Secure a .NET Core API with Bearer Authentication

Подписаться 100 тыс.

Просмотров 191 тыс.

50% 1

In this step by step tutorial, I show you how to secure a .NET Core API with JWT Bearer Authentication, using Azure Active Directory as the Identity and Access Management Layer. I also show you how to write a “secure” API client to call and authenticate to the secured API endpoint.
We use the Microsoft.Identity.Client and Microsoft.AspNetCore.Authentication.JwtBearer packages amongst others.
Level: Intermediate
Code on GitHub: github.com/bin...
Companion Article: dotnetplaybook...
My Book: www.apress.com...

Опубликовано:

5 окт 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 332

@radeksendecki9922 2 года назад

It's October 2022 but for me it's still the best free material about a practical approach to learn authentication in .NET on the internet. Great job. Congratulations and thank you!

@vipinsingh-ji8dj 4 месяца назад

Which channel best for paid version?

@DaydreamtombLP 4 года назад

I would be interested in third party sign in (Twitter, Google, etc) and associating that sign in with an application user. For example a user might have a profile in our application, and that profile should be associated with their third party sign in. Hope that makes sense. Keep up the great videos.

@lukasostar3008 4 года назад

Yes, this, PLEASE

@MB-nw5sz 4 года назад

Yes, i agree - a user sign in tutorial would be fantastic :) Thanks for the helpful video

@harishgk2947 3 года назад

@Les Jackson, please post an video on OAuth

@developersamim786 3 года назад

Yes, exactly we need this

@maximlejaeghere1730 3 года назад

Watch out on minute 31. Azure added an extra field when creating a client secret. Make sure you copie the value and not the ID!! Super video thank you so much.

@richarddufour 2 года назад

Absolutely love the way you've explained all of this. I've been googling, watched other videos, tutorials, but nothing comes even close to what you've done here. Cannot thank you enough!

@richarddufour 2 года назад

Would love for you to have a video on setting up an Azure WebApp running behind an Azure Front Door.

@brianhoskins1979 3 года назад

[EDIT] - I forgot to say thank you for the video, extremely useful indeed! 17:25 Regarding your advice not to use appsettings.json for production use. I can appreciate that there is a need to be careful with this during development: the application is on your local machine along with the appsettings.json file which reveals security critical information. And you certainly wouldn't want to commit that to git or any other version control. But once you've deployed to your production environment I feel like it's pretty safe to use appsettings.json. This is because the file is then on the server (be it Azure or somewhere else). Nobody else has access to it. And, if they do, it means they already have control of your server and therefore the security has already been compromised. So on local machine: be careful with appsettings.json as it contains secure information. On production (deployed to server): appsettings.json is OK. Do you disagree?

@blinkskaterkc 4 года назад

After searching for many many hours on this topic, with no luck, I came across this video. You explained things clearly and made a lot of sense out of a confusing topic. Many thanks!!

@JonOvereem 4 года назад

Thank you for explaining everything so clearly. I’ve been wanting to learn this for a long time. Since I started watching your videos it finally starts to make sense to me.

@nicholasmohammad6961 3 года назад

I dont mean to be offtopic but does someone know of a trick to log back into an Instagram account?? I stupidly lost my login password. I would appreciate any tricks you can offer me.

@boebawashere 4 года назад

Loved this video! Good explanation, my teachers could learn a lot from u! I did get an error at the end: "The remote certificate is invalid according to the validation procedure". But I got it working by adding this code right above making the httpClient: HttpClientHandler clientHandler = new HttpClientHandler(); clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; }; The HttpClient then uses another constructer like this: var httpClient = new HttpClient(clientHandler); Thanks a lot! Subbed immediately ;)

@ThomasPoth 4 года назад

Thanks for sharing your solution. Imho this should be only necessary for local testing. BTW, thanks Les for your great work.

@mikeha 4 года назад

I tried that, it didn't work, now I get Unauthorized back even though I did get the token

@svetlin2010 4 года назад

The best video ever. Very well explained. What is missing is additional video in case you have swagger and you need to be able to test the API using AAD.

@SpoderSuperhero 3 года назад

This is honestly the best .NET Core channel out there.

@HenryTsang 4 года назад

Love your teaching style, very realistic and practical explanation. Thanks very much for making this video, you have demystified the Bearer Authentication a great deal

@DChristop Год назад

Les Jacson σε ευχαριστούμε που υπάρχεις και μας δίνεις τόσες χρήσιμες συμβουλές!!

@sebastianayalavalderrama3269 3 года назад

Thank you Les for your time. I was getting crazy until I saw your video with the resourceId "/.default" . I missed this part. Thank you.

@Ajmal_Yazdani 4 года назад

Les Jackson Sir. You save my lot of time. This is exactly what I have assigned to do. Superb!!!

@CognatioBestia 4 года назад

Great video! I'm a Sr Software Engineer (and manager) and found a lot of value in your video. Explained everything very well! Thanks for sharing!

@VikInks 4 года назад

Thank you very much for your videos, I'm a student as an IT Dev, and your the best teacher I could ask for.

@binarythistle 4 года назад

Greetings from Melbourne Maxime! Thanks for the lovely comment - I really appreciate it. Cheers, Les

@ptry1000 2 года назад

This is really great. I watched about a million videos and blogs and all are talking bits and pieces but couldn’t get a complete picture. This session gave me the whole picture and finally I am able to successfully build a system for my purpose. Great explanations. Really loved !!!!

@miklosnemeth8566 4 года назад

I am at 5:28, and I had no any info earlier, how this works, just what you show on your diagram, and scenario. Just for fun, from your diagram, I guess, the way it works is, that the JSON token is signed by one of Azure's private keys and the dot net core tool kit has the Azure's public key(s). This is how I'd implement this. I am looking for the end of the story, if I was right. Your videos are tremendously entertaining.

@DavidEvans-uj3uw 4 года назад

Another great video from Les. I enjoy his teaching style and clear explanations. But I had to ditch this approach for securing the API I'm building because I cannot see how to set up user roles with this approach. I'm probably missing something simple, but it's throwing me for a loop. I would love to see a video showing how to set up user login and adding user role claims to the JWT token in Azure.

@sergiobrascher4134 3 года назад

Very good tutorial! Could you make one with a SPA app consuming this API? Thanks from Brazil!

@rainron2664 3 года назад

Agree to this.. 👍☝️ plss.. sir.

@ronaldabellano5643 4 года назад

I like your other videos that have broken the parts of your video, it's easy to follow because I will know what topic you're talking to that point. It's hard to watch the video for more than 15 minutes.

@manishjawarkar84 4 года назад

The Key things in your Videos are Very well explained, Practical usage and content oriented. Thank you so much for sharing your knowledge.

@albxdotcom 4 года назад

Great video, best one I've seen so far. Thanks so much!! But can you explain what is the id property in the appRoles section, In your example it was "id": "6543b78e-0f43-4fe9-bf84-0ce8b74c06a3"

@naveenthallam145903 3 года назад

Thank you so much for the crystal clear explanation. I was able to follow without any problem. Thanks once again for the great videos. Could you please do some videos on Microsoft Azure Services for Developers.

@sandeepsoni7162 4 года назад

Watching your video like some rocking movies....Great mate!

@binarythistle 4 года назад

Oh wow! Thanks Sandeep!

@naveenpatel8039 2 года назад

I found a lot of value in this video and the way it is explained is very impressive! Great video. Loved it

@randomvideos9444 4 года назад

Wow! How easily you have explained this complicated topic. Thanks for sharing this video.

@jeffpetrie5191 4 года назад

Ok, Les, you got me! I spent 2 days on your 3 hr. API video and transferred all that knowledge to my big project, works Great! Now adding the tokens. Lots of little bumps that force a good developer to understand their environments, like sometimes VS Code just gets lost and you have to restart it, all good. I love your stuff is CURRENT! 2017 is ancient times in technology;-) Enjoy the wine, wish I could deliver it personally and share a bottle to thank you. I think that would be a riot! Keep going and good luck! Oh yes, you should get yourself a green screen;-)

@jaifranhernandez3901 4 года назад

I'm going to keep the track on this season, great series of tutorials. Awsome job man, just awsome!

@lokeshmaganti5524 4 года назад

Pretty neat explanation in layman terms and been searching for this kind of video...thank you so much.

@binarythistle 4 года назад

Awesome! Cheers Lokesh!

@nileshv123 4 года назад

Great video Les....I have been following your videos and found them extremly crisp and to the point without rushing in....It would be great if you did video on a production quality code for a small microservice app which would include Authentication / Authorization, Unit Testing etc. I know it might be a long video, but still it might be of great help...Thanks for your effort mate...

@jono261970 4 года назад

Fantastic video - it's nice to follow a video through to the end and everything works! - I added the token to Postman and received a status 200 OK - looking forward to S3 E2 - thanks!

@rakeshchauhan-op8qw 3 года назад

46:50 - music got me off the edge of my seat. The suspension was intense. Good video btw Les

@duck1girl 4 года назад

Thank you so much. I have taken up learning about securing an Api and this video was a great beginning.

@hetallcc 3 года назад

Hi Les, Just wanted to say thank you for making this video. This what i need to figure it out the Authentication flow on Azure Ad.

@asadali118 4 года назад

That is a great video tutorial. Thanks for explaining everything in a detailed manner. Looking forward to seeing more videos from you.

@ayushjoshi2367 3 года назад

By far, the best tutorial on authentication. Thank you so much for this amazing tutorial.

@schoesa 4 года назад

Awesome video, best teacher I have ever seen. Now I understand that whole bunch of Azure AD authentication via JWT Bearer Token in only 60 minutes. Thumbs up :-)

@stephenholmes7585 4 года назад

Super informational video. Followed it along in VSCode and although I had some issues in Azure (Granting API access was greyed out), it all worked and I can say I learned something very useful! Thanks for sharing!

@paulsebeikin 4 года назад

Hi Les, thanks for the informative video. I'd be interested in the same kind of video showing how to set up a client app that authenticates with the API using a user name and password.

@JitendraGupta-lc6de 4 года назад

Thank you Les. This is really very helpful video and you explained every step very well . I was very much confused regarding this azure active directory steps . Now understand very well. I would love to watch your more videos.Thank you again.

@masimbagndadzibaya3616 2 года назад

Thank you so much man, you just tabledout a lot for most of us. Awesome video

@fazilb195 4 года назад

Wow this is awesome.. it'd be really helpful if you could make a series on this topic with other types of clients too. Loved it Les. Thank you so much

@matchchow7648 3 года назад

It's a very excellent video to explain such complicated topic and used the easiest way to demo how to achieve most of requests as we have to make sure them running in demon mode! thanks!

@bobbykaruturi2300 3 года назад

Awesome step by step tutorial for authenticating .Net core API.

@snowke5095 3 года назад

Thank you for putting this video together. This was especially relevant to something I am working on now and helped clarify a topic I was finding otherwise confusing when trying to read through the documentation. This video made is simple and straightforward. I've liked and subscribed, thank you again!

@MrAndrewslaughter 4 года назад

Great set of tutorials. The one improvement I would recommend is ditching that music at the start :)

@SuperCedric29 3 года назад

I find the music at the beginning actually pretty cool

@aandrew_ 3 года назад

Great video, really good explanation. One thing is annoying tho, the background static sound

@medusa121 4 года назад

Thank you! Please create a role base access interactive ones..

@binarythistle 4 года назад

Hi mate, funny you should say that - that's exactly what I'm working on at the moment!

@moshikof7778 3 года назад

well explained, even if im not azur developer, the concepts are well explained. keep going with the good work

@soucianceeqdamrashti8175 4 года назад

I went through all the steps. Wounderfully explained! Keep up the hard work!

@byuidan 4 года назад

First time seeing your videos... subscribed to your channel in the middle of watching the video. Great content and great delivery! I'll look through to see some of your other titles and look forward to what you do in the future. Thanks for the great work.

@josephcorbett7805 3 года назад

Thanks for putting this together! It really helped clarify a lot of things for me.

@vikass1078 2 года назад

Excellent tutorial. Thanks a lot for demonstrating the practical approach.

@parvkaurav7973 4 года назад

Great Video. It saves me. I see a lot of implementation but they are quite complicated and not complete.

@ANILKHANDEI 4 года назад

This is very informative video. thanks for sharing your experience and knowledge. I wanted to understand this sing long time Azure AD, and api auth together!! Can you create a video on best practices for how to store secure data like keys and passwords in vaults and access them in application ?

@runek75 3 года назад

I immediately hit subscribe just by looking at the shelf in the background :) my kinda guy. Pluss, ofcourse, the content seems spot on for me (after 5 minutes in)

@ankitsachan1242 4 года назад

Thank you for this amazing tutorial. I saw lot of tutorial on this topic but I can say without any second thought that this is d best. If you can make a video to use Google, Facebook or Twitter to authenticate our Web API it will be more helpful.

@davidlingier579 3 года назад

Nice job, thanks for sharing your knowledge! From now on "Les is more for sure".

@sandipkurwale5050 4 года назад

Thank you so much ... i loved it .. tried the same with Azure CLI since I wasn't having an access to Azure AD ... had a hard time with command line but now i can relate this stuff and search for precise Azure CLI commands ... Thanks again..

@antoniusvanhaeren6984 4 года назад

Very clear and good course. Maybe you can create an app that require user identification, authorization and user claims policies, Thanks

@tauqirchaudhry2876 4 года назад

Man that was cool - I just happened to be working on exactly these implementations, great clarity, fun music.

@binarythistle 4 года назад

Glad it was helpful!

@jaydev1263 3 года назад

@@binarythistle 25:56 you missed the "/" between the values in authority....man i was so confused for an hour that why this is not working just for me

@ChandreshMakwanaakapg 3 года назад

Hi Les, truly interesting, informative and well composed video, that reveals the underlying mechanism of Azure AD being, kind of a registrar of resources. Just one question. For iOS and Android applications also do we need to register the corresponding client apps ?

@soucianceeqdamrashti8175 4 года назад

Like your videos and style a lot! Will for sure buy your book in the near future! Thanks for the awesome material!

@arcsha2336 4 года назад

Thank you so much Les!!. Excellent!1 Real world problem and you covered it perfect. Easy to understand.

@binarythistle 4 года назад

Cool glad it helped you out! Cheers, Les

@rossthemusicandguitarteacher 4 года назад

You are a complete champion my friend, thanks!

@starman9000 4 года назад

Very Satisfying video! content cleared laid out! I enjoyed and learned thoroughly! Best tutorial better than Udemy and Plural sight content! Thank you, Subscribed!!

@ivanpesenti202 4 года назад

Hi Les, thank you for your time and for sharing with us this video 🤞

@abp07082007 Год назад

Wonderful video, very nicely explained, This was really helpful to me. Thank you.

@nick11927 4 года назад

Any chance of doing a video on user secrets or correctly storing sensitive information in the appsettings.json file?

@faceless9367 3 года назад

Did you find any solution?

@rhmirani4367 4 года назад

Excellent and well explained one of the complicated topic, great work!!

@binarythistle 4 года назад

Thanks!

@yajuvender99 3 года назад

Superb Video Les!! Thank you soo much for explaining in detail.

@gauravparikh1205 3 года назад

Nice one Les, Only thing want to know why we created 2 resources

@neicaro 4 года назад

I just finish :-)!! thank you a lot for all the tips, I really enjoy and learn with your way of teaching

@binarythistle 4 года назад

Hi Carolina! I'm so happy to hear that - great work! And thank you for your kind feedback. Take care, Les

@manishraj-it2qv 3 года назад

Hie, for me Grant permission button at 36:30 time , the button is disabled its not working can you tell me the reason

@ChilezieUnachukwu 3 года назад

There's an AppRole feature now, which I used while following the tutorial. Generated same thing as what you copied in.

@cycostallion 3 года назад

Fantastic!! This was a great tutorial coupled with lucid explanation.

@parthgoyal8322 3 года назад

So beautifully explained and coded. Thank You for making such stuff

@hagopvittali3465 4 года назад

Thank you, can you please make a video in which you explain how clients can signup/signin (email, google, facebookl to web api which uses azure b2c authentication ?

@binarythistle 4 года назад

Hi Hagop - I'll put it on the backlog! Thanks for the suggestion, Les

@PadamAgrawal 4 года назад

Thank you , you are too good!! could you please also make video for micro-services like this.

@HonorHasCome 4 года назад

Great Video! Can you plase tell me in which Video you have explained where to store the Credentials for the Production Environment? Thank you!

@azer6849 3 года назад

Thank you, Les, I would like to express my gratitude for your excellent video, and god bless you.

@chandrashekareluri 4 года назад

We are expecting more videos in FULL STACK (.net core , Entity FW and React/Blazor). I really like your Videos Thanks.

@SagnikSaha94 4 года назад

Thank for nicely explaining the concept step by step, It was crystal clear :-).

@MirjamvanM 4 года назад

Hey Les! Awesome tutorial! I followed everything step by step, but at the end of it all I get Unauthorized. I already looked at all the code again and made sure that there aren't any typo's. What could it be? I do get the bearer token.

@mohanhegde 4 года назад

Yeah, even I'm getting the same 401 unauthorized error. Followed all steps and double checked the Guid values

@blinkskaterkc 4 года назад

I was seeing the same thing. For me, I had my app service in Azure set with authentication turned on, which was from earlier attempts and messing around.

@mikeha 4 года назад

same here, I get the same error. Did everything exactly as in the video

@eutitiaj 3 года назад

@@mohanhegde check appsetings section and Configuration["app:variable_name"] services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(opt => { opt.Audience = Configuration["app:ResourceId_API"]; opt.Authority = $"{Configuration["app:Instance_API"]}{Configuration["app:TenantId"]}"; });

@sathiyalr 4 года назад

You are really fantastic Jackson..Thanks for this wonderful session

@muslehhaj4164 4 года назад

Thank you very much for the amount of information that you made easy for us and that saved a lot of time, but frankly I was looking forward to seeing an illustrative example of a safe verification method for user authorization as full stack example :). We all very grateful for your efforts. Best Regards

@2005bgva 4 года назад

Fantastic video, thanks a lot. I would like to learn about a non Microsoft security (identity) alternative, some videos to recommended to me?

@rajanbabu033 Год назад

Great Video. Thanks for creating such a wonder video which is easily understandable.

@kennygilmore1057 3 года назад

I really enjoyed the video! Great job and VERY helpful.

@csalgo7345 3 года назад

Greatest .net core tutorial out there!

@mwardell18290 2 года назад

Great video. I am however confused as to wether this should be done in code or through something like azure api management?

@gerharddiedericks2120 3 года назад

I love you, man! Exactly what I was looking for - a "Hello, world" of bearer token authentication. Just one friendly request - will you please give us an updated vid for .NET version 5.0? I shat bricks trying to do this even after I obtained the token - got SSL errors. It was only after created a new solution in Visual Studio 2019 that I managed to come right. I removed the swashbuckle / swagger stuff that comes with the new project templates, then got 2 prompt screens asking me whether I want to trust the certificate - then it worked (after several hours of tears) - I still don't really understand why. I don't think this constituted a code change; but maybe to the OS itself? Thanks for all the tutorials, appreciate all of them!

@Tech_Publica 4 года назад

Really well done tutorial.. but I think that the scenario of a daemon app using no sign in is severely limiting the usefulness of this material. It would be much more useful to show a a JWT bearer token example involving a front end app (blazor webassemly maybe?) ...

@tuck1726 2 года назад

I know I am late to party but a lot of people have pointed that out. This video is about fundamentals. Throw in other stuff and it takes time away from talking about tokens. I have a cs degree, have worked in the industry for 4 year, watch RU-vid, take web courses and have done a high dollar boot camp.(not bragging). I tell you that to say the bootcamp and countless people online talk bad about CS degree. Yea if you just take CS courses you’ll probably be lost ball in high weeds on full stack. However, courses I’ve never explicitly used like assembly, discreet structures/math, computer be architecture, networking, operating systems, compiler construction and c/c++ are most valuable. Those course guide you in understanding logic, memory me management, bottlenecks, optimizations, data representation, designing protocols, importance of good architecture and problem solving skills far beyond any online courses or the bootcamp I attended. Once you know the fundamentals wiring everything up is easy. I see lots of people that can whip together a full stack application, but it’s slow, not maintainable, inefficient, and insecure. So I appreciate watching videos that teach fundamentals and understands developer have competency to wire it all up. For my capstone project we had a full stack mean application using bootstrap framework. The dataset was orders of magnitude larger than anything we worked with before and most of the people on project had never used a web framework. Most had built 1 REST api in node.js with 1 model and 4 endpoints 2 for each crud operation on model (GET, POST, PUT, DELETE). Only 2 of us had used angularJS and a handful bootstrap, but none of us had done anything on that scale. Well it was no problem. After we got approval to start we put it together in a month. It was comparable to enterprise applications I’ve worked on that took professionals years.(bureaucracy plays a part)

@rimbik1 2 года назад

That awesome, 1 ques, what if some non .net client want to consume weatherpai? How they acquire JWT token, Lets say a CRM system wants to access the API considering integration projects

@adhivenkatesh3431 4 года назад

Jack, it was nice explanation,and cool to understand , thanks for the video.

@seppe317777 4 года назад

Loved the video could you do a tutorial about Identityserver4?

@michaelviglianco6121 4 года назад

You mentioned using user secrets or key vault and I understand why. It seems you leaned towards user secrets? Can you tell me why? Do you have any good resources for that?

@vnkmvp 3 года назад

Great tutorial, I would also be interested in hand-rolling my own authentication server for supplying the token. Is there some resources that you would recommend for the same.

@ThomasPoth 4 года назад

Thank you so much for sharing your knowledge on this channel. You made me a wise man :-)