Nice video , But I feel it would have been been great for beginners like me , if you had spent some time explaining the usage of each line while configuring authentication in startup and controller class files .
Excellent video, I have shared with my whole team to watch. Thank you. One question, at 15:56 you add the JwtTokenAuthenticationManager to services with the key, but what if you wanted to pass in the DbContext and also maybe the ILogger so the JwtTokenAuthenticationManager can confirm the credentials against the Db. How do you configure the services for the JwtTokenAuthenticationManager in startup to inject those into the class?
your tutorial is amazing, the IT community needs more people like you! however, MICROSOFT SUCKS for implementing a million different classes and ways to implement authentication /authorization classes then those classes get deprecated and then the developer will be scrambling for answers to solutions that new core version/framework is trying to introduce! For MS, there is no one universal, non-complex, non-confusing way to create a simple web API with basic authentication, it's like each authentication scheme is created by one developer that is trying to out-do the other developer within their team that has implemented a recent class/code! I hope, I really, really hope, that MS should one day be overtaken by another company or that incoming new developers will instead switch to open source and other tech stacks for web api-related stuff! I will be the first to rejoice if MS will file for bankrupcy one day, or get bought by Apple!
Hi, thanks for the tutorial! You keep the content simple and easy wich is great, but for future improvement you could add a real front end, just a login page, 1 or 2 authorized pages and a logout. this way we could see the complete workflow of the jwt and how is stored in page transitions.
I am able to generate the token. I am also getting the data without authorisation. But when I give the Authorize for the get method I get unauthorised. Could you please help me solve this issue.
its a good practice to send token as part of header, but nothing stops you from sending token in query string, there are use cases like websocket where you might need to pass it in query string
Great video, i request you to explain the token validation parameter , and token descriptor class properties significance and what situation what value we should set may help great if you do some short video on that portion
Hi, I see that the AuthenticationHandler class comes under two namespaces. - Microsoft.AspNetCore.Authentication - Microsoft.Owin.Security.Infrastructure could you please explain what factors decide the namespace I need to use.
@sanjay varma, Microsoft.Owin.Security.Infrastructure is the legacy namespace. If you are using ASP.Net Core 3.1 you should be using Microsoft.AspNetCore.Authentication .
Thanks for the Awesome Video. But I have a question. If I need to create a Custom Unathorized return message from any POST or GET api, what should I do ?
@Deepjyoty Roy, thanks for watching! In your scenario, you can remove the Authorize attribute and inside of each method check for User.Identity.IsAuthenticated, and based on that throw Unauthorised with you custom messages per method.
Very nice explanation !!! Just one query I have in simple asp.net api we used Owin and OAuth to generate and validate token but I dint see OAuth implementation in Core is there any reason ?
OAuth can be implemented by a middleware. I do not see any reason why it cannot be. I will give it a try. I did not have the need yet, hence I did not try it yet. I will post my video after I try it out. Thanks for the question.
@Jamie Bowman, refresh token comes to play when as an app you want to extend the token lifetime of the user without asking the user to enter id/pwd again for a new token after the initial token expired. The classic example will be a mobile application.
Hi thank you for posting this video. I find it very helpful. I have one question regarding the authentication step though. After receiving the token with a valid username + password combination and entering it as Authorization : Bearer[whitespace]token, the Get step still throws a 401 error. Any idea of what may cause this? Thanks!
Thank you for your well explained video. If possible, could you please make another video to show, secure an api with azure active directory and consume it from AAD secured react app.
Hi, why did you uncheck the "Configure for HTTPS" and check "Docker enabled" option while creating the project? It'll be really helpful info if you tell us.
@@STUPIDUA-cam_HIDINGMSGS problem is they ask for example how would you implement "JwtSecurityTokenHandler" and if you are a junior, unexperienced you can't give a straight asnwer, so the solution is to research about all those classes used and have an idea how they are implemented because in interviews they need one reason to not hire you.
@@ZnSstr This implementation and those classes are hard, even for mid-level and senior, unless they've memorized it or have coded that same code a few hundred times over and over. But who will remember those stuff now that everything changes and there's no one fixed implementation of JWT security? I think I've watched like 10 JWT security videos here in YT and every one of them is coded differently so it's very hard to remember which one works on certain implementation! I missed the times when there's not much security on web services and there's no REST or Web Api and WCF, just plain ASMX services.
Hi Thaks for the video, I have a couple of questions . can you please clarify this? 1. I got a token from the server. I just passed it to someone to use this token. he could able to access the API with the token until it expires. How can we restrict this? 2. I got a token from the server with an expiry time of 15 min. before 15 min I hit token controller and got another token with an expiry time of 15 min. Now I have two tokens with valid time. will the two tokens work? or only the latest one? if so how can we validate?
@Chandu Subhakara Reddy Satti 1. If you pass the token to someone else purposefully, there is nothing that can be done here right. Until the token expires that person will have access to your API unless you keep all tokens in storage and check against that, in which case you can flag the token. 2. It depends if you are keeping the tokens in storage, in that case, you can have an implementation of invalidating older tokens when you send out new tokens. Otherwise, both will be valid.
@Ramesh Kumar, in the controller you will need to do this: if (!User.Identity.IsAuthenticated) return Unauthorized(); Rest will be taken care of by the middleware.
Thanks for the video. I followed exactly like you said. The token expiry I set as : Expires = DateTime.UtcNow.AddMinutes(Convert.ToDouble("20")); So, as you see I have set 20 minutes. I submit Authenticate request -> I get access_token, thats great! Now, I submit other API request with this access_token as bearer, I get the response as expected. Now, after 20 minutes, I try hitting the same endpoint, I still get response, even though 20 minutes have passed already. What am I missing? Please help.
Thanks for the tutorial. You are explaining the concepts very well. Could you please give some suggestions on this? What are the ways to store a JWT token securely on client side. We can use cookies or local storage. But, however someone/ anonymous will able to see the token by using some debugging tools and they can mock the same request and use it in outside of the application. How we can avoid it? Thanks.
Saravana Kumar I’m afraid there is not many choices for storing token securely on client side. Your best bet is local storage. But in terms of avoiding security threats keep your token expiry shorter. So that even if it’s stolen it cannot be used for a longer period.
Hi, At timeline of 10:23 in this video, I have two questions here. 1) Why you used SecurityTokenDescriptor (from Microsoft.IdentityModel.Tokens); why not JwtSecurityToken (from System.IdentityModel.Tokens.Jwt)? 2) What is the difference between Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor and System.IdentityModel.Tokens.Jwt.JwtSecurityToken classes? When to use which?.
@Ravindranath S, JwtSecurityTokenHandler expects SecurityTokenDescriptor from Microsoft.IdentityModel.Tokens, hence. You can use JwtSecurityToken to create token, in that case, you will need to call WriteToken, instead of CreateToken on the JwtSecurityTokenHandler instance.
@@DotNetCoreCentral sorry not what i meant to ask. How do I send the header with each call in my api. After i get my token out of my api login. How to I send that token with another call to get authorized?
Hi, at timeline of 11:26 in this video, you added 1 hour as expiration. I tried with 1 min. But, after 2 min also, I could able to use same token and get the data. Means: token is not expired. Could you please help me on this.
@Thegeektoendallgeeks, thanks for watching! The JWTAuthenticationManager class is responsible for validating credentials and generate tokens. In a real-world scenario, this class might be just a proxy to an external authentication service for credentials validation, or it might interact with a data store for credentials. I hope this answers your question.
@@DotNetCoreCentral that helps thank you, on a separate note. I have a asp.net core web app (MVC) with authentication individual user accounts project I want to add JWT authentication similar to this, but I can't seem to figure out where to start regarding getting the user credentials to apply all of this to.
@@Thegeektoendallgeeks it should be the same as this demo since ASP.NET MVC also shares the same middleware pipeline as Web API. If you are facing any specific issue, and if you can share the code in GitHub, I can definitely take a look.
That's how a tutorial should look like! Straight to point with a working example. Love it! 😎🤩
Thanks!
Easy and great setup of how to add authorization to a web application. Well done!
@Francois Smit, thanks for watching!
Add my voice to the chorus. Insanely helpful and well-done video, thank you.
Thanks!
Love the video. I urge you to create video on OAuth with JWT implementation. Complete details on OAuth.
Thanks, will do!
Why wasn't I able to find this channel earlier 😭 🤣🤣
I've shared your content with all my colleagues 🙏
@The Red Baron, thanks for watching. I hope everyone you have shared with will find it useful.
Dude!! Thx for the video! It really helped me out. Right know I'm just reading your blog to understand better the whole code.
@Carlos Daza, thanks!
Nice video , But I feel it would have been been great for beginners like me , if you had spent some time explaining the usage of each line while configuring authentication in startup and controller class files .
@Kiran BS, thanks for watching, and thanks for your valuable feedback, I will surely keep this in mind.
This worked like a charm. Exactly what I was looking for..., Confused with various online material, but this was most clear of all of them...
@Ra m, thanks for watching the video, and glad this video helped you!
Awsome way of teaching. And working with real scenario.
@Avtar Sashia, thanks for watching!
This is the most simple way of doing JWT , thanks so much
@junaid m, thanks for watching!
Awsm Explanation, Easy to understand
Thank you so much for taking the time to make this video and share your knowledge! Excellent. Subscribed :)
@Monica S, thanks for watching!
Great tutorial, easy to follow and understand. Thanks a lot!
@gh057k33p3r, thanks for watching the video!
Excellent video, I have shared with my whole team to watch. Thank you. One question, at 15:56 you add the JwtTokenAuthenticationManager to services with the key, but what if you wanted to pass in the DbContext and also maybe the ILogger so the JwtTokenAuthenticationManager can confirm the credentials against the Db. How do you configure the services for the JwtTokenAuthenticationManager in startup to inject those into the class?
good help full, if you want to add more things then add authorization with multiple roles, multi-tenant application authentication.
Thanks for the suggestion!
A heartly thanks to you for teaching the tokenization in simple way.
@Yashas Gowda, thanks for watching!
your tutorial is amazing, the IT community needs more people like you!
however, MICROSOFT SUCKS for implementing a million different classes and ways to implement authentication /authorization classes then those classes get deprecated and then the developer will be scrambling for answers to solutions that new core version/framework is trying to introduce!
For MS, there is no one universal, non-complex, non-confusing way to create a simple web API with basic authentication, it's like each authentication scheme is created by one developer that is trying to out-do the other developer within their team that has implemented a recent class/code! I hope, I really, really hope, that MS should one day be overtaken by another company or that incoming new developers will instead switch to open source and other tech stacks for web api-related stuff!
I will be the first to rejoice if MS will file for bankrupcy one day, or get bought by Apple!
Excellent video brother.. I have been looking for this.. Thank you so much 🙏🙌👏👏
@Praveen Kumar, thanks for watching!
Amazing video thank you! So clear and concise!
@Brett Gregory, thanks for watching!
Thank you Nirjhar. Great explanation.I have implemented with your example
@Rahul Sharma, thanks for watching!
Nice explanation 👌
@Funny Toddler, thanks!
really nice explanation to the point and explained every point thanks alot
God bless you my friend for this video
@DAVID EMMANUEL, thanks for watching!
Very quality content. It very helped me to understand this important theme !:)
@Eva Apperson, thanks for watching!
Guys I am confused here that the implementation of JWT here is working on O Auth 2.0 mechanism or not?
Excellent content.. very straight forward
Thanks!
Simple and clear example, thank you 👍
Thanks for watching!
Hi, thanks for the tutorial! You keep the content simple and easy wich is great, but for future improvement you could add a real front end, just a login page, 1 or 2 authorized pages and a logout. this way we could see the complete workflow of the jwt and how is stored in page transitions.
Pedro Moura thanks for the suggestions. I’ll definitely work on that. Thanks again for watching the video.
@@DotNetCoreCentral Did you ever make this video?
@@DotNetCoreCentral Did you ever make this video?
@@lengoctuan5217 no, I never got to it.
@@DotNetCoreCentral Thanks brother for the reply. Your video is very helpful.
Thank you for this very helpful video and sharing your knowledge! Subscribed!
@Rehan Alibux, thanks for watching the video and subscribing to my channel!
Thanks You. Great... very neat and clean explanation given by you.
@Pritam Deokule, thanks for watching!
So satisfying keyboard typing.))))
@Roman Doskoch, thanks!
Hi. Good video. But what is the purpose of audience nd issuerence?
really helpful to understand the jwt authentication. please make a video on refresh token also
@Sudip Jash, thanks for watching. I already have a video on refresh token on my channel.
Very good explanation.
thank you .
May I know the use of having the AuthenticationManager interface instead of just having a solid Class? thanks
Thanks for your video, a Very Good explanation. I have a suggestion. if you can list out all the dependencies that will be great.
@jvv (vvj), thanks for watching and the suggestion!
Nice and simple video
@Yogesh Tripathi, thanks for watching!
Very well explained. Thanks for your effort.
@Sohail Sarwar, thanks for watching!
i am big fan of your videos .
@Ashutosh Mishra, thanks for watching!
Excellent work explaining this!
@Knightmare RIP, thanks for watching!
I am able to generate the token. I am also getting the data without authorisation. But when I give the Authorize for the get method I get unauthorised. Could you please help me solve this issue.
Very good video
@Raj Raj, thanks for watching!
Very useful information. Thank you sir...
@Vinayak Katti, thanks for watching!
In this JWT is authorized when sent as header in the request. May I know how can the access token be validate as part of query string ?
its a good practice to send token as part of header, but nothing stops you from sending token in query string, there are use cases like websocket where you might need to pass it in query string
Great video, i request you to explain the token validation parameter , and token descriptor class properties significance and what situation what value we should set may help great if you do some short video on that portion
@Web Samurai, thanks for watching, I will try to do a video for that.
Excellent... keep up the good work
@Abc Xyz, thanks for watching!
Thank you for all of your tutorial
@Monsieur Bobel, thanks for watching!
Thank you for this helpful video. Keep doing the good work.
@Hinda Chokri, thanks for watching and taking the time to provide a comment!
very well explained
Thanks!
Excellent Show, thanks much.
@Stephen Viswaraj, thanks for watching!
Thanks a lot for such content. I respect and really admire your huge efforts, for such incredible content. God bless mate.
Thanks a ton
Great video. Truly helped me out!
Great video. Keep doing the good work
Gautam Saraswat thanks for watching!
Thank you for making it easy understanding.
@Ajith Chanaka, thanks for watching!
Very nicely done. Thank you.
Thank you for the knowledge you shared. What are the headers that I should be using with Postman?
In header you have to put “bearer token”
Hi, I see that the AuthenticationHandler class comes under two namespaces.
- Microsoft.AspNetCore.Authentication
- Microsoft.Owin.Security.Infrastructure
could you please explain what factors decide the namespace I need to use.
@sanjay varma, Microsoft.Owin.Security.Infrastructure
is the legacy namespace. If you are using ASP.Net Core 3.1 you should be using Microsoft.AspNetCore.Authentication
.
How we can achieve same thing in MVC and pass token after authentication?
Great video brother. If you could explain why we are using each commend and its benefits would have been really helpful.
@Kishor Kadavil, thanks for watching and great feedback, I will work on this.
Thanks for the Awesome Video. But I have a question. If I need to create a Custom Unathorized return message from any POST or GET api, what should I do ?
@Deepjyoty Roy, thanks for watching!
In your scenario, you can remove the Authorize attribute and inside of each method check for User.Identity.IsAuthenticated, and based on that throw Unauthorised with you custom messages per method.
Thank you very much! very well explained
@Julian GZR
, thanks for watching!
Great content 👏👏 , Thank you
Thanks . Perfect video
You're welcome!
Great video, nicely explained
@Shivendra P. Singh, thanks for watching!
Thanks....good explanation
@Shsik zuhair, thanks!
Very nice explanation !!! Just one query I have in simple asp.net api we used Owin and OAuth to generate and validate token but I dint see OAuth implementation in Core is there any reason ?
OAuth can be implemented by a middleware. I do not see any reason why it cannot be. I will give it a try. I did not have the need yet, hence I did not try it yet. I will post my video after I try it out. Thanks for the question.
@@DotNetCoreCentral Thank you so much.
Can you please provide the second part of this tutorial. It is very nice video. Awesome.
@Nafees Khan, thanks for watching! What are you expecting in the second part?
This is great and I was able to replicate this. However, I'm wondering.. where do refresh tokens come into play?
@Jamie Bowman, refresh token comes to play when as an app you want to extend the token lifetime of the user without asking the user to enter id/pwd again for a new token after the initial token expired. The classic example will be a mobile application.
Hi thank you for posting this video. I find it very helpful. I have one question regarding the authentication step though. After receiving the token with a valid username + password combination and entering it as Authorization : Bearer[whitespace]token, the Get step still throws a 401 error. Any idea of what may cause this? Thanks!
you can raise the logging level in the config and you can see the exact issue resulting in 401
Thank you for your well explained video. If possible, could you please make another video to show, secure an api with azure active directory and consume it from AAD secured react app.
majichayan I’ll definitely try. Thanks for the suggestion and thanks for watching.
Thank you so much for this video! it's really helpful..
@sachin deshmukh, thanks for watching!
Hi, why did you uncheck the "Configure for HTTPS" and check "Docker enabled" option while creating the project? It'll be really helpful info if you tell us.
@Shubham Shaw, there is no particular reason. You can keep both enabled.
If you configure https you will need SSL certificate. While running in localhost you can do with http.
Awesome keep up the good work
@Rahul Mathew, thanks for watching!
Thank you man, that is what i sought for
@Marco Taliente, thanks for watching, and glad this video helped you!
Very cool man but how the heck I explain all those classes in an interview lmao, this is like +4 h to learn how to talk about these things.
yeah, tha's the problem, right? we can't explain those complicated classes and a simple missed class then the authentication won't work!
@@STUPIDUA-cam_HIDINGMSGS problem is they ask for example how would you implement "JwtSecurityTokenHandler" and if you are a junior, unexperienced you can't give a straight asnwer, so the solution is to research about all those classes used and have an idea how they are implemented because in interviews they need one reason to not hire you.
@@ZnSstr This implementation and those classes are hard, even for mid-level and senior, unless they've memorized it or have coded that same code a few hundred times over and over. But who will remember those stuff now that everything changes and there's no one fixed implementation of JWT security? I think I've watched like 10 JWT security videos here in YT and every one of them is coded differently so it's very hard to remember which one works on certain implementation! I missed the times when there's not much security on web services and there's no REST or Web Api and WCF, just plain ASMX services.
This is really good. Thanks..
@Bhanushka Ekanayake, thanks for watching!
how would i get user data from token such as username ?
Hi Thaks for the video, I have a couple of questions . can you please clarify this?
1. I got a token from the server. I just passed it to someone to use this token. he could able to access the API with the token until it expires. How can we restrict this?
2. I got a token from the server with an expiry time of 15 min. before 15 min I hit token controller and got another token with an expiry time of 15 min. Now I have two tokens with valid time. will the two tokens work? or only the latest one?
if so how can we validate?
@Chandu Subhakara Reddy Satti
1. If you pass the token to someone else purposefully, there is nothing that can be done here right. Until the token expires that person will have access to your API unless you keep all tokens in storage and check against that, in which case you can flag the token.
2. It depends if you are keeping the tokens in storage, in that case, you can have an implementation of invalidating older tokens when you send out new tokens. Otherwise, both will be valid.
v good video really helped me
Thanks!
Thanks, great video
@hdjfgt, thanks for watching!
Thank you this is an awesome video
@Aj Botha, thanks for watching!
how to validate bearer token - if you put post man bearer token its allow to hit the method i want to how to validate bearer token and the method
@Ramesh Kumar, in the controller you will need to do this:
if (!User.Identity.IsAuthenticated)
return Unauthorized();
Rest will be taken care of by the middleware.
Thanks for the video. I followed exactly like you said. The token expiry I set as :
Expires = DateTime.UtcNow.AddMinutes(Convert.ToDouble("20"));
So, as you see I have set 20 minutes.
I submit Authenticate request -> I get access_token, thats great!
Now, I submit other API request with this access_token as bearer, I get the response as expected.
Now, after 20 minutes, I try hitting the same endpoint, I still get response, even though 20 minutes have passed already. What am I missing? Please help.
@Sid N, thanks for watching. I will take a look and let you know.
Thanks for the tutorial. You are explaining the concepts very well.
Could you please give some suggestions on this?
What are the ways to store a JWT token securely on client side. We can use cookies or local storage. But, however someone/ anonymous will able to see the token by using some debugging tools and they can mock the same request and use it in outside of the application. How we can avoid it?
Thanks.
Saravana Kumar I’m afraid there is not many choices for storing token securely on client side. Your best bet is local storage. But in terms of avoiding security threats keep your token expiry shorter. So that even if it’s stolen it cannot be used for a longer period.
@@DotNetCoreCentral Thank you so much for replying me.
Will we use refresh token to overcome this issue?
@@SaravanaKumar-bt5xn yes, that's usually better.
My Authorization header is missing IDK why but I don't have problems with other headers, is there a way to change the header name?
@tertulianeo, how are you passing the header? can you share the code?
@@DotNetCoreCentral ty, it was a problem with my cloud front
@@tertulianeo great to hear your issue is resolved!
Hi, At timeline of 10:23 in this video, I have two questions here.
1) Why you used SecurityTokenDescriptor (from Microsoft.IdentityModel.Tokens); why not JwtSecurityToken (from System.IdentityModel.Tokens.Jwt)?
2) What is the difference between Microsoft.IdentityModel.Tokens.SecurityTokenDescriptor and System.IdentityModel.Tokens.Jwt.JwtSecurityToken classes? When to use which?.
@Ravindranath S, JwtSecurityTokenHandler expects SecurityTokenDescriptor from Microsoft.IdentityModel.Tokens, hence. You can use JwtSecurityToken to create token, in that case, you will need to call WriteToken, instead of CreateToken on the JwtSecurityTokenHandler instance.
thank you.
thank you very much
@bergurmg, thanks for watching!
im getting 404 not found in get when im trying to get values1 and values 2
@shashi vishw, if you can share your code in GitHub I can take a look, thanks.
why do we need to "var tokenKey = Encoding.ASCII.GetBytes(key); "
@Furkan D, thanks for watching! We need to pass byte array for the key, hence we need to get bytes from the string.
Nice!
Really helpful !
@Marian Kurtov, thank you for watching!
Hi , Have you used ever redis cache in identity server 4 to improve the preformation
@vivek Gowda, no, I have never used it. But it's a good idea I would guess. I might give it a try.
@@DotNetCoreCentral thank you 😀
Awesome !!
@habeeb afvan, thanks!
how to send the authentication header with each call. like what you did in postman?
you set it in the header section of the Postman with Authorization header
@@DotNetCoreCentral sorry not what i meant to ask. How do I send the header with each call in my api. After i get my token out of my api login. How to I send that token with another call to get authorized?
@@rivaldovola9896 Postman has concept of environment variable which you can use to save the token and pass it along to rest of the calls
this is awesome.. thanks a lot!
@ayush singh, thanks for watching!
Hi, at timeline of 11:26 in this video, you added 1 hour as expiration. I tried with 1 min.
But, after 2 min also, I could able to use same token and get the data. Means: token is not expired.
Could you please help me on this.
@Ravindranath S, I will try it out and let you know.
@@DotNetCoreCentral we have to use UseExpirationValidation in AddJwtBearer configuation
@@umairghouri1718 thanks for the suggestion!
Thank You!
@John Magnetron, thanks for watching!
Good job 👍 .. what about refresh token?
@
Ali Haydar, thanks for watching! ua-cam.com/video/7JP7V59X1sk/v-deo.html
why is making the IJwtAuthenticationManager necessary?
@Thegeektoendallgeeks, thanks for watching! The JWTAuthenticationManager class is responsible for validating credentials and generate tokens. In a real-world scenario, this class might be just a proxy to an external authentication service for credentials validation, or it might interact with a data store for credentials. I hope this answers your question.
@@DotNetCoreCentral that helps thank you, on a separate note. I have a asp.net core web app (MVC) with authentication individual user accounts project I want to add JWT authentication similar to this, but I can't seem to figure out where to start regarding getting the user credentials to apply all of this to.
@@Thegeektoendallgeeks it should be the same as this demo since ASP.NET MVC also shares the same middleware pipeline as Web API. If you are facing any specific issue, and if you can share the code in GitHub, I can definitely take a look.