Adding JWT Authentication & Authorization in ASP.NET Core 

Just a heads up. Roles and advanced feature are intentionally left out of this video because I will do an advanced and best practices follow up video. Keep coding!

I think more topics about authentication and authorization in general would be great! Its necessary for nearly every project these days but there is so little good content online or and written by unknown people that you are not sure if you can trust!

There are plenty of videos out on this topic, yet your teaching style I find best. Please continue this topic also explaining how to refresh the tokens!

Glad to see you mix it up a bit by going back to some of the basic stuff nearly every application needs. I've used JWT authentication in a few apps, but I learned a few new tricks from this, thanks Nick!

can't believe I've been your subscriber all this time until I needed this video. By far the most concise explanation I've seen about jwt implementation.

Perfectly turned up just when I needed it.

Great timing my dude! Want to implement JWT in my app atm.

Thank u for sharing this topic looking forward to more advanced options using this

If it had been made 4 years ago, it would have saved me a lot of headaches. Now it was very refreshing and enjoyable.

the refreshing part was always tricky for me, so Im interested in dedicated video A LOT :)

Finally full JWT tutorial. Thanks!

Thank you Nick, great video as always! It would be great also to have a video about Refresh Tokens too. Thanks

Great content as usual Nick! Keep it up and yes, please show us how you would do refresh token (I already implemented it but I find your implementations always cleaner and well thought of). Thanks! PS: maybe you can show how to add multiple Identity providers (facebook + google + custom) all at the same time.

Thank you for this video. It was a great help for beginning with this topic. Would like to see some deep-dive videos into this topic.

very helpful. would very much like to see more about this topics like refresh

Hey, Thanks for the great video, easy to follow, straight to the point. Would be nice if you could make one about refresh tokens.

Thanks for this wonderfull new video as always ;) I really would like you to show an implementation of refreshing JWT stored in any vault you want if it is possible :D

This came just at the right moment!

Very nice video to teach the concepts🎉

Nice video! i'd love to see the video for the refresh token as well

Thanks for this video! Was missing the correct issuer url in my case.

Hey Nick, thanks for this video and it would be far better if you make a video about the implementation of OAuth

Hey Nick great video as always . I would love to see your approach for JWT tokens for implementing where a user can perform update and delete operations only for posts that are created by them.

GOGO Nick! In postman, instead of adding header Authorization, having Bearer (space) token U may get the same results easier going to Authorization tab (1 left from Headers), choose Type Bearer Token and just past the token in the right panel

A refresh token video would be coll. And also how to use JWT with asymmetric keys

straight to the point. thanks!

I am doing this with okta but I use a combination of middleware and filter to programmatically add the policy to the Controller/Action. I was able to inject javascript to swagger and add the header programmatically to curl so that you don't have to use the swagger authorize UI manually.

Great video - thanks Nick. Refresh token video please :)

I needed this video 4 days ago 😅 Do one for refreshing tokens aswell

Great video!. Kindly show us how to refresh token as well. Thanks in advance

Good video and it world be nice to have a video about refreshing

Would be cool if you show in one of the next videos how to authenticate against Azure AD and lock down a Web-Application, so only users can use it when they are member of a specific group. :)

Hi Nick very nice videp, please make a video about the refresh token. I am currently implementing this on a projet!

Instead of using an additional policy or attribute, i would suggest to add the custom claim "admin" as a "role" claim: var claims = new List() { new Claim(...), new Claim(...), new Claim("role", "admin"), new Claim("role", "..."), Then the controller/actions can be protected by using: [Authorize]

Thank you indeed!

Thanks for the video! Will you do some auth videos about Blazor WASM in the future? What about some resource-based authorization?

If only you could give us OpenIdDict series. There is almost no content on this topic. I believe a lot of people will appreciate it :)

An advanced feature that I've seen a million ways that would be awesome to see you discuss would be how we can do "Enterprise Isolation". What I mean with this is that say that we have a SaaS where an "Enterprise" can have a subscription and manage their own details. For the sake of simplicity the developers want to have one shared database for all customers, which makes setup easy but it's equally dangerous because were just one missing .Where(x => x.EnterpriseId == _userEnterpriseId) from exposing other customers data. How would you setup that sort of thing? For example query filters in EF are awesome, but they don't help when patching / adding items.

This is an awesome video regarding claims and policies. The challenge though is to accept many claims under one policy; this works well when you have a user that falls under several claims. However, I think that the Authorization Attribute approach may be a better solution. With that said Nick, are those attributes "stackable" on a controller method?

Nice basic video. Would love to see refresh token video.

hands down the best explanation online. ty sir!

Source code would've been nice!

Great video. What about api keys? Is there a clean way to have an endpoint require jwt auth, another having api-key auth requirement, and have both for the rest? An example of this would be great! I've done same like these in the past but never found a clean way to do it. I've tried looking into making an auth handler to implement permissions and having the api key be a permission but can't seem to get it the right way

Can you make a video about refresh tokens? It would be great ❤

Nice channel ❤

Hello! Thanks for sharing this video! Would you also be willing to share the Github repo for this examples as well?

NIck a great video!! can you show the authorization using permission based please?

@Nick could you do a video on a hybrid approach? Oidc like Okta/Auth0 for authentication (AUTHN) and local claims for Authorization (AUTHZ)

you could mention about Roles, for example Authorize(Roles = „admin”)

How about making a video about OpenIddict about OAuth and OpenIDConnect?

What is the code of TokenGenerationRequest class?

Would be good to see how auth and Blazor WebAssemble play together :-)

can we do refresh tokens too? i would like to know if some implementation i used is a good one

What is the difference between Claim and Signature? what does each one reference?

i would have done by having the initial service implement the handler too and this way to can add this new pattern into the existing code until you need a real reason why it has to be it's own set of handler classes .. this way you can introduce this pattern into an existing code without having to through the code you already had.

I didn't get the names of where to store the keys instead of the configuration? (did you say aws secrets manager?) What would you use to store those keys for a local project?

Thanks for the great video. I have one question. Why can't a hacker get the token from the network tab like any developer, but in the production environment? I know it is not possible and it would have been a disaster but why? Thanks again.

What about asymmetric encryption. What is the best practice for api projects.

Hey Nick, Is there a specific reason why you use a custom claim and policy for your admin users instead of simple role based authorization? Or was this just done for the sake of showing off the custom policies?

It's posible to have both identity validation for login UI and JWT authorization? I was trying this last weekend, and couldn't make them work at the same time. Love your content 🤙🏻

Guys what would you recommend where i have role per resource (entity in table) which can be created by any user but then only Owner of entity can perform delete, update etc. For now I have just database call validating if user has Owner role in the resource, but wondering if there is better approach

As what did you declare the CustomClaim in your TokenGenerationRequest ?

How to manage the token in JavaScript? How to make external complements use the token and be resistant to refresh. Thanks

Hey Nick, do you recommend using blazor for frontend?

I already have oauth as my default authentication scheme for this one dotnet core app, can I tack jwt on to that?

Can you make a video with Blazor WASM with Cognito Authentication thats uses groups to profiling the app content? Thank you!

Hey, how would we do that in a azure function? i'm struggling with that

Hello! Love the video, I am introducing myself with it, I have some doubts about the project of Identy.API Someone has the code source or can explain how implement it?

Minimal API with FastEndpoints FTW!!

Please add video to security refresh tokens

Great content. How to solve the case when the endpoint is accessed by the admin or the owner of the resource (move), e.g. downloaded from the DB?

Hey, Can you make a video on Identity API

Is the sample source code available on GitHub?

We need RefreshToken video ❤

I want to see the consumer part. I mean, let's say I create a blazor/razor/react/angular/etc frontend, and now I want to use this api, ie, login, access protected endpoints, etc.

No word on [Authorize(Roles = "Role1,Role2")] or User.IsInRole? ... which maps to the (default) role claim in the JWT

@nickchapsas first of all thank you for sharing such good stuff always ... I am dying to see your video for refresh tokens have you made it if yes please give me link

It looks like a lot boiler plate code. There are not standard components for this?

I am currently implementing something similar at work😅

Now waiting for Refreshing Token because without it this is only half implementation :)

Can you show how to "Refresh JWT Token" ?

you can actually set auth bearer token in authorization tab in postman. just saying

So authentication/authorization works on the api via an Identity provider. Fine, I'm okay with that. What I don't understand is how is my client application, say a razor pages app, supposed to work with this? I send a username and password to my API to login, the API returns the token and we're all great. What do I do with it then? I can embed it in an HttpOnly secure cookie, but that isn't enough to authorize the user to perform actions on the razor pages app, right? So how do I configure my app to use the token from the API to infer authorization status of a user?

When do you really create and manage this yourself compared to using oidc providers like IDS or Auth0?

we used IdentityServer now moving over to OpenIdicct... massive pain in the ...

Did you ever use OpenIddict ?

I think it's time we stopped pushing JWT now we know better and have done for some time. That said, the functionality within netcore for authetication and authorization are quite nice.

Hi Nick, you always say the link to the code in the description below, but sorry, I have never seen a link to the code in the description in any video, Am I miss something?

I have a problem in my API when not sending the token, instead of 401 i'm getting 500. does anyone knows why that happens?

Why would you HAVE to move to an identity provider if you could just issue your own tokens?

One of the previous projects' lead insisted on storing user data inside the token as separate claims. Stuff like email, phone, country of residence. The reason was - not to query the DB (speed optimization). Is that a good idea? What if your phone changes and youre using the token with old data?

@nickchapsas Can we have source code used for this video ?

Wait, we can use the James Webb Telescope to authenticate ourselves? 😅

What about Refresh tokens?

Great video and very helpful. You just move really fast though. It's hard to see what you're doing.

Make a advanced video indetail on the refresh tokens and specially what will happen to the token then user logsout please I will be waiting for this video

this is very confusing

Can anyone tell me where s the config came out at 4.50 ??

Why do you think it's acceptable to omit random words in speech?

idea - how many clims is too much claims and when we should store only id there and go for permission to database