Implementing JWT Authentication in ASP.NET Core

Nick Chapsas

A day ago

Download the code: mailchi.mp/dom...
Check out my courses: dometrain.com
Subscribe to my weekly newsletter: nickchapsas.com
Become a Patreon and get special perks: / nickchapsas
Hello, everybody. I'm Nick, and in this video, I will show you how you can add production-ready authentication and authorization in .NET and ASP.NET Core with JWT tokens using a real identity service.
This video is sponsored by AWS. To get $50 free AWS credit, check out this link: aws.amazon.com...
Workshops: bit.ly/nickwor...
Don't forget to comment, like and subscribe :)
Social Media:
Follow me on GitHub: github.com/Elf...
Follow me on Twitter: / nickchapsas
Connect on LinkedIn: / nick-chapsas
Keep coding merch: keepcoding.shop
#csharp #dotnet

Comments: 91

@mynameisshadywhat 3 months ago
The first time in a long time I needed a refresher on this and this is the first recommended video, posted only 17 minutes ago. What sorcery is this, Nick?
@nickchapsas 3 months ago
I’m behind you
@willbo_ 3 months ago
(⊙ˍ⊙)
@aracon9721 3 months ago
It's called the YouTube algorithm *smirk*
@SunriseTequila523 3 months ago
@nickchapsas Do you have a course on SQL for EF Core developers?
@vornamenachname906 3 months ago
That's called a kind of P-hacking. You internally calculate "wow, how low was the chance that this specific channel releases a video about this topic now". But in reality you have many channels and probably many queries/demands. The chance that one of them is fulfilled by one of them is much higher.
@frossen123 3 months ago
2:30 "It's a piece of string!" 😄 love it
@AJIexa8 3 months ago
Great video! I would suggest that people who are new to JWT first learn the fundamentals of OpenID Connect and authorization methods like "Authorization Code Flow" or "Resource Owner Password Grant Flow". Once you understand the flow you will get that Cognito, IdentityServer4 or any other providers are just wrappers around this protocol.
@DustinKingen 3 months ago
I wouldn't recommend IdentityServer4 since it's no longer maintained. Instead use Duende IdentityServer (commercial) or OpenIddict.
@hero3616 3 months ago
The ROPC flow is obsolete and it should not be used unless your API and STS are on the same server.
@PhantomPhobos 3 months ago
Wish to see more on this topic. I started off by rolling my own ID server using OpenIddict; it was quite a rough start, first time learning the whole OpenID process 😅. A video on rolling your own ID server would be nice, even better if it's using OpenIddict. Still waiting for more videos on event sourcing too, I only see one on your channel; perhaps those are locked behind Patreon?
@Octopie18 3 months ago
The modern way to create JWTs is using the new `JsonWebTokenHandler` class, not the older & slower `JwtSecurityTokenHandler` class.
@nickchapsas 3 months ago
You are right. I used my old codebase for this video instead of the new one that used the WebToken one 🤦
@conniedecinko9245 3 months ago
We're using Keycloak for both Java and .NET apps
@DasBloch 3 months ago
It would be awesome if you could show how to support multiple authentication methods, like an API key together with JWT tokens. How do we correctly authorize endpoints and set up the auth?
@EduardLlull 3 months ago
I think you should comment that once you start using the AWS Cognito service, you don't need the "token generator API" anymore. In my experience, most developers' brains short-circuit when they try to understand OIDC, and some may think they still need the API even after they start using Cognito because they don't understand how it works.
@tomtoups 3 months ago
Changing the first letter "e" is not a good test for whether the JWT is working, because the "e" is the base64 character for the open brace "{" of the JSON. That's why all JWTs start with an "e". It could be failing because it's not a valid JSON fragment.
@SlyEcho 3 months ago
They all start with "ey". It's like the Matrix, you start to see the code and recognize it if you look long enough.
@hero3616 3 months ago
I don't think the author knows the details.
@codecomposer88 2 months ago
You can always decode a base64 string. Nothing is secret about that. The point of changing the content of the token payload was to show that as soon as the payload is changed, the token is invalid because the content no longer matches the signature verification.
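The three points made in this sub-thread, shown as an added Python example (not code from the video): every compact JWT starts with "ey" because that is base64url of `{"`, the payload can be read by anyone without the secret, and changing either a claim or the leading "e" makes verification fail, for different reasons. It uses a symmetric HS256 key and constructed claims; an identity provider such as Cognito signs with an asymmetric key instead, but the structure and the tamper checks are the same.

```python
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed demo secret; a real key comes from configuration, never from source.
SECRET = b"demo-secret-not-for-production"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(payload: dict, secret: bytes = SECRET) -> str:
    """Build a compact JWS: base64url(header).base64url(payload).base64url(sig)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    signing_input = f"{b64url_encode(compact(header))}.{b64url_encode(compact(payload))}"
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def peek_payload(token: str) -> dict:
    """Decode the claims without the secret: the payload is only encoded, not encrypted."""
    return json.loads(b64url_decode(token.split(".")[1]))


def verify_hs256(token: str, secret: bytes = SECRET) -> Tuple[Optional[dict], str]:
    """Return (claims, 'ok') or (None, reason). The header must parse as JSON and
    the HMAC over 'header.payload' must match the third segment."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    head_seg, body_seg, sig_seg = parts
    try:
        header = json.loads(b64url_decode(head_seg))
    except (ValueError, binascii.Error):
        return None, "header is not valid JSON"   # e.g. leading 'e' flipped to 'f'
    if header.get("alg") != "HS256":
        return None, "unexpected alg"             # never trust alg from the token blindly
    expected = hmac.new(secret, f"{head_seg}.{body_seg}".encode(), hashlib.sha256).digest()
    try:
        if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
            return None, "signature mismatch"     # any edited claim lands here
        return json.loads(b64url_decode(body_seg)), "ok"
    except (ValueError, binascii.Error):
        return None, "payload or signature segment undecodable"


def tamper_payload(token: str, **changes) -> str:
    """Re-encode the payload with edited claims while keeping the original signature."""
    head_seg, body_seg, sig_seg = token.split(".")
    claims = {**json.loads(b64url_decode(body_seg)), **changes}
    return f"{head_seg}.{b64url_encode(json.dumps(claims, separators=(',', ':')).encode())}.{sig_seg}"
```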
@Paps526 3 months ago
Funny thing is that I made the exact same implementation with Keycloak yesterday for the first time.
@local9 3 months ago
This couldn't have come at a better time.
@aborum75 3 months ago
It's a good starting video on using an external IdP, but don't forget that what's shown here is the bare minimum. Also, notice that Nick is using a stand-alone UI (i.e. Postman or similar) to exchange the returned auth code for a set of tokens that's stored locally (Redis is a great option for these types of short-lived data); you'll need to build the exchange mechanism yourself, which is a fun little task. A word of caution: security is not something you should take lightly, especially in a public-facing environment, and you should never attempt to implement encryption algorithms unless you're one of the very few experts in the industry who work professionally on this topic.
@aracon9721 3 months ago
So pro-apprentices like me are probably still better off using Auth0?
@insteor 3 months ago
@aracon9721 Not only you, but almost everyone, except if you work in that Cognito team. As I've heard: never write your own logging and auth.
@justinassakalavicius4465 3 months ago
Great video! I would like to hear more about the other option you mentioned in your video: server-side applications with confidential clients.
@festussila8859 3 months ago
@nickchapsas Great refresher. I find it difficult to find a resource that outlines at length the ins and outs of security (providers, users, flows, scopes, policies, federation). As part of the courses offered on Dometrain, do you have a plan to do a comprehensive course on the subject?
@vintage8 3 months ago
Thanks, a couple of questions though: How should I sync the users to my DB with external ID providers? Should I store roles and permissions in my DB or in the external provider? And also, shouldn't the client secret be secret? I shouldn't use it in a SPA, right?
@MarvinKleinMusic 3 months ago
It would be pretty interesting to see how you can secure a Blazor app with JWT.
@codecomposer88 2 months ago
Same way as the API example in the video. The authorization feature for a Blazor component is decoupled from the authorization method. For example, for a product I made a Blazor app authorizing users with OpenID through Azure AD, but the components themselves have no idea HOW the user is authorized. They just allow access IF the user is authenticated and, in some cases, is authorized with certain roles. In this case the OpenID could easily be replaced with a simple login using JWT without changing anything in the Blazor components.
@LilPozzer 3 months ago
These Boots Have Seen Everything
@paulguk 3 months ago
I much prefer jwt.ms over Auth0's decoder. Much simpler page, and it also decodes the iat and exp values etc.
@vasilyh4588 3 months ago
What about role checks during an API call?
@christianschieder3140 3 months ago
I'd like to see something similar also showcasing the approach via Azure (if possible, not sure). And maybe also with a more restrictive configuration (if possible, of course), like enabling Google or Facebook login, where you can customize which Google emails can register, restricted to a specific domain. Or for the Facebook side, enabling registration for specific users (of course, if possible). Otherwise, again a nice lecture; I enjoy your videos, keep it up 👍
@hero3616 3 months ago
It's called B2C in Azure and it's free up to 50K users.
@margosdesarian 3 months ago
Hey Nick, can you make a video about which is the nicest butter?
@petewarner1077 3 months ago
Let's demand a #buttercop series in which Nick takes a look at terrible butter advice posted on LinkedIn and signs off with "But now I want to know about you.... which butter do YOU think is the nicest butter? Are you using butter in your applications? Or a healthy low-fat substitute?"
@hristoivanov6436 2 months ago
Nice video! Could you show us S2S auth process?
@checox1909 3 months ago
Nick which SO do you use?
@kidsam27 3 months ago
Have you ever considered or compared this to something open source and self-hosted like Keycloak? I've used it in a couple of projects and it has pretty much all you've showcased, but it's a bit more quirky.
@PelFox 3 months ago
Keycloak follows the OIDC/OAuth2 protocol and comes with lots of identity providers, user management and roles. It's a complete solution compared to this example, which just creates a JWT token from hardcoded values.
@SuperAndrea000000 3 months ago
It would be awesome if you could make a video about how to implement a refresh token mechanism in my API project. My API issues a JWT with a refresh token, but when the browser makes multiple requests in parallel, sometimes they fail because the first one refreshes the JWT, while the others fail because the refresh token has already been used. It would be nice to see how you'd solve this problem.
@hck1bloodday 3 months ago
Maybe implement a retry mechanism on the frontend?
@ibnfpv 3 months ago
What about the user in the DB? Managing additional data that you don't want to expose in the JWT? How would you merge the auth flow with real application needs, like the current user in a request context, gathering additional info from the DB and so on, as best practice from your perspective?
@Arshaad786000 3 months ago
Cool. Could you show us how this would work with the Microsoft Identity tables in SQL?
@alanis4AL 3 months ago
When I see you doing it, it seems graspable. Why does everyone else claim that authentication and authorization are the holy grail of programming? Concepts so difficult to grasp that you need a doctorate degree!?
@cocoscacao6102 3 months ago
It's poorly documented in certain areas, and I've found most of the answers digging through stack overflow. Concepts aren't that difficult, but implementation in .NET can be a she-dog...
@diadetediotedio6918 3 months ago
I never saw anybody saying it is "the holy grail of programming", but it is a difficult problem, yeah.
@maskettaman1488 3 months ago
Because the hard work is being done for us by people that know a lot more about it than we do. It's effectively lego-by-design specifically because it's so hard to get right.
@ezekielgallardo8385 3 months ago
Can you show an example of this using Active Directory?
@the_arch 3 months ago
Any chance of making a video for integration with MS Entra SSO?
@phillipkatete634 3 months ago
Is there a way to add users to the cognito service (rather than users having to enrol)?
@mibli2935 3 months ago
Yes (if I understood your question correctly). Log in to your AWS, find the Cognito service, create your user pool, and in the "Users" tab you can do just that.
@yaroslavsolodyankin928 3 months ago
Does Dometrain have any support? What is the problem with the video player?
@TheCodeCreator 3 months ago
JWT can also be used in simple ASP.NET Core web apps (no APIs), right? Thanks.
@rennasccenth 3 months ago
Ok, this BG3 reference got you one more like. Are you happy now???
@nickchapsas 3 months ago
What an absolute banger of a game
@chrisstephens2694 3 months ago
A really clear and concise explanation, as usual! It would be good to see something similar but utilising Entra ID rather than AWS Cognito.
@SILASGAH 3 months ago
Not sure if I am the only one or not, but kindly take your time when talking; you seem to be extremely fast when talking. You are educating us.
@SuperLabeled 3 months ago
"Trust me" Famous last words :) But in all seriousness, could you use something like this to authenticate your application? Basically making it not possible for anyone outside of your hosted domain to request data from the API?
@DisturbedNeo 3 months ago
CORS is better suited for that. You can set up a policy on your server to say "If a request comes from anywhere other than a specific URL, reject it", and then give it the URL of your client application so that only requests from your client application are let through.
@lexmadur 3 months ago
@DisturbedNeo From what I understand about CORS, it cannot be used to authenticate your application. CORS is only relevant within a browser's JavaScript: the browser reads the CORS headers from the response and raises the error if the URL doesn't match the one in your address bar. Anyone can still make a request and get a response with curl or any other API tool.
@hero3616 3 months ago
@DisturbedNeo CORS has nothing to do with the server side.
@mhDuke 3 months ago
Definitely make a video for service/machine/server authentication. Duh! Uh, I mean please :)
@I-PixALbI4-I 3 months ago
What do you mean "Production Ready"? I already implemented JWT to PROD using knowledge from your previous video about JWT! o_0
@nickchapsas 3 months ago
Maybe production ready isn't a good term for this. I wanted to say that we're integrating an independent identity service which is what most modern production apps are using. Maybe "Modern" is better
@izobrr 3 months ago
Who else felt odd when Nick wrote just 60?
@lylobean 3 months ago
Don't think when making an advert video he could do 69.
@sachinmaharjan6398 3 months ago
Hi Nick, could you make a video about the Ocelot API gateway with Scalar.AspNetCore?
@VanDameDev 3 months ago
I'd suggest using YARP instead..
@sachinmaharjan6398 3 months ago
@VanDameDev Can YARP be integrated with Scalar for centralized API docs?
@VanDameDev 3 months ago
@sachinmaharjan6398 If you include Scalar in the API gateway (YARP) project, I don't see why not.
@vornamenachname906 3 months ago
I'm really wondering why you repeatedly confuse classes and functions, e.g. at 3:16 and also in other videos.
@lucianbumb6690 3 months ago
I don't know how other people feel about your way of speaking, but I feel tired after listening to you for 5 minutes. In my opinion quality doesn't mean 100 words per minute. In the past your explanations were more human than now. Hope you understand my feedback.
@InfernalPoetry89 7 days ago
Slow it down, YouTube allows it xd
@JacobGlanz1234 3 months ago
You’re not explaining what anything means, you’re effectively showing how to copy paste your code
@nickchapsas 3 months ago
There are 500000 videos explaining JWT including mine. Watch those. I just wanna show the implementation
@maskettaman1488 3 months ago
You're missing the point of the video if you're expecting a dive into how JWT works.
@Paps526 3 months ago
@nickchapsas I would explain what MetadataAddress is; I think this has a key role in this approach.
@molanlabe6543 3 months ago
My gosh, you use so many words to convey so little information.
@CharlesBurnsPrime 3 months ago
".NET does not have native JWT integration, so you have to install a NuGet package..." is said like it is a negative thing, but it is a positive one. Why would the core library have support for a specific auth mechanism, of the hundreds that have come and gone?
@nickchapsas 3 months ago
It’s not said as a negative thing. It’s said as an observation
@Otto-the-Autopilot 3 months ago
Also the package is still from Microsoft themselves, thus you don't have to rely on some 3rd party library.
@hero3616 3 months ago
Azure AD (Entra) B2C is way better than Cognito
@rohitm8814 3 months ago
too fast man!!!
@richardrawson381 3 months ago
`var key = "sdfafas"u8;` just to learn this notation was worth watching the video 🙂