Adding JWT Authentication & Authorization in ASP.NET Core

  Рет қаралды 226,647

Nick Chapsas

Nick Chapsas

Күн бұрын

Пікірлер: 189
@nickchapsas
@nickchapsas Жыл бұрын
Just a heads up. Roles and advanced feature are intentionally left out of this video because I will do an advanced and best practices follow up video. Keep coding!
@maskettaman1488
@maskettaman1488 Жыл бұрын
Looking forward to that one!
@jfpinero
@jfpinero Жыл бұрын
You should do a RBAC vs ABAC video and their uses.
@PGWalkthrough
@PGWalkthrough Жыл бұрын
I have an interesting question, can we use auth0 just for authentication then if user is authenticated when they hit our api we add our own api custom claims to the token to handle authorization?
@randomphilic27
@randomphilic27 Жыл бұрын
Looking forward to that one actually! Please do explain and show roles implementation in detail
@StefanOstojic98
@StefanOstojic98 Жыл бұрын
Can't wait! :D
@matasbernotas5036
@matasbernotas5036 Жыл бұрын
I think more topics about authentication and authorization in general would be great! Its necessary for nearly every project these days but there is so little good content online or and written by unknown people that you are not sure if you can trust!
@axelbreekweg
@axelbreekweg Жыл бұрын
There are plenty of videos out on this topic, yet your teaching style I find best. Please continue this topic also explaining how to refresh the tokens!
@spori858
@spori858 Жыл бұрын
If it had been made 4 years ago, it would have saved me a lot of headaches. Now it was very refreshing and enjoyable.
@mikereznikov5521
@mikereznikov5521 Жыл бұрын
GOGO Nick! In postman, instead of adding header Authorization, having Bearer (space) token U may get the same results easier going to Authorization tab (1 left from Headers), choose Type Bearer Token and just past the token in the right panel
@DeophobicMind
@DeophobicMind Жыл бұрын
can't believe I've been your subscriber all this time until I needed this video. By far the most concise explanation I've seen about jwt implementation.
@skylolo1101
@skylolo1101 Жыл бұрын
Great content as usual Nick! Keep it up and yes, please show us how you would do refresh token (I already implemented it but I find your implementations always cleaner and well thought of). Thanks! PS: maybe you can show how to add multiple Identity providers (facebook + google + custom) all at the same time.
@timothyapolinario5003
@timothyapolinario5003 Жыл бұрын
up
@dsowa
@dsowa Жыл бұрын
Instead of using an additional policy or attribute, i would suggest to add the custom claim "admin" as a "role" claim: var claims = new List() { new Claim(...), new Claim(...), new Claim("role", "admin"), new Claim("role", "..."), Then the controller/actions can be protected by using: [Authorize]
@jfpinero
@jfpinero Жыл бұрын
This should go in a handler that is associated to the policy instead of hardcoding directly in the controller
@rankarat
@rankarat Жыл бұрын
I always thought this is the best and most basic approach.
@AthelstanEngland
@AthelstanEngland Жыл бұрын
I think he did say that but just used admin like this for ease.
@seba123321
@seba123321 Жыл бұрын
Finally full JWT tutorial. Thanks!
@vincentbergeron518
@vincentbergeron518 Жыл бұрын
A refresh token video would be coll. And also how to use JWT with asymmetric keys
@11r3start11
@11r3start11 Жыл бұрын
the refreshing part was always tricky for me, so Im interested in dedicated video A LOT :)
@rusektor
@rusektor Жыл бұрын
What is the code of TokenGenerationRequest class?
@nickandrews1985
@nickandrews1985 Жыл бұрын
Glad to see you mix it up a bit by going back to some of the basic stuff nearly every application needs. I've used JWT authentication in a few apps, but I learned a few new tricks from this, thanks Nick!
@rustamhajiyev
@rustamhajiyev Жыл бұрын
If only you could give us OpenIdDict series. There is almost no content on this topic. I believe a lot of people will appreciate it :)
@rapzid3536
@rapzid3536 Жыл бұрын
I was shocked at how sparse the OpenIdDict documentation was.
@NoName-1337
@NoName-1337 7 ай бұрын
Thank you for this video. It was a great help for beginning with this topic. Would like to see some deep-dive videos into this topic.
@mehrankhan5410
@mehrankhan5410 Жыл бұрын
Hey Nick, thanks for this video and it would be far better if you make a video about the implementation of OAuth
@lennarthammarstrom1321
@lennarthammarstrom1321 Жыл бұрын
An advanced feature that I've seen a million ways that would be awesome to see you discuss would be how we can do "Enterprise Isolation". What I mean with this is that say that we have a SaaS where an "Enterprise" can have a subscription and manage their own details. For the sake of simplicity the developers want to have one shared database for all customers, which makes setup easy but it's equally dangerous because were just one missing .Where(x => x.EnterpriseId == _userEnterpriseId) from exposing other customers data. How would you setup that sort of thing? For example query filters in EF are awesome, but they don't help when patching / adding items.
@local9
@local9 Жыл бұрын
Perfectly turned up just when I needed it.
@magicspider8
@magicspider8 Жыл бұрын
I am doing this with okta but I use a combination of middleware and filter to programmatically add the policy to the Controller/Action. I was able to inject javascript to swagger and add the header programmatically to curl so that you don't have to use the swagger authorize UI manually.
@VahidRassouli
@VahidRassouli Жыл бұрын
Thank you Nick, great video as always! It would be great also to have a video about Refresh Tokens too. Thanks
@meowaves
@meowaves 3 ай бұрын
Thanks Nick, very useful and thorough explanation
@femus03
@femus03 4 ай бұрын
Great video and JWT Auth explanation. Thanks for the work
@VaragornX
@VaragornX Жыл бұрын
Great timing my dude! Want to implement JWT in my app atm.
@zagoskintoto
@zagoskintoto Жыл бұрын
Great video. What about api keys? Is there a clean way to have an endpoint require jwt auth, another having api-key auth requirement, and have both for the rest? An example of this would be great! I've done same like these in the past but never found a clean way to do it. I've tried looking into making an auth handler to implement permissions and having the api key be a permission but can't seem to get it the right way
@VapidLinus
@VapidLinus 10 ай бұрын
Did you find a solution for this use case?
@dmitri2366
@dmitri2366 Жыл бұрын
This came just at the right moment!
@itaccount1993
@itaccount1993 Ай бұрын
02:23 - defaults 04:07 - jwt settings in appsettings 05:47 - add authorization. Put UseAuthentification after httpsRedirection and before MapContollers 06:20 - withoud tag Authorize - it will not work 08:42 - разграничение, для одних методов чекать авторизацию, а для других нет 10:10 - Policy 12:16 - custom attribute 14:32 - handle in minimal api 15:26 - swagger support
@idrisAkbarAdyusman
@idrisAkbarAdyusman Жыл бұрын
Nice video! i'd love to see the video for the refresh token as well
@arcevico
@arcevico Ай бұрын
I'm confused...So its not a good practice to use the id_token when calling a API, it should be the acess token right?
@raphaelyaadar1645
@raphaelyaadar1645 Жыл бұрын
Great video!. Kindly show us how to refresh token as well. Thanks in advance
@abhishekjadhav9289
@abhishekjadhav9289 3 ай бұрын
Thanks. You are a great teacher. If you speak a little in slower pace it will be easier for some people including me to grasp every piece of information. Just a suggestion...
@georgekalokyris
@georgekalokyris Жыл бұрын
Great video - thanks Nick. Refresh token video please :)
@hevymetldude
@hevymetldude Жыл бұрын
Would be cool if you show in one of the next videos how to authenticate against Azure AD and lock down a Web-Application, so only users can use it when they are member of a specific group. :)
@Dustyy01
@Dustyy01 Жыл бұрын
Very nice video to teach the concepts🎉
@jeroenvanlangen8953
@jeroenvanlangen8953 11 ай бұрын
I didn't get the names of where to store the keys instead of the configuration? (did you say aws secrets manager?) What would you use to store those keys for a local project?
@Lidemann92
@Lidemann92 Жыл бұрын
I needed this video 4 days ago 😅 Do one for refreshing tokens aswell
@Cornet435
@Cornet435 Жыл бұрын
you could mention about Roles, for example Authorize(Roles = „admin”)
@fonskeee
@fonskeee Жыл бұрын
Thats the old way, now you better add the role as a claim to your policy, that way its mutch better to manage when your application grows or if some authorization stuff changes you just need to do it in one place
@ernestop74
@ernestop74 2 ай бұрын
Hey, thanks for this video. It was awesome. I have a question. I'm kinda knew using net core. I made a classic mvc app and I tried to protect my app putting an authorize decorator in all the controllers, but even when I'm logged in I can't access the controllers. I don't know if it's the way I'm invoking them. I have a menu with options and each option is an anchor html tag, where I use the tag helpers asp-controller and asp-action. Any thoughts?
@kudorgyozo
@kudorgyozo Жыл бұрын
Source code would've been nice!
@mayureshs80
@mayureshs80 Жыл бұрын
Nice basic video. Would love to see refresh token video.
@kippie86
@kippie86 Жыл бұрын
Hey Nick, Is there a specific reason why you use a custom claim and policy for your admin users instead of simple role based authorization? Or was this just done for the sake of showing off the custom policies?
@nickchapsas
@nickchapsas Жыл бұрын
It’s for the sake of showing off custom policies. I’m trying to have a basic barebones video so I can later do an advanced one that will show those
@timcesar1
@timcesar1 Жыл бұрын
Thank u for sharing this topic looking forward to more advanced options using this
@BrettManners
@BrettManners Жыл бұрын
Would be good to see how auth and Blazor WebAssemble play together :-)
@JohnnyCoRuyzo
@JohnnyCoRuyzo Жыл бұрын
I have the same interest, couldn't make it work
@iamaashishpatel
@iamaashishpatel Жыл бұрын
Is the sample source code available on GitHub?
@UmutDereWork
@UmutDereWork 3 ай бұрын
I like to see a new video about authorization & authentication topics on .net 8
@atdevdiver
@atdevdiver Жыл бұрын
JSON Phonetically JAsonWebToken - JAWT Some will then tell you it is actually JOT that just makes no sense at all I think it just confuses people and we should all just say J W T As to your question, I think we all want to see a video for Refreshing tokens. Thanks for the awesome videos Nick
@Naithe
@Naithe Жыл бұрын
very helpful. would very much like to see more about this topics like refresh
@julienraillard3567
@julienraillard3567 Жыл бұрын
Thanks for this wonderfull new video as always ;) I really would like you to show an implementation of refreshing JWT stored in any vault you want if it is possible :D
@JamesSecretofski
@JamesSecretofski Жыл бұрын
you can actually set auth bearer token in authorization tab in postman. just saying
@pwsh_supremacy
@pwsh_supremacy 7 ай бұрын
straight to the point. thanks!
@francisgauthier4160
@francisgauthier4160 Жыл бұрын
Hi Nick very nice videp, please make a video about the refresh token. I am currently implementing this on a projet!
@irfanshaik1302
@irfanshaik1302 3 ай бұрын
This is super helpful. Thanks!
@diyar9641
@diyar9641 23 күн бұрын
Is the Match method from OneOf library?
@cheynelothering7461
@cheynelothering7461 8 ай бұрын
As what did you declare the CustomClaim in your TokenGenerationRequest ?
@loganyoung228
@loganyoung228 5 ай бұрын
So authentication/authorization works on the api via an Identity provider. Fine, I'm okay with that. What I don't understand is how is my client application, say a razor pages app, supposed to work with this? I send a username and password to my API to login, the API returns the token and we're all great. What do I do with it then? I can embed it in an HttpOnly secure cookie, but that isn't enough to authorize the user to perform actions on the razor pages app, right? So how do I configure my app to use the token from the API to infer authorization status of a user?
@indiefold
@indiefold 9 ай бұрын
Thanks for this video! Was missing the correct issuer url in my case.
@yupii1997
@yupii1997 Жыл бұрын
Hey Nick great video as always . I would love to see your approach for JWT tokens for implementing where a user can perform update and delete operations only for posts that are created by them.
@pemifo260
@pemifo260 4 ай бұрын
We want to see a video about refreshing tokens!
@testtest-c4z
@testtest-c4z Жыл бұрын
What is the difference between Claim and Signature? what does each one reference?
@rrkatamakata7874
@rrkatamakata7874 Жыл бұрын
What about asymmetric encryption. What is the best practice for api projects.
@VladyslavHorbachov
@VladyslavHorbachov Жыл бұрын
Can you make a video about refresh tokens? It would be great ❤
@Otonium
@Otonium Жыл бұрын
Good video and it world be nice to have a video about refreshing
@alisonhj
@alisonhj Жыл бұрын
Hello! Thanks for sharing this video! Would you also be willing to share the Github repo for this examples as well?
@DaminGamerMC
@DaminGamerMC Жыл бұрын
Hey Nick, do you recommend using blazor for frontend?
@josephh8117
@josephh8117 Жыл бұрын
I already have oauth as my default authentication scheme for this one dotnet core app, can I tack jwt on to that?
@georgekon2007
@georgekon2007 Жыл бұрын
Did you ever use OpenIddict ?
@ahmedma527
@ahmedma527 Жыл бұрын
Thanks for the great video. I have one question. Why can't a hacker get the token from the network tab like any developer, but in the production environment? I know it is not possible and it would have been a disaster but why? Thanks again.
@KhaUh
@KhaUh Жыл бұрын
can we do refresh tokens too? i would like to know if some implementation i used is a good one
@jeroenvanlangen8953
@jeroenvanlangen8953 11 ай бұрын
It looks like a lot boiler plate code. There are not standard components for this?
@AddictOfLearning
@AddictOfLearning Жыл бұрын
Please add video to security refresh tokens
@fifty-plus
@fifty-plus Жыл бұрын
I think it's time we stopped pushing JWT now we know better and have done for some time. That said, the functionality within netcore for authetication and authorization are quite nice.
@buusouza
@buusouza Жыл бұрын
Hey, how would we do that in a azure function? i'm struggling with that
@0x4b55
@0x4b55 Жыл бұрын
No word on [Authorize(Roles = "Role1,Role2")] or User.IsInRole? ... which maps to the (default) role claim in the JWT
@levmatta
@levmatta Жыл бұрын
How to manage the token in JavaScript? How to make external complements use the token and be resistant to refresh. Thanks
@Hantick
@Hantick Жыл бұрын
Guys what would you recommend where i have role per resource (entity in table) which can be created by any user but then only Owner of entity can perform delete, update etc. For now I have just database call validating if user has Owner role in the resource, but wondering if there is better approach
@boommonkey111
@boommonkey111 Жыл бұрын
we used IdentityServer now moving over to OpenIdicct... massive pain in the ...
@hanaasihanish
@hanaasihanish Жыл бұрын
Hey, Can you make a video on Identity API
@TimmyBraun
@TimmyBraun Жыл бұрын
Minimal API with FastEndpoints FTW!!
@JohnnyCoRuyzo
@JohnnyCoRuyzo Жыл бұрын
It's posible to have both identity validation for login UI and JWT authorization? I was trying this last weekend, and couldn't make them work at the same time. Love your content 🤙🏻
@pramod.kulkarni9607
@pramod.kulkarni9607 Жыл бұрын
Make a advanced video indetail on the refresh tokens and specially what will happen to the token then user logsout please I will be waiting for this video
@PelFox
@PelFox Жыл бұрын
When do you really create and manage this yourself compared to using oidc providers like IDS or Auth0?
@nickchapsas
@nickchapsas Жыл бұрын
Everyone Nick has worked with, ever
@maherhujairi1601
@maherhujairi1601 Жыл бұрын
i would have done by having the initial service implement the handler too and this way to can add this new pattern into the existing code until you need a real reason why it has to be it's own set of handler classes .. this way you can introduce this pattern into an existing code without having to through the code you already had.
@cburys
@cburys Жыл бұрын
hands down the best explanation online. ty sir!
@hakanfostok2547
@hakanfostok2547 Жыл бұрын
Hi Nick, you always say the link to the code in the description below, but sorry, I have never seen a link to the code in the description in any video, Am I miss something?
@stanislavmasa3707
@stanislavmasa3707 Жыл бұрын
Thanks for the video! Will you do some auth videos about Blazor WASM in the future? What about some resource-based authorization?
@emilyanapenarandaanagua3529
@emilyanapenarandaanagua3529 7 ай бұрын
Hello! Love the video, I am introducing myself with it, I have some doubts about the project of Identy.API Someone has the code source or can explain how implement it?
@radekfilonik639
@radekfilonik639 Жыл бұрын
We need RefreshToken video ❤
@Krummelz
@Krummelz 10 ай бұрын
Why would you HAVE to move to an identity provider if you could just issue your own tokens?
@abdelmoumenbenaida8037
@abdelmoumenbenaida8037 Жыл бұрын
@nickchapsas Can we have source code used for this video ?
@JoeIrizarry88
@JoeIrizarry88 Жыл бұрын
The purpose of this video wasn't JWTs, HOWEVER, I think it's worth mentioning that no one uses symmetric keys with JTWs in the real world (like it shown here), it's always asymmetric. The importance is that when you build your API you do NOT need to protect the public key used to verify the signature which greatly simplifies the implied complexity mentioned here to protect that key. In practice the public keys for modern token validation are publicly accessible at the .wellknown endpoint, there are multiple keys, and they are rotated. Otherwise, great video!
@pickle1987
@pickle1987 Жыл бұрын
"no one uses symmetric keys" well it depends on your application needs, symmetric key encryption algorithms are there for a reason (simplicity, performance, speed...), also asymmetric encryption is usually implemented in upper layers (ex: https, wss, grpc..)
@JoeIrizarry88
@JoeIrizarry88 Жыл бұрын
“no one uses symmetric with JWTs” - in other contexts (non-JWTs), symmetric keys are still used widely.
@ghkpr
@ghkpr Жыл бұрын
Hey, Thanks for the great video, easy to follow, straight to the point. Would be nice if you could make one about refresh tokens.
@acmesoft
@acmesoft Жыл бұрын
Can you make a video with Blazor WASM with Cognito Authentication thats uses groups to profiling the app content? Thank you!
@nelsonrivers8546
@nelsonrivers8546 Жыл бұрын
Can you show how to "Refresh JWT Token" ?
@carlosbaptiste2062
@carlosbaptiste2062 Жыл бұрын
@Nick could you do a video on a hybrid approach? Oidc like Okta/Auth0 for authentication (AUTHN) and local claims for Authorization (AUTHZ)
@birukayalew3862
@birukayalew3862 Жыл бұрын
NIck a great video!! can you show the authorization using permission based please?
@alexandershubert573
@alexandershubert573 Жыл бұрын
Thank you indeed!
@gabrieldai88
@gabrieldai88 Жыл бұрын
I have a problem in my API when not sending the token, instead of 401 i'm getting 500. does anyone knows why that happens?
@gp6763
@gp6763 Жыл бұрын
Wait, we can use the James Webb Telescope to authenticate ourselves? 😅
@GlebWritesCode
@GlebWritesCode Жыл бұрын
One of the previous projects' lead insisted on storing user data inside the token as separate claims. Stuff like email, phone, country of residence. The reason was - not to query the DB (speed optimization). Is that a good idea? What if your phone changes and youre using the token with old data?
@FurqanaFathuzzaman
@FurqanaFathuzzaman Жыл бұрын
This might no longer relevant to your old question, but how often do you need phone number. It might make sense if EVERY endpoint you have require phone to be validated or have a use of it. Otherwise claims should carries only the minimum info needed. As for phone changes (in the case that you REALLY need it in the token), how often does it change? Remember that JWT is usually short-lived, so it should refresh on the next one.
@GlebWritesCode
@GlebWritesCode Жыл бұрын
@@FurqanaFathuzzaman we needed phone number and email for quite some calls. As for a token - I don't know if it's best practice, but for this system it was not 5 minutes
@FurqanaFathuzzaman
@FurqanaFathuzzaman Жыл бұрын
@@GlebWritesCode There are also other techniques such as caching if you simply don't want to hit the database often.
@GlebWritesCode
@GlebWritesCode Жыл бұрын
@@FurqanaFathuzzaman My thoughts exactly. Its much easier to update too
@onlycode8100
@onlycode8100 Жыл бұрын
Now waiting for Refreshing Token because without it this is only half implementation :)
@grzegorzr3621
@grzegorzr3621 Жыл бұрын
Great content. How to solve the case when the endpoint is accessed by the admin or the owner of the resource (move), e.g. downloaded from the DB?
@jfpinero
@jfpinero Жыл бұрын
Associate a handler to the policy that checks the role in the claim with your determined list of allowed roles for the resource. You can also look up resource based auth.
@Hantick
@Hantick Жыл бұрын
​@@jfpinero what if we also have roles tied to a resource. In example for application user has "User" role but in the resource it is Owner or Participant, where only Owner can perform Update, Delete actions ? Claims seem to be too much complicated to keep relationship between user roles and resources. For now i just make a call to a database to check if user X has role Owner in entity A
Implementing JWT Authentication in ASP.NET Core
23:51
Nick Chapsas
Рет қаралды 42 М.
FOREVER BUNNY
00:14
Natan por Aí
Рет қаралды 32 МЛН
The Logging Everyone Should Be Using in .NET
15:34
Nick Chapsas
Рет қаралды 85 М.
The Fix For Your Database Performance Issues in .NET
9:12
Nick Chapsas
Рет қаралды 51 М.
Why is JWT popular?
5:14
ByteByteGo
Рет қаралды 338 М.
Don't throw exceptions in C#. Do this instead
18:13
Nick Chapsas
Рет қаралды 262 М.
Forget Controllers and Minimal APIs in .NET!
14:07
Nick Chapsas
Рет қаралды 77 М.
NVIDIA’s New AI: Stunning Voice Generator!
6:21
Two Minute Papers
Рет қаралды 95 М.
Brutally honest advice for new .NET Web Developers
7:19
Ed Andersen
Рет қаралды 263 М.
Move Cross-Cutting Concerns Where They Should Be in .NET
10:21
Nick Chapsas
Рет қаралды 28 М.