The opinions in this post are obviously just my own, but they’re based on how the ASP.NET team have described the APIs, what other people think about the design, and my own feelings. My thoughts are predominantly based on the implementation as of .NET 8 preview 7. In my previous post I described the new ASP.NET Core Identity API endpoints introduced in .NET 8. In this post I look more at the design of these endpoints, the implications of using them, and finally, whether or not I think it’s a good idea to use them at all. This tutorial has been prepared for beginners to help them understand basic ASP.NET programming.
I’ll keep this short, because if you’ve read the post, you’ll know my feelings already. Fundamentally, I think baking a token endpoint directly into ASP.NET Core Identity is going to encourage people to use a non-standard, less-secure solution, when we have many good alternatives. By using the Identity APIs and directly sending a username and password to the backend, you’re strongly coupling your application to the backend. The Identity APIs were created on the premise that you want to add user accounts directly to an application. That feels like the simplest “grow up path” from not having any accounts, but the trouble is, it ties you strongly to this one approach. And in any realistic business setting, it’s likely not the approach you want.
This tutorial covers all the basic elements of ASP.NET that a beginner would require to get started. When a browser requests an ASP or ASP.NET file, the ASP engine reads the file, executes any code in the file, and returns the result to the browser.
You can add ASP.NET Core Identity and the default Razor Pages UI to your app by adding a few packages, updating your database schema, and registering some services. Because ASP.NET code is executed on the server, you cannot view the code in your browser. To host an app on an IP address, you need the SDK to use WebApplication.CreateBuilder.
Starting his career on CSC’s elite R&D team testing leading edge platforms, Matt learned the importance of establishing standardized processes for developing web sites. At Embarc, a leading builder of web presences for biotech companies, Matt rose from developer to Director of Technology and board member. He went on to build and run EditMe.com, winner of PC Magazine Editor’s Choice for wiki services, which was acquired by Wakefly in 2011. At Wakefly, Matt upholds a process-driven standard of excellence to deliver exceptional quality and value. ASP.NET is written using Object Oriented Programming languages such as C# or VB.net.
In defence of the Identity endpoints, the /login endpoint can be used in “cookie mode”. With this approach, you send a username and password, and the sign in process sets an authentication cookie (and doesn’t return a token), just like if you had logged in using the Razor Pages UI. If you’re interested in implementing the BFF pattern, Duende provide a self-contained solution based around IdentityServer. Alternatively, Damien Bowden has a plethora of templates and sample apps using different frameworks on his GitHub account which he keeps up to date. The compilation process also provides validation that all of the code is consistent. Interpreted languages would not identify this error until the code is actually run and tested.
Should you use the .NET 8 Identity API endpoints?
Websites and applications built with ASP.NET can be faster and more efficient than a website built with PHP, for example. ASP.NET applications are compiled, which means the code is translated into object code, which is then executed. This compilation process takes a small amount of time, but happens only once. After compilation, the code can be executed over and over by the .NET platform very quickly. There are plenty of good reasons to use ASP.NET when developing a website or an application.
In a similar vein, just as you can’t remove any endpoints, you also can’t change any endpoints. The current implementation has no facility for customisation, so if they don’t work exactly as you want, then you’ll need to implement the whole API surface yourself from scratch. Using the cookie implementation avoids the worst offender in the Identity APIs, but you still may want to reconsider whether the simplistic Identity endpoint approach is the best one to take.
Reasons you shouldn’t use the Identity API endpoints
But the key point I’m making here is that the pattern that the Identity endpoints use—send a username and password and get back access and refresh tokens—is not recommended. But it’s hard to say that this is a pattern you should be using these days, even in a “toy” application, when there are other (better) options available. Model binding is a powerful feature in ASP.NET Core that simplifies the process of handling data in RESTful APIs. It reduces boilerplate code, improves code readability, and enhances the overall development experience. By understanding the various use cases and benefits of model binding, you can build efficient and maintainable ASP.NET Core REST APIs that are easy to work with and extend.
and server code, using server code written in VB or C#. Web Pages is one of many programming models for creating ASP.NET web sites and web applications. V23.2 – our next major update – is around the corner (set for release in December).
Use Cases of Model Binding in ASP.NET Core REST API
Should you have any questions or need assistance from a member of our team, write to us at With our next major update (v23.2, set for release in December 2023), our assemblies will not be built against this target. As I noted, we will finalize our tests for all .NET platforms (not just WinForms and WPF) by release time (mid-December 2023). Actually, an ASP.NET Core app (using the web SDK to host to an IP) can be modified from a console app (which cannot host to an IP) by changing the SDK, so it doesn’t really make a difference.
- On most measures, option 1 (add ASP.NET Core Identity to your app and use the default Razor Pages UI) could be considered the simplest.
- These are all through the lens of OAuth 2.0/OpenID Connect, but they generally include more protections than the flows suggested by the Identity endpoints.
- ASP.NET is built on the Common Language Runtime (CLR), allowing programmers to write ASP.NET code using any supported .NET language.
- For line-of-business apps, your company likely already has some sort of single-sign-on central authentication mechanism.
- The latter points are problems that could feasibly be addressed in future versions of the Identity endpoints.
Here is a design mock up of what we are hoping to deliver (this is not included in the current preview build). We have enabled NuGet v3 support (nuget.devexpress.com) in test mode for eval purposes (before we officially ship this as the default method to consume NuGet packages in December). During this preview period, the UI used on nuget.devexpress.com will still display the URL for the NuGet v2 protocol.
As I described in my previous post, the Identity API endpoints are new in .NET 8, and are meant to provide an “API” version of the default Razor Pages UI. Interpreted code is not directly executed by the machine, but must be read and interpreted each time before being executed. Compiled code is usually faster and more scalable than interpreted code, and can do anything interpreted code can do. DevExpress engineers feature-complete Presentation Controls, IDE Productivity Tools, Business Application Frameworks, and Reporting Systems for Visual Studio, Delphi, HTML5 or iOS & Android development. Whether using WPF, ASP.NET, WinForms, HTML5 or Windows 10, DevExpress tools help you build and deliver your best in the shortest time possible. Whether the Identity APIs are otherwise suitable for your needs will depend very much on your requirements.