We start with .NET Framework, then upgrade to .NET Core 3.1, and then upgrade to .NET 5. Doing it this way will give you experience with the upgrade process, not just in the final version.
Note that you cannot use the Postman web client when using localhost. Install the desktop client. It's kinda obvious but might save you a quick Stack Overflow search.
Hi Tim, First of all, I love your videos. Small question, you did a get request to the token action (localhost:..../token) but I didn't see it on the page at 13:59 (localhost.../Help page). Why isn't it shown?
I was also wondering about this. My assumption was probably because it's buried deep within metadata somewhere. Meaning, it's baked into C# whereas what we're seeing is an application similar to what we'd build on top of it. To prove my assumption, I began my F12 (Go to definition) journey. Here's the path if anyone's interested: Startup.Auth.cs line 39 ApplicationOAuthProvider line 53 OAuthTokenEndpointContext line 12 OAuthAuthorizationServerOptions line 33 comment has "/Token" in the summary. How this all works is waaay beyond my skill level. Everything else we see when we click on API is under Areas => HelpPage => Views => Help. I probably made like 1% dent to your question and my ever growing curiosity but, progress is progress :) Hope it did help though.
@IAmTimCorey Hi, thanks for responding. I feel I ought to give you an update. I have learned a load of info along the way. I have set up the models and scaffolded controller / views. I am kind of stuck from there (first experience with the whole dot net and web-dev in general). But it's been pretty fun and asp dot net core is well structured, Microsoft docs are helpful and 1 day is not enough in any case. Thank you again.
Hey Tim, great video. Is it possible to scaffold this all without the (MV)C? So purely for API projects. Or is the only way to manually remove it like you said in the end in the video?
In the .NET Framework, the two are tightly tied together. In .NET Core, which we will upgrade this to in this series, we can more easily separate out API from MVC. They both run off the same base, but we don't need to bring in the MVC parts if we don't want them.
This video was godsent, I found very few resources discussing API authentication. Do you recommend doing this (issuing the JWT tokens from the same app) in a production environment instead of a third-party issuer?
Maybe I didn't pay enough attention, but when was the SQL Server-connection created? Was that done default by some hidden setting for the project template? PS: Your tutorials are great!
The only SQL connection we have right now is the authentication connection, which does get created as part of the template. We will set up our own SQL connection soon with Dapper. So we will have two databases, one using Entity Framework for authentication (that we don't really manipulate or change) and one that we connect to via Dapper for our application data.
Visual Studio 2019 (16.3.7). Authentication forces SSL certificate (it creates a self-signed one for you that you must accept the risk of when you browse to the URL the first time). Additionally Postman 7.10.0 when the POST "Headers" tab "Content-Type" is left as "text/plain" will cause an exception, you must change it to "application/json" and make sure to use "" instead of ""
Thank you Tim, this was so useful. Your videos are great. I have a request: can you make a video of adding refresh tokens as a second part of this video?
That's a great video! There is not a lot of information about .NET authentication on the internet. If you had a video with cookie authentication, that would be great too!
So, I'm coming into this lesson knowing nothing about web API, or anything this video really covers. I'm wondering what kind of prerequisites you'd give for this series? is this something I can hop into once I've got the basics of C# down, or is there something I need to cover to bridge the gap from being decent at C# and this course?
Hi Tim, Thanks for the great explanation. I have a doubt as to how the api is validating the token. I don't see the token being saved anywhere in the local SQL DB. Could you please help me on this
The token is encoded, not encrypted. That means that the API can decode the token and see the various parts. One of those parts is an encrypted version of the secret key that was used. The API compares that secret key to what it has for a secret key. If the two match, it trusts the token.
I like to keep the auto-generated database separate from the database I create. It keeps a clear separation. Also, keeping the identity information separate from the rest of the data allows me to secure the database differently and back it up differently.
Hey Tim, Love all your videos I have seen so far, thank you for sharing your knowledge! Quick question, I have tried making this project a few times now and every time it does not create the authorization database automatically. Any thoughts on why and how to fix this problem?
Great video, would it be possible for you to make a video on what to do when the access token expires? What is the standard procedure? ask for password again? how to use refresh tokens?
Hi Tim, I find your videos motivating and cannot stop working on the TimCo series as a preparation for my own application. In this regard I am asking myself how to deploy / release such a solution. Is that somewhere covered in your course? The application I would like to develop is rather simple and I do not have a specific server infrastructure available. It should run locally only with a DB and so far I only see a WPF front end, however I clearly see the benefit of having an API for bundling business logic (and also to be future-proof). But in general, I don't need all the web stuff. Would you still go for a web API? How would the release process look like (e.g. publish on Azure)? Where and how would the DB be published? As usual, thanks for your helpful comments and time you put into your videos.
Deployment is something we will be covering coming up in the course. I do have videos on deployment on this channel but we will cover the TimCo scenario specifically with deployment soon. As for having an API, it allows you to be flexible. However, it is a layer of complexity so it depends on your scenario. The nice thing with an API is that it holds all of the security, etc. behind a wall. So, you won't need to put a database connection string on the client machine. That alone can be worth putting an API in place for.
Tim, great video as always. Isn't it considered bad practice to send sensible information (as passwords) using get, since it gets logged in the browser history and it can be intercepted by someone else on the network?
Yes, I should have sent it via POST. I'm not sure if form data is stored in the URL but it can be cached so POST would have been the better choice. I use POST in the future videos.
I don't use UML. I haven't seen it used in a company since college. It may be that its usage depends on where in the world you are located. Personally, I have not found full UML valuable. However, I do draw out designs and databases. I'll probably do that for this project, although I'm planning on doing smaller-scale planning at each step instead of trying to plan out the entire application all at once (agile vs. waterfall).
Hi Tim, I just bought the course from your website and went through this but got stuck at trying to get the access token with a not supported error when you execute the get command. With many hours of frustration I have solved it now and I have come to the conclusion that the video needs updating. Postman doesn't allow you send a body parameter with Get commands anymore so you have to use Post to get your token otherwise this doesn't work.
@IAmTimCorey "Half the time or more those don't come to pass and so why spend time on something that might happen when I have plenty to do already" Apart from coding we learn life quotes, so true haha. Thanks for the share, love your videos, I am starting to become addicted! Good job, keep going!
Hi Tim. Excellent video as always. What about managing expiration dates for access tokens, so that users will need to login after a set period of time?
You can change the amount of time a token lasts by setting the AccessTokenExpireTime when you set up the token. You can also set up refresh tokens if you prefer. I left it at the default since I wasn't too concerned about it. I was treating the site more like Facebook, where you could stay logged in for days if you want.
Hi Tim. Great video! I came across an API the other day (using swagger) that also required the user to send an x.509 certificate. I am curious how much safety this adds to the client/server interaction. If you want the API to be very secure, is this the right way to go? If useful as an extra security layer, could you perhaps show how to set this up.
A 509 certificate basically creates an identity with the server. It says that you are who you say you are, kind of like a password but in some ways better. They are a pain, though, since each client needs to set one up with the server. I don't often see them used. However, this might help you out: stackoverflow.com/questions/35582396/how-to-use-a-client-certificate-to-authenticate-and-authorize-in-a-web-api
I came across it when connecting to an api that provides details of healthcare professionals and institutions. It is only open to those who have a valid reason to lookup those details. They first need to get certified. The idea stuck in my mind though, that it may be a secure way to design an application and/or app for 1 organization that works with sensitive private data (e.g medical files) and only software clients who have a certain certificate and token can use that api. Are there perhaps better ways to achieve a very high level of security?
Two factor authentication is a good solution. It allows you to verify that the correct person is the one using the credentials. Usually it involves a hardware key or secondary device (like texting a phone, although that isn't terribly secure).
Your videos are awesome... But can you pls provide an advanced level Web API video which includes internal structure and difference of request / response of GET, PUT, POST, DELETE with form-data, urlencoded, raw, etc.
Hey Tim, Great Video... a quick question... you also showed the database, was that created by default when you added the web api project into your solution?, and secondly, does the default code for POST will update the database with userid and pwd info?
The database was created the first time I asked for data or tried to insert data. It was created by Entity Framework auto-magically. The OAuth code used for authentication and authorization is written to use that database directly.
If you are on .NET Core, you have Bootstrap 4. I haven't experimented with moving it to 5 yet. The 3 to 4 transition is not something I would recommend. I'm going to figure out the 4 to 5 transition and see. My guess is that it will be more possible if you are willing to do a bit of work.
Hey Tim! Just curious: What are your specs? I'm running on a I7 4790 and 8GB RAM and my VS takes a considerably longer amount of time to set up stuff than yours does. Keep up the good work
Well, I do pause the video sometimes for long-running tasks so it appears to take less time. However, I have an i7-7700K with 32GB of RAM and a 500GB M2 SSD.
@IAmTimCorey That's quite the machine. I should upgrade soon, for I am constantly being reminded that 8 gigs ain't cutting it anymore, and not having an SSD certainly doesn't help either. Thanks
Very nice and clear course, thanks so much 🙂 The information I am looking for is HOW the framework manages to validate (or not) the tokens presented by the clients in their request headers and if necessary make the association with an existing user (so we can finally get it for instance in a controller as you explained). As far as I know the tokens issued by the application /token endpoint are not stored (?) so... except the magic I don't understand 😭 Can you give me a hint? Hope my question is clear enough (as you probably guessed English is not my 1st language ;-))
Yes, the token is stored because it is used on all calls after the user is authenticated. The /token gives the caller the token. Then, they pass that token back whenever they make a call to verify that they are a valid user.
@IAmTimCorey Hi Tim, thanks a lot for the answer 🙂 Unfortunately, probably due to my bad English, my question was the reverse one, sorry. When the application server receives a request (e.g. for accessing an [Authorize] api) how does it validate the presented request header token (i.e. check not expired, find to which user it has been issued to authenticate him (or not)..). For a JWT I can understand / imagine how but for a "meaning less" token I can't 😞
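One general way a server can check expiry and identify the user for a token it never stored, as asked in the thread above. This is an added example, not code from the video or the Web API template, and it does not reproduce the template's actual token format; the class `StatelessToken`, its methods, the demo key and the sample users are all hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration (hypothetical names): a token the server validates
// from its own contents plus a server-side key, with no database lookup.
public static class StatelessToken
{
    // Constructed demo key. A real server loads its key from protected configuration.
    private static readonly byte[] ServerKey =
        Encoding.UTF8.GetBytes("constructed-demo-key-do-not-reuse");

    // Token layout: base64(user|expiryUnixSeconds) + "." + base64(HMAC-SHA256 of the first part).
    // The payload is signed, not encrypted, so it must not carry secrets.
    public static string Issue(string userName, DateTimeOffset expiresUtc)
    {
        string payload = userName + "|" + expiresUtc.ToUnixTimeSeconds();
        string body = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload));
        return body + "." + Convert.ToBase64String(Sign(body));
    }

    public static bool TryValidate(string token, DateTimeOffset nowUtc, out string userName)
    {
        userName = null;
        string[] parts = (token ?? string.Empty).Split('.');
        if (parts.Length != 2) return false;

        string payload;
        try
        {
            // 1. Integrity first: recompute the MAC and compare before trusting any field.
            byte[] presented = Convert.FromBase64String(parts[1]);
            if (!FixedTimeEquals(presented, Sign(parts[0]))) return false;
            payload = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        }
        catch (FormatException)
        {
            return false; // not valid base64
        }

        // 2. Expiry: carried inside the signed payload, so the client cannot extend it.
        int sep = payload.LastIndexOf('|');
        long expiry = 0;
        if (sep < 0 || !long.TryParse(payload.Substring(sep + 1), out expiry)) return false;
        if (nowUtc.ToUnixTimeSeconds() >= expiry) return false;

        // 3. Identity: the user name also comes from the signed payload.
        userName = payload.Substring(0, sep);
        return true;
    }

    private static byte[] Sign(string body)
    {
        using (var hmac = new HMACSHA256(ServerKey))
        {
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(body));
        }
    }

    // Constant-time comparison so the check does not leak how many bytes matched.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        DateTimeOffset now = DateTimeOffset.UtcNow;
        string user;

        string token = Issue("demo@example.com", now.AddMinutes(30));
        Console.WriteLine("fresh:    " + TryValidate(token, now, out user) + " user=" + user);

        // The same token presented after its expiry time is rejected.
        Console.WriteLine("expired:  " + TryValidate(token, now.AddHours(1), out user));

        // A client that swaps the payload cannot produce a matching MAC without the key.
        string forgedBody = Convert.ToBase64String(
            Encoding.UTF8.GetBytes("admin@example.com|" + now.AddYears(1).ToUnixTimeSeconds()));
        string forged = forgedBody + "." + token.Split('.')[1];
        Console.WriteLine("tampered: " + TryValidate(forged, now, out user));
    }
}
```

Because everything the server needs travels inside the token, revoking one before it expires requires extra server-side state such as a deny list or a short lifetime paired with refresh tokens.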
Hi Tim, Can you help me how can I best way to design Web API with binary stream data? I mean Web API takes byte[] as input, stream as input and byte[] as output or stream as output. Thanks for your great explanation. Ram
APIs don't do well with data streams if you are expecting the stream to continue over time. In that case, look at gRPC instead. It handles long-running streams well.
Sorry Tim for my previous post, you are right it's the url, this is the problem with copy and paste lol, but thanks anyway, I am good to go as you always say.
If you, like me, were reviewing this lesson and couldn't get it to respond on the call to api/account/register, check the url... in 2019 it seems the default is to use a self-signed https: SSL cert... (so in Postman I finally got an option to ignore it for testing purposes) to be able to register the user.
Hi Tim, I was wondering if I have the "All Access Pass", is the Source Code that you used in this video also available in the "All Access Pass", or does this source code need to be purchased separately?
Tim, how do we make this work with windows Auth, so it will just check the users AD user name and do some custom auth checking in another app database?
Thanks Tim for the tutorial. I have a few questions: What role can I apply for after learning this new course, something like WebAPI developer? Is WebAPI independent of C# (which means without C#, can you develop a WebAPI app)?
WebAPI is tied directly to C# (technically .NET so you could use VB.NET but I don't recommend it). APIs can be built by anything but WebAPI is Microsoft's tool for building APIs with C#.
Sir - Very informative and helpful video Sir, Thank you for your help. I would like to view entire series which you have mentioned at the start - can you please let me know where I can find the entire series of this video so that I can go through the same. Thank you.
Tim, is it possible to start this course although it is from 3 years ago? It seems a great course but I'm a little bit concerned about the technologies that have been used in this project
Yes it is. The source code is no longer on Patreon, but you can get it by following along or you can purchase the entire course ( www.iamtimcorey.com/p/timco-app-series ). The reason why we used the technologies that we did was to simulate the real world. In the real world, you will find a LOT of organizations that are still using the .NET Framework. So, I intentionally started there. Once we built a simulation of a full application, we upgraded the application to .NET Core 3.1. Then, after adding CI/CD and more, we upgraded again to .NET 5. The purpose of this application was to show how older systems were built and to give you experience upgrading them to modern versions. The code you will use even in older systems is still relevant to modern development, so even that is good training both on older systems and newer ones.
Hi IAmTimCorey Thanks for the great sources and your efforts. How would you add this token authentication to existing database? How would you wire it up? Would you create the necessary table in the database and change the connectionString from localdb to your database or how? Thanks once again. Br.
Hello, can I somehow specify that the tables AspNetusers etc. during the registration process should be created under my specific database and not create their own one? I want to keep it together under one project database.
Yes, you can. However, then you are going to run into potential issues in that the authentication database is automatically created with Entity Framework. If you try to modify it, you will have two different systems that both have control over making changes to the database. That's not ideal. That's just one of the reasons why I prefer to keep them separated.
Aren't you rolling your own authentication by doing this? Would it be easier to just add an identity provider on Azure where the app is likely to be hosted?
It is the Microsoft-provided authentication system, but it is local. So, no, I'm not rolling my own (that would be bad), but I am using local authentication instead of a service. A service is a great option, but there are enough out there that you get a lot of fragmentation (and possible expenses). For instance, if you want users with permission levels, you could use Azure Active Directory (if you are using Azure and not AWS or another cloud provider), but then if you wanted to allow users to register, you would need to add Azure Active Directory B2C.
Hi Tim. Thanx for the videos. Very informative. Can you please discuss refresh tokens more? Would the bearer token expire every 30mins and refresh token be a long-lived token like 2 weeks? What would you recommend? Since most companies already have a database with a user table, how would you add token authentication with refresh token in dotnetcore webapi? Thanx
Hi Tim, I loved your video and was able to follow the steps on my machine. Only thing, I could only make the web application in VB and not in C#. Visual Studio is not giving me an option to create a web application with Dotnet Framework in VB... ideas?
There is like a million videos out there, which already shows how to do this. So why would we need another one? Well, because you don't just show HOW to do it. You actually make it possible to understand WHAT is going on. Brilliant work, please keep it up! :-)
Thank you! I'm glad you enjoyed the video. That's what I try to do in all of my videos. My goal is to always show things in the context of the real world. How they would be used, when to use them, what the best practices are, etc.
@IAmTimCorey Absolutely correct.
Great video, as always. Really excited for this course!
Just wanted to let you know I just got my first job as a software developer recently, mostly thanks to my github which I've built up using your tutorials. You've helped me take all the knowledge I've gained through years of fiddling around with spaghetti code aimlessly and use it to build an app, start to finish, with proper design and documentation in mind.
You helped me make my dream of becoming a developer come true, and for that I am extremely grateful.
I hope to become a patron soon, once I get financially stable, to do my part of thanking you for all the knowledge you selflessly share with the community. We do appreciate you.
Cheers!
Awesome! Congrats on the new job!
At 13:30 the one difference for me was, that "http:..." in the URL didn't work for Postman, because my template site was "https:..". After I corrected for that, Postman was able to get a response. I hope others will find this useful. :) Thanks for the course, Tim!
For those stuck in the first post command. Disable in Postman setting SSL certificate verification and make sure your link is https and not http
Thanks for sharing.
This helped me, thanks
@daviddow5591 Ur welcome)
Thank you, this was driving me crazy.
Thanks, was stuck for a while on this one.
This is a very complete course. Explained very carefully and in detail.
And thank you for always explaining the differences in techniques used in the working environment and the learning environment. Actual work experience is a very valuable explanation for current students.
You are welcome.
Great course, I used to be mainly a C# developer, although now I've moved to PHP and I'm following this course and mirroring everything to PHP. So far so good.
Great work and thank you for your videos.
You are most welcome. Thanks for watching.
Tim up at 4:16am teaching us how to do this beautiful coding setup. Love your classes, keep up the good work. When I get a C# job I'll buy all classes from your site. The best teacher out there.
Thank you! I'm glad you are enjoying the videos.
I am glad I signed up for the year pass. This lesson, so far since I am just starting, has already helped me to see the strength of Visual Studio in Authentication. I remember the days of creating our own authentication methods. This was the best-presenting treatment of the topic. Much appreciated.
I am glad my content has been helpful.
Hmmm I've never known Postman to allow a body of any sort be passed into a GET request. For anyone that is blocked from doing so in Postman for the token request, change the verb to POST and continue as instructed by TC.
Thank you Tim for the series. I'm a MSSQL developer looking to expand into C#, particularly WebAPI for integration purposes. Your channel is blessing for it.
You are most welcome. Thanks for watching.
Make sure to like this so that it will become a top comment. I have spent hours and hours trying to figure this issue out. When I posted a comment about it, it was deleted, because of this comment I guess. So if we make this a top comment it will show up out of 600+. Thank you.
Wow. 2 1/2 years and so much has changed with Visual Studio. Still a great course!!!
Thanks!
I like how you read all the comments and reply. Thanks Good Job Tim
I try. Thanks for watching.
Where were you when I was in college.
This is amazing. Clear and concise.
Thank you!
One of the best tutorial video channels. As soon as I am ready I swear I will do the Patreon thing.
I am glad you are getting so much value out of it.
Although this video is just over a year old, there was one thing that was mentioned that's a minor point but I thought I'd comment. Tim, you had mentioned that you are a one man project team so you are not worried about branching to add features. I would still recommend this flow (branching off, and merging back), as a one man dev team. This allows you to work on multiple things at the same time as well as store code changes to a feature on a branch. Yes, there's the extra work on merging back to master, but this does permit a much more dynamic environment while deving. Again, small but it is handy. But I agree, excellent video. I did get some pointers on getting tokens and using them. Very cool.
Yes, it does add functionality. It just takes longer on video to display.
Super fantastic video and course so far. Let's see -- never used GitHub before, never did an API project, never used Postman. The tournament tracker course was my first "C#" project, first time doing MVC, and so on and so forth. At the same time, I am keeping up and not getting too blown away. Keep up the good work.
I think my current old foxpro applications will lend themselves more to a webForms type application -- but I am keeping my options open and my bias in-check.
Awesome!
What an outstanding explanation Tim! Many thanks to you! It seems like by watching your videos I am really getting a grasp of what is the real job of software developer.
I am glad it was helpful.
As usual Tim hits it out the park. Love how you keep it simple and go in-depth with the knowledge if not point in the right direction.
Glad you enjoyed it
Hi Tim, Just wanna say thank to you for creating this course. I have been following this course till this third video on my first day. Hope I can follow the rest in the future.
And again, thank Tim!
You're very welcome!
This man's tutorials are great, I clearly understand concepts if I'm not hasty. Thank you Tim!
You are welcome.
Hey Tim, thanks for another awesome Video!
I've heard you talk about in a couple of different videos how you're not a big fan of Entity Framework. I don't know what constitutes proper subject material for your weekly challenges, but if you made either a weekly challenge or a quick video explaining why you dislike Entity and ways to accomplish the functionality that EF seeks in different ways that would be awesome. I would be super interested to hear your take on it. (You may have a video about this topic already... if so, disregard this :) )
I don't have a video on that yet (not specifically). That sounds like a good suggestion. I'll add it to the list.
ASP.Net is not my thing and I doubt I will ever use it at work, but to get the 100% of this course, I will have to follow. Thanks Tim! My no. 1 new year's resolution is to follow this course to the Tee and gain every knowledge from you.
Excellent! Yep, I get that there are some things that you don't really want to do normally but having a well-rounded education is key in the job market.
I would like to thank you for all the series of valuable courses that have added a lot to my knowledge and changed it upside-down. I have already attended several courses, and though I am a BMC-REMEDY expert I believe I will start changing my skin to .NET C# with all asp.net, core, MVC because of you.
You're very welcome!
As a non very experienced person I always felt insecure about Authorization, profiles, tokens etc. Gonna tackle this in the following days, thanks for the video.
You can do this. Just take it one step at a time. You may also want to consider this video - ua-cam.com/video/b4GzbZhjE1A/v-deo.html
Howdy Tim ... suggestion. Maybe consider putting together a "prerequisites" video where you cover all the software, components and web accounts (GitHub, etc) that will be needed. Where to download them, any special installation requirements, etc. I'm only on the second video and I've had to install Git and several components within Visual Studio and set up an account on GitHub. Not a huge deal, but if we know in advance what will be needed we can spend some time getting everything downloaded and installed without having to stop in the middle of the videos to do it. I'm sure some viewers already have all this stuff installed. But many, like myself, do not.
Thanks for the great videos!!
Good suggestion. I'll see what I can do.
This is an awesome video. Tim Corey does a great job at explaining things, I'll have to go through the entire playlist now.
Thank you!
Great series so far, not done web API stuff for ages as I've not had the need to, so great refresher so far - and postman is something I've never used so more on that would be good as we go through the project! Thanks!
Thanks. I'll add Postman to the suggestion list. That probably deserves a video of its own, although we will also use it more in this series, I'm sure.
The best tutorial I've ever seen. Man you are the best
Thank you!
Awesome! Simple and yet powerful! Thanks for this Tim, keep it up!
Thanks! Will do!
@@IAmTimCorey Good
Hi Tim very excited for this course but can I choose .net 5 version to create the project? Or it’s strictly 3.x ? Thank you for your tutorials so far.
We start with .NET Framework, then upgrade to .NET Core 3.1, and then upgrade to .NET 5. Doing it this way will give you experience with the upgrade process, not just in the final version.
@@IAmTimCorey Thanks a ton. You are amazing!
Note that you cannot use the postman web client when using localhost. Install the desktop client. It's kinda obvious but might save you a quick stack overflow search.
Correct. Thanks for sharing.
Thanks for your help.
Hi Tim,
First of all, I love your videos.
Small question, you did a get request to the token action (localhost:..../token) but I didn't see it on the page at 13:59 (localhost.../Help page) why isn't it shown?
I was also wondering about this. My assumption was probably because it's buried deep within metadata somewhere. Meaning, it's baked into C# where as what we're seeing is an application similar to what we'd build on top of it. To prove my assumption, I began my F12 (Go to definition) journey. Here's the path if anyone's interested: Startup.Auth.cs line 39 ApplicationOAuthProvider line 53 OAuthTokenEndpointContext line 12 OAuthAuthorizationServerOptions line 33 comment has "/Token" in the summary. How this all works is waaay beyond my skill level. Everything else we see when we click on API is under Areas => HelpPage => Views => Help. I probably made like 1% dent to your question and my ever growing curiosity but, progress is progress :) Hope it did help though.
Excellent video specifically the way you went through each step and explained web API with the help of POSTMAN
Thanks!
Thank you, I have one day to build a basic POS and this should be good!
You are welcome.
@@IAmTimCorey Hi, thanks for responding. I feel I ought to give you an update. I have learned a load of info along the way. I have set up the models and scaffolded controller / views.
I am kind of stuck from there (first experience with the whole dot net and web-dev in general). But it's been pretty fun and asp dot net core is well structured, Microsoft docs are helpful and 1 day is not enough in any case. Thank you again.
This was so useful. Sooooo useful.
Awesome!
Thanks Tim for another great video
You are welcome.
Hey Tim, great video. Is it possible to scaffold this all without the (MV)C? So purely for API projects. Or is the only way to manually remove it like you said in the end in the video?
In the .NET Framework, the two are tightly tied together. In .NET Core, which we will upgrade this to in this series, we can more easily separate out API from MVC. They both run off the same base, but we don't need to bring in the MVC parts if we don't want them.
@@IAmTimCorey Thank you for the quick reply! Keep it up :)
Really good at explaining c# code.
Thank you!
I really like the idea of showing of first .net framework then .net core ;)
I'm glad.
You rock Tim! Great to see a real security example, and not just a bunch of regurgitated techno babble.
Thank you!
amazing as always - raise your hand if you watch in 1.25 speed ;)
I'm more of a 1.5x or 2x. I'm glad you found the speed that works for you.
@@IAmTimCorey You are a Star!
Thank you so much for this video! It helped me connect a Flutter app to my existing Identity database.
You are welcome. I'm glad it helped.
from start to finish round 2!
Excellent!
This video was godsent, I found very few resources discussing API authentication. Do you recommend doing this (issuing the JWT tokens from the same app) in a production environment instead of a third-party issuer?
If Postman gave you a problem, Go to Settings\General and turn off SSL Certificate verification
thank you!
Yep, thanks for sharing.
Thanks Tim, your tutorials are the best.
Thanks!
Your course is really valuable!
Thank you!
"It looks a lot like a guid... because it is"
I don't know why but that made me bust out a laugh. Great video!
lol, I'm glad. Any time I can make a person laugh when we are writing API code, I call it a win.
Maybe I didn't pay enough attention, but when was the SQL Server-connection created? Was that done default by some hidden setting for the project template?
PS: Your tutorials are great!
The only SQL connection we have right now is the authentication connection, which does get created as part of the template. We will set up our own SQL connection soon with Dapper. So we will have two databases, one using Entity Framework for authentication (that we don't really manipulate or change) and one that we connect to via Dapper for our application data.
Excellent work! Thank you from Argentina
Thank you!
Visual Studio 2019 (16.3.7). Authentication forces SSL certificate (it creates a self-signed one for you that you must accept the risk of when you browse to the URL the first time). Additionally Postman 7.10.0 when the POST "Headers" tab "Content-Type" is left as "text/plain" will cause an exception, you must change it to "application/json" and make sure to use "" instead of ""
Crazy how much this stuff changes in the span of several months.... just another thing you've got to learn to roll with I guess.
Yep.
I'll be watching your vids for a while, Tim. I have to create web API with swagger.
Thanks for trusting Tim to help you thru that.
Thank you Tim , this was so useful.. Your videos are great. I have a request can you make a video of adding refresh tokens as a second part of this video.
I will add it to the list. Thanks for the suggestion.
That's a great video! There is not a lot of information about .net Authentication on the internet. If you had a video with cookie authentication, that would be great too!
I will add it to the list. Thanks for the suggestion.
So, I'm coming into this lesson knowing nothing about web API, or anything this video really covers. I'm wondering what kind of prerequisites you'd give for this series? is this something I can hop into once I've got the basics of C# down, or is there something I need to cover to bridge the gap from being decent at C# and this course?
I'm doing the same thing, know nothing about web API, just C# basics. How are you doing after two weeks?
@@vitorvs @jecyn how are you guys doing so far?
This had me stumped for a while, until I realized that turning off SSL Certificate check in PostMan was the proper medicine.
Ah, yeah, they can cause issues.
I mean, that's one way to learn to read the error messages.
Hi Tim, you mentioned showing the conversion to the Core Framework. Hope this is in a later video to come!
It will be. We have to build it first.
Excellent! Definitely matchless content!
Thank you!
Hi Tim,
Thanks for the great explanation.
I have a doubt as to how the api is validating the token.
I don't see the token being saved anywhere in the local SQL DB.
Could you please help me on this
The token is encoded, not encrypted. That means that the API can decode the token and see the various parts. One of those parts is an encrypted version of the secret key that was used. The API compares that secret key to what it has for a secret key. If the two match, it trusts the token.
@@IAmTimCorey
Thank you 🙂
I also am confused by where the token lives. Is it in the database somewhere?
Hi Tim. Quick question, why you choose to create separate database for Identity instead of creating the tables in TRMData?
I like to keep the auto-generated database separate from the database I create. It keeps a clear separation. Also, keeping the identity information separate from the rest of the data allows me to secure the database differently and back it up differently.
Hey Tim,
Love all your videos I have seen so far, thank you for sharing your knowledge! Quick question, I have tried making this project a few times now and every time it does not create the authorization database automatically. Any thoughts on why and how to fix this problem?
Figured it out. The database is not created until you add the admin account through postman.
Thank you for sharing the problems AND the solution! I'm sure this will help others who struggle on this issue.
Great video, would it be possible for you to make a video on what to do when the access token expires? What is the standard procedure? ask for password again? how to use refresh tokens?
We appreciate the suggestion and I have added it to Tim's list.
Tim ji you are great....🙏
Thank you!
You have the best videos man
Thanks!
Me: Watched the video
Result: Now this is easy as F !
Thanks
Awesome!
Hi Tim,
I find your videos motivating and cannot stop working on the TimCo series as a preparation for my own application. In this regard I am asking myself how to deploy / release such a solution. Is that somewhere covered in your course?
The application I would like to develop is rather simple and I do not have a specific server infrastructure available. It should run locally only with a DB and so far I only see a WPF front end, however I clearly see the benefit of having an API for bundling business logic (and also to be future-proof). But in general, I don't need all the web stuff. Would you still go for a web API? How would the release process look like (e.g. publish on Azure)? Where and how would the DB be published?
As usual, thanks for your helpful comments and time you put into your videos.
Deployment is something we will be covering coming up in the course. I do have videos on deployment on this channel but we will cover the TimCo scenario specifically with deployment soon. As for having an API, it allows you to be flexible. However, it is a layer of complexity so it depends on your scenario. The nice thing with an API is that it holds all of the security, etc. behind a wall. So, you won't need to put a database connection string on the client machine. That alone can be worth putting an API in place for.
Thank you for the wonderful explanation!
You're very welcome!
Tim, great video as always.
Isn't it considered bad practice to send sensitive information (such as passwords) using GET, since it gets logged in the browser history and it can be intercepted by someone else on the network?
Yes, I should have sent it via POST. I'm not sure if form data is stored in the URL but it can be cached so POST would have been the better choice. I use POST in the future videos.
In creating the application flow, would you be using UML diagrams, or just a layout of each of the functionalities?
I don't use UML. I haven't seen it used in a company since college. It may be that its usage depends on where in the world you are located. Personally, I have not found full UML valuable. However, I do draw out designs and databases. I'll probably do that for this project, although I'm planning on doing smaller-scale planning at each step instead of trying to plan out the entire application all at once (agile vs. waterfall).
Hi Tim, I just bought the course from your website and went through this but got stuck at trying to get the access token with a not supported error when you execute the get command. With many hours of frustration I have solved it now and I have come to the conclusion that the video needs updating. Postman doesn't allow you send a body parameter with Get commands anymore so you have to use Post to get your token otherwise this doesn't work.
Yep, that is correct. Thanks for pointing it out.
@IAmTimCorey "Half the time or more those don't come to pass and so why spend time on something that might happen when I have plenty to do already"
Apart from coding we learn and life quotes so true haha thanks for the share , love your videos i am starting to become addicted! Good job keep going!
I am glad you are enjoying it.
Hi Tim. Excellent video as always. What about managing expiration dates for access tokens, so that users will need to login after a set period of time?
You can change the amount of time a token lasts by setting the AccessTokenExpireTime when you set up the token. You can also set up refresh tokens if you prefer. I left it at the default since I wasn't too concerned about it. I was treating the site more like Facebook, where you could stay logged in for days if you want.
Wow, so comprehensible, I couldn't imagine it would be so)
Excellent!
Hi Tim. Great video! I came across an API the other day (using swagger) that also required the user to send an x.509 certificate. I am curious how much safety this adds to the client/server interaction. If you want the API to be very secure, is this the right way to go? If useful as an extra security layer, could you perhaps show how to set this up.
A 509 certificate basically creates an identity with the server. It says that you are who you say you are, kind of like a password but in some ways better. They are a pain, though, since each client needs to set one up with the server. I don't often see them used. However, this might help you out: stackoverflow.com/questions/35582396/how-to-use-a-client-certificate-to-authenticate-and-authorize-in-a-web-api
I came across it when connecting to an api that provides details of healthcare professionals and institutions. It is only open to those who have a valid reason to lookup those details. They first need to get certified. The idea stuck in my mind though, that it may be a secure way to design an application and/or app for 1 organization that works with sensitive private data (e.g medical files) and only software clients who have a certain certificate and token can use that api. Are there perhaps better ways to achieve a very high level of security?
Two factor authentication is a good solution. It allows you to verify that the correct person is the one using the credentials. Usually it involves a hardware key or secondary device (like texting a phone, although that isn't terribly secure).
Your videos are awesome... But can you please provide advanced-level Web API videos which include the internal structure and the differences between requests / responses of GET, PUT, POST, DELETE with form-data, urlencoded, raw, etc.
I will add it to the list. Thanks for the suggestion.
Hey Tim, Great Video... a quick question... you also showed the database, was that created by default when you added the web api project into your solution?, and secondly, does the default code for POST will update the database with userid and pwd info?
The database was created the first time I asked for data or tried to insert data. It was created by Entity Framework auto-magically. The OAuth code used for authentication and authorization is written to use that database directly.
@@IAmTimCorey thanks Tim... Will try this during the weekend today...
Hey Tim, I just started watching and following this video again. There is now Bootstrap 5.0.2. do you recommend to update the bootstrap now?
If you are on .NET Core, you have Bootstrap 4. I haven't experimented with moving it to 5 yet. The 3 to 4 transition is not something I would recommend. I'm going to figure out the 4 to 5 transition and see. My guess is that it will be more possible if you are willing to do a bit of work.
@@IAmTimCorey thank you Tim! :) i actually tried updating it and end up redoing my solution haha
Hey Tim! Just curious: What are your specs? I'm running on a I7 4790 and 8GB RAM and my VS takes a considerably longer amount of time to set up stuff than yours does.
Keep up the good work
Well, I do pause the video sometimes for long-running tasks so it appears to take less time. However, I have an i7-7700K with 32GB of RAM and a 500GB M2 SSD.
@@IAmTimCorey That's quite the machine. I should upgrade soon, for I am constantly being reminded that 8 gigs ain't cutting it anymore, and not having an SSD certainly doesn't help either. Thanks
The SSD is definitely the easiest thing to upgrade and it gives you the most power for the cost. Moving beyond 8GB of RAM would be a boost too though.
Very nice and clear course, thanks so much 🙂
The information I am looking for is HOW the framework manages to validate (or not) the tokens presented by the clients in their request headers and, if necessary, make the association with an existing user (so we can finally get it, for instance, in a controller as you explained).
As far as I know the tokens issued by the application /token endpoint are not stored (?) so... except the magic I don't understand 😭
Can you give me a hint?
Hope my question is clear enough (as you probably guessed English is not my 1st language ;-))
Yes, the token is stored because it is used on all calls after the user is authenticated. The /token gives the caller the token. Then, they pass that token back whenever they make a call to verify that they are a valid user.
@@IAmTimCorey Hi Tim thanks a lot for the answer 🙂
Unfortunately, probably due to my bad English, my question was the reverse one, sorry.
When the application server receives a request (e.g. for accessing an [Authorize] api) how does it validate the presented request header token (i.e. check not expired, find to which user it has been issued to authenticate him (or not)..).
For a JWT I can understand / imagine how but for a "meaningless" token I can't 😞
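The question in this thread, and in the earlier one about the token not being saved in the SQL database, comes down to how a server can validate a bearer token it never stored. The sketch below is an added example (not code from the video, the Web API template or any commenter): the token carries the user name and expiry itself, protected by a keyed MAC that only the server can compute. The token layout, field names and key are constructed for illustration and are assumptions, not the template's actual token format.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key. A real server keeps its key out of source control.
SERVER_KEY = b"constructed-demo-key-not-for-real-use"


def b64(data: bytes) -> str:
    """URL-safe base64 without padding, so the token fits in a header."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def unb64(text: str) -> bytes:
    """Inverse of b64(); restores the padding that was stripped."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, lifetime_s: int, now: int,
                key: bytes = SERVER_KEY) -> str:
    """Build '<ticket>.<mac>'. Nothing is written to any database."""
    ticket = json.dumps({"sub": user, "exp": now + lifetime_s},
                        separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, ticket, hashlib.sha256).digest()
    return b64(ticket) + "." + b64(mac)


def validate_token(token: str, now: int, key: bytes = SERVER_KEY):
    """Return the user name the token was issued to, or None if rejected."""
    try:
        ticket_b64, mac_b64 = token.split(".")
        ticket = unb64(ticket_b64)
        presented_mac = unb64(mac_b64)
    except ValueError:
        return None  # wrong shape or not valid base64

    # 1. Integrity: recompute the MAC with the server's key and compare in
    #    constant time. A client cannot forge this without the key.
    expected_mac = hmac.new(key, ticket, hashlib.sha256).digest()
    if not hmac.compare_digest(presented_mac, expected_mac):
        return None

    # 2. Only after the MAC checks out is the ticket content trusted.
    claims = json.loads(ticket)

    # 3. Expiry travels inside the ticket, so no lookup is needed.
    if now >= claims["exp"]:
        return None

    # 4. The user identity also comes from the ticket.
    return claims["sub"]


def demo() -> dict:
    """Run the four interesting cases with a fixed clock (constructed data)."""
    token = issue_token("alice", lifetime_s=60, now=1000)
    _, mac = token.split(".")
    # Same MAC, different ticket: the kind of edit a client might try.
    forged = b64(b'{"sub":"admin","exp":9999}') + "." + mac
    return {
        "valid": validate_token(token, now=1030),
        "expired": validate_token(token, now=1060),
        "forged": validate_token(forged, now=1030),
        "other_key": validate_token(token, now=1030, key=b"another-key"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:10} -> {result}")
```

This scheme only signs the ticket, so anyone holding the token can read its contents; a format that also encrypts the ticket looks like an opaque string to the client while the server validates it the same way.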
Hi Tim,
Can you help me how can I best way to design Web API with binary stream data? I mean Web API takes byte[] as input, stream as input and byte[] as output or stream as output.
Thanks for your great explanation.
Ram
APIs don't do well with data streams if you are expecting the stream to continue over time. In that case, look at gRPC instead. It handles long-running streams well.
Great video! It would be cool if you could make a video doing Email Verification using API :)
I will add it to the list. Thanks for the suggestion.
please make an authentication & authorization video for dotnet 6
Thanks for the suggestion. Please add it to the list on the suggestion site so others can vote on it as well: suggestions.iamtimcorey.com/
@@IAmTimCorey Sure!
Sorry Tim for my previous post, you are right it's the url, this is the problem with copy and paste lol, but thanks anyway, I am good to go as you always say.
Glad we got it fixed.
If you like me were reviewing this lesson, and couldn't get it to respond on the call to api/account/register. check the url... in 2019 seems the default is to use a self signed https: SSL cert... (so in postman I finally got an option to ignore it for testing purposes) to be able to register the user.
Could you let me know how to set the postman to ignore the https?
Thanks. this is very wonderful
Hey Tim!
Are you planning on making a video on QR reading?
If not, would you recommend any documentation?
Thanks
I don't have any content on that (or know where to point you). I don't think we will cover it in this course.
Hi Tim, I was wondering if I have the "All Access Pass", is the Source Code that you used in this video also available in the "All Access Pass", or does this source code need to be purchased separately?
The source code for all courses is included in the All Access Pass. That includes this course.
Tim, how do we make this work with windows Auth, so it will just check the users AD user name and do some custom auth checking in another app database?
If you find any helpful video, share it please. I am facing the same requirement as yours.
Thanks Tim for the tutorial
I have few questions:
What role can I apply for after learning this new course, something like WebAPI developer?
Is WebAPI independent of C# (which means without C#, can you develop a WebAPI app)?
WebAPI is tied directly to C# (technically .NET so you could use VB.NET but I don't recommend it). APIs can be built by anything but WebAPI is Microsoft's tool for building APIs with C#.
Tim Thanks for the reply
Did you use Visual Studio 2017 in this video?
2019
Sir - Very informative and helpful video Sir, Thank you for your help.
I would like to view entire series which you have mentioned at the start - can you please let me know where I can find the entire series of this video so that I can go through the same. Thank you.
Don't know why that is missing from Tim's playlists, but here you go - ua-cam.com/video/Xtt6mS0p2_c/v-deo.html
Tim, is it possible to start this course although it is from 3 years ago? It seems a great course but I'm a little bit concerned about the technologies that have been used in this project
Yes it is. The source code is no longer on Patreon, but you can get it by following along or you can purchase the entire course ( www.iamtimcorey.com/p/timco-app-series ). The reason why we used the technologies that we did was to simulate the real world. In the real world, you will find a LOT of organizations that are still using the .NET Framework. So, I intentionally started there. Once we built a simulation of a full application, we upgraded the application to .NET Core 3.1. Then, after adding CI/CD and more, we upgraded again to .NET 5. The purpose of this application was to show how older systems were built and to give you experience upgrading them to modern versions. The code you will use even in older systems is still relevant to modern development, so even that is good training both on older systems and newer ones.
@@IAmTimCorey thanks . I'll start this course by using dot net framework.
Hi IAmTimCorey
Thanks for the great sources and your efforts.
How would you add this token authentication to existing database? How would you wire it up? Would you create the necessary table in the database and change the connectionString from localdb to your database or how? Thanks once again.
Br.
Very good video....really appreciate your efforts
Thanks a lot
Thanks for a nice video-tutorial.
You are welcome.
Hello, can I somehow specify that the tables AspNetusers etc. during the registration process should be created under my specific database and not create their own one? I want to keep it together under one project database.
Yes, you can. However, then you are going to run into potential issues in that the authentication database is automatically created with Entity Framework. If you try to modify it, you will have two different systems that both have control over making changes to the database. That's not ideal. That's just one of the reasons why I prefer to keep them separated.
@@IAmTimCorey ok thx I will try to explain to our server admin, that you said its not a good idea :)
my bootstrap was already on 4.2.1. should be all good, I've got a little bit of experience with bootstrap 4
Interesting. Did you do .NET Core or .NET Framework?
Aren't you rolling your own authentication by doing this? Would it be easier to just add an identity provider on azure where the app is likely to be hosted?
It is the Microsoft-provided authentication system, but it is local. So, no, I'm not rolling my own (that would be bad), but I am using local authentication instead of a service. A service is a great option, but there are enough out there that you get a lot of fragmentation (and possible expenses). For instance, if you want users with permission levels, you could use Azure Active Directory (if you are using Azure and not AWS or another cloud provider), but then if you wanted to allow users to register, you would need to add Azure Active Directory B2C.
Another good one, thanks.
Glad you enjoyed it.
Apparently VS 2019 enforces https once you select authentication now.
That's great!
Hi Tim. Thanx for the videos. Very informative. Can you please discuss refresh tokens more? Would the bearer token expire every 30mins and refresh token be a long-lived token like 2 weeks? What would you recommend? Since most companies already have a database with a user table, how would you add token authentication with refresh token in dotnetcore webapi? Thanx
I can add that to the suggestion list of future topics.
Hi Tim, I loved your video and was able to follow the steps on my machine. Only thing, I could only make the web application in VB and not in C#. Visual Studio is not giving me an option to create a web application with Dotnet Framework in VB... ideas?
It sounds like you might have the filter on the new project dialog to only show VB project types. See if clearing the filters fixes the issue.