ASP.NET Core External Authentication (OAuth, .NET 7 Minimal Apis C#)

  • Published 6 Sep 2024

COMMENTS • 75

  • @dengari1 1 year ago +7

    God, I feel so dumb. I needed to implement Microsoft auth in my project and there were literally two outdated guides on MSDN which were not helpful at all. Now I can understand at least how to set up an external auth and move in the right direction, thank you.

  • @michaelestrinone2111 1 year ago +12

    Anton, I can't thank you enough for your presentations! I hope you'll get to the point of publishing PAID classes - will be the first to pay and sign up.

  • @fieryscorpion 10 months ago +3

    This is how things should be taught. MSFT should hire you to help run their docs team. Many Thanks!

    • @RawCoding 10 months ago +1

      I appreciate it man, glad you're enjoying these.
      If you have Twitter or LinkedIn I'd appreciate a share )

  • @computertraining4229 1 month ago +1

    I love your background arts 😃😃

  • @adressjalaly9200 1 month ago +2

    Wow nice background 👌

  • @lord_rimuru_sama 2 months ago

    This video is super DETAILED!! Thank you so much. There are a lot of famous tech YouTubers who cover the same topic, but nothing comes close to the details and information that you provided in this video.

  • @schlott1970 2 months ago

    Incredible, like the way you go through Microsoft's source code to understand the why's as well.

  • @TheITomG 1 year ago +5

    I didn't get your example to work with .net7. I had to use .net6 and then all worked fine. In .net7 I get a stack overflow exception. Do you know why this is?

    • @RawCoding 1 year ago

      I'll take a look

    • @TheITomG 1 year ago +1

      @RawCoding I found the error after following until the callback endpoint was done. Then I had to switch to net6 for the rest of the video.

    • @ThisIsSimonK 1 year ago

      I thought I was doing something wrong, I have the same issue.

    • @Epicice_ 1 year ago

      Same issue here, the project was created in .net6 then updated to .net7 before trying this. Not sure if that could have an impact, maybe I didn't update properly, but everything else worked.

    • @Uryupin1993 5 months ago

      Getting same issue with .net8 exit code -1073741571

  • @taylort1842 1 year ago

    This is an excellent deep dive!

  • @usamasuhaib3019 6 months ago

    Great! I need a Yahoo authentication tutorial, please make a video for it.

  • @TheIBrown 5 months ago

    Having a problem. A silly one. At 10:31, when first setting the Callback endpoint, I keep just getting ERR_CONNECTION_REFUSED. I'm on a Mac, using Rider. VPN is off, "Bypass Proxy settings for these hosts and domains" includes localhost. When I run with 'dotnet watch --no-hot-reload', I get 'dotnet watch XExited with error code 138' followed by 'dotnet watch Waiting for a file to change before restarting dotnet...'

  • @GraGra3333 1 year ago +1

    Loving your videos. Have you thought about doing some on 2FA, also with MFA, and TOTP, FIDO2, SMS, etc.?

  • @vamsidhark8469 5 months ago

    Thank you very much! The video was amazing. I have to send a base64-encoded clientId and secret to fetch the OAuth token. How do I implement that? Any suggestions would help me a lot.

  • @EzequielRegaldo 1 year ago +1

    You're awesome! THANK YOU SO MUCH

    • @RawCoding 1 year ago +1

      Thank you for watching boss!

    • @EzequielRegaldo 1 year ago

      @RawCoding Anton, why did you choose .NET over Java for development? Maybe I'm asking the question wrong, and I apologize in advance. I need to make a choice for my personal project and also acquire a skill for the job market. It may seem like your answer is obvious, and I assume you made the choice based on something that I'm not able to deduce or know about your personal history (this is not a hate question, nor do I want to imply that one technology is superior to another. My reason is pure ignorance). And thank you in advance for taking the time to read comments!

    • @RawCoding 1 year ago +1

      My life course took me through learning dotnet and not Java, I liked it so I use it.

    • @EzequielRegaldo 1 year ago

      @RawCoding Great! Thank you very much for sharing your wisdom with others. It's evident that you have acquired a significant amount and quality of knowledge. Best wishes!

  • @dyrdai2658 1 year ago +2

    Thanks for the video. I have a question. Do you validate the token which comes from the external app? If yes, then at which moment?

    • @RawCoding 1 year ago +2

      You almost don't need to validate the token, because it's via backend config which is in your hands. Otherwise you can hit the user info endpoint to validate it.

  • @MrJonnis13 1 year ago +1

    Great presentation as always Anton. Thank you for your effort and enthusiasm (and sense of humor)!
    A general question on AuthenticationHandlers: are they part of the Authentication Middleware (app.UseAuthentication) or the Authentication Services (builder.Services.AddAuthentication())?
    This is kind of blurry to me.
    I would say that the "Services" registers the Handler and when the Middleware is reached, then the handler is executed. Is that a correct statement?

    • @RawCoding 1 year ago

      That is exactly what happens! We explore that in the Authentication video (1st in the playlist)

    • @MrJonnis13 1 year ago

      @RawCoding thanks for verifying.

  • @cyril113 1 year ago +5

    It's impossible to use anything authentication related without reading a fucking book about it in ASP.NET core.

    • @RawCoding 1 year ago

      I think auth is pretty good in aspnetcore. People want it to be easy, but it's a big domain that takes time to learn.

    • @cyril113 1 year ago

      @RawCoding people compare it to other frameworks they have used in the past. And I think it's much harder to set up compared to Spring Security, where you can set it up by providing a single method that loads your login data from the DB.

  • @engineer.me.108 2 months ago

    How cool

  • @M0ns1gn0r 1 year ago +1

    In your video on OAuth 2.0 & 2.1 you explicitly said that OAuth is not about authentication but only about authorising access to external resources. You said that by the point you start using the OAuth protocol, the user has to be already authenticated. Doesn't this "external authentication" break that rule (and why does this rule exist in the first place)?

    • @RawCoding 1 year ago +1

      Your observation is 100% correct.
      > Doesn't this "external authentication" break that rule
      Yes
      > and why does this rule exist in the first place
      An access token gives access to an API, not necessarily any information about the user; this can be abused to make unwary users consent to more data than is required.
      OpenIdConnect was created for this reason, to give id_tokens, which are an authentication session encapsulated in a JWT.
      All in all, it is NOT TERRIBLE to use OAuth for external authentication, but it could be, and some external authentication providers don't give you anything else. It could be that some big tech companies don't understand or don't care enough to support OIDC.

  • @user-dm2lb8pl6p 2 months ago

    I wrote the same code into my app but it is giving me an access violation

  • @abdulnaveed4984 1 year ago +1

    What is device flow? While creating a GitHub app there is an option to select device flow. Can you please make a video on this?

    • @RawCoding 1 year ago

      Device flow is like a TV )

  • @josephh8117 1 year ago

    1:45 ... I am trying to set up OAuth2 authentication for a different external API, Discogs. Any idea of how I would determine what the first parameter (the authentication scheme) should be in "...AddAuthentication().AddOAuth(_____, o =>..."? Many thanks for the content.

  • @user-xk4tx6vz1r 8 months ago

    Hi Anton, thanks for the awesome video. Do you have any with SAML SSO? I know most things are similar, but I am looking for a comprehensive one, as the web doesn't have any quality one.

  • @eduard.schaefer 1 year ago +1

    Thanks, very helpful. Would love to see the own OAuth Server part :)

    • @RawCoding 1 year ago +1

      Check the playlist )

    • @eduard.schaefer 1 year ago

      @RawCoding saw it right after commenting :D thanks

  • @Jimcbell 9 months ago

    Great video! I noticed in my Program.cs that when I tried to call Add() on the OAuth Scope to allow multiple scopes, it only works if you add the two scopes you want separated by a space in one Add() method. When I tried using two Add() calls, it would only show that the openid scope was valid and my request for other resources would fail. Are scopes supposed to be addable to the collection one Add() per scope that you want?
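    As an added example (not the video's code) covering the token-validation question earlier in the thread, the OAuth-vs-OIDC reply and the scope question in this comment: a .NET 7 minimal API that signs the user in with a cookie through a generic OAuth provider, fetches identity from the user-info endpoint in OnCreatingTicket since a plain access token carries none, and adds scopes one Add() at a time (the handler joins the Scope collection with spaces when it builds the authorize request). Provider URLs, config keys, scope names and JSON field names are placeholder assumptions.

```csharp
// Added example, not the video's code. Cookie session + generic OAuth handler (.NET 7 minimal API).
// Provider URLs, config keys, scope names and JSON field names are placeholders.
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authentication;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddAuthentication("cookie")
    .AddCookie("cookie")
    .AddOAuth("provider", o =>
    {
        o.SignInScheme = "cookie";                       // the ticket built below becomes the cookie session
        o.ClientId = builder.Configuration["Provider:ClientId"]!;         // placeholder config keys
        o.ClientSecret = builder.Configuration["Provider:ClientSecret"]!; // secret never leaves the server
        o.AuthorizationEndpoint = "https://provider.example/oauth/authorize"; // placeholder
        o.TokenEndpoint = "https://provider.example/oauth/token";             // placeholder
        o.UserInformationEndpoint = "https://provider.example/api/me";        // placeholder
        o.CallbackPath = "/oauth/provider-cb";   // must equal the redirect URI registered with the provider
        o.SaveTokens = true;                     // access/refresh tokens kept in AuthenticationProperties

        // One Add per scope: the handler joins the collection with spaces in the authorize request.
        o.Scope.Add("openid");
        o.Scope.Add("profile");

        // Map fields of the user-info JSON onto claims (field names are placeholders).
        o.ClaimActions.MapJsonKey(ClaimTypes.NameIdentifier, "id");
        o.ClaimActions.MapJsonKey(ClaimTypes.Name, "login");

        o.Events.OnCreatingTicket = async ctx =>
        {
            // A bare OAuth access token carries no identity: fetch it from the user-info endpoint over
            // the back channel. A token the provider rejects fails here, before any cookie is issued.
            using var req = new HttpRequestMessage(HttpMethod.Get, ctx.Options.UserInformationEndpoint);
            req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", ctx.AccessToken);
            using var res = await ctx.Backchannel.SendAsync(req, ctx.HttpContext.RequestAborted);
            res.EnsureSuccessStatusCode();
            using var user = JsonDocument.Parse(await res.Content.ReadAsStringAsync());
            ctx.RunClaimActions(user.RootElement);   // applies the MapJsonKey mappings above
        };
    });

var app = builder.Build();
app.UseAuthentication();

// Challenge the OAuth scheme; after the callback the user lands on "/" with the cookie set.
app.MapGet("/login", () => Results.Challenge(new AuthenticationProperties { RedirectUri = "/" }, new[] { "provider" }));
app.MapGet("/", (ClaimsPrincipal user) => user.Identity?.IsAuthenticated == true ? $"hello {user.Identity.Name}" : "anonymous");
app.Run();
```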

  • @konstantinpodgaets2313 6 months ago

    It's interesting. After adding CallbackPath to the OAuth service, the server can't run. It just closes the browser without any error.

    • @Uryupin1993 5 months ago

      Does dotnet watch produce any error codes for you when it quits?

    • @konstantinpodgaets2313 5 months ago

      @Uryupin1993 it's been a while since that comment. I don't remember the details. Somehow, I solved the problem but didn't take a note(

  • @yuzhang3773 1 year ago

    Thank you very much for your knowledge. Following your way I wrote the Google login request; strangely I didn't get ctx.RefreshToken in OnCreatingTicket, it was always null. I set SaveTokens=true, and I do get ctx.AccessToken. Am I missing something? Any answer from you will help me a lot. Thank you.

  • @ThienNguyen-uc2fg 11 months ago

    What if I have a SPA application (Angular)? My FE and BE have different domains. Could I set up RedirectUri to my FE domain? Then from the FE side, what should I do to know whether the user is authenticated or not?
    What if from the FE side I call /authorize and get the authorization code at the FE side, then call the BE side to exchange the token and get back to the FE?

  • @shajareyetuba 1 year ago

    God like

  • @AhmedMohammed23 1 year ago +1

    Would you make a video that shows how to make a normal ASP Core API project with both JWT and cookie auth and refresh tokens?

    • @RawCoding 1 year ago

      what's the use case?

    • @AhmedMohammed23 1 year ago

      @RawCoding I have 2 fronts: one for employees, whose front end will be native apps and will use JWT, and another for customers, a React web app that will use cookies.

    • @RawCoding 1 year ago

      @AhmedMohammed23 why not cookies for both?

    • @AhmedMohammed23 1 year ago +1

      @RawCoding 1- I started the project with JWT for employees only and mobile apps in mind.
      2- I'm not very knowledgeable when it comes to cookies, like how would I differentiate between the cookie for an employee and a customer? Right now I do it with claims in the JWT.
      3- Are cookies a better solution for the mobile apps than JWT?
      The employees and customers access different parts of the API; also in the employee part different employees might have different permissions.

    • @RawCoding 1 year ago

      @AhmedMohammed23 have a think about it, a cookie is just a collection of claims, encrypted.
      When the cookie hits the server you know what claims are inside the cookie.
      If you need to know the claims on the app, query them from the API.

  • @matthewrossee 1 year ago +1

    Can I use JWT instead of cookies? I need this for a mobile app.

    • @RawCoding 1 year ago

      You don't need JWT for mobile app auth, you can use cookies.

    • @matthewrossee 1 year ago +1

      @RawCoding I know that it's technically possible, but from what I've read no one really does it because handling cookies in React Native is very problematic and it should be preferred to use a token-based approach. I'm kinda confused, because every example project on the Internet uses cookies for OAuth and at the same time people say you shouldn't use them in mobile apps. Also almost every example I've seen in react-native/flutter doesn't use the backend as a proxy to call the /oauth/authorize endpoint, they do that directly from the mobile app. Isn't it an antipattern? I guess one could say it's still secure, because /oauth/authorize doesn't need the clientSecret, but then how should the asp.net core middleware be configured if it expects an app to call /login which THEN redirects to /oauth/authorize?

    • @RawCoding 1 year ago

      @matthewrossee If you want to authenticate your app with a token instead of a cookie you can do that. Send credentials and return a token. ua-cam.com/video/8FvN5bhVYxY/v-deo.html
      YOU DON'T NEED OAUTH to authenticate a mobile app. You need OAuth if you want to DELEGATE ACCESS to external parties. (let that sink in) Watch this for more: ua-cam.com/video/hesoqoKUMic/v-deo.html
      > Also almost every example I've seen in react-native/flutter doesn't use the backend as a proxy to call the /oauth/authorize endpoint, they do that directly from the mobile app. Isn't it an antipattern?
      I would not advise this. Though mobile apps have better secure storage infrastructure than browsers, this still suffers from the same issues of transferring tokens via the front channel: leaking logs, privacy-infringing web views, etc.

    • @matthewrossee 1 year ago

      @RawCoding Yeah, I know that OAuth is more about authorization, not authentication. Currently I'm writing an app at my university and it should allow users to sign in via their account in the university's system in order to get some info about them. Basically, the flow looks like this: mobile app opens a webview => webview sends a request to the backend that communicates with a crappy legacy authorization server that has almost no documentation AND uses OAuth 1.0a in 2023. Then the backend redirects the webview so the user can enter their credentials => the authorization server hits the callback endpoint that gets user info => if a user with such an email doesn't already exist in the database, then it's created and a cookie is set. The thing is, if I wanted to use the system's browser instead of the webview (which is the recommended way, otherwise Apple is gonna reject your app), then I physically cannot get the session cookie that was returned to the browser into my React Native app, that's why I was considering using tokens. Not to mention that libraries that handle cookies in React Native are of dubious quality. How would you go about that?

  • @stevenmaroney6521 1 year ago +5

    Dude, you move way too quick. As soon as I try to digest what line of code you wrote, you already move on to another screen or start talking about something else.

    • @RawCoding 1 year ago

      You can slow the video down )) but thank you for the feedback. I won't remake the video but I'll consider it for further videos.