How To Implement API Key Authentication In ASP.NET Core

  • Published on 8 Jan 2025

Comments • 69

  • @MilanJovanovicTech  1 year ago  +4

    Want to master Clean Architecture? Go here: bit.ly/3PupkOJ
    Want to unlock Modular Monoliths? Go here: bit.ly/3SXlzSt

  • @BK-19  1 year ago  +4

    Nice, easy, clean explanation, will definitely use it in my next minimal API project.

  • @peymannaji  1 year ago  +1

    It was very useful Milan, Thanks a lot!

  • @JosephRuhundwa  1 year ago  +1

    Thank you @Milan for your great content

  • @DigiWorldHub  1 year ago  +1

    Looks good for the beginner. Thanks.

  • @Kimo.Codess  2 months ago

    Thank you for this introduction man. God bless 💪

  • @Tamer_Ali  1 year ago  +4

    Hi Milan, I hope you show us how to use commands and queries to write to and read from the database using different contexts for better performance in enterprise projects like e-commerce,
    for example:
    Commands write to the SQL database
    Queries read using Elasticsearch

    • @MilanJovanovicTech  1 year ago  +5

      That would be such an interesting video 😁😁 Definitely planning more stuff around distributed systems.

  • @amrnouh3414  1 year ago  +1

    Thanks for your awesome content and simplified explanation, keep it up ❤️👏

  • @microtech2448  1 year ago  +2

    Can you please explain how this can be added as a custom authentication handler, which can be added in startup with its own custom scheme name in addition to the built-in JwtBearer or cookie authenticators, so that an API endpoint can be authenticated either through a JWT token or an API key? Thank you!
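    The question above has no reply in the thread. The following is an added example, not code from the video or from the channel's repository, and it uses a different mechanism from the filter the video builds: an ASP.NET Core `AuthenticationHandler` registered as a second scheme next to JWT bearer, so `[Authorize]`/`RequireAuthorization` can accept either credential. It targets .NET 8 (the three-argument handler constructor), and the scheme name "ApiKey", the header name `X-Api-Key`, the `IApiKeyValidator` abstraction, the `tenant_id` claim, the sample key and the placeholder issuer/audience are all assumptions of the example. The `Microsoft.AspNetCore.Authentication.JwtBearer` package must be referenced.

```csharp
using System.Security.Claims;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);

builder.Services.AddSingleton<IApiKeyValidator, InMemoryApiKeyValidator>();

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)     // "Bearer" stays the default scheme
    .AddJwtBearer(options =>
    {
        options.Authority = "https://issuer.example.com";           // placeholder issuer (assumption)
        options.Audience = "my-api";                                // placeholder audience (assumption)
    })
    .AddScheme<AuthenticationSchemeOptions, ApiKeyAuthenticationHandler>(
        ApiKeyDefaults.AuthenticationScheme, _ => { });             // second scheme: "ApiKey"

// One policy that accepts either credential: each listed scheme is run and every
// identity that succeeds is merged into HttpContext.User.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("JwtOrApiKey", policy => policy
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme, ApiKeyDefaults.AuthenticationScheme)
        .RequireAuthenticatedUser());
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/whoami", (ClaimsPrincipal user) => Results.Ok(new
{
    Scheme = user.Identity?.AuthenticationType,          // "Bearer" or "ApiKey"
    Tenant = user.FindFirst("tenant_id")?.Value          // only set by the API key handler
})).RequireAuthorization("JwtOrApiKey");

app.Run();

public static class ApiKeyDefaults
{
    public const string AuthenticationScheme = "ApiKey";   // assumed scheme name
    public const string HeaderName = "X-Api-Key";          // assumed header name
}

// Lookup abstraction: maps a presented key to the tenant that owns it, or null if unknown.
public interface IApiKeyValidator
{
    string? GetTenantId(string apiKey);
}

// Constructed sample for the example only; a real store compares hashed keys held in a database.
public sealed class InMemoryApiKeyValidator : IApiKeyValidator
{
    private static readonly Dictionary<string, string> KeysToTenants = new() { ["sample-key-acme"] = "acme" };
    public string? GetTenantId(string apiKey) => KeysToTenants.TryGetValue(apiKey, out var t) ? t : null;
}

// The handler only answers "who is calling". It never writes a 401 itself: when no scheme
// produces a principal, the authorization middleware issues the challenge.
public sealed class ApiKeyAuthenticationHandler(
    IOptionsMonitor<AuthenticationSchemeOptions> options,
    ILoggerFactory logger,
    UrlEncoder encoder,
    IApiKeyValidator validator)
    : AuthenticationHandler<AuthenticationSchemeOptions>(options, logger, encoder)
{
    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No header: this scheme has nothing to say, so JWT (or any other scheme) gets its turn.
        if (!Request.Headers.TryGetValue(ApiKeyDefaults.HeaderName, out var header) || string.IsNullOrWhiteSpace(header))
            return Task.FromResult(AuthenticateResult.NoResult());

        var tenantId = validator.GetTenantId(header.ToString());
        if (tenantId is null)
            return Task.FromResult(AuthenticateResult.Fail("Invalid API key."));  // header present but wrong

        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, tenantId), new Claim("tenant_id", tenantId) },
            Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }
}
```

    Two checks worth doing against this: `curl -H "X-Api-Key: sample-key-acme" /whoami` should return `"Scheme":"ApiKey"` and the tenant, a request with neither header should return 401, and a request with a wrong key should also return 401 rather than falling through to the JWT scheme (the handler returns `Fail`, not `NoResult`, when a header is present). The same handler works with `[Authorize(AuthenticationSchemes = "Bearer,ApiKey")]` on a controller instead of the policy.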

  • @Ahmed-ui5wn  11 months ago  +1

    Great explanation as usual. Would you please share with us the theme you are using in Visual Studio. Thanks. Keep it up.

  • @RioTheHitman  1 year ago  +1

    This is absolutely beautiful thank you

  • @fillegar  1 year ago  +1

    Your tweet said the video would cover:
    - Great at limiting access to an API
    - Tracking usage and billing
    I don’t see those topics listed in the chapters. Which chapters cover them? Or is there another video? Thanks in advance.

    • @MilanJovanovicTech  1 year ago

      Oh, sorry if it was a little misleading. I kind of shared in the Tweet "what I learned", while the video is more focused on "how to implement authentication" only

    • @MilanJovanovicTech  1 year ago  +1

      I'll see about tackling tracking/billing in a future video, it's a nice topic

  • @ferenc3460  1 year ago  +2

    Hi! Can you show us an implementation of how to use this or JWT in a MAUI or WPF application (even with refresh tokens)?

    • @MilanJovanovicTech  1 year ago  +6

      Sounds fun, I'll add it to my content list

    • @ferenc3460  1 year ago  +1

      @@MilanJovanovicTech thanks! I have no problem implementing JWT tokens in a web app and saving them in a cookie, but I can't really find much information or a clean solution for how to do it in desktop and mobile applications.

  • @Tamer_Ali  1 year ago  +1

    Thanks Milan, you're awesome 👍

  • @VeggehGaming  1 year ago  +1

    Would it be worth it to have the API key in the header hashed and then check the hash with a hashed version of any valid API keys you have in order to increase security?

  • @barr5221  1 year ago  +3

    Milan what about an episode where you explain message metadata?
    For example:
    -Authentication token / API key
    -Correlation Id
    -Causation id
    -UTC Timestamp
    -Culture / Localization of the client
    -Message version
    -Message unique id
    -others?
    What do you think is necessary?

    • @barr5221  1 year ago  +2

      At least a Correlation Id is always a MUST for my APIs. How can you solve issues in production without it? At my current job we use the Authorization token and Culture as well. When some problem arises I really would like to have all of them.

    • @MilanJovanovicTech  1 year ago  +1

      I like the idea, I'll see what I can come up with!

  • @mylesdavies9476  1 year ago  +1

    What are your thoughts on using middleware to check for the key? This is something I have done previously.

  • @reggyA898  1 year ago  +1

    Hey, one question: what are you doing in the case where multiple commands use the same logic partially? It can contain requests to the database, or just logic without requests to the database. Where do you store common code like that? Or do you just repeat the same code in both commands, because the idea of commands is that they are independent?

    • @MilanJovanovicTech  1 year ago

      I would either:
      - repeat the same code in both commands if it is 2 situations
      - store the common code in a service if it's more than that

    • @reggyA898  1 year ago

      @@MilanJovanovicTech thanks!

  • @ArgFernando  1 year ago  +1

    👍👍 Thx for sharing!!

  • @ArnonDanon  1 year ago  +1

    Hi Milan, how do you secure this key with your users when you hand them the key? Do you recommend some key rotation mechanism? How would you handle revocation of a stolen key and handing a new key to the customer? I hope to hear your approach for those scenarios.

    • @MilanJovanovicTech  1 year ago  +3

      You can't really secure it once you hand it over to the users. Same with user passwords. If they're compromised, there is nothing you can do about it. With API keys, revocation is easy. Create a new key, hand it to the customer, and give them a grace period to switch to the new key.
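      Added example, not code from the video or the channel, sketching a key store that covers both VeggehGaming's question above (keep only a hash of each key and compare the hash of what arrives in the header) and the rotation and revocation discussed in this thread (issue a replacement, let the old key keep working for a grace period, or cut a stolen key off immediately). It targets .NET 8. The `prefix.secret` key format, the `ApiKeyStore` type and its method names are assumptions of the example; the prefix is a public identifier, only the secret part is hashed.

```csharp
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// One issued key. Only the SHA-256 of the secret is stored: the plaintext is handed to the
// customer once, at issue time, and can never be read back out of the store.
public sealed record ApiKeyRecord(string Prefix, byte[] SecretHash, string TenantId, DateTimeOffset? ExpiresAt)
{
    public bool IsActive(DateTimeOffset now) => ExpiresAt is null || now < ExpiresAt;
}

public sealed class ApiKeyStore
{
    // Lookup by the non-secret prefix, so the dictionary never touches the secret bytes.
    private readonly Dictionary<string, ApiKeyRecord> _byPrefix = new();

    // Issue a key of the form "<prefix>.<secret>" and return the plaintext exactly once.
    public string Issue(string tenantId, DateTimeOffset? expiresAt = null)
    {
        var prefix = Convert.ToHexString(RandomNumberGenerator.GetBytes(4)).ToLowerInvariant(); // 8 hex chars, public id
        var secret = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32))               // 256 bits of entropy
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');                                 // base64url, header safe
        _byPrefix[prefix] = new ApiKeyRecord(prefix, Hash(secret), tenantId, expiresAt);
        return $"{prefix}.{secret}";
    }

    // Returns the tenant id for a valid, unexpired key, or null. The comparison is fixed-time so a
    // wrong key takes the same time regardless of how many bytes of the hash happened to match.
    public string? Validate(string presentedKey, DateTimeOffset now)
    {
        var dot = presentedKey.IndexOf('.');
        if (dot <= 0 || dot == presentedKey.Length - 1) return null;

        var prefix = presentedKey[..dot];
        var secret = presentedKey[(dot + 1)..];

        if (!_byPrefix.TryGetValue(prefix, out var record)) return null;
        if (!CryptographicOperations.FixedTimeEquals(Hash(secret), record.SecretHash)) return null;
        return record.IsActive(now) ? record.TenantId : null;
    }

    // Rotation with a grace period: the customer gets a new key immediately, and every key they
    // already hold keeps working until now + grace, then stops. An earlier expiry is never extended.
    public string Rotate(string tenantId, TimeSpan grace, DateTimeOffset now)
    {
        var cutoff = now + grace;
        foreach (var old in _byPrefix.Values.Where(r => r.TenantId == tenantId && r.IsActive(now)).ToList())
        {
            var expiry = old.ExpiresAt is { } existing && existing < cutoff ? existing : cutoff;
            _byPrefix[old.Prefix] = old with { ExpiresAt = expiry };
        }
        return Issue(tenantId);
    }

    // Revocation of a stolen key: immediate, no grace. Only the prefix is needed, and the prefix is
    // the part of the key that is safe to show in dashboards and audit logs.
    public bool Revoke(string prefix) => _byPrefix.Remove(prefix);

    // SHA-256 without a slow KDF is deliberate: the secret is 256 random bits, so there is nothing
    // for a password cracker to guess. Slow hashing is for low-entropy secrets such as passwords.
    private static byte[] Hash(string secret) => SHA256.HashData(Encoding.UTF8.GetBytes(secret));
}
```

      Usage follows the thread: `var key = store.Issue("acme")` is shown to the customer once; `store.Validate(key, DateTimeOffset.UtcNow)` returns `"acme"` while the key is active; `store.Rotate("acme", TimeSpan.FromDays(7), DateTimeOffset.UtcNow)` hands back a fresh key and schedules the old ones to die in a week; `store.Revoke(prefix)` is the "stolen key" path. Persisting `ApiKeyRecord` rows instead of the dictionary is the only change needed for a real database.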

    • @ArnonDanon  1 year ago

      @@MilanJovanovicTech thanks for taking the time to answer it

  • @jeffersantosss  1 year ago  +1

    Milan, how to implement support for multiple authentication methods in Swagger, including Bearer Token and API Key?

    • @MilanJovanovicTech  1 year ago

      I'm not sure honestly, Swagger is a bit tricky

    • @roberteru25  1 year ago

      // Inside services.AddSwaggerGen(x => { ... }). Each AddSecurityRequirement call adds a
      // separate requirement object, so Swagger treats the two schemes as alternatives.

      // add JWT Authentication (sent in the Authorization header)
      var securityScheme = new OpenApiSecurityScheme
      {
          Name = "Authorization", // with Type = ApiKey, Name is the header that Swagger UI sends
          Description = "Enter JWT Bearer token **Bearer token**",
          In = ParameterLocation.Header,
          Type = SecuritySchemeType.ApiKey,
          Scheme = "bearer", // must be lower case
          BearerFormat = "JWT",
          Reference = new OpenApiReference
          {
              Id = JwtBearerDefaults.AuthenticationScheme,
              Type = ReferenceType.SecurityScheme
          }
      };
      x.AddSecurityDefinition(securityScheme.Reference.Id, securityScheme);
      x.AddSecurityRequirement(new OpenApiSecurityRequirement
      {
          { securityScheme, Array.Empty<string>() }
      });

      // add API Key authentication (sent in the X-API-KEY header)
      var apiKeySecurityScheme = new OpenApiSecurityScheme
      {
          Type = SecuritySchemeType.ApiKey,
          In = ParameterLocation.Header,
          Name = "X-API-KEY",
          Reference = new OpenApiReference { Id = "ApiKey", Type = ReferenceType.SecurityScheme }
      };
      x.AddSecurityDefinition(apiKeySecurityScheme.Reference.Id, apiKeySecurityScheme);
      x.AddSecurityRequirement(new OpenApiSecurityRequirement
      {
          { apiKeySecurityScheme, Array.Empty<string>() }
      });

  • @onedev7316  1 year ago  +1

    Very nice explanation as always. Is there any chance you can do a video on user impersonation using JWT/Identity, please?

    • @MilanJovanovicTech  1 year ago  +1

      I don't find that feature compelling enough to dedicate a video to it, for now

  • @10Totti  1 year ago  +2

    Best!

  • @danyaracena222  1 year ago  +1

    Can the API Key Authentication implementation be used for a multi-tenant structure?

    • @MilanJovanovicTech  1 year ago  +1

      Yes, you'll just need more API Keys. One for each tenant. And also, based on the API Key provided in the request, you'll have to extract the Tenant ID information.

    • @danyaracena222  1 year ago

      @@MilanJovanovicTech Thank you, the video is a good resource.

  • @nouchance  1 year ago  +1

    THANK YOU SIR

  • @techpc5453  1 year ago  +1

    From Saudi Arabia

    • @MilanJovanovicTech  1 year ago

      👋 from Serbia

    • @techpc5453  1 year ago

      @@MilanJovanovicTech best people from Serbia And Russia

  • @MarcusKaseder  1 year ago

    Unfortunately you've mixed up Authentication and Authorization.
    If it is about Authentication, like you've mentioned in your title and folder, you should've set a valid Principal like ClaimsPrincipal on the context - nothing more.
    If it is about Authorization, like you've mentioned in your filter and the controller interface, the filter is correct if it returns an Unauthorized result 😉

    • @MilanJovanovicTech  1 year ago  +1

      I wouldn't agree - try to detach the naming conventions from what I'm actually doing.
      Authentication - who is calling the API.
      Authorization - what can the caller do (roles, permissions)
      It's an unfortunate circumstance that the HTTP status code is 401 Unauthorized, which represents a not-authenticated user.
      And 403 Forbidden for a user without permissions.
      You'll notice that the name of the attribute in MVC is Authorize - which tackles Authentication - but is called so to match the respective status code.

    • @MarcusKaseder  1 year ago

      @@MilanJovanovicTech Oh yeah, true! Absolutely forgot about the 403. It is rarely used in our applications because we don't want to expose API internals to the client (security reasons).

  • @kaidouz7756  3 months ago

    Hello brother, what's the difference between using IAsyncFilter and IAuthorizationFilter? Most of the examples I'm looking at are using IAsyncFilter. Also, do I need .UseAuthentication() and .UseAuthorization() in Program.cs?

    • @MilanJovanovicTech  3 months ago

      I'm not sure, will have to check this

    • @kaidouz7756  3 months ago

      @@MilanJovanovicTech So I've just checked, and in summary, IAsyncFilter executes code before and after, so you can call the next delegate and execute code after it as well:
      isApiValid();
      ...
      await next();
      ..
      doSomethingElse();
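  The following is an added example, not code from the video or the channel, showing the filter-based variant the thread above is asking about as a complete MVC app: an attribute implementing `IAsyncAuthorizationFilter` that reads the key header and short-circuits with 401. It targets .NET 8. The header name `X-Api-Key`, the `IApiKeyValidator` abstraction, the `ApiKey` configuration setting and the `ReportsController` are assumptions of the example.

```csharp
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
builder.Services.AddSingleton<IApiKeyValidator, ConfiguredApiKeyValidator>();

var app = builder.Build();
// No UseAuthentication()/UseAuthorization() here: the filter reads the header itself and never
// touches HttpContext.User. Both become necessary as soon as any endpoint also carries [Authorize].
app.MapControllers();
app.Run();

public interface IApiKeyValidator
{
    Task<bool> IsValidAsync(string presentedKey, CancellationToken cancellationToken);
}

// Constructed for the example: a single key read from the "ApiKey" configuration value
// (appsettings.json, the ApiKey environment variable, or user secrets).
public sealed class ConfiguredApiKeyValidator(IConfiguration configuration) : IApiKeyValidator
{
    public Task<bool> IsValidAsync(string presentedKey, CancellationToken cancellationToken)
    {
        var expected = configuration["ApiKey"] ?? string.Empty;
        // Fixed-time comparison: a wrong key must not be rejected faster when its first bytes match.
        var equal = CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(presentedKey), Encoding.UTF8.GetBytes(expected));
        return Task.FromResult(equal);
    }
}

// Attribute + IAsyncAuthorizationFilter. Authorization filters run first in the MVC filter
// pipeline, before model binding and the action. Unlike IAsyncActionFilter there is no `next`
// delegate: leave context.Result null to continue, or set it to short-circuit with that result.
// Implement either this or the synchronous IAuthorizationFilter, not both; MVC prefers the async one.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method)]
public sealed class ApiKeyRequiredAttribute : Attribute, IAsyncAuthorizationFilter
{
    public const string HeaderName = "X-Api-Key";   // assumed header name

    public async Task OnAuthorizationAsync(AuthorizationFilterContext context)
    {
        var http = context.HttpContext;
        // Attributes are constructed by the runtime, not the container, so resolve from RequestServices.
        var validator = http.RequestServices.GetRequiredService<IApiKeyValidator>();

        if (!http.Request.Headers.TryGetValue(HeaderName, out var header) ||
            !await validator.IsValidAsync(header.ToString(), http.RequestAborted))
        {
            context.Result = new UnauthorizedResult();  // 401; the action never runs
        }
    }
}

[ApiController]
[Route("api/[controller]")]
[ApiKeyRequired]   // protects every action; can also be placed on a single action instead
public sealed class ReportsController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { generatedAt = DateTimeOffset.UtcNow });
}
```

  The trade-off against an authentication handler: this filter only works for MVC controllers (minimal API endpoints never see it), and because it sets no principal, `User.Identity.IsAuthenticated` stays false inside the action, which is the point MarcusKaseder raises further up in the thread.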