Let's take a moment and appreciate the work you are doing. Honestly, people would charge hundreds of dollars if not thousands for these kind of videos. Very practical and to the point. Amazing explanation. I recently found your channel and believe me the content I'm finding here is exactly what I needed.
Thanks man. Thank you so much for making such helpful videos for us.
I'm glad that you like it; comments like this motivate me to bring more videos like this. Thank you, subscribe, like, share 🙏
This is the place where real software engineers come to worship :) Thanks for these videos. Practical implementation is much required, you are filling the gap very well :)
I share the sentiment as many other folks who have commented here. I went through many videos to get a simple explanation to JWKS and none was as perfect and simple as your explanation. Crisp explanation. Not too fast, not too slow. Keep coming up with more videos.
Thanks for that!
Subscribe like share
So clearly explained 👍, got here from Google News in the early mornings.
where have you been amigo ? Have been missing these videos. Great to have you back !
I’ll try to be regular every week
This is excellent video. Exactly what I needed!
Man whenever I dig your channel I found something new ❤️
simply awesome tutorial. crisp & concise! was stuck because of jwks issues. thanks a lot for this. :)
Glad it helped!
I have only just found out your channel, and I really enjoy them! Thank you 😊!
I’m going to search your video library to check some more!
This is another level, you are very amazing.
Beautiful.
Clear and Crisp.
Love it
Very good content, very well explained, amazing stuff.
Plain and simple! Keep going, please.
Loved your explanation.
👏👌👌
Thank you for this great resource.
Very grateful to you
Really good explanation and example. Nice job
Glad you liked it!
Welcome back buddy!!, thanks
A huge thanks for this video! Great flow of the explanation!!!
Welcome back, man.🎉🎉
Make a series on microservice application design in nodejs.
Superb explanation and giving really good understanding to the securing API end points in microservice architecture using JWT. very practical!, thank you.
good explanation..!! you have covered a lot in this one video. Thanks for sharing your knowledge.
Welcome back buddy!!
tks for sharing ... amazing teacher!
Glad you liked it!
This is simply brilliant
Great piece of work. Just a tiny correction for 2:06: you should say "symmetric", not "asymmetric".
Very well, thank you for your efforts 🙂
Thanks for watching!
Master is back
Thank you for this Great video.
Awesome! Thanks
You deserve love
Welcome back ...
Thanks for the great tutorial. I have one doubt. You said JWKS is the representation of the public key, but you passed the private key to convert into JWKS.
Accurate ❤❤
Informative with demo
Waiting for your next video on node js Micro services
I'm confused: when you publish jwks.json, attackers will also be able to get it and use a man-in-the-middle attack to decode, verify and change some information? Can you explain it for me??? Thanks in advance!
Only the public key is exposed, and in an asymmetric algorithm like RSA the public key is publishable; there is no harm because the public key is meant for the public. Moreover, one can only verify the authenticity of the token with this key; he will not be able to modify the token in any way. In case he does modify it, the token would not be valid when verified with the public key.
I got it, thank you so much!
How can we use JWT for authentication for a REST API while mitigating XSS & CSRF attacks?
Thaaaank's
Is there a reason I can't just use environment variables and a DB instead of doing all of the work with PEM files? My system is set up so a secret is generated for each user and that is then stored as their own secret environment variable. On requests to my auth server it uses that environment variable to set a cookie, and my auth server verifies the JWT in the cookie against the DB vs a JSON file. But isn't it all the same thing basically? Or is doing it this way worth the change in the code? Also it's a lot of dependencies this way, and that always worries me.
Is this flow the same as the OAuth 2.0 Client Credentials Flow? Can you please check and tell?
Very amazing video. Please make a video on jose npm package
Bro, it's the same with more features; you can use that as well.
I just subscribed. Great video. Very well explained with proper code walkthrough. May I know which IDE you are using and which theme. The IDE color coding looks very cool.
Dude, this is an amazing tutorial. Thank you. Quick question for you or anyone. What's the best way to include multiple keys? I have a few different keys on my auth service, for things like email verification, resets, two-point auth. Do the keys need to have a name associated with them at that point? Also, is there any reason I can't store the key sets in a DB? Not for my own auth purposes, but I am building an OAuth-type system so I don't have to keep remaking the front-end logic for all the auth routes, and to offer it for my clients' sites as well. So what I have now is: I generate keys using crypto, and then save them to an organization model. Is that for any reason a security flaw? Any suggestions on what I should do instead if there are security concerns?
Make videos please we need you make more videos on backend and front end
Great video.
In an authentication system, we have two tokens: refreshToken and accessToken. The accessToken needs to be verified on every microservice, so we definitely use a public and private key pair for it. But the refreshToken is verified only on the auth service to return an access token. So, do we use a public and private key pair for the refreshToken also, or stick with secrets?
Exactly, you are correct; you can easily use secrets for refresh tokens, only access tokens need pub/priv keys.
@mafiacodes Thanks!
@mafiacodes If we have a secret then we use env vars. But here we cannot push the cert folder to GitHub or set them as env vars. So, how do we handle deployment with a public key and private key?
Can you please make a series on design patterns, like DDD, TDD, SOLID etc. (Clean Code)?
It is not available on YouTube for NodeJS, please check this out!
At 19:50, you should have explained why you're using "RS256", why not "RS384"? I understand these are not related to the keys that you generated. However, the questions about the choices that you made are still confusing to some of us, as to why you did not use X and used XX instead when they look almost similar. Overall, excellent tutorial though. 😃
But we also send the JWT secret from the auth service, so why do we need this?
You should start tutorials for Spring boot
And please make a video on how to deploy a Node microservice on AWS or any other platform.
Hello, I have a question: do you recommend creating your own authentication and authorization instead of outsourcing it, or getting a library instead? If not, what libraries or paid services do you recommend for medium- to large-scale applications? Thank you.
1. Outsourcing? Depends on the project size; if small then definitely yes, for example Firebase Auth, Auth0, magic links, etc. You can use any; each has its advantages.
2. Library? One more thing: you can definitely use libraries like Passport, NextAuth for Next.js, etc.
3. If you have a large project, you should OWN your authentication system, otherwise you will be charged a lot in the long run. But that also means that what you are coding for authentication should be rock solid, and only do that if you know what you are doing; otherwise use an authentication service as above.
How can I use this method with nginx?
Thanks!
Subscribe like share
Hi sir,
Can you please tell me the zsh mod you are using? Your terminal looks beautiful.
Thank you
He is using spaceship-prompt.
How to set up authentication for MongoDB in Kubernetes?
If both the auth and resource modules are in the same project, can we use the public key directly to verify the JWT?
Yes
Can we store the keys for RSA in .env files?
Should we include or exclude .pem files when pushing to the remote git repo and deploying??
You can use your RSA PUBLIC (ONLY PUBLIC) key wherever you want, and just keep the private key safely locked...
@mafiacodes Where can we store it for a Docker application?
Please
You will write it this way for an Express REST API.
Getting undefined when passing PEM files to the rsaPemToJwk() function...
Anyone can help me?
Note: the PEM files are read properly and the import is also done properly...
Getting the same error here! @yoursTRULY267
// Fixed version of the snippet: the "\n" had been split across two lines, so the
// string literal was broken. The Buffer round-trip is unnecessary; readFileSync with
// "utf-8" already returns a string. The path is an assumption (the video's cert folder).
const fs = require("fs");
const rsaPemToJwk = require("rsa-pem-to-jwk");
const privateKey = fs.readFileSync("./certs/private.pem", "utf-8");
const certString = privateKey.trim() + "\n";
// "public" asks the library to emit only the public JWK (n, e), never d/p/q.
const jwk = rsaPemToJwk(certString, { use: "sig" }, "public");
// If this still prints undefined, check that the PEM really is an RSA key in the
// PEM format the library parses (-----BEGIN RSA PRIVATE KEY-----).
console.log(jwk);
❤❤❤
Hello my dear brother, can I ask for help in decrypting the data of a game I want to modify?
like what?
🧡
Where to store the token???
Use either HttpOnly cookies or Authorization headers.
I echo Krishna Jha
Bad explanation
Good night! Why is such a result being returned?:
node convertPemToJWK.js
undefined
Please, help me!
@Sahil Arora not yet