Coding Short: Using Bearer Tokens in .NET 8 Identity

  • Published 26 Oct 2024

COMMENTS • 116

  • @zitronenmelisse3 1 year ago +29

    I recently discovered your account. I must say I just absolutely love how calm, factual and to the point your videos are.

  • @user-bf6sk3gu5u 1 month ago

    Thank you! Explaining how to deal with razor page/ui vs. API was very helpful.

  • @CarrigansGuitarClub 7 months ago

    Been reading your blogs\books for decades...grew up on your code...great content as always :)

  • @tonybaker8971 8 months ago +1

    Like other users I have taken a few of your courses as well - glad I came across you here on YouTube - subscribed with a thumbs up

  • @harleyAtdk 1 year ago +2

    Really helpful for me, thanks so much. So appreciate you doing these videos and being so gracious with your time and energy - you're awesome.

  • @robdevoer1 1 year ago

    I just noticed I wasn't subscribed yet; that is now fixed! It is great to see your subscribers increase further over the last weeks. Your videos deserve a large audience.

    • @robdevoer1 1 year ago

      I really enjoy your presentation style and the value that your explanations add to every topic that you cover. A big thanks for all that you do. This video was precious since it addressed something that I am currently working on, so your ESP is in working order.

  • @samuelketels919 9 months ago

    I took a few of your courses on Pluralsight and I'm happy to see you here too. Great approach on explaining this clearly.

  • @abdeslamhidan5814 10 months ago +1

    Great video from a great IT educator. Looking forward to a similar video on AAD B2C in .NET 8.0. And if it is on a Blazor web app, that would be perfect.

  • @patannetube 1 year ago +1

    Great video. Simple and short. True to the channel name. You mentioned possibly doing another video for Identity using Windows. I would welcome that.

  • @CScottEdwardsScottGeek 10 months ago

    Indeed yes, always great explanations and guidance from you!

  • @SiberHavoc 11 months ago

    An amazing and pragmatic approach to teach these subjects!

  • @leonardvanonselen 1 year ago

    Great video. I've been looking for a simplified way of logging in via the API, to then use the API... I'm certainly going to give this a whirl.

  • @pqners 1 year ago +1

    I subscribed. Cool video helps me a lot in my actual project!

  • @ZimTachyon 11 months ago +1

    Forgive me if I missed it in your library of videos (I'm still looking,) but it would be very cool if you could do a video on oauth 2.0 pkce with .Net and Angular where your API endpoints include /authorize, /oauth/token, etc.
    Keep up the awesome job you do. I would not be the person I am today without you.

  • @mekbeb 1 month ago

    Excellent explanation

  • @neilranada 1 year ago

    Great walkthrough. Thanks Shawn!

  • @waynehawkins654 11 months ago +2

    Great video but I wish you had shown on a full API Swagger project and then say a Blazor page doing a check that it's authenticated, if not then make an API call to do a refresh token or no joy, to then take them to a sign-in page. Plenty of videos doing this on .NET 7, but yet to see a current update from start to finish doing this with .NET 8. Hopefully soon once released.

  • @erik9035 22 days ago

    Thanks for the help!

  • @rockycaballero5676 1 year ago +1

    Hi Shawn! I'm glad you have made a YouTube channel. I always follow and watch your videos on Pluralsight, but sadly you teach on the Angular subject, which is not my direction. I hope you also make videos about Blazor, sir. Anyway, hats off to you always, may you have a pleasant day ahead.

    • @swildermuth 1 year ago +1

      Thanks for the support. I'm not well versed in Blazor, so likely won't be making any content for us. But I appreciate the thought!

    • @swildermuth 1 year ago +1

      I've redone my big ASP.NET Core course on Pluralsight, and switched it up to Vue. But I suspect if you are doing Blazor that Vue isn't of interest.

  • @allannielsen4752 8 months ago

    Great intro, but still looking forward to the Entra integration video you said you might do ;)

    • @swildermuth 8 months ago

      It's coming. I'm doing a new demo with Aspire where I'm using Entra, so in building that - you'll get that video, I promise.

  • @stoched 1 year ago

    Nice video! One recommendation I have is maybe when editing set the microphone audio to mono just because when you turn your head it pans the audio into the R channel and back which I find a little distracting.
    EDIT: Oops looked at some of your more recent videos and noticed you changed to mono, disregard! haha

    • @swildermuth 11 months ago

      Yeah, I shoot with two mics, but now I'm just mixing the channels.

  • @Octopie18 1 year ago +1

    congrats on 10k!

  • @StefanoLabate 1 year ago

    very useful my friend, thank you!

  • @borisgomiunik7960 7 months ago

    Thank you for making these shorts. Short and to the point. I hope you don't mind me asking if there is any solution also for using OIDC providers like keycloak or similar?

    • @swildermuth 7 months ago +1

      Not that familiar, do you mean something like this? medium.com/@ahmed.gaduo_93938/how-to-implement-keycloak-authentication-in-a-net-core-application-ce8603698f24

    • @borisgomiunik7960 7 months ago

      @swildermuth thank you. Something just like that. Only to have it applied to SPA.

  • @AshrafSada 7 months ago

    Thanks, great information

  • @andrejcarstens 7 months ago

    Thank you for the super clear way that you describe these topics. This is a useful feature that has just saved hours of work. Nice video Sean. I am struggling to use the token that is being created though. I added an api controller and set the Authorize decorator to use the "api" policy name. In postman I am making a GET request with the access_token embedded in the header as bearer. I keep getting 401 though. I tried playing around with sending the token as a JWT but the same thing happens. Can you elaborate how to use the token once it has been created? I would have expected it to be simple enough, perhaps I am just missing something w.r.t implementing the auth in my other controllers? Do you maybe have another video that demonstrates using the JWT? Thank you again, you are an absolute legend, please keep the content coming.

    • @swildermuth 7 months ago

      If you're using the new .NET 8 Identity, just know that the built-in Identity provider supplies a Bearer Token, but it is not a JWT token. So if you are trying to mix .NET 8 identity plus the developer JWT tokens, they aren't compatible.

  • @aah134-K 1 year ago +1

    Very nice,
    I remember I had to do a lot of things to wire JWT and Identity things, very straightforward,
    But if I have a custom database it will not wire correctly, I think, without extra work

    • @swildermuth 1 year ago +1

      The database doesn't matter. However you configure identity, it's just passing this to the UserManager.

  • @predigr 9 months ago

    Great video!! Thanks for sharing. What if you don't use Identity?

  • @HugRunner 10 months ago

    Really nice video! Thanks a lot!
    I'm wondering a bit about when you actually get the token from the API in a SPA. Where and how would you store this for future requests, and how to handle and use the refresh token as well? In a browser I guess you could store it in local storage or perhaps a cookie?, but for some remote application like MAUI or a phone app, where would you store it safely? Would be awesome with a follow up video on that topic :)

    • @swildermuth 10 months ago +1

      Depends on the provider. If you're using a 3rd Party (e.g. Azure AD), then they will handle it for you. Otherwise, I'd keep both in local storage. The safety of the JWT is about its short life and that it has been unchanged, so you can store it. But don't be reckless.

    • @HugRunner 10 months ago

      @swildermuth Thanks for a quick response! I'm thinking about the inbuilt solution here, not 3rd party, so I guess local storage then, but is there any simplification on that part as well for .NET 8 or do we have to write our own middleware or auth-handler that reads from local storage and appends to every request? I remember seeing an example on that from a video on auth for like .NET 6 or something. Would be nice to see a proper/good solution for that in similar style to this video, but I'm sure I can find a solution somewhere if I search for a while.

  • @der-otto 1 year ago +2

    I love your videos. One Question:
    How to work with claims and roles?

    • @swildermuth 1 year ago

      You can configure the claims and roles to be put in the bearer token. I am not sure this exposes an API to *manage* the roles and claims, but you can embed the roles and claims in the bearer by configuring IdentyBearer to include claims.

  • @cjt9150 9 months ago

    Good work. Can you please create a video for custom authentication with cookie/local storage/session storage & without identity

  • @adamoneil7435 1 year ago +1

    good stuff, thank you

  • @MrJimmaguire 1 year ago

    Very helpful, thanks 😊

  • @marceloleoncaceres6826 8 months ago

    Thanks for the video,

  • @Schnickalodeon 1 year ago

    Awesome video. Thank you!
    Unfortunately you cannot use this approach with bearer token when you want to implement the authorization as a separate microservice (and JWT), right?
    If I have e.g. my Products API (microservice) which requires authorization with a token from my AuthApi that won't work because the Products API cannot validate the token.
    Then I will have to integrate all Endpoints manually (the old way)

    • @swildermuth 1 year ago

      Yeah, this is specifically for extending Identity for JWTs. If you're using a separate microservice, your JWT would need to include all the audiences - though it's common to move auth to something external (e.g. Azure AD, AWS, Auth0, Duende) to remove the need for user management entirely.
      Unless, your microservice is using Identity, then the MapIdentityEndpoints would work fine.

  • @aron-gx9mh 4 months ago +1

    I understand all this but how do I add this to my project? I want to run a website that gets data from an API. Unfortunately, this didn't help me

  • @WelcomeToMyLife888 1 year ago

    awesome content! subscribed!

  • @fredrickamoako 1 year ago

    very insightful, is there a way that the endpoints can be modified for extra data, for example if there's a requirement that a user provides several other details for registration alone

    • @swildermuth 1 year ago +1

      I believe so, the identity stuff has hooks to expand Registration. Not sure what happens when you add to it for the endpoint.

  • @softw.netcore7521 8 months ago +1

    👍👍👍👍👍👍

  • @samkimmel4643 8 months ago

    Was following along and ran into an error at the 11:52 mark: *Failed to read parameter "LoginRequest login" from the request body as JSON*. 'Microsoft.AspNetCore.Identity.Data.LoginRequest' was missing required properties, including the following: email. I changed the property from "username" to "email", then it worked as shown in the video.

  • @aaqilansari5702 4 months ago

    Shawn, everything works fine except for the identity default api endpoints which are protected e.g. manage/info doesn’t work with the bearer token and it works only with the generated cookie.
    Login endpoint is working fine. But once we are logged in and get the bearer token then all the identity api endpoints should be accessible with that bearer token. But the protected ones aren’t working.
    Any suggestions how to get it working with that bearer token and not the cookies which are http only tokens

  • @peteroganwu951 11 months ago

    Hi Shawn. Thanks for this tutorial. Not sure if changes were made since this video. I am running .NET 8 RC2. I am getting a 400 error calling the login endpoint.

    • @swildermuth 11 months ago

      Shouldn't be different. Can you share the code (github or gist)?

    • @Windmerica 11 months ago

      @peteroganwu951 When POSTing the JSON to /api/auth/login at 11:25 try replacing "username" with "email" instead.
      Your 400 BadHttpRequestException might have an inner JsonException like "JSON deserialization for type 'Microsoft.AspNetCore.Identity.Data.LoginRequest' was missing required properties, including the following: email"

  • @RickGraner 10 months ago

    you used a minimal api to RequireAuthorization("api") so if I wanted to make an api controller, would I decorate that controller with the same RequireAuthorization("api")? I'll test this of course but wondering if it needs to be different at all in case it doesn't work

    • @swildermuth 10 months ago +1

      [Authorize("api")] would work (if you create the policy)

  • @tinylittleanj2 8 months ago

    how do I pass a token between a blazor front end app and a web API back end (separate solutions)?
    they both have access to the same database (for testing purposes), I am going to swap it out with OAuth2.0 but I want a proof of concept so I can work out what to do..
    do you have any videos on something a bit more in depth?
    this was great by the way, loving .NET 8 :)

    • @swildermuth 8 months ago

      Not sure how Blazor works in that case.

  • @nelsonrivers8546 3 months ago

    Can you add a video that shows how to do "Refresh Token" while using Identity with Web API 8 ?

    • @swildermuth 3 months ago

      It's on the list to create. Not sure how long until I get to it.

  • @skywalker.b 9 months ago

    How is Launch Profiles opened at 2:56? Some kind of shortcut?

    • @swildermuth 9 months ago

      I had to set a shortcut key for it (in Options/Keyboard). So, yes, I used a shortcut (ctrl-alt-shift-d) but I set that on my machine.

  • @Daviddsjh 1 year ago

    Hi, great video! Unfortunately the link to your example code is broken :(

  • @1972vid 9 months ago

    How does this work when using ASP.Net.core MVC

  • @heididaniels277 3 months ago

    I love your videos. Unfortunately, the database update failed for me.

  • @christianrazvan 1 year ago

    So in .NET 6.0 Identity didn't know about jwt tokens? What is the equivalent of this presentation in .NET 6.0?

    • @swildermuth 11 months ago

      Not exactly, Identity has been much simplified so that you don't necessarily have to handle the validation of the JWT for yourself.

  • @Steve-Fallon 1 year ago

    Does this support external logins like Google and Facebook? I know the old razor-based auth flow does.

    • @swildermuth 1 year ago

      Not really, but the external logins supply their own Bearer tokens. The client-side flow is different.

  • @techreviews-j1o 8 months ago

    Hi, I like what you are doing.
    Please, I have a question.
    I have an API that handles generating authentication with a JWT access token, and all my logic is in this API. I want to use Blazor as frontend with RenderModeAuto; how do I use the JWT in this case?
    For WASM I have no problem, but with Blazor RenderModeAuto I am lost.
    Thank you

    • @swildermuth 8 months ago

      I don't know Blazor, sorry.

  • @MohammadKomaei 1 year ago

    What is the launch profile window shortcut?

    • @swildermuth 1 year ago

      I assigned it to CTRL-SHIFT-ALT-D but I don't think there is one by default.

  • @Denis-nq1nc 1 month ago

    Is it actually JWT?
    As I know it's not, you can't really decode it using any means from web
    It's actually just a Bearer token, not JWT

  • @ArmanOssiLoko 9 months ago

    To be honest, I am bothered by the fact that I can't opt out of some endpoints and that I cannot change the registration model and stuff like that.

    • @swildermuth 9 months ago +1

      You don't have to use the middleware, you can just use Identity instead of adding the endpoints manually. If you scaffold identity, you can manually change anything you want.

    • @ArmanOssiLoko 8 months ago

      @swildermuth That's what I ended up doing. Funnily enough, I tried to use the SignInManager.PasswordSignInAsync() within a controller action named /login and then when I try to do return Ok(), it throws an exception because it tries to write to the HTTP Response twice - the first time within the PasswordSignInAsync and the second time after my return Ok(). lol I am really unsure why their approach to this, because if the PasswordSignInAsync succeeds, the method internally writes the token and everything else to the Response body, but if it fails, it doesn't do anything, so you have to handle it manually. That's how the MapIdentityApi() works at least and I dislike it quite a lot.

    • @ArmanOssiLoko 8 months ago

      @swildermuth I ended up doing that, but the funny thing is that when I tried to move the Identity logic from the MapIdentityApi to a controller, I had to make the login method return a Task instead of an IActionResult, because the SignInManager.PasswordSignInAsync returns a result without any proper data (no token, nothing, just returns the state).

  • @teckyify 1 year ago

    Does this also work with Keycloak? 🤔

  • @sertunc-k5o 7 months ago +1

    I wasted half a day because I added the wrong library. Be careful when adding libraries!!!

    • @swildermuth 7 months ago

      that has been an issue with so many libs with similar names.

    • @sertunc-k5o 7 months ago

      We must definitely be very careful. @swildermuth

  • @jameshancock 1 year ago

    The major issue is that this is ripped off openidconnect without doing openidconnect correctly.
    It should have been full openidconnect with well known endpoints and standards compliance.
    Now we have multiple messes for no reason.

    • @swildermuth 1 year ago +1

      I don't think this is about openid at all? Can you explain what I'm missing?

    • @jameshancock 1 year ago

      @swildermuth it’s a knock off of password flow from openidconnect.
      Except it doesn’t generate the metadata and doesn’t follow the token endpoint pattern.
      So it sounds the same, acts similar but isn’t at all. They made a mess of it instead of just implementing password flow openidconnect and providing standard endpoints with metadata which would have been just as easy and standards compliant in the process.

    • @geraldmaale 1 year ago

      @jameshancock According to the Microsoft folks, if you want the full power of openidconnect and other complex scenarios, they recommend you use DuendeIdentity. This is just a minimalistic approach for people who just want username and password integrated in their apps.

  • @jessecalato4677 9 months ago +2

    This is not JWT

  • @dmzone64 11 months ago

    This is too much of a good thing turned bad. Rarely, you will need a barebones authentication. You will always need to extend it and then this is a nice nicety.

  • @minimalstory 10 months ago +1

    there is not a valid jwt token, Microsoft, as always, did not do what the developers asked. .net swims against the tide with every version

    • @swildermuth 10 months ago +1

      How isn't it a valid jwt token?