-
Notifications
You must be signed in to change notification settings - Fork 25.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
ROPC: include for secure auth flow - managed identities - Razor Pages Tutorial #33408
Conversation
close open and rebuild, include name change was not registering. |
@tdykstra, @Rick-Anderson does this seem like the right approach for the tutorials where db connection strings are involved but for a non-production tutorial teaching situation like these? I can also take the feedback offline. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Too weak for ASP.NET Core. Stronger recommendations needed.
Our tutorials don't and shouldn't focus on secure auth, link off to that.
Feedback and improved change from Rick-Anderson Co-authored-by: Rick Anderson <[email protected]>
@@ -28,7 +28,9 @@ The generated connection string will be similar to the following: | |||
|
|||
--- | |||
|
|||
When the app is deployed to a test or production server, an environment variable can be used to set the connection string to a test or production database server. See [Configuration](xref:fundamentals/configuration/index) for more information. | |||
When the app is deployed to a test, non-production server, an environment variable can be used to set the connection string to a test, non-production database server. For more information, see [Configuration](xref:fundamentals/configuration/index). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
When the app is deployed to a test, non-production server, an environment variable can be used to set the connection string to a test, non-production database server. For more information, see [Configuration](xref:fundamentals/configuration/index). | |
In this tutorial, a local database that doesn't need a password is used. Therefore, a secure authentication flow isn't required. | |
When the app is deployed to a test server, an environment variable can be used to set the connection string to point to a test database server. An environment variable should not be used in a production system. For more information, see [Configuration](xref:fundamentals/configuration/index). |
@tdykstra I think that's easier to read.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tdykstra I think we should put the above in an include file and use it everywhere. Then we only have one place to change it. What do you think?
We'll need this boilerplate in MVC and other place. We could add it to EF tutorials.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wadepickett @tdykstra we need to work in something like this.
For VS/local db:
In this tutorial, localdb is used in dev on the local machine and doesn't use a password, therefore, a secure authentication flow is not required.
Then something similar for SqlLite
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We don't want to spook them right away so we need to tell them up front that since this tutorial uses a local db that doesn't use a password, a secure authentication flow isn't required. Maybe tell them that before the big warning.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Rick-Anderson, sure we can create another include for that case too only for VS/localDB
Clarification/question: For VS/localDB, when Trusted_Connection=True as we are using in the connect here, that results in Windows Authentication used. Wouldn't we consider that a type of Authentication flow? So to say one isn't required might be confusing. It may not be the best one for the situation depending, but is one. Maybe we are keeping to a narrower definition of Authentication flow?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@Rick-Anderson, sure we can create another include for that case too only for VS/localDB
Clarification/question: For VS/localDB, when Trusted_Connection=True as we are using in the connect here, that results in Windows Authentication used. Wouldn't we consider that a type of Authentication flow? So to say one isn't required might be confusing. It may not be the best one for the situation depending, but is one. Maybe we are keeping to a narrower definition of Authentication flow?
Resource Owner Password Credentials (ROPC) grant is using a PW. No PW is used with local DB. We're only concerned where a PW is used, like the old deployment method where we put the PW in an env variable.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@tdykstra I think that's easier to read.
Yes, and I tweaked it a bit.
@tdykstra I think we should put the above in an include file and use it everywhere. Then we only have one place to change it. What do you think?
Sounds good, but I don't think we should say "don't use environment variables in production" without saying what is OK to use and providing a link to how-to instructions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Then something similar for SqlLite"
@Rick-Anderson, I think the way you worded it in the last edit already fits both situations nicely by specifying "a local database" rather than more specifically "localDB".
"In this tutorial, a local database that doesn't need a password is used."
So only the one include would be needed for the note on using a local db. I will just add one include with your text, unless you still want some sort of separate message for SQLite.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sounds good, but I don't think we should say "don't use environment variables in production" without saying what is OK to use and providing a link to how-to instructions.
@tdykstra, to address this I added "An environment variable should not be used in a production system. For a production system, use a secure method such as Azure Key Vault configuration provider or Managed Identities for Azure resources to manage sensitive information like connection strings."
See the updated include. If they are not using Azure SQL server, then it would have to be key vault I assume, if they are then it would be Managed Identities for Azure resources.
However, between both includes it feels a little duplicated so maybe I need to address it differently in a combined way. See what you think.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
However, between both includes it feels a little duplicated so maybe I need to address it differently in a combined way. See what you think.
Yup, too long, too much duplication.
Moved Rick's suggestion on a local db with no password info to an include and applied for Razor Pages example. Also addressed Tom's suggestion on recommending the correct path for production since we say env var cannot be used. All suggestions I know of are in. Good to know what you think of the added include Rick suggested, plus the change to address Tom's concern specify what to do instead of env var in production. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The following is WAY TO LONG
It repeats too much. @tdykstra how is my suggestion?
Removing include file entirely Co-authored-by: Rick Anderson <[email protected]>
Added commit from Rick for include statement on local db connection string. Co-authored-by: Rick Anderson <[email protected]>
@wadepickett do a pull before you push as I committed @tdykstra change, it was much better. |
ms.topic: include | ||
--- | ||
> [!NOTE] | ||
> This article uses a local database that doesn't require the user to be authenticated. Production apps should use the most secure authentication flow available. For more information on authentication for deployed test and production apps, see [Secure authentication flows](/aspnet/core/security/<!-- write create article something like secureAuthn-->). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@wadepickett create an issue to create [Secure authentication flows](/aspnet/core/security/<!-- write create article something like secureAuthn-->).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just to make sure I am in sync with the intent:
- You added the commit that refers to a future topic not created so it is in the commit history along with Tom's last suggestion for it.
- Then you want me to pave over that with the last longer version of the include to merge today?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tracking issue: #33426 Secure Authentication Flows
@Rick-Anderson, The last commit you added had a non-existent link. Did you mean to change the include first? This is why I was asking that, if for now, we were using the previous version of the include before your last commit. Here is what it looks like now: |
Please don't merge my PR's for me, eh? I would rather do that. |
Oops, |
Fixes #33407
Contributes to #33407
Created include:
includes/managed-identities-test-non-production.md
Using standard note template, we are all using for ROPC.
See similar related include used by dotnet/docs:
SFI - ROPC: First group of updates docs#42254
This note was created in line with a recommended examples in the contributor's guide for test / non-production scenarios here:
https://review.learn.microsoft.com/en-us/help/platform/contribute-security-insecure-auth-flows?branch=main
Updated the Razor Pages Tutorial series to add the include and other recommendations related to the example of connecting to a database created through Entity Framework from a model class.
Internal previews