasting in between them all the time.

And it’s a lot of very rote manual work. And what UiPath does is we have say like a recorder, we can record you doing your work, turn it into a workflow, and then automate it so that it would actually redo all those things like you would do. Like it would, you know, click on a text box, extract data, click on a button, things like that. So it’s able to kind of automate some of that work and it’s turning it into basically like a Windows Workflow, workflow, like underneath.

And then there’s a whole bunch of stuff built around that. So like you can put in AI for decision points, you can have like optical character recognition, and you can have, you know, kind of like a document understanding, which is like an ML model built on top of what it’s able to read from the document. So some really cool things that get mixed into there. It’s… we’re, the part that I work on with UiPath is the cloud platform that we have and our authentication and authorization that we have for that platform. And then also some of the workflow stuff like here and there.

That should be. I think that covers me in a nutshell. Right.

Jamie : Right.

Dustin : Just my job experience.

Jamie : Yeah. That’s interesting to me because I know that like we, when we previously talked, we talked about the Windows Workflow stuff because I remember you were, I think you, you were part of a team that was open sourcing it. Is that right?

Dustin : Yeah, yeah.

So it’s like they weren’t going to port it to .NET Core, that workflow engine. So it’s. Which was for good reason, but it’s like a lot of things get cut out when you move it from .NET Framework to .NET Core because a lot of that stuff is just not there in Core. I ported it over with some people from my team. We just made it open source because it was kind of an option to us. It’s like, "it doesn’t get support from Microsoft. It’s kind of like a side project," but eventually, because UiPath is a big user of that, UiPath now owns the project that repo is now owned by UiPath. We actually did talk with Scott Hunter to make sure that that was okay.

Jamie : Cool.

So as a user of the workflow path stuff, I then know that obviously it’s being supported not just by people who are working in their evenings and weekends. Right?

Dustin : Yes, I would say it’s the thing, kind of like the thing that happens with open source repos that a company owns. It’s like there’s more direction and kind of influence from the company itself, and then the community is kind of able to provide some feedback, but it’s like, it’s not quite as important. And it’s, I mean, it’s just the reality of it as far as like how the system’s built. We’re just trying to basically preserve it like the way it is and try to make little enhancements but not make any huge changes.

Jamie : Sure, sure. That makes sense, right.

Yeah. And that kind of, I feel like we can come back to this kind of idea in a moment when we talk because we’re going to be talking a little bit about identity, and we were talking off air about the folks at Duende and, you know, what they’re, what they’re doing and stuff. And that’s, I genuinely think it’s great for them because, you know, they weren’t making a great deal of money beforehand, and now they can make some money.

Dustin : Yeah, absolutely.

Jamie : So I’m all for it.

But I guess before we do that, I know that you’ve got a new edition of the book .NET in Action coming out. I was wondering if you could talk us through a little bit of that because I know that there was, the first edition was back in, I think, 2018 when it was .NET Core in action, and now there’s a new version. So I guess what’s new about it? Without wanting to sound horrid, hopefully I don’t come across as horrid.

Dustin : Yeah.

So, like, first edition, like, after I finished the last book, I mean, books are hard to write. It’s a lot of time. It’s not just like writing a blog post. It’s really in depth. There’s quite a process that goes into it. And I have a copy, say, like, of my first edition book, and it sits on my desk. And then while I’m doing work, I might, you know, crack it open and I’ll look at it and they’ll say, like, "oh, how do they do this thing with like, EF Core?" or "how to do this thing with Dapper?" or "how do I do, like, localization?"

But more and more like, like, I’m opening it up and I’m finding, like, "I didn’t like the way I did this," or "this is too old now," or, you know, that, "like, I wish I had made this, organize this a little bit better so I could, it would be easier to find." And eventually it got annoying enough that it overcame my resistance to want to do it again, to write another book. So I did talk with the publisher, Manning, and we decided to go for a new edition of it, updated for .NET eight. And that’s like a, it’s a complete rewrite. There’s like, there’s some parts that I’ve copied from one place to another, but almost the entire book is new. It’s like twice the length, and it’s got lots more stuff packed into it. I’ve reorganized things so it’s…

Yeah, I want it to be like one of those books that you can pick up and you can, like, you don’t have to have .NET experience. You might, you know, maybe, you know, Java or maybe, you know, Python or something like that. You should be able to pick this book up and get to a point where you can actually build real world applications with .NET that are secure. They’re, they’re fast, they’re well tested. They have localization built in. They’re put into containers that you can throw into like a Kubernetes. I wanted to get to that point where it’s like, you could build applications that I’ve built like, say, with UiPath. And that’s kind of what drove the whole, the layout of the book, how much time I spend on certain things, what gets cut. And I think it’s a much better book for it.

And then the other thing, too, is once you’re done reading through it, you should be able to keep it on your desk. And when you forget something, you just kind of open it up and say, "oh, this is how I can set like HSTS and this is what it is for." Or, "this is, this is how I get a benchmark done for performance," or certain things like that. So things that you like, you know, that you can do in your mind, but you don’t necessarily have it all, the, you know, the syntax for it all in your head. You can just have like a little handy book there for you.

So, yeah, I’m real proud of it and it’s been a long experience, but at least I’m very happy to get it done and get it out there into people’s hands.

Jamie : Okay, so you said that it would be good for maybe someone hasn’t got a great deal of experience with .NET. Is it… what I’m getting at is could someone who has absolutely no experience with .NET pick it up and go, "right, okay, let’s start something and I can follow it through to the end and build some stuff?" Or is it more a case of maybe you’re a junior on the team, you have a little bit of experience and you’re like, "wait, how do I do containers?" How do I do, I don’t know, I’m just going to pick something out of the air like, "how do I read an appSettings.json?" that kind of thing.

Dustin : I think it kind of goes the gamut.

So, like, if you knew nothing about .NET, but at least you understood things like design patterns, or like, if you understand like object oriented programming interfaces, abstract classes, there’s some of that like kind of lower level stuff that I don’t cover. But if you know at least that much, then you should be able to read the book and learn .NET from there, and go from basically from "Hello, World!" all the way up to like a container based web API with localization and OpenID Connect authentication, that kind of thing. So you should be able to kind of walk through the whole book and get everything set up, talking to databases and having full testing that goes not just unit, but integration, security and things like that.

But also, it’s like for people that say we’re on the .NET Framework or they’re familiar with .NET but not up to where .NET 8 is, I think it’s still a very useful text. There’s a lot of things in there that are kind of asides and things like that that are in depth discussions, kind of break out of the regular flow that can kind of provide a lot more detail.

Jamie : Sure. And that makes sense, right.

Because I was talking to someone just the other day actually about how those of us who get to use the modern .NET stuff, so .NET 5. .NET 6, .NET 7, .NET 8. I feel like we’re actually quite lucky and even the folks who are doing .NET Core things, right? Because where the modern like the stuff, it’s really happening there. It’s not that, I just want to say this is not that Microsoft are making .NET Framework go away at all. That’s not what’s happening. It’s just like perhaps the innovations, the new features, all that kind of stuff, the performance increases are happening with the more modern .NET.

And a lot of folks outside of the circles of people who get to use the modern .NET stuff they don’t like, a lot of people don’t even know that .NET now runs natively on macOS and Linuxes, right? So I feel like there’s a, there’s a large number of .NET Framework developers who through whatever reason, and I’m not placing blame on anyone here, I’m just making an observation, I feel like they’ve been left behind, right? Because the, the innovations haven’t really been shouted from the rooftops as loudly as perhaps they could have done; either by the community or by Microsoft themselves or whoever. Right?

And I feel like a resource, like a book like yours that can say, "hey, if you know .NET Framework, let me show you how to do things with the new .NET" or modern .NET or .NET 8 or whatever we want to call it. And I think perhaps that’s not helped. And there’s much, there’s a lot can be said about this, but I think that it’s not really that helped by the fact that like recruiters and people of a hiring nature have always referred to ".NET Framework" as just ".NET". And so that’s kind of made everything really difficult, right? It’s made like search engine stuff difficult and like looking for resources or looking for jobs even, has been quite difficult.

So I feel like there’s, what I’m trying to say is there’s a multifaceted set that set up to this. It’s not just, "hey, Microsoft, you should be doing better," or, "hey, community, you should be doing better." I feel like it’s, everybody involved could kind of maybe do a much better job of telling everyone, "hey .NET now runs everywhere and you can do all these things with it."

I’ve gone a bit on a bit of a tirade there. But I guess what I’m trying to get at is like a book like yours that a .NET Framework developer can pick up and go and go, "hey, I can actually use .NET on my Mac if I have one," or if I’ve got Linux on the desktop. Or, "hey, I could push a button and send an app to my phone," because I feel like a lot of .NET Framework developers don’t know that.

Dustin : Yeah. And I think what’s interesting too is there’s kind of like a lean towards Visual Studio a lot when it comes to, you know, running .NET. And that’s actually something I stay away from throughout the book. So it’s, if you have a text editor and a command prompt, it doesn’t matter what OS you’re running, you should be able to do the book like the whole thing.

There is one exception there. So there is like when there is the performance chapter, the tools that you use for it, that’s kind of dependent on the, on the operating system. So there is kind of like a Windows only tool that you use for like threat modelling in the security chapter and there’s a Windows only tool that you use for performance, like for capturing profiles, but they’re not necessary to go through the book.

And you know, because we have, we have the, the JetBrains IDE. That’s, that one’s pretty awesome. And it’s cross platform and it’s way more affordable than a Visual Studio license. And yeah, I think it’s like, you know, you want to make it as welcoming as possible to everybody on every platform, and also kind of be able to show like, you know, you get into that first chapter, you do that first, "Hello, World!" and it’s just one line and there’s no, there’s no Program.Main, you know, there’s no using… or, you know, setting namespace or anything like that. It’s, it should be like a jarring experience for a .NET Framework developer. It’s like, "hey, I just, I can have a top level statement that just works and then yeah," it kind of builds from there. I think they’ve done a good job recently with the top level statements and the kind of minimal API for ASP .NET Core that kind of make it easier to start with to get introduced to .NET.

Where it gets where I think we haven’t necessarily done a good job is the name ".NET" Terrible to search for? If you ever typed you’re in slack and you type "ASP .NET" and then it links it, it puts a hyperlink on it and it’s like, no, please don’t do that. Or you have .NET, .NET Foundation, .NET Core, .NET standard, .NET 5/6/7/8. You have ASP .NET, you have ASP .NET Core, you have EF—like Entity Framework—you have Entity Framework Core. Some of them kept the "core" some of them got rid of the "core". It can be really confusing.

And if somebody’s especially, like you mentioned, like if you’re looking for something like a job that’s talking about, "I need somebody with Entity Framework experience," or "I need somebody with .NET experience," like which version are you talking about? We, it could be anything.

Do you have a WPF application and want to take it to macOS or Linux? Avalonia XPF, a binary-compatible cross-platform fork of WPF, enables WPF apps to run on new platforms with minimal effort and maximum compatibility.

With a few tweaks to your project file, your WPF app and all its dependencies are ready for testing on new platforms.

Start your app transformation journey with a 30-day free trial.

Head over to http://avaloniaui.net/themoderndotnetshow to get started today.

Jamie : Yeah, yeah. And even then, some types of search engines, if you type in, you know, like let’s say just an example, right? You’re looking on a job board, you type in ".NET"—a period, then "NET"—some job boards, some recruiters are going to strip out that dot, right? And they’re going to assume that you meant to type "network". So they’ll look for like network engineers and infrastructure. And it’s like, well that’s not, that’s not what that is, right?

Dustin : Yeah, absolutely.

But one thing I do like though, because most of the time when you sort book titles, all the dots will come first. So like, yeah, like when you look for books and it says ".NET in Action" on the top, it’s like, yes, it’s like my book is first. Even though it’s just because it’s sorted lexicographically.

Jamie : Yeah, I get that. Yeah. Yeah.

It’s an interesting problem to solve and I feel like it’s, it’s something that is much wider—like I said—it’s much wider than, "let’s blame Microsoft" or "let’s blame the community" or l"et’s blame this one particular person." It’s not great, is what it is, but it is what it is, right? We all know what it means, kind of, and some of us aren’t being left behind, so that’s good.

But I like the idea that someone who perhaps is using Framework can pick your book up and go, "right, okay, so how do I, how do I move forward with the exciting new stuff?" Because, and that’s not me trying to say, that’s not me trying to say, "hey, you know, you developers who are only working in .NET Framework, that’s bad," because it’s not, right. I think it was Richard Campbell who once said, "working code is infinitely more valuable than some code that lives in someone’s head." And so if you’re just going to port something to the modern .NET stuff just because there is a modern .NET, well I really hope that you’ve got a lot of test cases and stuff set up because otherwise you might hit on some kind of weird undiscovered or not very well discovered platform discrepancy. Right.

And just migrating up isn’t just upgrading to the latest version. May not be a good idea. If your business is "Windows and Microsoft and the whole Windows stack, "then yeah, you’re going to get the performance upgrades.

Dustin : Yeah.

Jamie : You’re going to get access to span<T> and IAsyncEnumerable and stuff like that. But if you ain’t using them, you’re not going to get a great, you know, the cost benefit isn’t going to be there is what I’m saying. But I like the idea that your book will help—I like the idea that your book can help get people from, a state of, "as a .NET Framework developer, I don’t know that modern .NET exists. And then I read Dustin’s book and now, oh cool, modern .NET exists and I’ve actually built a whole bunch of stuff with it and now I don’t want to go back."

Dustin : Yeah, yeah, yeah. Finally. It’s really, it’s not that bad. I mean it’s actually quite fun when you kind of strip away some of the ceremony that used to be there for .NET Framework.

Like a few kind of… because when we do the book with the publisher they kind of have different stops that they’ll do full reviews; they’ll get volunteers and they’ll be kind of like a varied background. So some of them are kind of all the way .NET, some of them are kind of Framework developers, and some of them have no experience with .NET at all. And they’re basically like, they go through the entire book, and write comments all over it, and give like a feedback at the end and things like that. It’s a fantastic process. Also really humbling too. Like when somebody’s like, because you got to go through and read all these comments from like you know like ten different people.

But yeah, it’s, some of the things that I saw pointed out was like when we do something like I’ll use like the most bare bones version of say like the .NET templates. So for instance, like you have a template that will set up an entire web app and it will have razor installed, and will have identity installed, and like a full login, and record passwords and things like that. Like it’s like a full functioning site and there’s like kind of an equivalent for a web API where it’s going to have like everything set up and, you know, controller and all this stuff. I actually try to start from a simpler part where it’s just like the bare bones. "Here’s how you set up ASP .NET Core, and you can ping it with your browser and get a response back." Then I build from there to add things like Swagger and things like that.

There was some pushback on that because I feel like when you’re say, like you’re using Visual Studio and you build a new application, it’s going to have like a whole template of everything built in. But I find for like say like a new learner, it’s kind of scary when you see like, you know, there’s tons and tons of lines of code and then I put them on the book and I say, "just ignore this stuff and then just pay attention to this stuff." So I like to kind of like strip it down to just like only what’s needed and then slowly add things in so that you kind of get an understanding of like, "oh, if I really didn’t need this, then I can, I can keep that out. And this is how I would keep it out. And these are all the pieces that are needed for this part." So that you understand all the, all the construction of say like a modern, like, web API built in ASP .NET Core.

Jamie : Sure. And I guess along the way it helps to like… okay, so from a developer productivity standpoint, if I can do dotnet new some-template-name and have it all set up for me, that’s brilliant.

Dustin : Yeah.

Jamie : But if I don’t know how it’s set up or I don’t understand why it’s set up in that way, I’m not going to be able to like dig into it if the something goes wrong or if I need to add something to it, right? Like if I need to add a service and I don’t know where I add services, then, you know, using that productivity-based template that’s opinionated and gets me started, that’s not really going to help me in the long run figure out where my bits and pieces need to go.

Whereas I feel like, like you’re saying, if we start from I just have a Hello, World or the equivalent of and build in, right now we’re going to add ASP .NET Core, for instance. Now we’re going to add, we’re going to respond to a slash hello. Now that we’ve done that, we can then inject a service so we can inject a hello responder or something like that and then slowly building it up. So then folks who are following along know where those Lego bricks have been placed for them along the way, right?

Dustin : Yeah, yeah, I think you put that pretty, pretty well.

I think like one of the things I found interesting was the kind of coming back to identity and kind of the work that I’ve been involved with, with my current employers. When you build an ASP .NET web API, the template that you kind of get is there’s the web API and then there’s like a web app that has all the login stuff built in with everything supported, including like, you know, you can set up multi-factor authentication, you store passwords like in salted hash format, things like that, connect to social accounts.

But it’s like, I hate that the template is always like, "here’s everything that you need if you’re going to be a standalone application," and then you can build your web API into that and then use the authentication that’s built in with ASP .NET, with all the, it’s storing all the username and stuff and everything.

I try to stay away from that because for the most part, when you’re working within a company, you’re building a web API. Authentication is handled by something else. Logging in the user is not your job as a web API builder. Your job is to make a REST endpoint that does some work and then gets a response, and it needs to authenticate. But it can do that without holding a password or the user’s name or anything like that. I kind of like to go from the concept of least privilege. Like, I only need certain things to be able to perform my function. Everything else, I don’t care about the user’s name, I don’t want their phone number in my database, things like that. I want somebody else to handle that and then focus on that. And then give me a token that says who they are and what they have access to, and then I can kind of focus on what my service does.

I think that how that whole thing works, like the OpenAuth and OpenID Connect, is something that I think is important for developers to understand and it’s something that we can kind of walk through and kind of fill in some of the gaps for that because it was definitely something a big learning experience for me when I started.

Jamie : Sure. So I mean, how about we pivot a little bit and talk about identity then, because I feel like that’s, it’s the subject of the episode and we’ve kind of segued nicely into it.

So like, so here’s my initial thoughts. As someone who has never had to roll that code, I’ve always, you know, in previous years of .NET Framework, it’s been "File>New, tick a box and go." And with modern .NET, with ASP .NET Core it’s dotnet new and passing a flag that says, "yeah, use identity" or use whatever. I forgot what Microsoft are calling their stuff now. Is it Entra, something like that?

Dustin : Oh, Entra, yeah, I can’t remember.

Jamie : Yeah. Entra. That’s right. Yeah. So there’s like, it’s a Boolean flag you provide and then everything’s set up for you. Right. So like is that, is that something that you have experience with that you can talk to where you can be like, right, "okay, here’s how it all works." Or like, what are we saying here?

Dustin : Yeah, yeah. So like, what’s interesting is up until .NET 8, like when you got the template for kind of building out an ASP .NET Core web API, the way that you would handle it was included with, it was the Identity Server as a way to authenticate users and then issue that you could use in your web API. That was the recommended templated way. "Here’s identity server and then that’s going to do your authentication, your login, and then you get that token, and then you can use that in your web API."

But obviously that changed because now Identity Server is not being updated any more, like the open source version. So now there’s a commercial version of Identity Server that we use at UiPath because it’s awesome and we’re happy to pay them for that work. But the template can’t include something like that any more. They’ve modified things a little bit with .NET 8 also to fit with with the new Blazor and kind of single page applications to kind of get away from like the kind of classic ASP cookie-based authentication and move more towards like a token-based authentication. And then they’re providing some alternatives, say to like just Identity Server.

Jamie : Yeah, that’s true.

I mean, it’s a conversation for another time. But I fully support Duende’s idea of no longer offering a completely free open source version of identity server. We were talking off air about how it is super important that developers get paid for the work that they’re doing. And you know, a lot of companies were using identity server, because it’s packed in for free and you’re like, "oh, cool, there’s this thing that will let me do that." A lot of folks were using that and no one was ever paying the identity server people a great deal of money to actually support the development of it. Right.

And you know, we saw with, not so long ago, we saw with things like Log4J just the amount of demand that there is. And this is a, this is a conversation for another day, perhaps, but we saw a great demand from businesses when Log4J happened. And they were like, "you need to fix our system for free because it’s your library." And you know, the Log4J people were like, "well, actually we kind of fixed this three years ago and you just haven’t upgraded," you know.

So I fully support, I’m not trying to conflate those two things, those two instances exactly, because they don’t exactly fit. But I’m fully in support of open source developers being supported financially by those who are making a great deal of money by using their software. Right.

Dustin : Yeah. And I kind of understand there’s say like there’s a model of, you know, you can use the GitHub sponsorship versus what Duende is doing. Like the company behind identity Server, they’re making a commercial version, there’s an enterprise version of it that we use. You’re paying for support and for this ability to redistribute; because UiPath actually has on Prem installs which will include identity server. So we need something that has a license that we can actually install identity server with our product on a customer site. And their licensing is actually really good.

But it’s like, I prefer this model, say like Duende is doing for something this important versus the sponsorship because the sponsorship almost feels like charity. It’s like, yeah, it’s like, "hey, we use this, we’ve made, you know, we’re a company that makes millions of dollars, but, you know, we’ll throw a couple hundred bucks, you know, to this repo every now and then." It’s like, you know, and it’s just because they feel like it’s not a guaranteed income or anything like that. You can’t, you can’t expect a developer to quit their day job and, you know, go completely into supporting this open source project just based on sponsorships that you can’t guarantee that you’re going to keep getting. So I do like, but that’s just me.

Jamie : Sure. And like I said, it’s a conversation for another time. I think for much more smarter people than I, at the very least, it’s not like, "how do we support open source software when all of our software is built on open source" is a very deep conversation to have.

Dustin : Yeah.

Okay, so I do want to talk a little bit about how authentication works kind of in the modern web services. And it kind of comes into Oauth and OpenID Connect. OAuth is a standard, it’s used for authorization. And part of it is to issue something called a JSON web token. And that’s got claims in it that you can use for authorization. But then there’s OpenID Connect which is built on top of it that’s used for authentication, which like, authentication is like verifying who you are and authorization is verifying what you can do.

So OpenID Connect is kind of like built on top of OAuth to facilitate this authentication to figure out an identity for a user. It’s not a standard, it’s as close as you can be to a standard. And it’s adopted by a lot of, a lot of big industry players. So you don’t have to necessarily stick with Microsoft or stick with Google. They do OpenID Connect and same thing with something like Okta or Auth0. There’s like a number of OpenID Connect identity providers that you can pull in. Identity server is a means that you can control everything about that. It’s still an OpenID Connect server at the end of the day, you’re still going to be able to get tokens out of it, but it’s like you own that whole service.

There are alternatives. There’s one called OpenIddict. I think it’s OpenIddict. I think that’s the name of it. That is an open source, like a fully open source alternative to identity server. There is a, you know, there are some other things available, like even like outside of the .NET space. Like you can have, you know, it doesn’t have to be .NET for that particular server. It’s just something that issues tokens at the end of the day.

So there’s, once we kind of get the token, then we can authenticate within our application. But yeah, I did want to kind of dig back into understanding like what these tokens are and how they work and have you ever played the game Papers Please?

Jamie : I have, yeah.

Dustin : Yeah. So this, this is um, I love this game. So like, so for anybody, like, I don’t know, do you think you could describe it? Like, do you know, like from your, in your words, like, like what’s, what is the game about?

Jamie : Oh man, let’s see it’s been a very long time, but it’s like, so I remember. I remember not getting very far with it. I remember that. I remember, like, because you have to. I mean, it’s called papers, please, because you have to provide your identity. Identity papers to get through a checkpoint. Right. But then there’s always, like, there’s something wrong with them, and you’ve got to go, like, you got to go to another person to, like, identify. What was it? It was like. It was like you’re authenticating that your authentication was correct or something like that. Maybe I’m conflating it with something else.

Dustin : But no, it’s actually like, if you’re into. If you like papers, please, you might like a career and identity. So. But I like the way it builds. And I always kind of wanted to do like a, almost like a tutorial or like a class where it was like you were kind of building up in the same way. Because the game starts out, and it’s like you are a border guard for the country of Arstotzka, and there are neighbouring countries, and they are coming in through the border and they’re presenting identification because they want to get in. And then it’s your job to figure out, like, are they allowed in or not? And you’re kind of graded on how accurate you are. And it sounds, like, super boring, but it’s like, it’s engrossing. I love it. I thought it was really fun.

But the way the game starts out is very simple. It’s like, first you’re just, you know, you’re just kind of letting people through, and then you need, oh, okay. They need to present a passport, and it needs to be a valid passport, and then there’s. They need to have this extra paper, and then they need to have this extra paper, and then it gets more and more complicated as you go on. And then pretty soon it’s like you’re doing searches and you’re comparing documents and checking their weight and their height and all this stuff to try to find people that are trying to slip through with counterfeits.

There’s an analogy here to say how authentication works: say you’re trying to cross this border, which, you know, this, to get into this application, this web API, and as the, you know, authentication part of portion of the, of the application, you’re, you’re trying to figure out, like, "who this person is and do they have access to this service?" So, like, say I walk up to the border guard and I have nothing. I have no passport. I have no visa, I have no papers, and a border guard tells me, "you should go over to your embassy or whatever and get a passport and get this visa paper and then come back." And that’s kind of similar to the way like you would visit like a web API.

Like you go to the web API, you try to, like, you try to call a certain action on that and you don’t have any authentication, it’s going to tell you, "hey, you’re not allowed to, but you can go here to this address and get a token and then take that token and come back." And then that’s the token that you get. And how we verify that that token is valid is all kind of stuff that you can kind of use analogies in the game for. So it’s something I always wanted to kind of build as a course.

But so like when you like present like a passport, that’s who you are, you know, that’s equivalent to an id token. And that’s say like from OpenID Connect perspective, that is the value that it’s adding. You’ve had to log into some identity provider with a password or something like that or maybe it’s connected to some social account that you have like GitHub or Microsoft or Google or whatever you’ve authenticated with them and you’ve proved that you are this person. And then you will get an ID token to represent that. And the ID token is it has an ID for you, it has maybe a name and just some other things about you in particular.

Then there’s another kind of token called an access token that is part of what OpenAuth does, which is kind of underneath OpenID Connect. So OpenAuth is about authorization. And you would say, "I’m trying to get access to say this, I’m trying to get access to this service. And these are the capabilities I need, these are the scopes I need. And here’s my authentication, here’s my, I’m logging in at this time and I’m getting this ID token and I’m getting the access token at the same time." That access token is what that web API is interested in. It’s targeted at a particular service. Like it will have something called an audience in it that says like, "this was meant for this service." It’ll have your user id, some claims that you have access to. It’ll have some proof that it was, that it came from an authority. It’ll be signed. So you can’t change the contents of that token without breaking the signing enough so that you can actually go to a web API and you can present this access token and you can get access to actually run some actions on that rest API. So does that all make sense so far?

A Request To You All

If you're enjoying this show, would you mind sharing it with a colleague? Check your podcatcher for a link to show notes, which has an embedded player within it and a transcription and all that stuff, and share that link with them. I'd really appreciate it if you could indeed share the show.

But if you'd like other ways to support it, you could:

I would love it if you would share the show with a friend or colleague or leave a rating or review. The other options are completely up to you, and are not required at all to continue enjoying the show.

Anyway, let's get back to it.

Jamie : Yeah, no, that makes sense.

It’s kind of a little bit like, but not exactly the same as my understanding of how certificates for TLS work. Right. It’s like, "I’m going to present you with a token and you’re going to, and I’m going to verify it and then you’re going to let me," in but in the opposite direction. Instead of, instead of me as the server saying, "here is my token, here is my certificate, go verify it elsewhere to make sure it’s right, then you can access it and we’ll set up a secure connection." It’s more, "I am a client, I want to get this thing, here are, here’s my identification and that I’ve gotten from somewhere else. And here’s the thing that says I should be allowed to access this resource," right?

Dustin : Yeah. And I would say like, so certificates are still involved too because it’s because you need that certificate to sign the tokens. And I think what’s interesting about certificates is like you have that, you know, this kind of asymmetric encryption where, you know, you have a private key and then you publish a public key that everybody can see to use to kind of decrypt your, what you sign, what you encrypt. And that’s a kind of a feature of like these identity providers. Like identity server is like they use certificates to sign these tokens and they publish what they call well-known documents. It’s a part of the protocol for OpenID Connect that says, "this is the token that I’m going to use. Like the public key that I’m using. And here’s something that you’re going to expect to see inside that token. It’s going to be like this issuer and it’s, it’s going to have timestamps on it." Like when it’s good, when does it expire enough information so that when you look at that token you should be confident that it’s been issued by an authority and it’s valid. Like it hasn’t been changed. And then you can kind of trust where it came from that, you know, based on like you can go to those well known documents on that server and then get that, that certificate and you can verify, "yes, this was signed with that certificate."

Because it’s like a lot of, you know, trust building. Like how do you trust somebody that’s just calling your API and they’re presenting you a token that says that they have access to it. It’s like certificates are a really good way of verifying that it came from the right place.

Jamie : Sure.

Dustin : So cool.

There’s generally say with identity server the way that we’re using this is you login with a variety of means, but eventually you get to the point where you’re issued three tokens: an identity token, an access token which has the authorization in it, which is claims like the authorization is not like a real strong authorization. It’s like, "here’s the web app that you should have access to, or the API, and here’s some scopes that you’ve requested that we’ve given you." Scope-based authorization is not super good to rely on. It’s not really fine grained or anything like that. So you kind of have to authorize in different ways after they’ve presented this access token. And then there’s the refresh token. So that access token say, let’s say it’s good for an hour. At the end of the hour you need to get a new access token. So you use the refresh token and you should be able to get a new access token using that refresh token.

And that gets into a lot of interesting things, I think with identity server because that refresh token, it’s got to be stored somewhere underneath. So identity server needs a database and needs to be able to hold, every time somebody logs in they get a new refresh token. We have to hold that in the database so that we can compare the refresh token that was presented. And we’ll also do things like say a refresh token. It seems kind of dangerous if I give you these three tokens and you have your refresh token and it’s stored in local storage in the browser or it’s written to disks somewhere, then if somebody were to grab it, they could go and get their own tokens.

And those refresh tokens end up having like they can have long lifetimes, they can have like, you know, like 30 days, 100 days, something like that. Like, so it’s kind of an attack vector. That kind of the best practice for that is to turn it into a one time use refresh token. So like you get the refresh token on say your first call, so you have ID, access, refresh and then your access token expires and you call it the identity server with your refresh token and it issues you a new access token and a new refresh token. So that your refresh token is constantly rotating to kind of minimize the kind of like the ability for somebody to kind of get an old refresh token and use it to impersonate you and get access to things that they shouldn’t have access to.

And yeah, and there’s also kind of a concept of "forgiveness," too That this is something that we’ve had to struggle with as well, is identity server has say like a built in ability that you can override. So like say like you used a refresh token twice. When it’s only one time user, it will just reject it automatically. But if you allow some forgiveness, like you can change that code and provide your own implementation, you could say like, "oh, I’ll let it, you know, maybe they’ll, they can reuse it twice within five minutes." Or maybe it’s like there’s a little bit more of a window for forgiveness or something like that. Because it could be that like say I request a new access token but my service goes down or I lose network or something like that, and I don’t get the response, but it’s already issued a new access and refresh token and then it cuts you off. So basically you have to go back and log in again, which can be disruptive, especially if you’re talking about service to service communication or if you’re talking about kind of automated systems like that are using these access tokens.

Forgiveness is something that we’ve actually kind of baked into our product to kind of handle certain areas. And it’s always kind of, it always feels like this kind of, it’s never completely secure. It’s like you never, can never be like 100% secure. It’s always like, "I can make it good enough, hard enough to break that. It’s, you know, it’s not an easy target and you know, you can go after somebody else," you know?

Jamie : Sure.

Yeah. Because that’s, that’s the difficult thing with security, isn’t it? It’s like you’ve got this, this trade, this almost constant trade off of ease of use versus incredibly secure, right?

So like the example I sometimes give people is like a door, right? Just a normal door, like a push door with no kind of security, no authentication authorization, anything on that door you can just walk through, right. And you’ll be used to walking through doors because there are doors in your house, there are doors in your school, there are doors in your life you could just open and carry on. But then you get given a key, and before you can open the door, you have to check whether it’s locked. And if it’s locked, you then need to present the key and then if the key works, you can unlock the door and open the door. That slows you down as a user of the door, right. As a person who wants to get through to the next room.

And, and security is just adding layers on top of that. And especially with like specifically with identity, you have to then think about, well, if they fail the authentication check, but it’s been, you know, if we have one of these forgiveness tokens then they failed to re-authenticate again. You’re then going to, like you said, "can we issue them with a new token? No, we can’t. Or yes, we can because it’s been, you know, a number of milliseconds or whatever."

So yeah, I think, I think it’s, I can imagine that it is incredibly difficult to manage with, especially with service to service or automated, like you say, because there’s no human involved, there’s no one who’s going to go, "okay, here’s my, you know, I’ll go away and get a new, completely new session, completely new token and we’ll carry on." Right. Because I can imagine that without any kind of forgiveness or any kind of refresh token, quite literally communication stops, right, because you start getting the, the equivalents of, you know, unauthenticated, a 401, 403, something like that. If you’re using HTTP, you get that constantly, right?

Dustin : Yeah, yeah, yeah. And it’s, there’s kind of always that balance and.

Yeah, like in the, in the, in the book I actually show how to use an external openID provider to do all the authentication for your app and that’s, so I kind of pick an easy one. So like the, the one that’s in the book is, is the Microsoft one, the Azure ad, which is now Entra, they just changed the name after I’ve, the book has been released, the reduction, I can’t change the name now. It still says Azure ad. So you know, that’s whatever. Microsoft loves to make things that are, you know, that are named in such a way that they’re hard to search for and they change constantly.

So, but like what’s interesting, like for, say like for Entra or Azure ad is they support OpenID Connect, but kind of, sort of not really. So it’s like, the thing is when OpenID Connect is not a standard, you have some wiggle room to do things in it. And part of the protocol as well is it’s allowing you to say, not use the JSON web token. Google does this. Google makes, it’s a proprietary kind of token. They’re still issuing you a token. It’s not a JWT. Also with like ASP .NET Core 8, they’ve built in this kind of new token-based authentication, but they’re not JWTs, which is interesting. Like it’s an interesting choice, but it is still a token. So it’s still something that follows the protocol, like how you use it. But it is not like a JWT that you can kind of dump into like a reader that will show you what all the contents of it are.

Say, like for Azure ad, they do this as well unless you make some changes to it. And these are kind of covered in the book, they’re definitely not obvious. They are documented. So that’s not like a secret, but it’s just not something you would see on the surface of it like you would expect. "Oh, it’s giving me a token. I can use that in my OpenID Connect-based web API," when actually you kind of like, without using the Microsoft client, you kind of can’t. But with some modifications, you can change a couple of settings. You add a scope to the token and then [Azure AD] will issue like a regular JWT that would work just like any other OpenID Connect provider. And I kind of have you walk through this, this stuff in the book so that you can, it’s like one way to set it up because you could use Okta or you could use Osteo or something else to get the tokens.

And I think for a lot of people when they’re at work building services, there’s already the token provider, the authentication provider is already chosen. You know, they’re, they’re working within the company like this. You’re not going to be able to say like, "oh, you must use the kind of built in ASP .NET tokens. You just use whatever’s there."

Jamie : Absolutely. And there has to be a level of flexibility for that reason. Like you said, like you’re not going to be, somebody says, "we need to build a web API to do this thing." It’s, it’s not, "and all of the authentication to go with it and all of the authorization and identity and everything." It’s usually, "you’ll receive a request, it will have a token which looks vaguely like this, and you will be, you know, there will be an API for you to poke at if you want to authenticate, or there will, there will be a process for authenticating that that token is correct. Don’t bother with building the entirety of the backend we just want you to make sure that when someone presents a valid token, they can get a hello world, right?"

Dustin : Yeah, yeah. And that’s, it comes to another funny part of this because like there’s, there’s a thing called IdentityModel and that’s kind of your client side version of checking the token.

What’s interesting to me is IdentityModel is also built by the same guys who built identity server. It’s still open source and it has this rocky history that I still can’t follow because. There’s a thing called System.IdentityModel. There’s a thing called Microsoft.IdentityModel. There was a, I think there was a point in time where somebody at Microsoft was tasked with basically copying what identity model does and building it into ASP .NET Core, but like didn’t succeed or something like that. There was like, I’ve tried to follow this and it’s like, I don’t get it. But like at the end of the day when you use ASP .NET Core, it’s referencing identity model—one of them. And that identity model is what does a lot of the heavy lifting of getting the token and verifying it and checking the scopes and the audience and all that stuff. It does a lot of that work for you. You don’t have to build all that code.

You know, it’s really helpful. It’s like there’s, from your web API, you want to be able to kind of go and check like, "is this the right issuer? Is it signed correctly?" All that stuff, but you don’t want to like write all that code. So this is what an identity model is doing.

Jamie : And that’s obviously different from identity server. But like is that, is that just like, oh man, I’m a little confused now. So does IdentityModel just represent the process? It’s not your fault. It’s my fault for…

Dustin : It is confusing.

And it’s like, so like identity server, you can think of it, it is a server. It is like a separate thing. It’s what we call an identity provider. It allows somebody to log in and get a token. But IdentityModel is like the client side that goes into your web API that you use to validate the tokens that you receive. So somebody gives you this JWT, it’s got some content in it and it has things like, "it has that signature and it has expiration and an issuer that says it came from this place." An IdentityModel is what you would use to actually kind of look at that token and make sure it’s valid.

So you just kind of provide, like, "this is the audience I’m looking for. It’s just some string. It represents my web API and this," the rest of it is kind of handled by IdentityModel just to make sure that, that, that token is valid. So it’s like these can be kind of hard to separate at first, especially if you’ve got identity server and also with IdentityModel because you can kind of sometimes see it like it’s System.IdentityModel or it’s Microsoft.IdentityModel or, you know, it’s hard to kind of separate that part.

But I think for the most part, it’s like when you pull in ASP .NET Core identity, a version of IdentityModel will be pulled in and it will do that kind of heavy lifting on verifying tokens. So it’s definitely useful. You need to know it’s there, but you don’t necessarily need to know how it’s going to work.

Jamie : Right, right. Okay. No, I get it.

So have you got any top resources other than the book? Like, we’ll talk about the book in a minute, but have you got any top resources for folks who want to sort of take this conversation and go, "you know what? I want to take my next step in figuring out how all of this fits together."

Dustin : Yeah, I would say so. Auth0, their blog is fantastic. They even go into particulars about like say .NET 8 and what ASP .NET Core identity does. And they talk about all these, all these things in great detail. It’s very well explained, which is interesting. I mean, Auth0, I think it was started. One of the founders was a guy that came from Microsoft that had done the Windows Identity Foundation. Windows Identity foundation doesn’t exist any more. I think it’s Vittorio [Bertocci]. He’s been an identity God forever. He built Auth0. Now Auth0 is owned by Okta, but they still have kind of separate offering, offer offerings like you can, it’s not like a, like they haven’t migrated everything from Auth0 to Okta yet.

Jamie : Right. Okay.

So what I’ll do is I’ll make sure that there’s a link to the Auth0 blog in the show notes. So if folks want to go check that out, that’s a great place to start.

Okay. So as, as we come to sort of start wrapping up a little bit here, Dustin, just because, you know, I appreciate you’ve given your time to us to learn a little bit more about this. And, you know, you’re a very busy person. I was just wondering, could you remind folks about the new version of the book that’s coming out or that has come out, like, is it. Is it out now? Is it out soon? And for reference, folks, we’re recording this on February 8th, 2024. So if Dustin says "in the future," it’s probably in the past by the time you hear it.

Dustin : Yeah. So right now it’s in the release to production phase. So it takes a little while because they have to typeset and they have to get all the graphics correct and things like that and get it ready for print. The PDF version, like the online version, if you go to, like, livebook.manning.com, that should be available. It should be updated with all the latest content. And when it actually gets to print, then they will start sending it out. But I think it’s going to be, like, probably another month from now. It takes a while to get everything done.

Jamie : Okay. And that’s ".NET in Action", right?

Dustin : Yes. Yes. I think that, like, I like the "in action" series. It’s kind of. The point of it is to kind of like, the way I think about it is like, "I’m either a consultant or, you know, I’ve come into a new job, and they’re using.net, and I need to catch up, and I need to learn how to do this kind of on the job quickly." And that’s. I like the "in action" series for that. It’s just to kind of get you to the point where you’re actually able to kind of build, you know, real software with. With the content of the book.

Jamie : So what about if folks are listening along and going, "I want to. I’ve got a question for Dustin. I want to pick his brains about something," like, are you on, I’m gonna say X or Twitter? Or is it LinkedIn? Or, like, how can folks get in touch?

Dustin : I still have an account on the artist formerly known as Twitter, but I don’t really check it any more. I use mastodon. They give you search for my name on Mastodon, you should be able to find me. I’m on the fosstodon server. And where else? I mean, I try to keep my social media to a minimum, let’s say, because it’s very distracting. But I think, yeah, if you find me on Mastodon, I think that’s the. That’s the best way to kind of bug me and send questions and a little bit of hate. That’d be.

Jamie : Cool. Cool.

Well, you know, thank you for having a chat with us this evening. Well, this evening for me, I suppose this afternoon for you. Generic time of the day for the people who are listening. Nobody knows what time they’re listening. Right?

Dustin : I hope you had a good car ride.

Jamie : Yeah, I hope so, too.

It’s been a real pleasure, and it’s been, it’s been a long time since we last chatted, so maybe. Maybe we can do it again in a little bit. A little bit sooner. I don’t know.

Dustin : Yeah, it’d be nice, you know, it’d be nice to see if more people are interested in, like, identity topics or things like that. Yeah, I’d love to either follow up or at least try to get more identity people involved, because it’s a deep subject and it’s really quite interesting.

Jamie : Yeah. Awesome. Well, like I said, dustin, thank you ever so much.

Dustin : Yeah, thanks, Jamie. And, yeah, again, congratulations on the. On the podcast. You’re like, 140 some episodes in, and you’ve had great guests on, and it looks like it’s going great. I’m really happy for you.

Jamie : Thank you very much, my friend. Thank you very much.

Wrapping Up

Thank you for listening to this episode of The Modern .NET Show with me, Jamie Taylor. I’d like to thank this episode’s guest, Dustin Metzgar, for graciously sharing his time, expertise, and knowledge.

Be sure to check out the show notes for a bunch of links to some of the stuff that we covered, and full transcription of the interview. The show notes, as always, can be found at the podcast's website, and there will be a link directly to them in your podcatcher.

And don’t forget to spread the word, leave a rating or review on your podcatcher of choice - head over to dotnetcore.show/review for ways to do that - reach out via our contact page, or join out discord server at dotnetcore.show/discord - all of which are linked in the show notes.

But above all, I hope you have a fantastic rest of your day, and I hope that I’ll see you again, next time for more .NET goodness.

I will see you again real soon. See you later folks.

Follow the show

You can find the show on any of these places