Very nice video and good explanations! Quick question: in the token endpoint at 18:03, you set the sub claim to a NewGuid(). What would be the correct implementation if we want to keep track of the user? Should it be added as a new property in the AuthCode class and set during the authorization endpoint? And then, if we want to add other claims, a database lookup should occur in the token endpoint, am I right? Thanks for clarifying this! Keep up the good work :) I hope you'll make an OpenID Connect video soon!
Anton, for parsing a query string (it will work for any string that looks like a query string), you can use the System.Web.HttpUtility.ParseQueryString() method.
That was awesome. Question: how do you handle `Challenge` in this case? Like, how do you provide a login form for users to sign in if they navigate to [Authorize] pages? Also, how do you provide a consent screen in this setup? Can you please elaborate on that? Maybe create a new video on that? Thank you!
Hey Anton, you've already created another identity server, super amazing video! I would love to see a small, actual example using Blazor WASM and a Web API with OAuth 2.1 in a video!!
@RawCoding you just asked "where is?" 😂 If you ask about the country, Latvia is located somewhere in Europe. If you want to know the name of the courses, you are especially beloved by "She Goes Tech" students and mentors. The video where you make a chat is especially popular, because creating a chat is the final test there.
@RawCoding WOW! Incredible! I feel like I just found my lost brother! 😂😳 Maybe that's why Latvians love your tutorials so much: it is easy to understand you, because we think in a somewhat similar way^^ Also, I suppose that you are from a Russian-speaking family, because only Russian-speaking people use this smile ")" instead of ":)". Am I right?) The most popular free courses in Latvia are made by Accenture. There are about 160 hours of learning, and then the most motivated and talented students can get an internship at Accenture. So if you plan to make a new ASP.NET chat tutorial someday, say hi to Latvian Bootcamp students, or to Latvian She Goes Tech students if you wish to greet only girls 😏
Can I ask whether it is possible, once the Web API has been authenticated, to also protect certain actions of the Web API with authorization by checking the received token? Anyway, congratulations, a truly complete job.
Thanks for the clear explanation of the material. I barely managed to subscribe on Patreon. The only thing I can't figure out is the /oauth/custom-cb endpoint. I get an error on redirect. I couldn't find a description of it in the client, nor on the server side.
Bro, you rock! What about the client app logout? I'm trying to make a UI in the authorization server where the user can choose from a bunch of client apps and then log in, kind of an SSO. If the user logs out from the authorization server, the cookie in the client still works. I think I am messing up the concepts pretty hard lol
What can I do if I want the GET /login endpoint to return a complete HTML file including styles, JS and more, not just plain HTML with two inputs? Thanks in advance!! And great video, by the way.
I'm going nuts. I don't understand how I can read the login information in the token endpoint so I can load the claims and pass them to the client with the token. Please help pipez
Great video. Thanks for your effort. I have one question. I want to check the client id and client secret for multiple clients. Where is the best place to validate them? Is it the login page POST handler or the authorization handler? Where can I find the client secret inside the authorization URL? Thank you in advance.
@RawCoding Thank you for your quick reply. In fact, I could not find the client secret in the return URL received at the authorization endpoint. I could see the client id. Is there any way to include the client secret in the return URL? Thank you very much for your help.
Hi Anton, could you say where the client passes parameters like, for example, "code_challenge" or "code_challenge_method" in the AuthorisationEndpoint class?
As per the PKCE spec (www.rfc-editor.org/rfc/rfc7636#section-4.3) and the OAuth spec (www.rfc-editor.org/rfc/rfc6749#section-4.1.1): "The client constructs the request URI by adding the following parameters to the query component of the authorization endpoint URI using the "application/x-www-form-urlencoded" format", so you add these as query parameters to the GET request.
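The PKCE flow the reply above describes, as an added example that is not part of the original comment or of the video's code: the client derives code_challenge from a random code_verifier and appends the RFC 6749 / RFC 7636 parameters to the authorization request URI, and the token endpoint later recomputes the challenge from the presented code_verifier and compares it in fixed time. The class name, method names and the authorizeEndpoint/redirectUri values are my own assumptions; only the S256 method is handled.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Example PKCE helpers (added here; not from the video or the original comment).
public static class Pkce
{
    // RFC 7636 section 4.1: 32 random bytes become a 43-character base64url code_verifier.
    public static string CreateCodeVerifier() =>
        Base64Url(RandomNumberGenerator.GetBytes(32));

    // RFC 7636 section 4.2: code_challenge = BASE64URL(SHA256(ASCII(code_verifier))).
    public static string ComputeS256Challenge(string codeVerifier) =>
        Base64Url(SHA256.HashData(Encoding.ASCII.GetBytes(codeVerifier)));

    // RFC 6749 section 4.1.1 and RFC 7636 section 4.3: the client appends the parameters
    // to the query component of the authorization endpoint URI, form-urlencoded.
    // authorizeEndpoint and redirectUri are whatever the client is configured with (assumed).
    public static string BuildAuthorizationUri(string authorizeEndpoint, string clientId,
        string redirectUri, string state, string codeChallenge)
    {
        var query = new StringBuilder()
            .Append("response_type=code")
            .Append("&client_id=").Append(Uri.EscapeDataString(clientId))
            .Append("&redirect_uri=").Append(Uri.EscapeDataString(redirectUri))
            .Append("&state=").Append(Uri.EscapeDataString(state))
            .Append("&code_challenge=").Append(Uri.EscapeDataString(codeChallenge))
            .Append("&code_challenge_method=S256");
        return authorizeEndpoint + "?" + query;
    }

    // Token endpoint side: the challenge stored with the issued code must equal the
    // challenge recomputed from the code_verifier the client now sends in the form body.
    // Length limits come from RFC 7636 section 4.1; the comparison is fixed-time.
    public static bool VerifyCodeVerifier(string storedChallenge, string presentedVerifier)
    {
        if (string.IsNullOrEmpty(presentedVerifier) ||
            presentedVerifier.Length < 43 || presentedVerifier.Length > 128)
            return false;
        byte[] expected = Encoding.ASCII.GetBytes(storedChallenge);
        byte[] actual = Encoding.ASCII.GetBytes(ComputeS256Challenge(presentedVerifier));
        return CryptographicOperations.FixedTimeEquals(expected, actual);
    }

    // Base64url without padding, as RFC 7636 appendix A requires.
    private static string Base64Url(byte[] bytes) =>
        Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

Persist the code_challenge next to the issued authorization code at the authorization endpoint, and call VerifyCodeVerifier with it and the code_verifier from the token request's form body before issuing any token.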
Can you help me with this error? I coded the TokenEndpoint but got the error "The input does not contain any JSON tokens. Expected the input to start with a valid JSON token, when isFinalBlock is true".
@RawCoding when I added the Authorize attribute to my Web API endpoint, the returnUrl parameter doesn't contain the code_challenge and code_challenge_method properties. I didn't add a login endpoint to my Web API, so I didn't call the Challenge method. Is it required in a Web API project?
Watch this video. Learn about all the topics. Then go find a proper implementation, open source or commercial, and use that instead. Never use your own identity management solution for anything that matters. Keycloak is an excellent option.
Your DevKeys logic has an issue; it should be like:

using System.IO;
using System.Security.Cryptography;
using Microsoft.AspNetCore.Hosting;
using Microsoft.IdentityModel.Tokens;

public class DevKeys
{
    public DevKeys(IWebHostEnvironment env)
    {
        Rsakey = RSA.Create();
        var path = Path.Combine(env.ContentRootPath, "crypto_key");
        if (File.Exists(path))
        {
            // Instead of creating a new rsaKey instance, use the existing Rsakey instance
            Rsakey.ImportRSAPrivateKey(File.ReadAllBytes(path), out _);
        }
        else
        {
            // First run: persist the freshly generated private key so later runs reuse it
            var privateKey = Rsakey.ExportRSAPrivateKey();
            File.WriteAllBytes(path, privateKey);
        }
    }

    public RSA Rsakey { get; }
    public RsaSecurityKey RsaSecurityKey => new RsaSecurityKey(Rsakey);
}

Please let me know if I understood wrongly or if you had an issue.