No

Thanks to these videos I finally ACTUALLY understand how auth flow is supposed to work. About 3 years ago I thought it was as simple as sending post requests, hashing passwords, then sending back a session cookie (all done manually in poorly written PHP). I now understand when and why you should use certain levels of auth management and how to properly implement it (or when you shouldn't).

is he dancing i feel like he is dancing 😅😅

Thank you … not introducing unnecessary complexity into the stack is a skill I’m trying to improve. All the tools … All the shiny things

This is great video. I needed some guidance in its use cases. I'll watch it again to fully absorb it. Since I'm a visual person, can you please create videos like this using some diagrams? Diagrams would be immensely helpful in understanding topics like this. Thank you!

Jeez, finally a simple explanation of this holly mess of auth options! You helped me a lot to make make an informed decision on what I actually need for my app

thanks, you've just talked about my frustrations, thanks for clarifying it

Really useful explanation Anton. Thanks!

"need identity server" and "need an identity server" is quite confusing, as Identity Server is a product, but have a service/server for managing identity is a good idea always as it can be given it's own infrastructure that is more resilient and secure than the rest of your application, so even if you are doing simple email and a password hash for authentication, this should be compartmentalized and regardless of what technology you are doing authentication with

Nice to see you again, have to join the streams again ^^

I dont understand why this type of thinking is not more common in software development. Everyone always says "it depends" but never says what it depends on, they never seem to expand on why you should not use something.

great. spent a full day researching and copy-pasting tutorial code, repeatedly asking myself "do i even need this". i'm deving a spa app with a single database backend and probably some rest api in the future. guess this falls into the "no" category. thanks for this video :)

its good to see you posting regularly. As always great content, very informative.

Nice to see your videos again

Very useful summary!

I like this new format, happy to see you uploading regularily again! Couldn't agree more on the content

In my point of view. I think that the problem comes from net. I think there aren't a simple solution in order to implement a sso into spa and the team of Microsoft have to do more effort. No I don't need a identity server but what other settings exists in order to have a secure jwt into a web app with sso?

Nice video, nicer wall tag!

Great Explanation!!! Thank you

Great video, thanks for making it :) Btw what country is your accent from?

Unless you need go be a fancy Auth Provider that store your own data, then you don’t need one. Identity Server is hard to wrap your head around since there are so many use case mainly for bigger applications.

Thank you, this is exactly what I needed! I just have a question regarding sso for multiple apps in different subdomains. The apps are owned and developed by the same company, they are under the same domain but different subdomains. You mentioned that since it's not cut by domain its easy to implement sso without IdentityServer. Could you share how that could be done? Every solution I came up seemed like it involved a lot of custom implementation and I was wondering if I missed something.

Hi, What about solutions where you have one frontend and multiple backend services that this frontend consumes in which every service requires a user to be authenticated? Frontend X make requests to: Service A: Authenticating users and managing roles and permissions. (Authentication can be database, azure AD, etc.) Management of roles and permissions is custom Service B: Products service (only authenticated users from Service A can access) Service C: Orders service (only authenticated users from Service A can access) Service C communicates with Service B (validating product stock, etc.), so Firewall infrastructure can be suitable instead of client credentials flow. So, would I need Identity server for this scenario? If no, what can we use/do in such scenario?

Damn, you got a new camera man? Looks dope. Been missing hanging on with you on twitch though. Cheers!

Thank you!!!

bro, i like your wall😆

Hello, I'm happy to see you

The recent trend especially with ID5 is to move away from client side jwt due to token exfiltration and use server side cookie when possible.

i started your authentication and authorization series. i still didn't got what is the best case to use identity server 4. Just wondering have you correctly use in one your series

I got to say I almost got sea seek from watching how you rock left and right almost as if on the boat. Did any one tried to put some rap music to your videos? Otherwise great explanation, thank you so much.

Openiddict is another option. it's free OpenID Connect server library

this is gold

IMHO I think it would be perfect to use if you have multiple clients(e.g. Bank with multiple branches, e.g. Assume you own Google or Facebook ,etc xD), otherwise no need to add more complexity to your project,

Instant like for dancing

When you talk about Identity Server, do you mean the one from duende software? Or just the regular Identity Core library?

Can you provide sso without indentity server examples video?

Хорошо разложил. Жопа на стене тоже хорошая.

What about csrf attack?

Hi Great video. Just one question. If i have 3 services in .Net, Java and python. And Java and python need to validate jwt produced by .Net. Then do i need Identity server 4 as it can get public certificate from {domain-name}/.well-known/openid-configuration/jwks and can validate token or we implement our self. What are your thoughts on this

So if I have a WebAPI and Blazor ServerSide application, and only the frontend is public, I can use only .NET Identity for user authentication and that's it? Because the frontend fill communicate with API through local network only.

The life of IS4 support seems to be running out. IS5 is a paid solution. Do you see any alternative of a similar format? Azure B2C? Auth0?

Omg thank you, please explain this more.. if you Google API authentication, jwt pops up. my question is, if we are using jwt do we need refresh tokens? Do we write our own implementation of refresh tokens? Writing refresh token implementation is fishy because everyone implements it differently and I don't know what to believe anymore

it's like walking into a tech store. Do i need to buy this thing? No! Am i GOING to buy this thing? Yepp! So what has I learned? That I am going to use IDP. Not because I need it, but because i want it. So weak minded...

How are you? We missed you.

What about sticky sessions problem with Cookie authentication. If we scale up application then cookie auth creates problem. Because session data stored on one server and problem comes client request passed to other server.

I have an web api backend and blazor server on frontend. I have used jwt which works fine. However due to having blazor server at frontend it is impossible for me to have jwt refresh token working on the blazor server. If I had chosen identity server I wouldn't be in t this situation.

Can you do a series on cookie authentication with webapi and spa?

are you alive dude? do we need to make a standalone api microservice for authantication ?

Ok, so how do I get rid of my Identity Server? lol

Thank you! I have a question. I need to implement microservices app(back-end). I also have angular app(front-end). And i need to authenticate and authorize users. My mentor says me, that i need to implement authentication logic using IS4. But i dont see any sence to do that. My application will not allows third party application be integrated. How should i implemet authentication and authorization logic? (I want to use JWT)

Azure has out of the box OAuth solution.

Add dentityServer just in case :D

I'm only sure that the subtitles you don't write will help a lot of people.

Am I only see C# Rap Stand-up?..

Anton cool dawg 🦾🥰

👍🏽

Well, if *your* company needs an identity server, I think it is safe to say that at that point, you'll have a security expert employee, so *you* don't need to learn identity server 😉 On a more serious note, those videos helped me a quite a bit, since a lot of the things apply to the Azure's identity framework, which probably uses identity server in the background.

10 minutes stand up