Do you need IdentityServer?

  • Published 21 Oct 2024

Comments • 109

  • @feelingeverfine
    @feelingeverfine 2 years ago +53

    No

  • @maxamundsen
    @maxamundsen 1 year ago +2

    Thanks to these videos I finally ACTUALLY understand how auth flow is supposed to work. About 3 years ago I thought it was as simple as sending post requests, hashing passwords, then sending back a session cookie (all done manually in poorly written PHP). I now understand when and why you should use certain levels of auth management and how to properly implement it (or when you shouldn't).

  • @coleworld3061
    @coleworld3061 2 years ago +17

    Thank you … not introducing unnecessary complexity into the stack is a skill I’m trying to improve. All the tools … All the shiny things

    • @RawCoding
      @RawCoding 2 years ago +7

      Not all that shines is gold...

  • @fieryscorpion
    @fieryscorpion 2 years ago +10

    This is a great video. I needed some guidance on its use cases. I'll watch it again to fully absorb it.
    Since I'm a visual person, can you please create videos like this using some diagrams? Diagrams would be immensely helpful in understanding topics like this.
    Thank you!

  • @iri5621
    @iri5621 1 year ago +3

    Jeez, finally a simple explanation of this holy mess of auth options! You helped me a lot to make an informed decision on what I actually need for my app

    • @RawCoding
      @RawCoding 1 year ago +1

      Glad you liked it. If you want more auth videos, check out my recent playlist

  • @AhmedMohammed23
    @AhmedMohammed23 2 years ago +28

    Is he dancing? I feel like he is dancing 😅😅

    • @RawCoding
      @RawCoding 2 years ago +15

      it's hard not to dance when I stand

    • @AhmedMohammed23
      @AhmedMohammed23 2 years ago

      @@RawCoding I feel you, most people tell me to stop moving or sit down when I'm talking to them because I keep moving in place

  • @brandonpearman9218
    @brandonpearman9218 2 years ago +3

    I don't understand why this type of thinking is not more common in software development. Everyone always says "it depends" but never says what it depends on; they never seem to expand on why you should not use something.

  • @shucaybmili
    @shucaybmili 2 years ago +1

    thanks, you've just talked about my frustrations, thanks for clarifying it

  • @codewkarim
    @codewkarim 2 years ago +4

    Nice video, nicer wall tag!

  • @dmtuan
    @dmtuan 2 years ago +2

    Very useful summary!

  • @hendrik2765
    @hendrik2765 2 years ago +1

    Nice to see you again, have to join the streams again ^^

    • @RawCoding
      @RawCoding 2 years ago

      Hey man, you’re always welcome )

  • @frankhaugen
    @frankhaugen 1 year ago +2

    "need identity server" and "need an identity server" is quite confusing, as Identity Server is a product, but having a service/server for managing identity is always a good idea, as it can be given its own infrastructure that is more resilient and secure than the rest of your application. So even if you are doing simple email and a password hash for authentication, this should be compartmentalized, regardless of what technology you are doing authentication with.

  • @cicpolk
    @cicpolk 1 year ago

    Really useful explanation Anton. Thanks!

  • @rade6063
    @rade6063 2 years ago +1

    Nice to see your videos again

  • @robertroxxor
    @robertroxxor 1 year ago +2

    great. spent a full day researching and copy-pasting tutorial code, repeatedly asking myself "do i even need this". i'm deving a spa app with a single database backend and probably some rest api in the future. guess this falls into the "no" category. thanks for this video :)

    • @RawCoding
      @RawCoding 1 year ago

      Exactly glad I could spare the pain

  • @anurag3487
    @anurag3487 2 years ago

    It's good to see you posting regularly. As always great content, very informative.

  • @michaelsniknejs6326
    @michaelsniknejs6326 1 year ago

    Great video, thanks for making it :) Btw what country is your accent from?

  • @allinvanguard
    @allinvanguard 2 years ago +1

    I like this new format, happy to see you uploading regularly again! Couldn't agree more on the content

  • @IndieBeto
    @IndieBeto 2 years ago +1

    Damn, you got a new camera man? Looks dope. Been missing hanging on with you on twitch though. Cheers!

    • @RawCoding
      @RawCoding 2 years ago

      Thank you, I'll stream more been busy with the course

  • @gerarduab9960
    @gerarduab9960 2 years ago +3

    In my point of view, I think that the problem comes from .NET. I think there isn't a simple solution for implementing SSO into an SPA, and the Microsoft team has to make more effort. No, I don't need an identity server, but what other settings exist for having a secure JWT in a web app with SSO?

  • @dilankabc
    @dilankabc 2 years ago

    Great Explanation!!! Thank you

  • @huzzah4139
    @huzzah4139 2 years ago +3

    Thank you, this is exactly what I needed!
    I just have a question regarding SSO for multiple apps in different subdomains. The apps are owned and developed by the same company; they are under the same domain but different subdomains. You mentioned that since it's not cut by domain it's easy to implement SSO without IdentityServer.
    Could you share how that could be done? Every solution I came up with seemed like it involved a lot of custom implementation, and I was wondering if I missed something.

    • @RawCoding
      @RawCoding 2 years ago +2

      1) Share data protection keys between identity and the other apps: docs.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-6.0#setapplicationname
      2) Issue the cookie to the main domain on the identity broker component:
      services.ConfigureApplicationCookie(o =>
      {
          o.Cookie.Name = "cookiename";       // same cookie name on every app
          o.Cookie.Domain = ".mydomain.com";  // leading dot: the browser sends it to every subdomain
      });
      3) Configure the app side to accept said cookie:
      services.AddAuthentication("anything")
          .AddCookie("anything", options =>
          {
              options.Cookie.Name = "cookiename"; // must match the name issued in step 2
          });

    • @huzzah4139
      @huzzah4139 2 years ago

      Thanks!

    • @alperyesilyurt3374
      @alperyesilyurt3374 2 years ago

      @@RawCoding This explanation is great. With simple cookie configuration it is possible to obtain sso easily under such a scenario

  • @mateuszfryc48
    @mateuszfryc48 1 year ago

    I got to say I almost got seasick from watching how you rock left and right, almost as if on a boat. Did anyone try to put some rap music to your videos? Otherwise great explanation, thank you so much.

  • @marna_li
    @marna_li 2 years ago +1

    Unless you need to be a fancy Auth Provider that stores your own data, then you don't need one.
    Identity Server is hard to wrap your head around since there are so many use cases, mainly for bigger applications.

  • @diligencehumility6971
    @diligencehumility6971 2 years ago +1

    When you talk about Identity Server, do you mean the one from duende software? Or just the regular Identity Core library?

    • @samettt54
      @samettt54 2 years ago +2

      Around 04:10 he says "Asp .Net Core has its own JWT management API, you don't need Identity Server", something along these lines. So I believe he talks about Identity Server from Duende when he says Identity Server, and he started his speech calling it "Identity Server 4".

  • @diegomelgar2696
    @diegomelgar2696 1 year ago

    Hi,
    What about solutions where you have one frontend and multiple backend services that this frontend consumes, in which every service requires the user to be authenticated?
    Frontend X makes requests to:
    Service A: authenticates users and manages roles and permissions. (Authentication can be database, Azure AD, etc.) Management of roles and permissions is custom.
    Service B: Products service (only users authenticated by Service A can access)
    Service C: Orders service (only users authenticated by Service A can access)
    Service C communicates with Service B (validating product stock, etc.), so firewall infrastructure can be suitable instead of the client credentials flow.
    So, would I need Identity Server for this scenario? If not, what can we use/do in such a scenario?

  • @КостяБондаренко-м8в
    @КостяБондаренко-м8в 2 years ago +2

    Instant like for dancing

  • @kevinwang3674
    @kevinwang3674 2 years ago +2

    bro, i like your wall😆

  • @shahzeb5130
    @shahzeb5130 2 years ago +3

    I started your authentication and authorization series. I still didn't get what the best case is to use Identity Server 4. Just wondering, have you correctly used it in one of your series?

    • @RawCoding
      @RawCoding 2 years ago +4

      when clients have a many-to-many relationship with the APIs
      or
      your application is being extended by other apps.

  • @dariuszlenartowicz
    @dariuszlenartowicz 1 year ago

    Thank you!!!

  • @Folsets
    @Folsets 2 years ago

    Hello, I'm happy to see you

  • @TheAzerue
    @TheAzerue 2 years ago +1

    Hi
    Great video. Just one question. If I have 3 services in .NET, Java and Python, and Java and Python need to validate a JWT produced by .NET, then do I need Identity Server 4, as it can get the public certificate from {domain-name}/.well-known/openid-configuration/jwks and validate the token, or do we implement it ourselves? What are your thoughts on this?

    • @RawCoding
      @RawCoding 2 years ago

      Well you got the public key, you got the algo in the jwt header, slap the 2 together against the token and you should be able to validate it.

  • @algarud
    @algarud 2 years ago +4

    Well laid out. The ass on the wall is good too.

    • @RawCoding
      @RawCoding 2 years ago +1

      The ass is the best of all

  • @Wfmike
    @Wfmike 2 years ago +1

    The recent trend especially with ID5 is to move away from client side jwt due to token exfiltration and use server side cookie when possible.

    • @RawCoding
      @RawCoding 2 years ago

      yesir

    • @paulo_pastore
      @paulo_pastore 2 years ago +1

      what about using jwt token in cookies in a secure mode
      as I know it is the safest approach

    • @RawCoding
      @RawCoding 2 years ago +1

      That works

  • @ebrahimalkadim7551
    @ebrahimalkadim7551 2 years ago +2

    IMHO I think it would be perfect to use if you have multiple clients (e.g. a bank with multiple branches, or assume you own Google or Facebook, etc. xD), otherwise no need to add more complexity to your project.

  • @lukedjuuuu
    @lukedjuuuu 2 years ago +2

    this is gold

  • @Tymonello
    @Tymonello 1 year ago +1

    So if I have a WebAPI and a Blazor ServerSide application, and only the frontend is public, I can use only .NET Identity for user authentication and that's it? Because the frontend will communicate with the API through the local network only.

    • @RawCoding
      @RawCoding 1 year ago +1

      Exactly, David fowler has an example that shows how to do it with JWT tokens, and it’s way too complex you don’t need it. Service to service just use firewall

    • @Tymonello
      @Tymonello 1 year ago

      @@RawCoding ok thanks!

  • @blankhh7797
    @blankhh7797 2 years ago +1

    OpenIddict is another option. It's a free OpenID Connect server library.

  • @AdamCiszewski
    @AdamCiszewski 2 years ago +1

    The life of IS4 support seems to be running out. IS5 is a paid solution. Do you see any alternative of a similar format? Azure B2C? Auth0?

    • @RawCoding
      @RawCoding 2 years ago +1

      Did you not watch the video? It’s free while you earn less than a mil

  • @AzaKyd
    @AzaKyd 2 years ago +1

    How are you? We missed you.

  • @youseff1015
    @youseff1015 2 years ago +2

    Omg thank you, please explain this more..
    If you Google API authentication, JWT pops up. My question is, if we are using JWT do we need refresh tokens? Do we write our own implementation of refresh tokens? Writing a refresh token implementation is fishy because everyone implements it differently and I don't know what to believe anymore

    • @youseff1015
      @youseff1015 2 years ago +1

      So my thinking is like: if the refresh token implementation is not very clear, then we use Identity Server to do it for us! Right? Wrong, according to what you said.
      Then we just implement our own fishy refresh token implementation?

    • @RawCoding
      @RawCoding 2 years ago +2

      If you are using JWT, you do not need a refresh token.
      datatracker.ietf.org/doc/html/rfc6749#section-1.5
      > Issuing a refresh token is optional at the discretion of the
      > authorization server. If the authorization server issues a refresh
      > token, it is included when issuing an access token
      > A refresh token is a string representing the authorization granted to
      > the client by the resource owner. The string is usually opaque to
      > the client. The token denotes an identifier used to retrieve the
      > authorization information. Unlike access tokens, refresh tokens are
      > intended for use only with authorization servers and are never sent
      > to resource servers.
      A refresh token is a string with an expiry value in the database.

    • @youseff1015
      @youseff1015 2 years ago +1

      @@RawCoding thanks for the response. If I'm not using a refresh token but instead a long-lived JWT and someone changes their password, how do I invalidate their active session with the old password?

    • @RawCoding
      @RawCoding 2 years ago +2

      A database record of the JWT which you invalidate if the password is changed, or a hash claim based on the user's password hash; if that changes, the token becomes invalid.
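
The password-hash-bound claim from the reply above, worked as an added example that is not part of the thread or the video: a minimal HS256 JWT issuer and verifier in Python where every token carries a short fingerprint of the user's password hash, so a password change makes tokens issued before it fail validation with no per-token database record. It also walks through the basic checks mentioned earlier in the thread (signature, algorithm, expiry); the secret, the user store and the hashes are constructed, and the verifier pins the expected algorithm instead of trusting the header's alg.

```python
# Added example, not from the video or the comment thread. Assumptions
# (constructed): one HS256 server secret and one stored password hash per
# user. Each token carries a short fingerprint ("pwd") of the hash that was
# in force when it was issued; after a password change the stored hash
# differs, so the fingerprint no longer matches and the token is rejected.
import base64, hashlib, hmac, json
from typing import Dict, Optional, Tuple

SECRET = b"constructed-demo-secret-do-not-reuse"
EXPECTED_ALG = "HS256"  # pinned server-side; the header's alg is never trusted

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def security_stamp(password_hash: str) -> str:
    # Fingerprint of the stored hash; the hash itself never enters the token.
    return hashlib.sha256(password_hash.encode()).hexdigest()[:16]

def issue_token(sub: str, password_hash: str, ttl: int, now: int) -> str:
    header = _b64url(json.dumps({"alg": EXPECTED_ALG, "typ": "JWT"}).encode())
    claims = {"sub": sub, "exp": now + ttl, "pwd": security_stamp(password_hash)}
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_token(token: str, users: Dict[str, str], now: int) -> Optional[dict]:
    """Return the claims if signature, alg, expiry and password stamp all check
    out against the user's *current* hash; otherwise return None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_b64url_decode(header_b64)).get("alg") != EXPECTED_ALG:
            return None  # alg confusion guard: only the pinned algorithm counts
        expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None  # signature does not match
        claims = json.loads(_b64url_decode(payload_b64))
        if claims["exp"] <= now:
            return None  # expired
        stale = claims["pwd"] != security_stamp(users[claims["sub"]])
    except (ValueError, TypeError, KeyError, AttributeError):
        return None  # malformed token, wrong claim types or unknown user
    return None if stale else claims  # stale: password changed since issue

def demo() -> Tuple[bool, bool]:
    users = {"alice": "argon2id$constructed-hash-v1"}  # constructed user store
    now = 1_700_000_000
    token = issue_token("alice", users["alice"], ttl=3600, now=now)
    valid_before = verify_token(token, users, now + 60) is not None
    users["alice"] = "argon2id$constructed-hash-v2"  # password changed
    valid_after = verify_token(token, users, now + 60) is not None
    return valid_before, valid_after

if __name__ == "__main__":
    print(demo())  # (True, False)
```

The same stamp idea works with an asymmetrically signed token: only the signature check changes, the stamp comparison against the current hash stays on the resource side.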

  • @prathameshshende4
    @prathameshshende4 2 years ago +2

    Can you provide an SSO without identity server examples video?

  • @Дима-ч3у3х
    @Дима-ч3у3х 2 years ago +1

    Thank you! I have a question. I need to implement a microservices app (back-end). I also have an Angular app (front-end). And I need to authenticate and authorize users. My mentor tells me that I need to implement the authentication logic using IS4. But I don't see any sense in doing that. My application will not allow third-party applications to be integrated. How should I implement authentication and authorization logic? (I want to use JWT)

    • @RawCoding
      @RawCoding 2 years ago

      Create a jwt token and return it in a header or body.

  • @SomeRandomDudeAF
    @SomeRandomDudeAF 1 year ago

    It's like walking into a tech store. Do I need to buy this thing? No! Am I GOING to buy this thing? Yepp! So what have I learned? That I am going to use IDP. Not because I need it, but because I want it. So weak minded...

  • @YashwantMestry
    @YashwantMestry 2 years ago +1

    What about the sticky sessions problem with cookie authentication? If we scale up the application then cookie auth creates a problem, because session data is stored on one server and the problem comes when the client request is passed to another server.

    • @RawCoding
      @RawCoding 2 years ago

      Cookies are stateless

    • @paulo_pastore
      @paulo_pastore 2 years ago

      @@RawCoding what is the difference between stateless cookies and JWT tokens?

    • @RawCoding
      @RawCoding 2 years ago +1

      Cookies get handled automatically by the browser.

  • @Programmer777
    @Programmer777 4 months ago +1

    What about csrf attack?

  • @Mo-ef9yt
    @Mo-ef9yt 2 years ago

    I have a web API backend and Blazor Server on the frontend. I have used JWT, which works fine. However, due to having Blazor Server at the frontend it is impossible for me to have the JWT refresh token working on the Blazor Server. If I had chosen Identity Server I wouldn't be in this situation.

  • @AzizjanAyupov_leo
    @AzizjanAyupov_leo 8 months ago

    Are you alive dude? Do we need to make a standalone API microservice for authentication?

    • @RawCoding
      @RawCoding 8 months ago

      Yea, and whats a microservice?

    • @AzizjanAyupov_leo
      @AzizjanAyupov_leo 8 months ago +1

      @@RawCoding I wanna create a .NET web API microservice for authorization purposes. But I don't know how to make it properly using a public key and an asymmetric algorithm

    • @RawCoding
      @RawCoding 8 months ago

      Sounds like you have a lot of learning to do!

    • @AzizjanAyupov_leo
      @AzizjanAyupov_leo 8 months ago

      @@RawCoding maybe... Gonna teach me?

  • @TheRockbio
    @TheRockbio 2 years ago +2

    Can you do a series on cookie authentication with webapi and spa?

    • @joehernandez3231
      @joehernandez3231 2 years ago +1

      I was wondering if maybe he's done one already and would link to it in the video. And include a mobile app too. It would be great to see these pieces without IdentityServer because I too came to believe that as soon as you throw in web api and some client then you need some dedicated identity provider.

    • @RawCoding
      @RawCoding 2 years ago +1

      authentication series from cookie to identity server
      th-cam.com/play/PLOeFnOV9YBa7dnrjpOG6lMpcyd7Wn7E8V.html

    • @RawCoding
      @RawCoding 2 years ago

      otherwise you do:
      fetch("/login", { method: "POST", headers: { "Content-Type": "application/json" },
                        body: JSON.stringify({ u: "username", p: "password" }) });

    • @TheRockbio
      @TheRockbio 2 years ago +1

      The problem is that everywhere I worked they have the SPA and web API on different domains. Therefore I do not know how a cookie would ever work from the web API, as they expect it to be stateless.

    • @RawCoding
      @RawCoding 2 years ago +1

      Cookie is just a value in the header ;)

  • @matej254sk
    @matej254sk 2 years ago +1

    Add IdentityServer just in case :D

  • @mikhailslinko632
    @mikhailslinko632 2 years ago

    I'm only sure that the subtitles you don't write will help a lot of people.

  • @adamc1694
    @adamc1694 2 years ago

    Azure has out of the box OAuth solution.

  • @lflewwelling2
    @lflewwelling2 2 years ago +1

    Ok, so how do I get rid of my Identity Server? lol

  • @xxyxungxxraimexx7242
    @xxyxungxxraimexx7242 2 years ago

    Anton cool dawg 🦾🥰

  • @clearlyunwell
    @clearlyunwell 2 years ago

    👍🏽

  • @stanleysane7160
    @stanleysane7160 2 years ago

    Am I the only one who sees C# Rap Stand-up?..

  • @cocoscacao6102
    @cocoscacao6102 2 years ago

    Well, if *your* company needs an identity server, I think it is safe to say that at that point you'll have a security expert employee, so *you* don't need to learn identity server 😉
    On a more serious note, those videos helped me quite a bit, since a lot of the things apply to Azure's identity framework, which probably uses identity server in the background.

    • @RawCoding
      @RawCoding 2 years ago

      > I think it is safe to say that at that point, you'll have a security expert employee
      couldn't be further from the truth, unfortunately.

    • @cocoscacao6102
      @cocoscacao6102 2 years ago

      @@RawCoding Then I assume that's how you've learned it. Thrown into the fire eh?

  • @oladipotimothy6007
    @oladipotimothy6007 2 years ago

    10 minutes stand up