Get the source code for this video for FREE → the-dotnet-weekly.ck.page/gateway-auth Want to master Clean Architecture? Go here: bit.ly/3PupkOJ Want to unlock Modular Monoliths? Go here: bit.ly/3SXlzSt
Milon, I thank you very much because you provide the source code for free. I have never seen anyone do that. You are a dedicated person who loves others, and this reflects the love of others for you. Thank you, Milon, for all this hard work.
Nice one, haven't actually had the change to look at YARP much due to NGINX and AGIC, with our apps being monolithic in nature. Have you considered doing a video on Keycloak from .NET dev point of view. For work I'm stuck with Entra Id, but been using keycloak on my own cluster. Great piece of software imo. Might not be in high demand due to everyone being stuck with Okta, Entra Id or similar, but then again I still, from time to time, see identity server 4 mentioned, so might be the lack of content about it? Then again I know atleast some government agencies are using Keycloak so there is usage but not much content.
Does the internal apis have some kind of authentication? Or does they trust the api gateway? Maybe it is more interesting to secure the internal apis because gateway is exposed to users and is more security risk imo. What do you think?
How should we approach implementing zero trust in an API gateway architecture? While an API gateway can centralize access control and minimize the attack surface, is it advisable to forward the complete JWT to downstream services for validation against the authority again?
@@MilanJovanovicTech Great video Milan ! Is limiting network access to services by exposing them only to the API Gateway or via the server's internal network rather than validating JWT tokens a second time in downstream services a potential solution in your opinion? I'm aware that the ZTA principle wouldn't be respected, but I was wondering about this for small infrastructures. Maybe mTLS service-to-service authentication could be a good topic for a video 😜 Thanks!
Hi Milan, I have been researching for a few days on developing a route-based retry and circuit breaker for my .NET application using Yarp.ReverseProxy. How can we do this using the Polly library? I couldn't find a source on this subject, can you make a UA-cam video? Thanks
Check out this: www.milanjovanovic.tech/blog/building-resilient-cloud-applications-with-dotnet But I'm not sure if we can apply these policies with YARP 🤔
Hi Milan, which of your paid courses can you recommend which cover DDD and clean architecture, authentication and authorisation end to end, I feel like it will help me gain confidence as a dotnet developer 😊
Pragmatic Clean Architecture sounds like a good fit for what you're looking for. Check the full curriculum here to see if it's aligned with your goals: www.milanjovanovic.tech/pragmatic-clean-architecture#curriculum
Thank you for the video. Is it possible to have .NET generate an accessToken which is JWT that could be refreshed by the refreshToken that is already shared in the login endpoint?
I am using asynchronous communication in microservices but i need user information in request or response form , how i can do it because it is synchronization communication
We'd be comparing a cloud API Gateway vs a self-managed one. Does that comparison make sense? Azure APIM is a much more robust product. Definitely use it if you're on Azure.
@@MilanJovanovicTechMan really you are the best kind hearted youtuber❤ and you just replied very fast love from india brother🇮🇳 and the link is working now
@@MilanJovanovicTech The approach is to authorize in api gateway. Imagine that we have many services and we need to config a bunch of endpoints, and each endpoint has its own policy. Is it a good way? Or maybe we just authen in apigateway and we pass token to downstream service, they will authorize it by themselve.
Get the source code for this video for FREE → the-dotnet-weekly.ck.page/gateway-auth
Want to master Clean Architecture? Go here: bit.ly/3PupkOJ
Want to unlock Modular Monoliths? Go here: bit.ly/3SXlzSt
Milon, I thank you very much because you provide the source code for free. I have never seen anyone do that. You are a dedicated person who loves others, and this reflects the love of others for you. Thank you, Milon, for all this hard work.
Thanks!
Nice one, haven't actually had the change to look at YARP much due to NGINX and AGIC, with our apps being monolithic in nature.
Have you considered doing a video on Keycloak from .NET dev point of view. For work I'm stuck with Entra Id, but been using keycloak on my own cluster. Great piece of software imo. Might not be in high demand due to everyone being stuck with Okta, Entra Id or similar, but then again I still, from time to time, see identity server 4 mentioned, so might be the lack of content about it? Then again I know atleast some government agencies are using Keycloak so there is usage but not much content.
I'm planning a nice content series about it soon! :)
@@MilanJovanovicTech Awesome! Looking forward to it! :)
This is awesome and useful content for devs!
Glad to hear it!
Great video, i'm a fan now
Welcome aboard!
Thanks Milan for the video.
You're welcome! :)
Hi Milan, Thanks for this video...please can you use KeyCloak for the YARP API Gateway Authentication
Just watch my Keycloak video and integrate it into YARP, not too difficult
Does the internal apis have some kind of authentication? Or does they trust the api gateway? Maybe it is more interesting to secure the internal apis because gateway is exposed to users and is more security risk imo. What do you think?
Typically they do, you can also setup JWT auth on the APIs (and you will in 99.99% cases).
How should we approach implementing zero trust in an API gateway architecture? While an API gateway can centralize access control and minimize the attack surface, is it advisable to forward the complete JWT to downstream services for validation against the authority again?
Yes, definitely. In reality you'll also have auth in downstream services.
@@MilanJovanovicTech Great video Milan !
Is limiting network access to services by exposing them only to the API Gateway or via the server's internal network rather than validating JWT tokens a second time in downstream services a potential solution in your opinion?
I'm aware that the ZTA principle wouldn't be respected, but I was wondering about this for small infrastructures.
Maybe mTLS service-to-service authentication could be a good topic for a video 😜
Thanks!
Hi Milan,
I have been researching for a few days on developing a route-based retry and circuit breaker for my .NET application using Yarp.ReverseProxy.
How can we do this using the Polly library?
I couldn't find a source on this subject, can you make a UA-cam video?
Thanks
Check out this: www.milanjovanovic.tech/blog/building-resilient-cloud-applications-with-dotnet
But I'm not sure if we can apply these policies with YARP 🤔
Nice tutorial.
Milan, what other API gateways did you use except YARP ?
Out of open source ones, I used Ocelot. Also cloud gateways on AWS/Azure.
Hi Milan, which of your paid courses can you recommend which cover DDD and clean architecture, authentication and authorisation end to end, I feel like it will help me gain confidence as a dotnet developer 😊
Pragmatic Clean Architecture sounds like a good fit for what you're looking for. Check the full curriculum here to see if it's aligned with your goals: www.milanjovanovic.tech/pragmatic-clean-architecture#curriculum
@@MilanJovanovicTech Thanks Milan
Thank you for the video. Is it possible to have .NET generate an accessToken which is JWT that could be refreshed by the refreshToken that is already shared in the login endpoint?
Oh yes, there's nothing magical about it. I'll see if I can do a video dedicated to that.
This is awesome
Glad you think so 😁
I am using asynchronous communication in microservices but i need user information in request or response form , how i can do it because it is synchronization communication
Send an HTTP request? Or do messaging request-response
Thanks for the video.
Can YARP replace Azure APIM?
What is the difference between them?
We'd be comparing a cloud API Gateway vs a self-managed one. Does that comparison make sense? Azure APIM is a much more robust product. Definitely use it if you're on Azure.
How to pass the token to the inner APIs?
It'll be automatically forwarded. You'd just need to use a real JWT to be able to decode it in the downstream APIs.
Is it also posible the change the authentication type towards the backend api. Eg api Gateway incoming jwt auth but backend uses client certificate
Probably, but you'll need to implement that yourself on the gateway
@@MilanJovanovicTech but the gateway calls the backend service? So it has to change the authorization
@@MilanJovanovicTech probably custom forwarder?
Could you please make a video on implementing resiliency on yarp gateway? Thanks :)
Yes!
@@MilanJovanovicTech Thanks a lot :)
Can we use cloud api gateway instead?
Yes, definitely
Can you make one tutorial on full microservices and api gateway
Maybe
@Milan Jovanović Bro the source code link is not working please give a valid link it's my kind request.
Fixed it. Can you try again?
@@MilanJovanovicTechMan really you are the best kind hearted youtuber❤ and you just replied very fast love from india brother🇮🇳 and the link is working now
Consul ,kubernates ? Is there a plan😋
Maybe there's something coming today 👀
Yeah
👈
@@MilanJovanovicTech The approach is to authorize in api gateway. Imagine that we have many services and we need to config a bunch of endpoints, and each endpoint has its own policy. Is it a good way?
Or maybe we just authen in apigateway and we pass token to downstream service, they will authorize it by themselve.
good :)
Thank you! Cheers!
I'm the first viewer :D
Congrats 🏆🏆