52:27 I still think you're superman

No lie Tim. This authentication step nearly broke me. Fantastic video! Also thank you, comment section. Y'all saved me a couple times lol.

Hello Tim. It is me again. I have struggled to finish this lesson more then 3 days in row, JWT authentication did not work as it should. I started debugging session, and surprise it took me 3 days to make things working as you have in your lesson. I still don't know were my mistake was, but revert 2 last commits, started from scratch, and finally it works. It was not an easy experience, but it is a part of software development. I wish everyone do not have so long debugging session. )) I can continue follow you and hopefully I will catch you up in phase 3. Thank you.

Been waiting for JWT for almost a year! I know a lot of tutorials showing different ways of how to implement this, but I've been waiting on Tim's version since he explains why we should do it that way and how we can use it in our own projects.

13:50 Ohh my god! soo simple to find the users roles! Thank you soo much, i've been looking for that for ages!

Some checkpoints below Setting up JWT at 21:47 Setting up the Authentication in Startup.cs 49:10 Swagger Implementation at 1:00:45

This is great. JWT is explained in the best one could explain and understand. "Simply Perfect"

Great Tutorial Tim. I’m following the Timco retail course. This video helps me to understand the benefit of using dependency injection in that course. Thanks a lot.

Good work. I have found several of your videos very helpful. Thank you.

Thank you so much for this Tim. Great work!!! I can't wait for the addition of refresh tokens

For some reason the "var result = await response.Content.ReadAsAsync();" from the DesktopUI.Library.API.APIHelper could not quite fill the field "Access_Token" of AuthentificatedUser. Each of my attempt kept filling it with "null". After poking aroud for a bit, found out that the "ReadAsStringAsync" , on the other hand, would get me the desired token. Hmm, strange. Poked a bit more and ... Fixed my issue. It seems like the "_" of "Access_Token" was the source of the problem. Changed it to "Token" and everything went fine. Made me debug for few hours and dive into the code a bit more, had a blast! Once again, thank you very much for all this golden content, you ROCK !

Is just something in the way Tim explains things!

Excellent video. Covers all the key topics.

Thats a lot of documentation to read yamy!..... Thanks Tim. :)

If somebody gets " 'AuthenticationBuilder' does not contain a definition for 'AddJwtBearer' and no accessible extension method 'AddJwtBearer' accepting a first argument of type 'AuthenticationBuilder' could be found (are you missing a using directive or an assembly reference?)", include package Microsoft.AspNetCore.Authentication.JwtBearer, but use Version 3.0.0.

Hi Tim At ~ 04:35 when accessing '/api/product/' you are logged in with your credentials which is in the role 'Cashier' (which we added in the last video session), hence you are authorized. So to me it seems that we are doing authentication as we are supposed to. However, you state that we aren't - How come? If you at ~ 04:35 log out you will not be able to access '/api/product' which to me seems like the appropriate behavior. Am I missing something?

55:04 For everyone getting this failed msg (or something similar) "Exceptions caught: '[PII is hidden]'. token: '[PII is hidden]'." try increasing the lenght of your secret encryption password. In my case it needed to be atleast 1024 bytes so i just added some random words. Error is really unclear tho... but it did fix it

i like that ur making webservice secure via jwt, thats what im thinking of having for the soln im working on now. but there are many bits like refresh token that is needed to figureout., but i guess, your post confirm that jwt can also be used not just for sso/auth, but also for auth for web-api

I didn't get one thing. What did you mean when you said "We are not doing authentication at all" at 5:10 ? When you went to the "api/product" route at 4:30, weren't you already authenticated? And in the previous video we registered ourselves in the HomeController (Privacy method) and added all the roles in a cycle, didn't we? i'm confused a little bit. By the way, thanks for such a great course. You're great instructor and speaker. Even though English is not my first language, but i understand everything you're saying.

Hello Tim I skipped through a few videos after this one before I bothered you with this question, but it doesn't seem as though a possible bug was addressed. Logging in on the MVC page no longer works correctly after adding the JWT authentication codeblock in the StartUp file. After logging in it just loads up the home page with the options to register and login. You also can't use the controller routes since they require you to be authorized. What I find strange is if you comment out the JWT code block in StartUp and launch the API again you are already logged in as whichever user you tried to log in as when the JWT code block was active. Also just in case it matters you can log in to the WPF app just fine its only the MVC page that's giving the issue. I tried moving that particular codeblock higher on the order and I also downloaded your source code and created a user, but I still ran into the same bug. This is the first time I've dealt with Authentication and the first time I even heard of JWT, so while I've tried I have been unable to solve this.

"Let's get our swagger on" - I see what you did there :-)

Lol happy to see it's not just me 😂 Here's an idea for a video: setting up a STS using IdentityServer

Hi Tim, I am wondering why the exception (at 55:24) does not pop up in the code as for you did. In my case "Internal Server Error" is shown in the Login Form. Also, the console by default shows less info than yours. Please advise. Thank you.

Hi Tim, on the internet people say "don't roll your own auth". Is this video rolling your own auth? People say it so casually but they never say where the border is between rolling your own and not rolling your own. Does the process in this video fall under "not rolling your own" or do you need to go to something like Identity Server 4 to fall in that bucket?

I am a big fan of your videos :) cheers.

This was the most interesting lecture up until now in this series. Your lecture are amazing but WPF is so boring and dry(I am coming from angular and java-script) and I was waiting for asp core for so long. This lecture made that wait worth while. Can you let me know if you plan for security lessons sometime later? I am interested to learning how to make a secure banking type app without relying on third party packages.

When I added the non prerelease version (4.0.1) of swagger I could not add the using Microsoft.OpenApi.Models; using statement without getting a can not a reference error. I removed the non prerelease and installed the prerelease version (5.0.0-rc4) of swagger and everything worked as shown in the video.

Hi Tim! Great tutorial! I have a question: When we create a Web API using Individual User Accounts and add the [Authorize] attribute to our API methods, I am not able to call them without logging in first. What exactly does JWT Authorization add to security beyond what we already have? Thanks!

Hi Tim! Love your videos! I am having a issue that I am using .Net Core 3.1.3, and when running the application the same way you are doing, I cannot see the traffic that you are seeing in the console portion of the application. I only see information that is has started up and such. Do you know why or where to look for a option on adding this logging? All the information I find is basically on how to limit the logging, not adding that portion of logging. I appreciate any assistance.

Something that really tripped me up was _context.UserRoles. It was showing an error and I couldn't hit ctrl dot and add a using statement. In the end I manually added System.Linq at the top of the page and it worked. 👍

Excellent video, thank you

Did you need to use dynamic there instead of object? Maybe I missed where you used any members from the token.

Just a note on Microsoft.AspNetCore.JwtBearer. I tried to install the latest 5.0 version and it was rejected because it did not support .NetCoreApp 3.1. I had to specifically select the 3.1.0 package.

Great series,congrats. I've probably missed it but have gone through the tutorials in the series that deal with the web api side of things and I can't see endpoints for user/role creation/deletion. Can anyone advise on this please?

How do you get your field to automatically have the underscore in it? e.g _config instead of this.config as my VS does?

I apologize for a little critics but is it correct from REST point to name you endpoints like you did Tim? You mentioned CRUD operations and also you used capital letters. Maybe it’s me not understanding things correctly.

Error: CS1936 Could not find an implementation of the query pattern for source type 'DbSet'. 'Join' not found. Solution: Add "using System.Linq;" at top.

Thanks for the great tutorial Tim. I am new to WebAPI, and did not understand how the FormUrlEncodedContent passed from APIHelper mapped the values to the 3 parameters in Create method in Token Controller? Task Create(string username, string password, string grant_type)

hi Tim Thanx again for the wonderful videos.. I would like to know the name of the console like debug tool that you are using. thanx

Thanks Tim, Question, Secure Jwt token storage for client side for use in SPA is something which I have found difficult to come up with a clean secure solution. Using cookies, local storage, etc giving javascript access makes venerable to xss any thoughts. Maybe it is a different video.

Hi Tim! How do you authorize your APIs? Apart from jwt, do you use user/role claims? Will you make a video on this topic?

Hello Tim; would you mind doing a tutorial on Kestrel? I had to listen very carefully at what you were saying in this video, and try various interpretations of what you said (Castrol, Kastrol, Kestral..) I found a topic, but not really a way to install something?

Amazing tutorial, but I still don't understand a few things: Why did you only need to add JWT authentication to the server/API side? How does your WPF client store the JWT Token it got from the API? How does it attach the Token to the header of subsequent calls to the API after successful login? How does the API know if a user authenticated previously? (How does it store the login state of a user?) Are you storing Tokens in a database? Sorry that's a lot of questions but I'm just a little confused now :/

Newbies lesson learned in this video. Swagger is Case Sensitive. At 1:07:20 I get the same fetch error but no fail message from Castro. The problem was in my Startups.cs file : V in lieu of v was x.SwaggerEndpoint("/swagger/V1/swagger.json" is x.SwaggerEndpoint("/swagger/v1/swagger.json"

You have created token controller to create token and authenticate user detail.But from wpf client what you have used to access and store this token in wpf prject

Really Nice! One question, is mandatory to refresh the token?

Hello Tim. Thanks again for all your video. I'va also the error at minute 55:45 but me the UserId is null. Do you have an idea of what it could be?

The 'taxRate' from 'Web.config' of the old API was not transferred to the 'appsettings.json' of the new API. This leads to an exception during 'Check Out' when the 'taxRate' is fetched for verification at the back-end, by the API Library, in the 'ConfigHelper.cs' file. Please address this issue in an upcoming video.

Hi Tim, I stuck at 50:00 as my application show Internal Server Error message when I hit the Log In button. Could you help me with that? Also there is no Kestrel console pop up when I run the app.

Hey Tim, fantastic stuff! I asked early last year another video about my connection string not working while trying to work through that video but on .net core, it ended up being exactly the issue you had at the start of this! I'd given up and just hard coded it until now. Today I went through all these steps and got it working, but one thing i had to do was convert all my controllers and data access files from using static to newing things up, it took forever. What is the advantages/purpose of using non static over static in your dataaccess stuff? This was a ton of work to simply get the connection string working correctly, so i'm hoping I gained something else by converting over from static. Thanks again as always!

FWIW, I would love to see a straight forward video on Web API authentication. Something simple that is secure but doesn't involve Microsoft identity platform or Azure. And it should also show how to call that API as well. I'm having such a hard time wrapping my head around this, or understanding why .NET Core doesn't have an option to add the simplicity of individual accounts when creating Web API projects (which this video seems to be using). I will watch the rest of the video in the hopes I can learn more about JWT, but the video was a bit jarring because it appears to start out already in the middle of a project, and seems to focus on topics not related to authentication.

Hello Tim at 55:45 you captured `userId` and paste it to data base row. In my case a have got null in `userId` field, so my MPF not receiving token from the API. I am debugging 2 days. In the API token controller it is generate a token also you mentioned `program.cs` is consumer. But seems after API controller my generated token has null some were. I am not really experienced well, but I think something go wrong in `porgram.cs` in API project.

Thanks for the video. It is great to have a working template now with the authentication. This upgrading business can be really tricky though. I had a lot of problems with readAsync as I was always getting an error that http.net.formatting had a missing file. It is not easy to see what is actually wrong but finally I got it fixed by getting a Microsoft.AspNet.WebApi.Client nuget package in the UI project, even though it is in the library project where it is actually used. Kind of silly but at least I got it to work by doing that.

Thanks for the tutorial. I can get to the api/product in the first part of the tutorial, but I get an "Internal Server Error" when I get to minute 55: I've watched and rewatched the tutorial several times. I set a breakpoint at the GetById in the UserController and it is not reached. Any help would be appreciated.

I got a weird error when i left an empty constructor on the UserController and that gave me a 500 "internal server error" when the ApiHelper called the GetLoggedUserInfo method but after a day i finally figured it out, most problems seems to be simple things.

Tim do you know if you've done some special configuration to get all those info logs into Kestrel? I've been following this course from the start and I haven't noticed you doing anything about that and the "Logging" settings you have in appsettings.xml are the same as mine. Yet somehow I'm only getting a couple info logs from Microsoft.Hosting.Lifetime when I start my application but after that I get barely any. I also don't get that fail log as you do when you first try opening swagger and encounter that error.

It may be worth going over the git mv command so that the copied controllers and models carry over their version history. Would have to make the move and the modifications in 2 separate commits, though.

tnx, why you use MVC controller for token insted of API controller?

Hi Tim, my VS 2019 doesnt show the command line interface like your does?

Tim, quick question if I may. I am upgrading to .netcore 6.0 as I go through these and I'm just wondering if there was a change at some point to the way Kestral works as although I had the Swagger error, I had no errors reported in the Kestral window, which would have made it hard to debug if I wasn't following along. Are there some settings that you can add to change the level of logging?

after following along until the end, I noticed something. After we added JWT, I can no longer login through the browser. What approach could I take if I wanted to allow both types of logins (assume browser mvc uses standard method + mobile app using the api)?

Hi Tim, We have a legacy (WPF, WCF) application designed back in 2015 and for the website believe it or not its old VB6 Web Classes which integrate with the WCF etc. Customer are requesting an API which will allow them to login using JWT etc. I watched your earlier (part of TimCo Retail Management) video about Web API and generate access Token etc. But then you upgraded that to .Net Core. My question is the customer are using somewhat legacy application and require an API so shall I stick to your previous Web API and access token or upgrade to .Net Core to generate JWT? I am a little confused and so request if you could explain please? Many Thanks.

Hi Tim, Is Windows Communication Foundation dead? Is it really worth it to learn it at the moment? Or web API is the new way to go? You hardly if never mentioned it in your courses, while your courses are really world and covering many scenarios,. so I assume you can now live without it. Are there special cases where it's best suited to use it? Thanks for great courses, from Electrical background, i am learning a lot from your courses.

uhh, I'm just past the point of 5:23 and you're telling you get something but you're not authorized.... But if you look closely, when the default page opens when the app is started, you are automatically logged into the site, and you already had your roles set for your user including "Cashier", so you ARE actually authorized and that's why it will show you the products, logout and try it again, and you'll see you'll get the loginpage and your breakpoint in ProductController is not hit. And now I also see a 'bug' in IsValidUsernameAndPassword() as you use FindByEmailAsync, but it should be FindByNameAsync (which normally would be the same, but doesn't have to be (check the database)

Is this source code for Patreon Members or people who buy the course? Sorry - I am a little confused.

my question is how do you remain login? do you send the token all the time each time you make a request or is it something that I can store in the cookies and be able to persist login, instead of login everytime I send a request on api

Thanks for this tutorial, much appreciated. why do get this error each time i try to login or register on client side. "AggregateException: One or more errors occurred. (No connection could be made because the target machine actively refused it. (localhost:5001))"

Toward the end of this video yesterday, after we had installed all of the swashbuckle/swagger packages we needed to continue to our project, everything ran just fine. However, I had realized earlier that the kestrel wasn't popping up when I ran the app, so I doinked around with some settings to get the kestrel to show up, and afterwards when I ran the app and tried to login to our api login form I kept getting the following error: "An error occurred while sending the request." I have my start up projects set as TRMApi and TRMDesktopUI, which I believe are correct. Not sure what I've broken, but I need advice on what I need to do to fix it so my app will run properly again or at least where I should start looking for what the problem is. Thanks ahead of time for any tips, help, advice.

Tim, sorry to ask this here, but I can't find an answer - my Kestrel output only seems to be showing info level logs, and I can't find how to change it for the life of me... Do you have any idea how I can fix it?

For some reason my Combo Box is not populated with AvalilableRoles. It was with the old version of API. Any suggestions, please?

Hi tim! Thanks for the video It seems i have an error on min 55:40 , when you get an exception, i get an Internal Error -> Debugging i found out that is happening in the GenerateToken method, on line 74 : var output = new { Access_Token = new JwtSecurityTokenHandler().WriteToken(token), Username = username }; It won't go though that one. Any ideas on what's going on? Thanks :)

I am not getting verbose messages from kestrel like Time is at 1:07.49. I looked into customization, i googled kestrel and have not found anything that helps. Anyone?

Hi Tim, Please share a video on covariance and contra variance

For some odd reason, in the API for Swagger I can't login, I'm getting an internal server error. My api/User says to pass in text/plain instead of application/json I've been trouble shooting for a couple of hours and can't get it to login, Is anybody else having this problem?

Hi Tim, all the API calls on the frontend is failing to parse the returned result as it sees its media format as html/text no longer Json as started in the httpClient header, new to .net Core, dont know where to change the media format. there is no app_start folder to change all that config ?

If a user reset their password, the JWTs generated before the password change would still be valid, right? And if so, what would be the best way to tackle such an issue?

when you add and remove the roles (without Logging Off) they create a new instance in the dropdown and then you see multiple admins and cashiers and managers.

I'm trying to do this on a separate project and it seems that I need to add "AllowAnonymous" on top of the TokenController. Is it necessary?

The authentication system broke when we moved to the .NET Core API, was this purely because the .NET Core API didn't have the necessary configuration in Startup.cs? Would it have been possible to continue using the Bearer tokens (and not introduce JWT) if we modified Startup.cs appropriately?

When I run this my Kestrel window doesn't show all the request/response calls that your's does. Mine just says it's listening on localhost:5001. It also says it's hosting environment: Development... It doesn't show anything else, no matter how I use the API or UI. Is there some configuration to Kestrel that's required so that it outputs all the requests and responses? Thanks.

At the very end, when I login and go to User Display, I can Remove a role and then when I go to Add a role, it adds the role back to the database but doesn't add the role name back to the UserRoles listbox. It has a blue outline that the role name is there but the letters aren't there. So it's there but it's not there. Any idea why this is happening???

Hi @IAmTimCorey I am getting a 405 Error from using (HttpResponseMessage response = await _apiClient.PostAsync("/Token", data)) in the API Helper, is this just happening to me and if not how would I fix the problem? Is it something to do with security?

I've been following along today but I'm having a few issues with my project. I have got to the end of the video and my WPF UI is working as yours. However: If I add a uri of xxxxx/api/Product I get a completely blank page. If I go to swagger, which shows the Product uri and try it, nothing happens, I get no response. I put a break point on the constructor and the get() method in the ProductController I hit the breakpoints when running from WPF but not from the browser. Any ideas?

Are you gonna make a client app for that api or you already made one ?

Hi Tim, thank you very much for the great course. I have encountered a problem while authenticating the username and password. when I hit the Log In button, got red text: An error occurred while sending the request. checked the username and password, they are correct. checked the _apiClient.BaseAddress, which is also correct (the 5001 one) in APIHelper.cs in Authenticate method, in the using statement using (HttpResponseMessage response = await _apiClient.PostAsync("/Token", data)), which return the exception. any idea to solve this? I have set breakpoint, but when go into the using statement, it cannot step into, so, still no idea what's wrong. Thanks!

I am unable to get the logs in console somehow. I tried adding "Debug": { "Default": "Trace", "Microsoft": "Warning", "Microsoft.Hosting.Lifetime": "Information" } under the logging section in appsettings, to no effect. Any suggestions?

Hello Sir, Please don't leave in between the course. I need help of some inbuilt features added in core like JWT token and referesh token.

I have just started this series, using .Net 6 and I am getting this error "AuthenticationException: The remote certificate is invalid according to the validation procedure." I am not sure if this is related to changes in .Net Core between the versions. Anyone else running into this issue?

Hello I implemented Token and refresh token,But dont know how to use that in angular

Tim, I enrolled for the full course ;-) I am at the point in this vid where I am installing Swagger. I am way late into this course so versioning of Nuget packages has been a challenge. I've resolved everything on my own to this point but, I cannot get Swashbuckle.Core to install without this error: Severity Code Description Project File Line Suppression State Warning NU1701 Package 'Swashbuckle.Core 5.6.0' was restored using '.NETFramework,Version=v4.6.1, .NETFramework,Version=v4.6.2, .NETFramework,Version=v4.7, .NETFramework,Version=v4.7.1, .NETFramework,Version=v4.7.2, .NETFramework,Version=v4.8' instead of the project target framework '.NETCoreApp,Version=v3.1'. This package may not be fully compatible with your project. DataManagerAPI C:\Users\Joe\Git\Websites\MSIE\DataManagerAPI\DataManagerAPI.csproj 1 I googled the CRAP out of this and I cannot get Swashbuckle.Core to install as a .Net Core version. It reverts it to .Net Framework. In your tutorial, the first one you installed for Swashbuckle was Swashbuckle.AspNetCore. I tried using version 5.6.3 instead of the latest (6.3.0) thinking that it might be I need an older version. It installed that package just fine. I cannot get past this error for the Swashbuckle.Core. I spent at least 2 hours trying to resolve it. IF you know offhand what the answer is for this, I would be grateful if you could shed light on it. I am not asking you to do my work for me so if you don't know, please just tell me "sorry..." 🙂

48:10 - Hi Tim, ever since Parlor went down, I feel that we as programmers need to take charge of Authentication as at least we have control.

How can I use JWT to authenticate users on desktop app?

After two hours of trying to figure it out, I am restoring to commenting. I am encountering an error with the password. At 55:00:00 I did not get any error. I am getting the 401 when i try to go to the products page as i should, but It just proceeded to give me an invalid password message in Kestral and a bad request, bypassing almost all the code written in this video near the bearer token. I did create the new user in the database as well. Everything seems to work until "return await _userManager.CheckPasswordAsync(user, password); " returns false.

I have encountered a problem while authenticating the username and password. After i enter the username and password an exception is caught in loginviewmodel that says "An error occurred while sending the request". The authenticate method in the ApiHelper awaits the httpresponse and hits back to the exception in loginviewmodel. Please help me solve this problem.

Wat is the point of writing WPF in Dot Net Core, it will only work on Windows.

Whenever I attempt to add a new MVC controller to our TRMApi project, I get the following error: Visual Studio 2019 System.IO.FileNotFoundException: Could not load file or assembly'Microsoft.VisualStudio.Web.CodeGeneration.Utils, Version 3.1.2.0, Culture = neutral, PubliceKeyToken=adb9793829ddae60'. The system cannot find the file specified. Any idea what is causing this and how I can fix it? Thanks ahead of time for any and all comments/suggestions.

I added this to a new .net web application with razor template. The identity auth works for the api controller. however, when I add this line for the Jwt - DefaultAuthenticateScheme = "JwtBearer" the login section doesn't really jive with it. So if I comment this line out, and I don't login first (using Swagger) it will shoot the 401. But if I login to the default login from the razor login, it works. If I un-comment this line "DefaultAuthenticateScheme = "JwtBearer"" it will work in swagger but not via the default razor page/login. Seems like either or and I am missing something and just need to get past that. :)

I am getting "An error occurred while sending the request" when I try to test at the end the whole process... WTF!!! where to look? help me!!!

First of all, thank you for a great series. After adding the HTTPGet and post code I still got errors, well just a 404. Eventually I found the problem. The Version number (V1) in the SwaggerDoc line is case sensitive when it gets to SwaggerEndpoint("/swagger/V1/swagger.json". If V1 used as SwaggerDoc and v1 used as Endpoint it WILL NOT WORK.

I think the only flaw i see is your controller knows about your business logic. Actually it should not know that. Its not its responsibility. For JWT Token creation logic cant we move it from the controller. In real MVC architecture . Controller is treated as input device so in case of web its a weblistner it does not need to know the process of processing data. So I think JWT token creation logic should moved away from the conttoller.