1
00:00:00,240 --> 00:00:04,686
Now that we've combined key based authentication and HTTP cookies to

2
00:00:04,686 --> 00:00:09,433
implement user authentication, let's take a look at the authentication

3
00:00:09,433 --> 00:00:14,652
process one more time, this time with ASP.NET Identity specifically in mind.

4
00:00:14,652 --> 00:00:20,320
ASP.NET Identity sits between your web app and the client, the user's browser.

5
00:00:20,320 --> 00:00:24,410
This allows identity to inspect each incoming request.

6
00:00:24,410 --> 00:00:28,540
Identity starts by looking for an authentication cookie and

7
00:00:28,540 --> 00:00:33,040
if it doesn't find one it'll redirect the user to the sign-in page.

8
00:00:33,040 --> 00:00:36,980
Using a form on the sign in page, the user posts their user name and

9
00:00:36,980 --> 00:00:38,820
password to the server.

10
00:00:38,820 --> 00:00:42,850
An MVC controller in your web app handles the request and

11
00:00:42,850 --> 00:00:47,830
uses identity to verify the provided username and password.

12
00:00:47,830 --> 00:00:52,960
If the log in is successful, identity is then used to sign in the user.

13
00:00:52,960 --> 00:00:58,320
Signing in the user causes identity to create an authentication cookie containing

14
00:00:58,320 --> 00:01:03,780
information about the user and attaches it to the response returned to the client.

15
00:01:03,780 --> 00:01:08,140
The user information stored in the cookie is encrypted in order to keep it safe.

16
00:01:09,240 --> 00:01:11,700
After receiving the authentication cookie,

17
00:01:11,700 --> 00:01:16,320
the browser will include the cookie in every subsequent request to the server.

18
00:01:16,320 --> 00:01:20,540
This time, when Identity inspects the incoming request looking for

19
00:01:20,540 --> 00:01:23,660
an authentication cookie it'll find one.

20
00:01:23,660 --> 00:01:27,300
The user information stored in the cookie is then decrypted and

21
00:01:27,300 --> 00:01:28,980
added to the request.

22
00:01:28,980 --> 00:01:33,510
This makes the user information available to the rest of the code that will run

23
00:01:33,510 --> 00:01:38,360
as part of processing the request and preparing the response to the client.

24
00:01:38,360 --> 00:01:41,840
Because all of the identity information is kept in the cookie,

25
00:01:41,840 --> 00:01:46,230
the server doesn't need to keep track of the users who are authenticated.

26
00:01:46,230 --> 00:01:48,990
The presence of the authentication cookie alone

27
00:01:48,990 --> 00:01:51,910
is what determines if a user is signed in to our web app.

28
00:01:53,170 --> 00:01:57,785
In order to process incoming requests and modify outgoing responses from your

29
00:01:57,785 --> 00:02:03,035
ASP.NET web app, identity provides a set of OWIN middleware components.

30
00:02:03,035 --> 00:02:07,840
ASP.NET applications are built to run on a web server.

31
00:02:07,840 --> 00:02:11,260
A web server is a special type of application.

32
00:02:11,260 --> 00:02:15,460
Web servers listen for HTTP requests and host websites and

33
00:02:15,460 --> 00:02:21,560
web apps which are used to process requests and prepare HTTP responses.

34
00:02:21,560 --> 00:02:26,010
Microsoft's Internet Information Services, or IIS,

35
00:02:26,010 --> 00:02:31,208
is a commonly used web server for hosting ASP.NET applications.

36
00:02:31,208 --> 00:02:36,280
OWIN is the Open Web Interface for .NET.

37
00:02:36,280 --> 00:02:43,080
OWIN represents a web server as two separate concepts, a host and a server.

38
00:02:43,080 --> 00:02:46,930
The host manages the startup of your web apps which includes selecting and

39
00:02:46,930 --> 00:02:48,510
starting the server.

40
00:02:48,510 --> 00:02:51,889
Once started, the server listens for HTTP requests.

41
00:02:52,900 --> 00:02:56,940
When you write code for OWIN, you write components called middleware.

42
00:02:56,940 --> 00:03:01,200
These are components that sit in the middle between the server and

43
00:03:01,200 --> 00:03:02,580
your web app.

44
00:03:02,580 --> 00:03:07,390
A series of middleware components are combined to form a request pipeline.

45
00:03:07,390 --> 00:03:12,608
When the server receives an HTTP request it passes it through the request pipeline.

46
00:03:12,608 --> 00:03:19,170
Each incoming HTTP request passes through each of the middleware components in

47
00:03:19,170 --> 00:03:23,958
the pipeline in the order that they were configured, before reaching the web app.

48
00:03:23,958 --> 00:03:28,730
After the web app has processed the request and created a response,

49
00:03:28,730 --> 00:03:32,830
the response then passes back through the pipeline in the reverse order.

50
00:03:34,100 --> 00:03:37,830
If the middleware component is able to fully process a request

51
00:03:37,830 --> 00:03:39,850
it can immediately return a response,

52
00:03:39,850 --> 00:03:43,365
short circuiting the remaining middleware components and the web app.

53
00:03:44,410 --> 00:03:48,730
When using OWIN, your code interacts with only the OWIN host and

54
00:03:48,730 --> 00:03:54,220
server abstractions instead of interacting directly with the underlying web server.

55
00:03:54,220 --> 00:03:58,940
This approach decouples your code from the specific web server that you use for

56
00:03:58,940 --> 00:04:01,280
development, testing and production.

57
00:04:02,420 --> 00:04:06,780
While it's possible for an entire web application to be written using nothing

58
00:04:06,780 --> 00:04:12,690
but OWIN middleware components, this isn't the approach that ASP.NET identity takes.

59
00:04:12,690 --> 00:04:18,570
As mentioned earlier, ASP.NET identity sits between your web app and the client.

60
00:04:18,570 --> 00:04:23,510
To make this possible, identity leverages OWIN middleware components to inspect

61
00:04:23,510 --> 00:04:28,100
each incoming request and to modify requests and responses as needed.

62
00:04:29,470 --> 00:04:35,142
By using OWIN middleware identity is also able to work with multiple frameworks including

63
00:04:35,142 --> 00:04:43,100
ASP.NET MVC and web API while supporting any OWIN compliant host including IIS,

64
00:04:43,100 --> 00:04:47,800
Microsoft's Azure Cloud Computing platform and self hosting scenarios.

65
00:04:49,110 --> 00:04:53,050
Don't worry if you find any of this information confusing.

66
00:04:53,050 --> 00:04:57,170
The important thing to remember is that OWIN middleware components

67
00:04:57,170 --> 00:05:01,880
are used to process incoming requests before they reach your web app.

68
00:05:01,880 --> 00:05:06,503
And they're able to modify the responses that are created by your web app before

69
00:05:06,503 --> 00:05:08,508
they're sent back to the client.

70
00:05:08,508 --> 00:05:12,383
We'll continue to revisit each of the key user authentication concepts and

71
00:05:12,383 --> 00:05:15,630
components throughout the remainder of this course.

72
00:05:15,630 --> 00:05:20,400
So don't worry if you feel overwhelmed or confused, you've got this.

73
00:05:21,480 --> 00:05:24,350
In the next step, let's review the Visual Studio solution

74
00:05:24,350 --> 00:05:27,000
that we'll be working with throughout the remainder of this course.