Want to master Clean Architecture? Go here: bit.ly/3PupkOJ Want to unlock Modular Monoliths? Go here: bit.ly/3SXlzSt

Bonus tip: the refresh token can be returned to the user by storing it in an HTTP-only cookie with the SameSite attribute set to Strict. This ensures that no JavaScript code can access the refresh token, which helps protect users from XSS attacks. The client app would call the refresh endpoint without needing the refresh token in the body, as the token is already stored in the cookie. However, implementing this requires the API and frontend to be on the same domain. To achieve this, I use a reverse proxy to map the frontend web app to the root (/) and the API to /api/. I'm still a student, so please feel free to correct me if I'm wrong (〃￣ω￣〃).

Almost no one created a video on how to build refresh tokens. Finally the video we needed!

Milan, you are my savior! I searched for a GOOD refresh token tutorial just a week ago, and you have finally done it! Thanks!

Love it! Actually implementing this right now. So this was right on time. Buy yourself a sljivovica 😂🎉

Awesome and useful content thank you Milan!

Best real world scenarios .Net channel!

Would love to see the UI flow of refresh tokens. Say I click Save on a page, call the Api, but my jwt has expired and I get the 401 back from the Api, what would the flow be on the UI side so it appears no different to the end user that a new jwt/refresh token had to be generated before calling the Api again trying to do the save

Great video! How we can manage to logout or force the unauthorized to the current bearer token that has not expired yet within the 10 minutes?

Why not using Keyclock or other alternatives ?

As all jwt have their expiry in them, why not check for expiry instead of waiting for the 401?

We did almost exactly the same thing EXCEPT, we use a secure httponly cookie to store the refresh tomen AND we rotate the refresh token (delete the old one and issue a new one) every time a new access token is requested. Why a secure httponly cookie? So it can't be retrieved via javascript using a malicious script.

curious, instead of storing the tokens in db, couldn't you just validate the jwt signature against a private certificate?

can you send git url for this project please ?

Why not use a guid for the token value?

I ran into a problem where every time I deploy the backend code, my users get signed out from the client. Is this expected? I thought as long as te token is still valid then you should continue being logged in.

Thanks for this video! Could you also show us how we should consume this kind of authentification in a Blazor environment? :)

How would this work in a webapp in that the user isn't calling refreshToken manually so how do you intercept the request if the accessToken is expired you'd need to replace it with a new one

I implement the refresh token exactly like this in my APIs.

Have you considered using redis to cache the refresh token instead of storing them inside the database? Also, love your content, keep it up.

How do you delete old used refresh tokens? Ideally it should be deleted when creating a new token paid for the user, so no one could use the old refresh token to get a new one. Video suggestion: show how to implement dynamic update of user claims using refresh tokens without forcing a user to re-login

Hi Milan! Thanks for the video-I really appreciate your work. However, regarding the refresh token implementation, I believe you’re missing a verification step to check for expired refresh tokens. This would ensure that the user has previously authenticated with their valid password. Additionally, the approach you demonstrated for cleaning the refresh token table could create issues when a user is logged in from multiple devices (for example, both a PC and a smartphone).

Can you make a video about HierarchyId and how to use it DDD

So I give the caller a very „timely limited“ accessToken (due to security reasons) but also gib him a „longer valid“ refreshToken the caller can use to create new tokens all the time😂 So if I „fear“ that the access token might get stolen (due to bad implementation of the caller/client) it does not increase security at all introducing a refresh token! Right?! OR probably I just did not get it! Another thing: it ist not a good pattern/style to create the primary key of a table (in your case the guid) in the code to set it than as the primary key of that row! This should be done by the (for example) SQL server! Because the database designs its indexes (eg primairy keys) with a tree and map and keeps therefore the guids „similar“! Generating own primary key guids breaks that and decreases performance!!

Could you please put the black friday discount back on the courses? I couldn't buy it because they hadn't paid me and now it's too late.

Hi @Milan

AWESOME!

Let's just take a moment to appreciate that he has his IDE configured to treat unused arguments as errors. Talk about YAGNI.

Day 50 How i am waiting Milian make your implementation OAuth2 without library ._.

"Multiple logins, multiple access tokens, how to invalidate the previous access tokens?"

I want to mention, there is no point of doing this if you are the authority and the user of the access token, other than to have revoking functionality. It is much simpler to create an access token that has 90 days of validity and let the user reauthenticate. Just having refresh token does not improve security by any means, and has no real security benefits if they are created and used at the same source.