I hope this video helps demystify authentication & authorization in ASP.NET!
Want to dive deeper? Check out the relevant ASP.NET source code 👇🏼
AuthenticationMiddleware: github.com/dotnet/aspnetcore/blob/c85baf8db0c72ae8e68643029d514b2e737c9fae/src/Security/Authentication/Core/src/AuthenticationMiddleware.cs
AuthorizationMiddleware: github.com/dotnet/aspnetcore/blob/525705fef408fce01ec339c99b617ac7b64e9c16/src/Security/Authorization/Policy/src/AuthorizationMiddleware.cs
JwtBearerHandler: github.com/dotnet/aspnetcore/blob/main/src/Security/Authentication/JwtBearer/src/JwtBearerHandler.cs
Default AuthorizationPolicy: github.com/dotnet/aspnetcore/blob/4db440dbe61d390aaa215a609ab59c28989fc595/src/Security/Authorization/Core/src/AuthorizationOptions.cs#L31
Looking forward to that DDD series 😁😁
Spent the last 2 days trying to wrap my head around this... thank you.
Very clear and straightforward. I love the pacing of your videos. Can't wait for the DDD stuff!
One of the best video series about programming I have ever seen. I hope you will release DDD videos as soon as possible. Thanks for all the knowledge you share with us 🧑🎓👏
One of the best step-by-step explanations of how to set up JWT Bearer authentication & authorization. Thank you, Amichai, for making this amazing video! 🙂
I love this video. You opened my brain and allowed me to resolve my problem with authorization in microservices.
Excellent once again!
I'm looking forward to the DDD one.
Thanks, Guil 🫶🏼
Clear and Concise ....Excellent stuff...
this video was insightful and easy to follow along with you
Looking forward to DDD video series!
Love you man, just when I am starting to work on authentication in my personal project :) Thank you, great job
🫶
Hi! Your videos are magnificent, I loved everything. I also look forward to DDD.
I found this video very easy to watch, and I've also been loving how you have been providing this type of content.
I keep asking myself: what tool do you use to design those architectures (with the folders and files inside, etc.)?
Another great video would be you going through designing a system architecture.
Keep it up!
Thanks, Filipe! I use Figma :)
simple and clear, thanks!
Fantastic as always. Thank you. Oh btw I hate Azure AD B2C custom policies!!! 👊
Wasn't able to get this into a working state inside of a minimal API. I always got an error on the authentication: the signing key could not be validated. I even wrote a method to check if my token is corrupted, but my own method always told me my key is correct.
Super confused
Really good video, thanks for sharing!
Keep the great videos coming!
Thanks, Kyle, and thanks for becoming a patron! 🫶
One thing I really haven’t figured out is how to return proper messages when an authorization fails. Is there no way to override the default?
Why did you put the DateTime in the infrastructure layer?
I have a question regarding the AddAuthentication method placement. Shouldn't it have been considered part of the presentation layer? AddAuthentication works by parsing HTTP requests and getting the token from the header, which, I'm assuming, is all related to the presentation layer.
I think it's part of infrastructure only; the kind of authentication you want to use can be JWT or other methods. Presentation is responsible for seeing whether the user is authorized to access the resource or not.
Very good, following along from Brazil here
Great series of videos so far,
With the contracts project, is its intention to share models / data transfer objects between layers?
If so, for other microservices or a frontend which deal with the same contracts (thinking for enum values which may also be used in db persistence in an API), would they also reference the contracts project or create their own representation of the contract to work with?
This is gold. Thank you
Excellent tutorial. This video should be embedded in MS docs. Btw I hope your wrist is ok
Thanks, Jeffry 🙏🏼
💪💪, Thank you, great job
Can you tell me how to invalidate a JWT token? Meaning when I log out from the app, the token should be invalidated for subsequent requests. How can I achieve this? Can you make a small video for me?
You still haven't shown authorization at all (checking access rights for the user). In both cases, you are only showing authentication. The ASP.NET [Authorize] etc. is misnamed.
Hi, Amichai!
I was wondering where we are binding the config (appsettings.json) keys from?
-- var jwtSettings = new JwtSettings();
-- configuration.Bind(JwtSettings.SectionName, jwtSettings);
Are these fields injected previously? Or is it something native to the ConfigurationManager?
I'm following all your videos by the way
The bind method populates the `jwtSettings` object. You can look at it like deserializing the appsettings section called `JwtSettings` into the `jwtSettings` object. Does that make sense?
@amantinband It does!
thank you very much
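As an added example (not code from the video or its repository), tying together the Bind question above and the earlier remark that [Authorize] on its own only proves authentication: a minimal API Program.cs that binds the JwtSettings section, validates incoming tokens strictly, and adds a named policy that performs a real claims check. The JwtSettings class, the "permission" claim, the "users:delete" value and the "CanDeleteUsers" policy name are assumptions.

```csharp
// Assumes a NuGet reference to Microsoft.AspNetCore.Authentication.JwtBearer (not in the shared framework).
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Bind deserializes the "JwtSettings" section of appsettings.json into a plain object; nothing is injected first.
var jwtSettings = new JwtSettings();
builder.Configuration.Bind(JwtSettings.SectionName, jwtSettings);
// Refuse to start with a weak HMAC key: HS256 should use a key at least as long as its 256-bit output.
if (Encoding.UTF8.GetByteCount(jwtSettings.Secret) < 32)
    throw new InvalidOperationException("JwtSettings:Secret must be at least 32 bytes.");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options => options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidIssuer = jwtSettings.Issuer,
        ValidateAudience = true,
        ValidAudience = jwtSettings.Audience,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromMinutes(1), // library default is 5 minutes
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSettings.Secret)),
    });
// Authentication establishes who the caller is; authorization decides what they may do.
// The default policy only requires an authenticated user, so a named policy is needed for an access check.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("CanDeleteUsers", policy =>
        policy.RequireAuthenticatedUser().RequireClaim("permission", "users:delete")));

var app = builder.Build();
// Order matters: authentication must populate HttpContext.User before authorization evaluates it.
app.UseAuthentication();
app.UseAuthorization();
// No policy named: any valid token passes (effectively authentication only).
app.MapGet("/me", (ClaimsPrincipal user) => user.Identity?.Name).RequireAuthorization();
// Named policy: the token must also carry the constructed "permission" claim with value "users:delete".
app.MapDelete("/users/{id}", (string id) => Results.NoContent()).RequireAuthorization("CanDeleteUsers");
app.Run();

// Hypothetical options class; property names must match the keys under "JwtSettings" in appsettings.json.
public class JwtSettings
{
    public const string SectionName = "JwtSettings";
    public string Secret { get; set; } = "";
    public string Issuer { get; set; } = "";
    public string Audience { get; set; } = "";
}
```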
Hello Amichai, I can't get enough of your videos, but I'm wondering why in infrastructure? This configuration is related to the presentation!
No it's not, authentication is an Infra concern if you think about it.
Haha thanks, Ahmad! Identity-related concerns are typically regarded as an infra concern, but there are many interesting thoughts on the topic.
Thanks a lot for your awesome videos!
How do I host multiple React apps ("Frontend for Users" & "Backend for Admin") on this project?
The default React template in VS supports only a single SPA app.
Check this out: stackoverflow.com/questions/66780717/how-do-i-setup-routes-for-two-react-apps-using-dotnet-core-3-1
Thank you a lot, and could you make a video to share your config or anything else related to the Vim setup you are using?
Yeah I'll definitely cover VIM in future videos
Hi Amichai, thank you for this video! Can you also make a video on your VIM + Code setup? Thanks!
Hey! I have a video all about vscode for .NET: th-cam.com/video/m9HvsB1-hAo/w-d-xo.html
In the future I'll dive into VIM as well :)
If you are following this video and using Minimal API on .NET 8, and you do not install the Authorization or Authentication Microsoft Extensions, it will not recognize the UseAuthentication or UseAuthorization middleware regardless of their order. I spent like 5 hours figuring it out :(
Thank you
I wonder if you are going to cover OAuth scopes and the resource owner or client credentials flows, where you might allow a user to authorize a 3rd-party app to access the API as them, but limited to what's allowed in a scope.
I have a fun video planned "abusing" GitHub's contribution grid that is a good demonstration of using GitHub's OAuth authorization flow, limited to specific scopes
@amantinband Was hoping to see the provider side, not the client side. :) But thanks, loving your videos.
Great video! Thanks for all your guides! I have learnt a lot! Is there a way to have 2 authentication methods in my API? I wish I could have JWT just like in the video + Azure AD auth. But finding simple-to-understand documentation is impossible...
Also, if it is not too much to ask, can you make a video about the specification pattern with complex EF LINQ to SQL queries? I have a project that has a ton of queries, and some reuse the same IQueryable to filter using the same join, which is kind of standard for all major queries. Sorry for the long ask.
Thanks, Gerardo! Yes, it's widespread to have different policies for different endpoints or different AuthenticationHandlers for different authentication schemes. Perhaps I'll dive deeper into this in the future, as I'm curious about investigating the framework's code for this 👀
And yes, I'm planning a video in the future on the specifications pattern 🤙
Great video! What about refresh tokens? And how do you make them one-time use only, without saving them in the db?
Thanks, Nurzhan! I'll cover refresh tokens in a future video. Not sure if it will be part of this series, though.
Could you appear on camera in your videos more often, for this playlist at least?
very nice!
What is your terminal theme?
All the details you need are here: www.hanselman.com/blog/my-ultimate-powershell-prompt-with-oh-my-posh-and-the-windows-terminal
Waiting for next videos in this series ❤❤
great!!!!
What is the .http file type?
VS Code's REST Client extension uses it to define HTTP requests. I cover it in this video:
th-cam.com/video/m9HvsB1-hAo/w-d-xo.html
Hi, please make a detailed video about JWT for beginners. And also, can we connect on LinkedIn?
Sure, hit me up ✌🏼