Stateless JWT Authentication C# .NET

Подписаться 1,6 тыс.

Просмотров 1,3 тыс.

50% 1

Implementing JSON web tokens (JWT) for stateless authentication & authorization as an alternative to the new .NET 8 Identity Endpoints using bearer tokens.
Source code: www.patreon.com/posts/json-we...
Get my packages: www.kiss-code.com/products
Access 34.000 remote jobs: remotive.com/accelerator?via=...
If you found this video helpful, like & subscribe! That means a lot to me!
00:00 Intro
00:37 Project Setup
05:10 Register User
12:49 Confirm Email
14:25 Login
16:05 Create Refresh Token
19:55 JWT Access Token
22:38 Inspect JWT
23:30 Current User Info
26:55 Forged JWT Experiments
28:00 Admin Protected
28:40 Recap
29:00 Refresh Tokens
37:23 Outro 1
38:13 Final Recap
38:40 Frontend?
39:20 Outro 2
#dotnet #csharp #webapi #serilog #logging #monitoring #api #webdevelopment #fullstack #fullstacksoftwareengineering #backend #docker #azure #containerization #devops #cloud #microsoft #entityframework #identityframework #mssqlserver #mssql #cleanarchitecture #authentication #development #local #web #fullstack #authorization #jwt #bearer #cqrs #mediatr #cors #http #stateless #webscraping #workers #migration
#development #blazor #wasm #pwa #progressivewebapps #webapp #webassembly #seo #rendering #client #render #server #prerendered #googlesearch #modular #monolith #verticalslicearchitecture #minimalapi #dotnet8

Опубликовано:

5 авг 2024

Ссылка:

Скачать:

Готовим ссылку...

Добавить в:

Мой плейлист

Посмотреть позже

Комментарии : 7

@orlandomalo7032 7 месяцев назад

Great video! I have one question, when you use refresh token endpoint you pass the access token and refresh token as parameters, but in the code you use only the access token to get the userId and also the RefreshToken value, so why do we need the refresh token?

@kis.stupid 7 месяцев назад

Great that you noticed that! It's a refactoring mistake in the video. I fixed that in the code afterwards. We need both because it's an extra safety check (while refreshing) The JTI claim should actually hold the Guid (Id) of the database record of that RefreshToken row, not the JwtID. So, if we then get an AccessToken and RefreshToken (JwtId), we look in the database if there is a record with the Guid (Id) that the AccessToken has as JTI claim and we check if the JwtID for that database record matches the incoming RefreshToken (JWTID). In this way, we're certain that the AccessToken and RefreshToken are a valid pair. To reduce confusion, I renamed JWTID to refreshTokenValue (Value as column name). And the Guid ID of the refreshToken database record is now named refreshTokenId (Id column). Don't worry if you don't have that, it's just an extra safety but how it should have been in the video (my bad).