It really helped me a lot to understand the JWT concepts and to implement the same... Hats off to you to make such a valuable video for better understanding...
Again, 2 fantastic, helpful and well explained videos (in spite of the fact that I got lost a little bit between the different objects :-) as this is very new to me). Just to validate my understanding: once we call the refresh API to reauthenticate, 1 hour later, we should use the RefreshToken for reauthentication, am I correct, or is it the original JWT token that will be extended by another hour?
For the Refresh API, do we need to pass anything in the header? For me, the refresh API is giving 401 every time. Not able to get what is wrong, as in the body I am already passing RefreshCred (JWT token & refreshToken).
Great job 👍 again)) but I think the expiry of the refresh token needs to be more than 1 hour, this is exactly the duty of a refresh token, but you copy-pasted the same time as the JWT token
@Ali Haydar, thanks for watching! Yes, I copied and pasted without changing just for the interest of time, but yes refresh tokens are usually much longer-lived compared to a normal token.
In a realistic world, will the user be sending us both the JWTToken and the refresh token, and on the API do we need to first check if the JWTToken is valid (not expired too), and if expired then use the RefreshToken to validate?
@Care Covered, in the real world scenario, ideally the caller should be sending the refresh token only when the auth token is expired. And the caller finds it out based on the auth error response from the service. That is the workflow I have normally seen used.
System.InvalidOperationException: 'Action 'Auth.Demo.Controllers.NameController.Authenticate (Auth.Demo)' has more than one parameter that was specified or inferred as bound from request body. Only one parameter per action may be bound from body. Inspect the following
I'm just kinda confused. Why does a JWT token expire that quickly when I could regenerate a new one with the refreshkey anyways? If someone steals my cookies I'm fucked anyways
@Marv3Lthe1, the reason you don't want to use a longer timeout is that if your token is stolen you will remain vulnerable for a longer time, hence using a refresh token.
Hello sir!! How do we add external login providers like Facebook, Google, LinkedIn etc. in .NET Core Web API? For example: how do I add extra login providers like Google and Facebook in this project that you have taught us?
Niraj Dahal, so if I understand your requirement properly, you want to use Facebook or Google etc. as an OAuth provider. It should be done in a similar way, using a middleware. I can give it a try in a future video. Thanks
After the expiry of the access token, a new access token is not generated even with the Refresh Token.
public AuthResponse Refresh(RefreshCredential refreshCredential)
{
    SecurityToken validatedToken;
    var tokenHandler = new JwtSecurityTokenHandler();
    var principal = tokenHandler.ValidateToken(refreshCredential.AccessToken, new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(key),
        ValidateIssuer = false,
        ValidateAudience = false
    }, out validatedToken);
@Anushree Desai, generating a JWT token is similar, but I have not done it using the Azure Active Directory service before, so I cannot tell for sure what goes into it. Once I try it out I can let you know.
@Flote Fuertes, thanks for watching. You should use a refresh token to get the new token only. For authentication, you should use the new token received with the help of a refresh token.
I followed your tutorial, but the token expiry is not working. I created the token for 2 minutes, but my token is working for more than 2 minutes. Then I went through some other videos.
x.TokenValidationParameters = new TokenValidationParameters
{
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secreteKey)),
    ValidateLifetime = true,
    ValidateIssuer = false,
    ValidateAudience = false,
    ClockSkew = TimeSpan.Zero
};
In that, they used the ClockSkew property for token expiry. After I put ClockSkew, my token is not working for more than two minutes.
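The ClockSkew behaviour described in the comment above, and the expired-token failure in the earlier Refresh comment, shown as an added example that is not code from the video or from any commenter. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the key, user name and token lifetimes are constructed for the demonstration.

```csharp
// Added example (not from the video). Requires NuGet: System.IdentityModel.Tokens.Jwt
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed demo key (more than 32 bytes for HS256); load real keys from a secret store.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes("constructed-demo-key-0123456789abcdef"));
var handler = new JwtSecurityTokenHandler();
var now = DateTime.UtcNow;

// Constructed access token whose exp claim is two minutes in the past.
var jwt = handler.WriteToken(handler.CreateToken(new SecurityTokenDescriptor
{
    Subject = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "demo-user") }),
    NotBefore = now.AddMinutes(-10),
    IssuedAt = now.AddMinutes(-10),
    Expires = now.AddMinutes(-2),
    SigningCredentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256)
}));

// Same parameters as in the comments; only the lifetime check and skew vary.
TokenValidationParameters Params(bool validateLifetime, TimeSpan skew) => new TokenValidationParameters
{
    ValidateIssuerSigningKey = true,
    IssuerSigningKey = key,
    ValidateIssuer = false,
    ValidateAudience = false,
    ValidateLifetime = validateLifetime,
    ClockSkew = skew
};

string Check(TokenValidationParameters p)
{
    try { handler.ValidateToken(jwt, p, out _); return "accepted"; }
    catch (SecurityTokenExpiredException) { return "rejected: expired"; }
}

// Five minutes equals the library's default ClockSkew: the token is still accepted.
Console.WriteLine("default skew : " + Check(Params(true, TimeSpan.FromMinutes(5))));
// With ClockSkew = TimeSpan.Zero the exp claim is enforced exactly.
Console.WriteLine("zero skew    : " + Check(Params(true, TimeSpan.Zero)));
// A refresh endpoint reading an expired access token skips only the lifetime
// check; the signature is still verified.
Console.WriteLine("refresh path : " + Check(Params(false, TimeSpan.Zero)));
```

Disabling the lifetime check is appropriate only inside the refresh path, and only when the accompanying refresh token is also checked against a server-side record with its own expiry.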