Nice video, but I feel it would have been great for beginners like me if you had spent some time explaining the usage of each line while configuring authentication in the Startup and controller class files.
Your tutorial is amazing, the IT community needs more people like you! However, MICROSOFT SUCKS for implementing a million different classes and ways to implement authentication/authorization classes; then those classes get deprecated and the developer will be scrambling for answers to the solutions that the new Core version/framework is trying to introduce! For MS, there is no one universal, non-complex, non-confusing way to create a simple web API with basic authentication; it's like each authentication scheme is created by one developer who is trying to out-do the other developer within their team who has implemented a recent class/code! I hope, I really, really hope, that MS will one day be overtaken by another company or that incoming new developers will instead switch to open source and other tech stacks for web API-related stuff! I will be the first to rejoice if MS files for bankruptcy one day, or gets bought by Apple!
Excellent video, I have shared it with my whole team to watch. Thank you. One question: at 15:56 you add the JwtTokenAuthenticationManager to services with the key, but what if you wanted to pass in the DbContext and also maybe the ILogger so the JwtTokenAuthenticationManager can confirm the credentials against the DB? How do you configure the services for the JwtTokenAuthenticationManager in Startup to inject those into the class?
Hi, thanks for the tutorial! You keep the content simple and easy, which is great, but for future improvement you could add a real front end: just a login page, 1 or 2 authorized pages and a logout. This way we could see the complete workflow of the JWT and how it is stored in page transitions.
Great video. I request you to explain the token validation parameters and the significance of the token descriptor class properties, and in what situation we should set which value. It would help greatly if you did a short video on that portion.
@Jamie Bowman, the refresh token comes into play when, as an app, you want to extend the token lifetime for the user without asking the user to enter id/pwd again for a new token after the initial token has expired. The classic example would be a mobile application.
I am able to generate the token. I am also able to get the data without authorisation. But when I add Authorize to the get method I get unauthorised. Could you please help me solve this issue?
Thank you for your well-explained video. If possible, could you please make another video to show how to secure an API with Azure Active Directory and consume it from an AAD-secured React app?
Very nice explanation!!! Just one query: in a simple ASP.NET API we used OWIN and OAuth to generate and validate the token, but I didn't see an OAuth implementation in Core. Is there any reason?
OAuth can be implemented by a middleware. I do not see any reason why it cannot be. I will give it a try. I did not have the need yet, hence I did not try it yet. I will post my video after I try it out. Thanks for the question.
@@STUPIDRU-vid_HIDINGMSGS The problem is they ask, for example, how you would implement "JwtSecurityTokenHandler", and if you are a junior, inexperienced, you can't give a straight answer, so the solution is to research all those classes used and have an idea how they are implemented, because in interviews they need one reason to not hire you.
@@ZnSstr This implementation and those classes are hard, even for mid-level and senior, unless they've memorized it or have coded that same code a few hundred times over and over. But who will remember that stuff now that everything changes and there's no one fixed implementation of JWT security? I think I've watched like 10 JWT security videos here on YT and every one of them is coded differently, so it's very hard to remember which one works on a certain implementation! I miss the times when there wasn't much security on web services and there was no REST or Web API and WCF, just plain ASMX services.
Thanks for the awesome video. But I have a question. If I need to return a custom Unauthorized message from any POST or GET API, what should I do?
@Deepjyoty Roy, thanks for watching! In your scenario, you can remove the Authorize attribute and inside each method check User.Identity.IsAuthenticated, and based on that throw Unauthorised with your custom message per method.
Hi, I see that the AuthenticationHandler class comes under two namespaces: Microsoft.AspNetCore.Authentication and Microsoft.Owin.Security.Infrastructure. Could you please explain what factors decide which namespace I need to use?
@sanjay varma, Microsoft.Owin.Security.Infrastructure is the legacy namespace. If you are using ASP.NET Core 3.1 you should be using Microsoft.AspNetCore.Authentication.
It's a good practice to send the token as part of the header, but nothing stops you from sending the token in the query string; there are use cases like websockets where you might need to pass it in the query string.
Thanks for the tutorial. You are explaining the concepts very well. Could you please give some suggestions on this? What are the ways to store a JWT token securely on the client side? We can use cookies or local storage. However, someone/anonymous will be able to see the token by using some debugging tools, and they can mock the same request and use it outside of the application. How can we avoid it? Thanks.
Saravana Kumar, I'm afraid there are not many choices for storing the token securely on the client side. Your best bet is local storage. But in terms of avoiding security threats, keep your token expiry shorter, so that even if it's stolen it cannot be used for a longer period.
Hi, why did you uncheck the "Configure for HTTPS" option and check the "Docker enabled" option while creating the project? It would be really helpful if you could tell us.
Hi, thank you for posting this video. I find it very helpful. I have one question regarding the authentication step though. After receiving the token with a valid username + password combination and entering it as Authorization: Bearer[whitespace]token, the Get step still throws a 401 error. Any idea what may cause this? Thanks!
Hi, thanks for the video. I have a couple of questions; can you please clarify? 1. I got a token from the server. I just passed it to someone else to use. He could access the API with the token until it expires. How can we restrict this? 2. I got a token from the server with an expiry time of 15 min. Before the 15 min were up I hit the token controller and got another token with an expiry time of 15 min. Now I have two tokens within their valid time. Will both tokens work, or only the latest one? If so, how can we validate?
@Chandu Subhakara Reddy Satti 1. If you pass the token to someone else purposefully, there is nothing that can be done here, right? Until the token expires that person will have access to your API, unless you keep all tokens in storage and check against that, in which case you can flag the token. 2. It depends on whether you are keeping the tokens in storage; in that case, you can have an implementation that invalidates older tokens when you send out new tokens. Otherwise, both will be valid.
Hi, at 10:23 in this video, I have two questions. 1) Why did you use SecurityTokenDescriptor (from Microsoft.IdentityModel.Tokens) and not JwtSecurityToken (from System.IdentityModel.Tokens.Jwt)? 2) What is the difference between the Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor and System.IdentityModel.Tokens.Jwt.JwtSecurityToken classes? When to use which?
@Ravindranath S, JwtSecurityTokenHandler expects a SecurityTokenDescriptor from Microsoft.IdentityModel.Tokens, hence the choice. You can use JwtSecurityToken to create the token; in that case, you will need to call WriteToken instead of CreateToken on the JwtSecurityTokenHandler instance.
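Two of the questions above, injecting a DbContext and ILogger into JwtTokenAuthenticationManager (the question about 15:56) and SecurityTokenDescriptor versus JwtSecurityToken (the 10:23 question), can be answered with one class. The code below is an added example, not the video's code; the User entity, AppDbContext, JwtSettings, the "Jwt" configuration section, the IJwtAuthenticationManager interface name and the use of ASP.NET Core Identity's PasswordHasher are all assumptions. The security point it makes is that the credential check compares against a stored hash, never a plaintext password column.

```csharp
// Added example, not the tutorial's code. Assumed: a User row with a stored password hash,
// an AppDbContext exposing it (EF Core, SQL Server provider), a "Jwt" section in
// appsettings.json (Key, Issuer, Audience, ExpiryMinutes) and the interface name below.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;

public class User { public int Id { get; set; } public string UserName { get; set; } public string PasswordHash { get; set; } }

public class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> o) : base(o) { }
    public DbSet<User> Users { get; set; }
}

public class JwtSettings
{
    public string Key { get; set; }        // >= 32 bytes for HS256; never a short phrase
    public string Issuer { get; set; }
    public string Audience { get; set; }
    public int ExpiryMinutes { get; set; } = 15;
}

public interface IJwtAuthenticationManager { Task<string> AuthenticateAsync(string userName, string password); }

public class JwtTokenAuthenticationManager : IJwtAuthenticationManager
{
    private readonly AppDbContext _db;
    private readonly ILogger<JwtTokenAuthenticationManager> _logger;
    private readonly JwtSettings _settings;
    private readonly PasswordHasher<User> _hasher = new PasswordHasher<User>();

    // All dependencies arrive by constructor injection; Startup never news this class up.
    public JwtTokenAuthenticationManager(AppDbContext db, ILogger<JwtTokenAuthenticationManager> logger, IOptions<JwtSettings> settings)
    {
        _db = db;
        _logger = logger;
        _settings = settings.Value;
    }

    public async Task<string> AuthenticateAsync(string userName, string password)
    {
        var user = await _db.Users.SingleOrDefaultAsync(u => u.UserName == userName);
        // Verify against the stored hash; never compare a plaintext password column.
        if (user == null || _hasher.VerifyHashedPassword(user, user.PasswordHash, password)
                            == PasswordVerificationResult.Failed)
        {
            _logger.LogWarning("Failed login attempt for {UserName}", userName);
            return null;   // the controller turns null into 401
        }
        var claims = new[]
        {
            new Claim(JwtRegisteredClaimNames.Sub, user.Id.ToString()),
            new Claim(JwtRegisteredClaimNames.UniqueName, user.UserName),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()),  // per-token id
        };
        var creds = new SigningCredentials(
            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_settings.Key)), SecurityAlgorithms.HmacSha256);
        return CreateWithDescriptor(claims, DateTime.UtcNow.AddMinutes(_settings.ExpiryMinutes), creds);
    }

    // Path A (the tutorial's route): SecurityTokenDescriptor -> CreateToken -> WriteToken.
    private string CreateWithDescriptor(Claim[] claims, DateTime expires, SigningCredentials creds)
    {
        var handler = new JwtSecurityTokenHandler();
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims), Issuer = _settings.Issuer, Audience = _settings.Audience,
            Expires = expires, SigningCredentials = creds,
        };
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Path B (the alternative asked about): build the JwtSecurityToken directly; CreateToken is
    // skipped and WriteToken alone serialises and signs it. Interchangeable with Path A.
    private string CreateWithJwtSecurityToken(Claim[] claims, DateTime expires, SigningCredentials creds)
    {
        var token = new JwtSecurityToken(_settings.Issuer, _settings.Audience, claims,
                                         expires: expires, signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

public static class AuthServiceRegistration
{
    // Call from Startup.ConfigureServices. Scoped, not Singleton: AppDbContext is scoped, and a
    // singleton manager would pin one DbContext instance for the life of the process.
    public static void AddJwtAuthenticationManager(this IServiceCollection services, IConfiguration config)
    {
        services.Configure<JwtSettings>(config.GetSection("Jwt"));
        services.AddDbContext<AppDbContext>(o => o.UseSqlServer(config.GetConnectionString("Default")));
        services.AddScoped<IJwtAuthenticationManager, JwtTokenAuthenticationManager>();
    }
}
```

Startup registers nothing by hand: `services.AddJwtAuthenticationManager(Configuration)` wires the options, the DbContext and the manager, and the container builds the manager once per request with all three constructor arguments filled in. Path A and Path B both yield a validly signed token; the descriptor route exists because JwtSecurityTokenHandler.CreateToken only accepts a SecurityTokenDescriptor, while WriteToken accepts any SecurityToken, including one you constructed yourself.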
@Ramesh Kumar, in the controller you will need to do this: if (!User.Identity.IsAuthenticated) return Unauthorized(); The rest will be taken care of by the middleware.
Hi, at 11:26 in this video, you added 1 hour as the expiration. I tried with 1 min. But after 2 min I could still use the same token and get the data, meaning the token is not expired. Could you please help me with this?
Thanks for the video. I followed exactly what you said. The token expiry I set as: Expires = DateTime.UtcNow.AddMinutes(Convert.ToDouble("20")); So, as you see, I have set 20 minutes. I submit the Authenticate request -> I get the access_token, that's great! Now I submit another API request with this access_token as bearer and I get the response as expected. Now, after 20 minutes, I try hitting the same endpoint and I still get the response, even though 20 minutes have passed already. What am I missing? Please help.
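Four threads above land in the same place, the AddJwtBearer options in Startup: custom 401 responses (the Deepjyoty Roy and Ramesh Kumar replies), passing the token in the query string for websockets, keeping issued tokens in storage so older ones can be invalidated (the Chandu Subhakara Reddy Satti reply), and tokens that keep working after their expiry (the last two comments). The block below is an added example in that spirit, not code from the video; ITokenStore, InMemoryTokenStore, the /ws path and the "Jwt" settings names are assumptions. On the expiry point, the fact worth knowing is that TokenValidationParameters.ClockSkew in Microsoft.IdentityModel.Tokens defaults to five minutes, which is why a 1-minute token is still accepted after 2 minutes and a 20-minute token shortly after 20.

```csharp
// Added example, not the tutorial's code. Assumed: the same "Jwt" settings section as the
// token issuer (Key, Issuer, Audience), that websocket clients connect under /ws, and a
// hypothetical ITokenStore standing in for the "keep tokens in storage" table.
using System;
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Remembers the jti of the newest token issued per user. The issuing code calls Issue() with
// the jti it put in the token; validation calls IsCurrent(). Older tokens stop working the
// moment a new one is issued, and Revoke() kills the current one (logout, stolen token).
public interface ITokenStore
{
    void Issue(string userId, string jti);
    bool IsCurrent(string userId, string jti);
    void Revoke(string userId);
}

public class InMemoryTokenStore : ITokenStore   // single process only; use a DB or Redis in production
{
    private readonly ConcurrentDictionary<string, string> _latest = new ConcurrentDictionary<string, string>();
    public void Issue(string userId, string jti) => _latest[userId] = jti;
    public bool IsCurrent(string userId, string jti) => _latest.TryGetValue(userId, out var cur) && cur == jti;
    public void Revoke(string userId) => _latest.TryRemove(userId, out _);
}

public static class JwtBearerRegistration
{
    // Call from Startup.ConfigureServices; Configure() still needs UseAuthentication()/UseAuthorization().
    public static void AddJwtBearerAuth(this IServiceCollection services, IConfiguration config)
    {
        var jwt = config.GetSection("Jwt");
        services.AddSingleton<ITokenStore, InMemoryTokenStore>();

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuerSigningKey = true,
                IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwt["Key"])),
                ValidateIssuer = true,   ValidIssuer = jwt["Issuer"],
                ValidateAudience = true, ValidAudience = jwt["Audience"],
                ValidateLifetime = true,
                // Library default ClockSkew is 5 minutes, so a 1-minute token is accepted for about
                // 6 minutes and a 20-minute token for about 25. Shrink it to see exp honoured.
                ClockSkew = TimeSpan.FromSeconds(30),
            };

            options.Events = new JwtBearerEvents
            {
                // Browsers cannot set headers on a WebSocket handshake, so accept ?access_token= there
                // and only there: query strings end up in access logs, proxies and browser history.
                OnMessageReceived = ctx =>
                {
                    string token = ctx.Request.Query["access_token"];
                    if (!string.IsNullOrEmpty(token) && ctx.Request.Path.StartsWithSegments("/ws"))
                        ctx.Token = token;
                    return Task.CompletedTask;
                },

                // Signature, issuer, audience and lifetime have passed; now consult the store.
                // sub/jti are read from the token object because the handler renames "sub" to
                // ClaimTypes.NameIdentifier on the principal unless inbound claim mapping is off.
                OnTokenValidated = ctx =>
                {
                    var store = ctx.HttpContext.RequestServices.GetRequiredService<ITokenStore>();
                    var token = ctx.SecurityToken as JwtSecurityToken;
                    if (token?.Subject == null || token.Id == null || !store.IsCurrent(token.Subject, token.Id))
                        ctx.Fail("token superseded or revoked");
                    return Task.CompletedTask;
                },

                // A JSON 401 body while [Authorize] stays on the actions. The message is kept
                // generic on purpose; the exception detail belongs in the server log, not the client.
                OnChallenge = async ctx =>
                {
                    ctx.HandleResponse();   // suppress the default empty 401
                    ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                    ctx.Response.ContentType = "application/json";
                    var reason = ctx.AuthenticateFailure == null ? "missing bearer token" : "invalid or expired token";
                    await ctx.Response.WriteAsync(JsonSerializer.Serialize(new { error = reason }));
                },
            };
        });
    }
}
```

The issuing side has to cooperate: whatever code mints the token must put a jti claim in it and call `ITokenStore.Issue(sub, jti)`, otherwise OnTokenValidated rejects every token. With that in place the two-token question resolves itself, since only the most recently issued token per user validates, and a leaked token can be cut off with `Revoke(userId)` rather than waiting for exp. The per-action alternative the replies above describe still works alongside this: mark the action `[AllowAnonymous]`, test `User.Identity.IsAuthenticated`, and `return Unauthorized(new { error = "..." })`, which is the object overload of ControllerBase.Unauthorized.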