Changing the first letter "e" is not a good test of whether the JWT is working, because the "e" is the base64 character for the open brace "{" of the JSON. That's why all JWTs start with an "e". It could be failing because it's not a valid JSON fragment.
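An added example (not from the video or from the commenter) that makes the base64 point concrete: it builds a constructed HS256 token with a demo key, shows that the header segment starts with "eyJ" because that is base64url for `{"`, that flipping the leading "e" turns the header into bytes that are no longer JSON, and that a verifier rejects both a mangled header and a re-encoded payload whose signature no longer matches. The key, claims and helper names are all assumptions for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key for the example only; not a real secret from anywhere.
SECRET = b"demo-hs256-key-not-for-production"


def b64url_encode(raw: bytes) -> str:
    """Base64url without padding, the encoding JWT segments use (RFC 7515)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore the padding before decoding, since JWT segments carry none."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_jwt(claims: dict, secret: bytes = SECRET) -> str:
    """Assemble header.payload.signature for a constructed HS256 token."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_segment(segment: str):
    """Return the JSON object a segment encodes, or None if it is not valid JSON."""
    try:
        return json.loads(b64url_decode(segment))
    except ValueError:  # covers binascii.Error, JSONDecodeError, UnicodeDecodeError
        return None


def verify_jwt(token: str, secret: bytes = SECRET) -> Optional[dict]:
    """Check structure, header alg and HMAC before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header = decode_segment(parts[0])
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None  # a mangled header never gets as far as the signature check
    expected = hmac.new(
        secret, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256
    ).digest()
    try:
        actual = b64url_decode(parts[2])
    except ValueError:
        return None
    if not hmac.compare_digest(expected, actual):
        return None  # payload or header changed after signing
    claims = decode_segment(parts[1])
    return claims if isinstance(claims, dict) else None


if __name__ == "__main__":
    token = make_jwt({"sub": "alice"})
    print(token[:3])                       # eyJ: base64url of '{"'
    print(decode_segment("f" + token.split(".")[0][1:]))  # None: no longer JSON
    print(verify_jwt(token))               # {'sub': 'alice'}
    print(verify_jwt("f" + token[1:]))     # None
```

Flipping the leading "e" fails at the JSON stage, so it tells you nothing about whether signature validation is wired up. A tamper check that actually exercises the validator is one that keeps the segments well formed, such as re-encoding the payload with a changed claim and leaving the old signature in place, which `verify_jwt` rejects on the HMAC comparison.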
The first time in a long time I needed a refresher on this and this is the first recommended video, posted only 17 minutes ago. What sorcery is this, Nick?
Great video! I would suggest that people who are new to JWT first learn the fundamentals of OpenID Connect and authorization methods like "Authorization Code Flow" or "Resource Owner Password Grant Flow". Once you understand the flow you will get that Cognito, IdentityServer4 or any other providers are just wrappers around this protocol.
It would be awesome if you could show how to support multiple authentication methods, like an API key together with JWT tokens. How do we correctly authorize endpoints and set up the auth?
It's a good starting video on using an external IdP, but don't forget that what's shown here is the bare minimum. Also, notice that Nick is using a stand-alone UI (i.e. Postman or similar) to exchange the returned auth code for a set of tokens that's stored locally (Redis is a great option for these types of short-lived data); you'll need to build the exchange mechanism yourself, which is a fun little task. A word of caution: security is not something you should take lightly, especially in a public-facing environment, and you should never attempt to implement encryption algorithms unless you're one of the very few experts in the industry who work professionally on this topic.
What about the user in the DB? Managing additional data that you don't want to expose in the JWT? How will you merge the auth flow with real application needs like the current user in a request context, gathering additional info from the DB and so on? What is the best practice from your perspective?
Thanks, a couple of questions though: How should I sync the users to my DB with external ID providers? Should I store roles and permissions in my DB or in the external provider? And also, shouldn't the client secret be secret? I shouldn't use it in a SPA, right?
Let's demand a #buttercop series in which Nick takes a look at terrible butter advice posted on LinkedIn and signs off with "But now I want to know about you.... which butter do YOU think is the nicest butter? Are you using butter in your applications? Or a healthy low-fat substitute?"
Have you ever considered or compared this to something open source and self-hosted like Keycloak? I've used it in a couple of projects and it has pretty much all you've showcased, but it's a bit more quirky.
"Trust me" Famous last words :) But in all seriousness, could you use something like this to authenticate your application? Basically making it not possible for anyone outside of your hosted domain to request data from the API?
CORS is better suited for that. You can set up a policy on your server to say "If a request comes from anywhere other than a specific URL, reject it", and then give it the URL of your client application so that only requests from your client application are let through.
".NET does not have native JWT integration, so you have to install a Nuget package..." is said like it is a negative thing, but it is a positive one. Why would the core library have support for a specific auth mechanism, of the hundreds that have come and gone?
When I see you doing it, it seems graspable. Why does everyone else claim that authentication and authorization are the holy grail of programming? Concepts so difficult to grasp that you need a doctorate degree!?
It's poorly documented in certain areas, and I've found most of the answers digging through Stack Overflow. The concepts aren't that difficult, but the implementation in .NET can be a she-dog...
Because the hard work is being done for us by people that know a lot more about it than we do. It's effectively lego-by-design specifically because it's so hard to get right.
Maybe production ready isn't a good term for this. I wanted to say that we're integrating an independent identity service which is what most modern production apps are using. Maybe "Modern" is better