It really helped me a lot to understand the JWT concepts and to implement the same... Hats off to you to make such a valuable video for better understanding...
For Refresh API, "do we need to pass anything in Header". For me evetime refresh API giving 401. Not able to get what is Wrong. As in Body already passing RefreshCred(jwt token & refreshToken).
Again, 2 fantastic , helpful and well explained videos (in spite of the fact that I got lost a little bit between the different objects :-) as this is very new to me ). Just to validate my understanding, so once we call the refresh api, to reauthenticate, 1 hour later, we should use the RefreshToken for reauthentificiation, am I correct or it is the original Jwtoken that will be extended by another hour?
Great job 👍 again)) but I think the expired of refresh token needs to be more than 1 hour this exactly the duty of refresh token but you copy paste the same time if jwt token
@Ali Haydar, thanks for watching! Yes, I copied and pasted without changing just for the interest of time, but yes refresh tokens are usually much longer-lived compared to a normal token.
In a realistic world, Will user be sending us both JWTToken and Refresh token and on API we need to first check if JWTToken is valid(not expired too) if expired then to use RefreshToken to validate?
@Care Covered, in the real world scenario, ideally the caller should be sending refresh token only when the auth token is expired. And the caller finds it out based on the Auth error response from the service. That is the workflow that is what I have seen normally used.
im just kinda confused. why does a jwt token expire that quickly when i could regenerate a new one with the refreshkey anyways? if someone steals my cookies im fucked anyways
@Marv3Lthe1, the reason you don't want to use a longer timeout is that if your token is stolen you will remain vulnerable for a longer time, hence using a refresh token.
@Flote Fuertes, thanks for watching. You should use a refresh token to get the new token only. For authentication, you should use the new token received with the help of a refresh token.
After the expiry of the access token, a new access token is not generated even with the Refresh Token. public AuthResponse Refresh(RefreshCredential refreshCredential) { SecurityToken validatedToken; var tokenHandler = new JwtSecurityTokenHandler(); var principal = tokenHandler.ValidateToken(refreshCredential.AccessToken, new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(key), ValidateIssuer = false, ValidateAudience = false }, out validatedToken);
@Anushree Desai, generating JWT token is similar, but I have dot done it using azure active directory service before, so I cannot tell for sure what goes into it. Once I try it out I can let you know.
Hello sir!! How do we add external login providers like facebook, google, linkedin etc in .net core web api.. for example: How do i add extra login providera like google facebook in this project that you have taught us?
Niraj Dahal so if I understand your requirement properly, you want to use Facebook or google etc as oauth provider. It should be similar way using a middleware. I can give it a try in a future video. Thanks
System.InvalidOperationException: 'Action 'Auth.Demo.Controllers.NameController.Authenticate (Auth.Demo)' has more than one parameter that was specified or inferred as bound from request body. Only one parameter per action may be bound from body. Inspect the following
i followed your tutorial, but the token expiry is not working.. i created the token for 2 minutes, but my token is working more than 2 minutes. Then i go through some other videos. x.TokenValidationParameters = new TokenValidationParameters { ValidateIssuerSigningKey = true, IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secreteKey)), ValidateLifetime = true, ValidateIssuer = false, ValidateAudience=false, ClockSkew= TimeSpan.Zero
};, in that they used ClockSkew property for token expiry. after i put ClockSkew , my token is not working more than two minutes.
It really helped me a lot to understand the JWT concepts and to implement the same... Hats off to you to make such a valuable video for better understanding...
VISHNU KUMAR thanks! I’m glad the video helped you.
For Refresh API, "do we need to pass anything in Header". For me evetime refresh API giving 401. Not able to get what is Wrong. As in Body already passing RefreshCred(jwt token & refreshToken).
Again, 2 fantastic , helpful and well explained videos (in spite of the fact that I got lost a little bit between the different objects :-) as this is very new to me ). Just to validate my understanding, so once we call the refresh api, to reauthenticate, 1 hour later, we should use the RefreshToken for reauthentificiation, am I correct or it is the original Jwtoken that will be extended by another hour?
@Salam Elias, you are correct, you need to provide the refresh token for refreshing and getting a new token.
Excellent tutorial boss. Please make a discussion on how to optimize dbcontext and configure connection pooling for entityframework core.
Hi, why does this code not refresh the expired JWT token.?
Do you have Git repo for this? it was a nice video thanks!
Yes I have. github.com/choudhurynirjhar/auth-demo
@@DotNetCoreCentral This is supposed tobe added in description. Anyways thanks..🙂🙂
Great job 👍 again)) but I think the expired of refresh token needs to be more than 1 hour this exactly the duty of refresh token but you copy paste the same time if jwt token
@Ali Haydar, thanks for watching! Yes, I copied and pasted without changing just for the interest of time, but yes refresh tokens are usually much longer-lived compared to a normal token.
In a realistic world, Will user be sending us both JWTToken and Refresh token and on API we need to first check if JWTToken is valid(not expired too) if expired then to use RefreshToken to validate?
@Care Covered, in the real world scenario, ideally the caller should be sending refresh token only when the auth token is expired. And the caller finds it out based on the Auth error response from the service. That is the workflow that is what I have seen normally used.
im just kinda confused.
why does a jwt token expire that quickly when i could regenerate a new one with the refreshkey anyways?
if someone steals my cookies im fucked anyways
Is this sliding token concept?
Awesome . Cleared my doubts. Thank you bro 🙏
@Birendra Sahu, thanks for watching!
Why should I use refresh token instead of increasing the timeout of my original JWT token ?
@Marv3Lthe1, the reason you don't want to use a longer timeout is that if your token is stolen you will remain vulnerable for a longer time, hence using a refresh token.
after receiving the refresh token after jwt expires. Which one should be use in the Authorization?
@Flote Fuertes, thanks for watching. You should use a refresh token to get the new token only. For authentication, you should use the new token received with the help of a refresh token.
@@DotNetCoreCentral Thank you very informative content
@@AzZaph you are welcome!
After the expiry of the access token, a new access token is not generated even with the Refresh Token. public AuthResponse Refresh(RefreshCredential refreshCredential)
{
SecurityToken validatedToken;
var tokenHandler = new JwtSecurityTokenHandler();
var principal = tokenHandler.ValidateToken(refreshCredential.AccessToken, new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(key),
ValidateIssuer = false,
ValidateAudience = false
}, out validatedToken);
Can you tell how can we generate JWT token using azure active directory (using client, tenant id etc) ?
@Anushree Desai, generating JWT token is similar, but I have dot done it using azure active directory service before, so I cannot tell for sure what goes into it. Once I try it out I can let you know.
I think without refresh key also we can regenerate token right
@AshokKumar Naralasetti, yes.
Hello sir!! How do we add external login providers like facebook, google, linkedin etc in .net core web api.. for example: How do i add extra login providera like google facebook in this project that you have taught us?
Niraj Dahal so if I understand your requirement properly, you want to use Facebook or google etc as oauth provider. It should be similar way using a middleware. I can give it a try in a future video. Thanks
If you please post a tutorial video on integration testing using key token, when token is generated in different api would be very helpful. Thanks.
@ayanghosh thanks for watching! Sure I will give it a try.
@@DotNetCoreCentral Thanks.
Very nice video. Thanks 🙏
Can you please try to do a video about Open ID connect using identity server 4?
@Muhammed Shuhaib, I will put it in my queue, thanks!
Thank you Brother....!
@Rahul jadhav, thanks for watching!
please shear the link of other videos you have mention at the start of this video
@Arslan Saleem, all the videos are available on my channel.
Is there a GitHub for this code? Would be helpful.
@Jamie Bowman, yes. github.com/choudhurynirjhar/auth-demo
Please share the repo in description.
It's in here: dotnetcorecentral.com/blog/authentication-handler-in-asp-net-core/
Thanks for watching the video.
Hey, really good video, but do you have any source code ? like on github pls ?
@Vennicks, thanks for watching! Here is the repo link: github.com/choudhurynirjhar/auth-demo
@@DotNetCoreCentral thanks a lot !
@@Vennix13 you are welcome!
System.InvalidOperationException: 'Action 'Auth.Demo.Controllers.NameController.Authenticate (Auth.Demo)' has more than one parameter that was specified or inferred as bound from request body. Only one parameter per action may be bound from body. Inspect the following
Pls sir look into this
@@koushikdas5122 can you share your code here, the part where you are getting error
hello sir do you have git repo please send the project git repo link we need to undestand
@sukurulla sheikh, here is the repo: github.com/choudhurynirjhar/auth-demo
Plz explain .net core project structure and easy to code tips
tech buzz I’m not sure I understand completely what are you looking for. Can you please elaborate?
@@DotNetCoreCentral .net core basic project folder, which files will use for what
@@techbuzz3869 Ok, I will make a video in the future for that. Thanks for the feedback
I need to destroy jwt token when user logout...can u please let me sir
SHIVA PRASAD MANCHALA on your logout API call you can remove the token from the toke store.
Sir if u have repository....can u please share sir
Am not saving token in database
@@shivaprasadmanchala3955 you can remove token from the client storage/browser
Can you please give us the link of the source code
@V VV, thanks for watching! The source code is available in my GitHub report here: github.com/choudhurynirjhar/auth-demo
Could you please share the source code for this
github.com/choudhurynirjhar/auth-demo
link to the repository github.com/choudhurynirjhar/auth-demo
i followed your tutorial, but the token expiry is not working.. i created the token for 2 minutes, but my token is working more than 2 minutes. Then i go through some other videos. x.TokenValidationParameters = new TokenValidationParameters
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.ASCII.GetBytes(secreteKey)),
ValidateLifetime = true,
ValidateIssuer = false,
ValidateAudience=false,
ClockSkew= TimeSpan.Zero
};, in that they used ClockSkew property for token expiry. after i put ClockSkew , my token is not working more than two minutes.
@Pajani Arjunan, I will verify and let you know.