🚀 Join the .NET Web Academy with a 30% discount - closing soon!
👉 www.dotnetwebacademy.com/courses/academy?coupon=dnwas23yt
Hi Patrick, how are you? I hope all is well with you and your baby! I'm from Brazil and thanks to your tutorials, I got my job as a Junior programmer. I thank you from the bottom of my heart and I hope one day to thank you in person. My dream is to visit the USA. And once again, thank you very much. God bless you!
Hey Mauricio, thanks for the awesome feedback! I'm really glad to hear my tutorials helped you get a job. That's amazing! Congratulations! I'd love to chat. Feel free to email me at mail@patrickgod.com. Good luck with your programming journey! Take care, Patrick
Thank you! That was the best one I've seen yet on this topic. All of the others are either impossible to follow or just fly through it so fast, they skip over their boilerplate code that we're supposed to have, or type something so quickly and jump off the screen that we have no idea what they just did. There is ALWAYS something they have pre-installed and just assume we have it too. You are the first one that didn't do that.
One video that I haven't come across but which would be useful to many is an elegant way to handle cross-cutting concerns in WebAPIs, for example, without having a ton of code in, or called by, the controller. I don't think that the decorator pattern applies well to Web APIs, unfortunately.
The cross-cutting concerns I can think of (I am sure there are more) which might apply to a web API include:
- Logging
- Caching (memory, Redis...)
- Performance timing
- Authorization
- Authentication
- Validation
- Exception handling
- Auditing (e.g. Log the jsonified parameter object)
- Debounce
- Rate limiting
- Duplicate detection
- Retry
- i18n?
- Transactional processing
- Fault tolerance (e.g. Circuit Breaker pattern)
- Persistence
- Real-time constraints
- Synchronization
You are my .NET 6 Web API teacher!! Thank you Patrick 👍
Wow, thank you so much! 😊
Thank you Patrick, waiting for the policy-based one also.
▶ [Part 1/4] .NET 6 Web API 🔒 Create JSON Web Tokens (JWT) - User Registration / Login / Authentication: th-cam.com/video/v7q3pEK1EA0/w-d-xo.html
▶ [Part 2/4] .NET 6 Web API 🔒 Role-Based Authorization with JSON Web Tokens (JWT): th-cam.com/video/TDY_DtTEkes/w-d-xo.html
▶ [Part 3/4] .NET 6 Web API 🔒 Read JWT Authorization Claims of a User (from a JSON Web Token): th-cam.com/video/fhWIkbF18lM/w-d-xo.html
▶ [Part 4/4] Refresh Tokens with a .NET 6 Web API 🚀: th-cam.com/video/HGIdAn2h8BA/w-d-xo.html
Patrick, your videos are REALLY clarifying! Very nice job.
Happy to help! Thank you so much for your feedback! 😊
Great stuff. I am working my way through your Web API Authorization series, and I am learning a lot. I really like that you break down the different parts to use JWT, so we really come to understand how it works. Best wishes to you and your family. Nice thing to get a little peek into your life too.
Thank you so much for your kind words, Rune! Appreciate it. 😊
Thanks. This video really helped me out at work when the documentation was failing me.
Binge-watched these two vids this morning for breakfast, think it was this one where you weren't too happy with the new IntelliSense. Me, sometimes it's bad, sometimes it's right on, sometimes it's half on.
It's annoying when it's half on because, me wanting to save keystrokes, I have to do a mental calculation between tabbing into it and then correcting it (e.g. it's suggesting IF(ENTITY != NULL) when I want ==).
Overall, with my typing style, it seems neutral as far as keystroke/time saving, so I am putting up with it because I know MS will fine-tune it.
Also, the great escape!! Lol, if it's annoying you, you can always hit the "esc" key and it will let you do your thing without offering unsolicited advice. Lol, that's what it is, right? That annoying friend hopping around your feet that, halfway through your statement of intent, eagerly interrupts you with, "you know what you should do, right?" (Then the annoying friend clouds your mind with a bunch of grey letters, lol)
Anyway, I thank you for these vids because as of .NET 6, when one creates a new ASP.NET Core hosted Blazor WebAssembly app and enables "Individual Accounts", it pushes in this... not gonna look it up, the point is, it comes with a license agreement that it is free for small-time schmucks like me--FOR A YEAR. Then what?
Since 2008 when I started with the MS tech stack, security was always an annoyance for me--though an annoyance I had to get right. (They've changed it so much... gah, that in itself...)
I wanted to focus on my intent, not implementation details of system.yadaYada.cryptography!
Now I must, which is where you come in, hoss.
I don't like spending good money on sh*t that I could have googled myself. With your upcoming .NET 6 Blazor WEBASSEMBLY (I hope) course, will the solution begin with a standalone Blazor WebAssembly app, a back-end Web API app, and how to connect them, along with how to do authentication/authorization WITHOUT using any third-party middleware that might want to charge money?
Gotta admit, I'm hesitant to spend money on "courses" because I've generally found them disappointing. I'm self-taught (and yes, brain-dead), but often the courses are beginner's sh*t, no real-world examples, and overall, gah! I feel like I got screwed out of the first month's subscription (which of course I promptly cancelled).
I just might do your Ko-Fi thinga-McJigger for these YouTube vids, but constant (sometimes annoyingly so) references to your course... I'm hesitant. Not because of you, but because of your progenitors.
with love and support,
me
ABSOLUTE PURE GOLD!!!!! Thank you for this video!
Thanks so much for much for your feedback, Rodrigo! Happy to help! 😊
Great video, but how can I implement this if the role comes from a database and is not in the bearer token?
Hi Patrick,
Looking forward to your next course.
Thank you!! 😊
25:45 - said like a true developer 😆. Stay curious!
Great series on JWT Auth Patrick, thanks!
Well, sometimes you gotta do what you gotta do. Would have checked it anyways after the recording. 😄 Thanks for your feedback!
Anyway, thank you for this tutorial, it worked very well! Just one more question: is there any way to decouple, let's say, the token role claims from the role names? What I mean is, for example, instead of a string value for the role, the User table might have a foreign key RoleId, with the roles specified in a separate table; so the JWT token might have only that number, with the server then doing the mapping between the role strings specified in the attributes and those role IDs. Or is it not really a common practice in actual systems, and I might be better off just, as here, fetching the role name from the database and putting it into the token?
OK, I am getting ready for some international job, more to practice, thanks to this God
My .NET power is now over 9000!!!!
This is amazing, thank you! 😂 The Dragonball reference is actually a really great idea for another tutorial. 😁
Fantastic video. Now for a question: if I have an endpoint that takes the role "CalendarParticipants", and this endpoint allows a CalendarOwner to remove a user from the calendar, how can I check that the CalendarOwner is in fact... the calendar owner? Because the parameters are "CalendarID" and "UserID". So even though I validate that the CalendarOwner is of the role CalendarOwner, it doesn't ensure that he is the owner of that specific calendar.
I do the same as you but I always get a 401 error, anyone like me?
I was struggling with that kind of authorization. Thanks for it. You are coding Thor... 👍👍👍
Your OAuth tutorials have been extremely helpful. Thank you very much :)
The JWT series is super helpful. Thanks a lot for your efforts!
Another great video, thanks a lot for it :-)
Firstly, excellent tutorial, you are the best! But let me ask something: if I do not need the role-based authentication, can I simply skip this video and go to part 3, or do I need to watch until the Add SwaggerUI Authorization part?
Hey Patrick! I'm from India, it's a really helpful lecture. Thanks a lot.
Glad I could help! Thanks for the feedback! 😊
Well demonstrated, thank you for taking the time to explain it 👍
Thank you so much for your feedback, Daniel! Glad you like it. 😊
Man, you just became my Netflix, I watch more of your content than anything else haahahahaha great stuff, congrats for such a good job
Wow, thank you so much! Means a lot to me! 😀
Your videos are always my go to, thank you!
Thanks for all the Blazor!
Any time! Thanks for your feedback! 😊
I think I will write the whole project thanks to your videos 😅
You are a great teacher
Thank you Sir for sharing knowledge with us. I have a question; maybe my knowledge is just not good enough, but why do you put the roles inside that get weather method? The roles come from the registration process, on the registration page maybe, and that is on the client side, and the roles are what the admin gives. Why not just put [Authorized] above the [Route("[controller]")] and that is enough?
Thanks for asking! I added roles in the 'get weather' method to make sure only certain people can see that info. While [Authorize] checks if someone is logged in, roles check if they have the right to see the data. It's like a double-check for safety. Hope this helps!
Man, I love your channel and tutorials, many thanks for the lessons!! You're great
Happy to hear that! Thank you so much!
Thanks Patrick, Awesome
Glad you enjoyed it! 😊
You are awesome Patrick.
YOU are awesome! 😁 Thank you very much. 😊
Great content. I have followed your JWT token video and this video, both are amazing.
Thanks Patrick, great video but what if I want to authorize an endpoint for more than one role?
Thank you Felipe! You can use multiple roles separated by a comma. Hope this helps!
Hey. Nice tutorial! Is there any way to put a variable in the Authorize attribute, or do I always have to put in a string manually?
This was really good! Thanks for making it
Glad you liked it! Thanks a lot for your feedback! 😊
Very clear, thanks for uploading 👍👍👍
Most welcome 😊 Thanks for your feedback!
You're the best Patrick :) Thank you
Appreciate it. Thank you so much! 😊
That's an amazing video!
One question please,
You mentioned in a comment that the token is signed with the server's private key (taken from app settings/token).
That means that if the same key is used on multiple servers, the same token can be used and will be valid independently of the server handling the request.
Is that correct?
Thank you so much! I have a question: in Claim properties, can we set any prop without MS boilerplate inside the token? Sorry if my English is not good enough :P
Wonderful video. Great content. I have a concern though: if it is possible to decode and view the role, what stops the client, or in this case an attacker, from editing the role to let's say 'admin' and getting access to endpoints they are not authorized to see?
The token is signed with the server's private key ("AppSettings:Token" in this case), so an attacker cannot change it without invalidating the signature.
@@romanvostrikov6578 So, if I am getting you correctly, once signed it cannot be edited? How do signatures work then?
@@isnakolah Yes, you can't edit an issued token because the signature is part of the JWT and signature(old data, key) != signature(edited data, key). The user doesn't have access to the key to forge a new signature. The token can be stolen, though. So you need to transfer it over a secure connection, even if it cannot be edited.
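As an added illustration of the point made in this thread, and of the earlier question about one signing key shared by several servers, here is a small Python re-creation of HS256 signing and validation; it is not code from the video or the .NET project, and the key, issuer, audience and claims are constructed placeholders standing in for the AppSettings:Token value and the TokenValidationParameters settings:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholder standing in for the "AppSettings:Token" secret (assumption);
# every API instance that validates tokens must hold this same key.
SERVER_KEY = b"constructed-demo-secret-shared-by-every-api-instance"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_token(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: b64url(header).b64url(payload).b64url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(claims, separators=(",", ":")).encode())
    )
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def validate_token(token: str, key: bytes, issuer: Optional[str] = None,
                   audience: Optional[str] = None, now: Optional[int] = None) -> Optional[dict]:
    """Roughly what TokenValidationParameters does on every request: recompute the
    HMAC over header.payload and compare it, then check exp, and check iss/aud only
    when an expected value is given (None models ValidateIssuer/ValidateAudience =
    false). Returns the claims on success, or None if anything fails."""
    try:
        h64, p64, s64 = token.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
        given_sig = _b64url_decode(s64)
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":          # refuse "none" or any other algorithm
        return None
    expected = hmac.new(key, f"{h64}.{p64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, given_sig):   # header or payload was changed
        return None
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return None
    if issuer is not None and claims.get("iss") != issuer:
        return None
    if audience is not None and claims.get("aud") != audience:
        return None
    return claims


def rewrite_role_claim(token: str, new_role: str) -> str:
    """Re-encode the payload with a different role while keeping the old signature,
    i.e. all a client that can merely decode the token is able to do; used below to
    show that validation rejects the result."""
    h64, p64, s64 = token.split(".")
    claims = json.loads(_b64url_decode(p64))
    claims["role"] = new_role
    return h64 + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()) + "." + s64


if __name__ == "__main__":
    issued = create_token({"name": "alice", "role": "User", "iss": "demo-issuer",
                           "aud": "demo-api", "exp": int(time.time()) + 3600}, SERVER_KEY)
    # Two instances holding the same key both accept the token; no shared session needed.
    print("valid on server A:", validate_token(issued, SERVER_KEY, "demo-issuer", "demo-api") is not None)
    print("valid on server B:", validate_token(issued, SERVER_KEY, "demo-issuer", "demo-api") is not None)
    print("role edited      :", validate_token(rewrite_role_claim(issued, "Admin"), SERVER_KEY))
    print("different key    :", validate_token(issued, b"some-other-key"))
```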
Thanks for the video, greetings from Brazil.
Thanks for the great videos, exactly what I needed to configure JWT for my new API
Glad to help! Thanks for your feedback! 😊
As always well explained. 😉 You did show how to add that JWT Bearer token in the header of the HTTP request using Swagger. Can you also make a video (if the video is already there where can I find it?) demonstrating how to add that JWT Bearer token to the HTTP request using code? For example using a Handler etc. Thanks.👍
Hey friend! Thanks for your feedback. Sure, that's a good idea for another video. In fact, we do exactly that in the Blazor Bootcamp (th-cam.com/video/In7YSYisMh4/w-d-xo.html) within that Blazor WebAssembly App. But, do you mean, making another call in the Web API and setting the Authorization Header there? For instance, with the HttpClient instance? Take care, Patrick
@@PatrickGod I meant the Web API on the server being called by a (Blazor Web Assembly) client. And the client uses for that an HttpClient instance and puts the JWT Token in the header of the HTTP-request for the Web API on the server. In this video it is Swagger that acts as the client (I presume).
Hello Mr. God, thanks for sharing.
The question is, can you please provide a tutorial about authentication in the Console Application?
Thanks in advance.
Thanks a lot Patrick for clearly explaining each concept with practical solution. It really helps us understand the concepts in depth, Much Appreciated Efforts. Bible for Interested Developers
After watching the video, I have a question. When I register, I always get the 'admin' role?
How can I add at least one more role? So that admin can do everything, and guest or noob can just read.
This is for an API with CRUD functionality.
Thanks.
Can you make a video about Authorization with one-time password (OTP)?
We have an Active Directory shop. Is there a way to do this with AD without any tokens?
Thank you for this video. This helped me a lot. Actually I was given a task exactly on this topic, and I found this tutorial helpful 😊👍
Thank you
Why don't you use Postman?
It would be also great to see you explaining how to store passwords on Azure Vault or a similar system. Thank you!! keep up the great videos.
Probably stupid question. But in your .net 7 tutorial you set up authentication and login, and in the end you linked this video, which is .net 6 roles. Is it relevant between .net 6 and 7?
Thanks Patrick, you have a new subscriber.
Awesome, thank you!
Thanks for the great video..! 😍
You're welcome 😊 Thanks a lot for your feedback!
Really great video. Thank you so much.
You're very welcome! Thanks for your feedback! 😊
Another great course!! Well explained
Thank you so much! 😀
So complicated just to add some security lol, good video btw.
Great stuff, thanks 👍😊
You're creating awesome Videos. Love coding alongside :-)
hi Patrick, good tutorial. How to implement multiple roles ?
yeah, I was wondering that too...
Saved my life!
Damn Impressive!
Amazing video. It helped me a lot. Keep it up!!!
Thank you brother!! could you please make a video on Code First Approach Web Api Please ?
Hi! We do this already in this video: th-cam.com/video/FHx6AGVF_IE/w-d-xo.html Enjoy! 😃
Thanks for this video!
My pleasure! Glad it was helpful!
Great Content!
Hey, just wanna ask if I should add a property called Role to my user model and then use that in ClaimTypes.Role?
That's totally a way to do it! 😊
Thank you Sir! How to implement JWT auth for a controller?
Hey there! Just add the [Authorize] attribute on top of the controller class. Take care, Patrick
@@PatrickGod I mean the controller that returns View(), not ApiController
does anyone know where in the microsoft docs they explain what needs to be done in the program file? I can't find any mention of exact steps to introduce authorization.
So cool
Thanks, I finally understand why my AuthZ is not working :)
Glad I could help! Thanks for your feedback. 😊
Isn't that static user at the top a problem? How will that work with multiple requests?
Thanks!
Thank YOU so much! Really appreciate it! 😁
How about RBAC where a role can have permissions?
Hi, I still don't understand after watching 15 videos what ValidIssuer and ValidAudience are; you set both to false... is that fine?? If not, how do I know what to put in both strings???? My API is in Azure with Swagger, I don't get it.
Thank Patrick ;-)
Can you do a video on permissions?
Great video
Great video, thank you very much !!!!
I have a question: if my Authentication API talks with another Server, must the Server have its own role? Or is that not the best way to send messages between my 2 applications, API & Server?
Can you create function-based authorization?
Thank you
Welcome! 😊
completed!
amazing
Great video. Can you do a .NET Web API with SQLite tutorial?
Hey man, what to do if it says that your token is invalid when you want to make the GET request of the WeatherController API?
I want to use an auth plugin, Vue frontend, .NET Core, MSSQL for backend. Can you suggest, please?
Hey, bro! You are cool!!!
Thank you very much! Appreciate it. And you, too!! 😊
Thanks for your video. I appreciate your explanation, but I added AddAuthentication and still get response 200, any hint for that?
Can you give me any hint for this ASAP? I got stuck :(
Resolved this one, but why do I get 401 all the time? Can you help me with this?
Initially take a thanks
How program.cs webapplication came?
Can you make a tutorial on how to do this role-based authorization in Blazor WASM?
Hi! We do exactly that in the Blazor Bootcamp (th-cam.com/video/In7YSYisMh4/w-d-xo.html). But, yeah, maybe I can create a quick and dirty tutorial for that. 😉
Hello sir, I'd like to request authorization middleware for all APIs.
Thanks a lot!!!!!
Just subscribed to your channel....