Coding Short: Using Bearer Tokens in .NET 8 Identity

  • Published on 2 Jan 2025

Comments • 118

  • @zitronenmelisse3
    @zitronenmelisse3 a year ago +30

    I recently discovered your account. I must say I just absolutely love how calm, factual and to the point your videos are.

  • @user-bf6sk3gu5u
    @user-bf6sk3gu5u 4 months ago

    Thank you! Explaining how to deal with razor page/ui vs. API was very helpful.

  • @CarrigansGuitarClub
    @CarrigansGuitarClub 10 months ago

    Been reading your blogs\books for decades...grew up on your code...great content as always :)

  • @tonybaker8971
    @tonybaker8971 11 months ago +1

    Like other users I have taken a few of your courses as well - glad I came across you here on TH-cam - subscribed with a thumbs up

  • @samuelketels919
    @samuelketels919 11 months ago

    I took a few of your courses on Pluralsight and I'm happy to see you here too. Great approach on explaining this clearly.

  • @harleyAtdk
    @harleyAtdk a year ago +2

    Really helpful for me, thanks so much. So appreciate you doing these videos and being so gracious with your time and energy - you're awesome.

  • @robdevoer1
    @robdevoer1 a year ago

    I just noticed I wasn't subscribed yet; that is now fixed! It is great to see your subscribers increase further over the last weeks. Your videos deserve a large audience.

    • @robdevoer1
      @robdevoer1 a year ago

      I really enjoy your presentation style and the value that your explanations add to every topic that you cover. A big thanks for all that you do. This video was precious since it addressed something that I am currently working on, so your ESP is in working order.

  • @patannetube
    @patannetube a year ago +1

    Great video. Simple and short. True to the channel name. You mentioned possibly doing another video for Identity using Windows. I would welcome that.

  • @leonardvanonselen
    @leonardvanonselen a year ago

    Great video. I've been looking for a simplified way of logging in via the API, to then use the API... I'm certainly going to give this a whirl.

  • @SiberHavoc
    @SiberHavoc a year ago

    An amazing and pragmatic approach to teach these subjects!

  • @abdeslamhidan5814
    @abdeslamhidan5814 a year ago +1

    Great video from a great IT educator. Looking forward to a similar video on AAD B2C in .NET 8.0. And, if it is on Blazor web app, that would be perfect.

  • @ZimTachyon
    @ZimTachyon a year ago +1

    Forgive me if I missed it in your library of videos (I'm still looking,) but it would be very cool if you could do a video on oauth 2.0 pkce with .Net and Angular where your API endpoints include /authorize, /oauth/token, etc.
    Keep up the awesome job you do. I would not be the person I am today without you.

  • @mekbeb
    @mekbeb 3 months ago

    Excellent explanation

    • @swildermuth
      @swildermuth 3 months ago

      I appreciate it!

  • @waynehawkins654
    @waynehawkins654 a year ago +3

    Great video but I wish you had shown on a full API Swagger project and then say a Blazor page doing a check that it's authenticated, if not then make an API call to do a refresh token or no joy, to then take them to a sign-in page. Plenty of videos doing this on .NET 7, but yet to see a current update from start to finish doing this with .NET 8. Hopefully soon once released.

  • @Octopie18
    @Octopie18 a year ago +1

    congrats on 10k!

  • @pqners
    @pqners a year ago +1

    I subscribed. Cool video helps me a lot in my actual project!

  • @CScottEdwardsScottGeek
    @CScottEdwardsScottGeek a year ago

    Indeed yes, always great explanations and guidance from you!

  • @neilranada
    @neilranada a year ago

    Great walkthrough. Thanks Shawn!

  • @rockycaballero5676
    @rockycaballero5676 a year ago +1

    Hi Shawn! I'm glad you have made a TH-cam channel. I always follow and watch your videos on Pluralsight, but sadly you teach on the Angular subject, which is not my direction. I hope you also make videos about Blazor, sir. Anyway, hats off to you always, may you have a pleasant day ahead.

    • @swildermuth
      @swildermuth a year ago +1

      Thanks for the support. I'm not well versed in Blazor, so likely won't be making any content for us. But I appreciate the thought!

    • @swildermuth
      @swildermuth a year ago +1

      I've redone my big ASP.NET Core course on Pluralsight, and switched it up to Vue. But I suspect if you are doing Blazor that Vue isn't of interest.

  • @stoched
    @stoched a year ago

    Nice video! One recommendation I have is maybe when editing set the microphone audio to mono just because when you turn your head it pans the audio into the R channel and back which I find a little distracting.
    EDIT: Oops looked at some of your more recent videos and noticed you changed to mono, disregard! haha

    • @swildermuth
      @swildermuth a year ago

      Yeah, I shoot with two mics, but now I'm just mixing the channels.

  • @samkimmel4643
    @samkimmel4643 10 months ago

    Was following along and ran into an error at the 11:52 mark: *Failed to read parameter "LoginRequest login" from the request body as JSON*. 'Microsoft.AspNetCore.Identity.Data.LoginRequest' was missing required properties, including the following: email. I changed the property from "username" to "email", then it worked as shown in the video.

  • @erik9035
    @erik9035 3 months ago

    Thanks for the help!

  • @allannielsen4752
    @allannielsen4752 10 months ago

    Great intro, but still looking forward to the Entra integration video you said you might do ;)

    • @swildermuth
      @swildermuth 10 months ago

      It's coming. I'm doing a new demo with Aspire where I'm using Entra, so in building that - you'll get that video, I promise.

  • @skywalker.b
    @skywalker.b 11 months ago

    How is Launch Profiles opened at 2:56? Some kind of shortcut?

    • @swildermuth
      @swildermuth 11 months ago

      I had to set a shortcut key for it (in Options/Keyboard). So, yes, I used a shortcut (ctrl-alt-shift-d) but I set that on my machine.

  • @kimutaifelix9092
    @kimutaifelix9092 months ago

    "I've been in the software engineering field since 1985...." I still have a long way to go. Thank you.

  • @andrejcarstens
    @andrejcarstens 9 months ago

    Thank you for the super clear way that you describe these topics. This is a useful feature that has just saved hours of work. Nice video Sean. I am struggling to use the token that is being created though. I added an api controller and set the Authorize decorator to use the "api" policy name. In postman I am making a GET request with the access_token embedded in the header as bearer. I keep getting 401 though. I tried playing around with sending the token as a JWT but the same thing happens. Can you elaborate how to use the token once it has been created? I would have expected it to be simple enough, perhaps I am just missing something w.r.t implementing the auth in my other controllers? Do you maybe have another video that demonstrates using the JWT? Thank you again, you are an absolute legend, please keep the content coming.

    • @swildermuth
      @swildermuth 9 months ago

      If you're using the new .NET 8 Identity, just know that the built-in Identity provider supplies a Bearer Token, but it is not a JWT token. So if you are trying to mix .NET 8 identity plus the developer JWT tokens, they aren't compatible.

  • @borisgomiunik7960
    @borisgomiunik7960 9 months ago

    Thank you for making these shorts. Short and to the point. I hope you don't mind me asking if there is any solution also for using OIDC providers like keycloak or similar?

    • @swildermuth
      @swildermuth 9 months ago +1

      Not that familiar, do you mean something like this? medium.com/@ahmed.gaduo_93938/how-to-implement-keycloak-authentication-in-a-net-core-application-ce8603698f24

    • @borisgomiunik7960
      @borisgomiunik7960 9 months ago

      @swildermuth Thank you. Something just like that. Only to have it applied to SPA.

  • @predigr
    @predigr 11 months ago

    Great video!! Thanks for sharing. What if you don't use Identity?

  • @AshrafSada
    @AshrafSada 10 months ago

    Thanks, great information

  • @aaqilansari5702
    @aaqilansari5702 6 months ago

    Shawn, everything works fine except for the identity default api endpoints which are protected e.g. manage/info doesn’t work with the bearer token and it works only with the generated cookie.
    Login endpoint is working fine. But once we are logged in and get the bearer token then all the identity api endpoints should be accessible with that bearer token. But the protected ones aren’t working.
    Any suggestions how to get it working with that bearer token and not the cookies which are http only tokens

  • @aron-gx9mh
    @aron-gx9mh 6 months ago +1

    I understand all this but how do I add this to my project? I want to run a website that gets data from an API. Unfortunately, this didn't help me.

  • @josephizang6187
    @josephizang6187 months ago

    Can this solution be used for small to medium sized apps in prod?

  • @adamoneil7435
    @adamoneil7435 a year ago +1

    good stuff, thank you

  • @der-otto
    @der-otto a year ago +2

    I love your videos. One Question:
    How to work with claims and roles?

    • @swildermuth
      @swildermuth a year ago

      You can configure the claims and roles to be put in the bearer token. I am not sure this exposes an API to *manage* the roles and claims, but you can embed the roles and claims in the bearer by configuring IdentyBearer to include claims.

  • @StefanoLabate
    @StefanoLabate a year ago

    very useful my friend, thank you!

  • @aah134-K
    @aah134-K a year ago +1

    Very nice,
    I remember I had to do a lot of things to wire JWT and identity things, very straightforward,
    But if I have a custom database it will not wire correctly, I think, without extra work

    • @swildermuth
      @swildermuth a year ago +1

      The database doesn't matter. However you configure identity, it's just passing this to the UserManager.

  • @HugRunner
    @HugRunner a year ago

    Really nice video! Thanks a lot!
    I'm wondering a bit about when you actually get the token from the API in a SPA. Where and how would you store this for future requests, and how to handle and use the refresh token as well? In a browser I guess you could store it in local storage or perhaps a cookie?, but for some remote application like MAUI or a phone app, where would you store it safely? Would be awesome with a follow up video on that topic :)

    • @swildermuth
      @swildermuth a year ago +1

      Depends on the provider. If you're using a 3rd Party (e.g. Azure AD), then they will handle it for you. Otherwise, I'd keep both in local storage. The safety of the JWT is about its short life and that it has been unchanged, so you can store it. But don't be reckless.

    • @HugRunner
      @HugRunner a year ago

      @swildermuth Thanks for a quick response! I'm thinking about the inbuilt solution here, not 3rd party, so I guess local storage then, but is there any simplification on that part as well for .NET 8 or do we have to write our own middleware or auth-handler that reads from local storage and appends to every request? I remember seeing an example on that from a video on auth for like .NET 6 or something. Would be nice to see a proper/good solution for that in similar style to this video, but I'm sure I can find a solution somewhere if I search for a while.

  • @marceloleoncaceres6826
    @marceloleoncaceres6826 10 months ago

    Thanks for the video,

  • @fredrickamoako
    @fredrickamoako a year ago

    very insightful, is there a way that the endpoints can be modified for extra data, for example if there's a requirement that a user provides several other details for registration alone

    • @swildermuth
      @swildermuth a year ago +1

      I believe so, the identity stuff has hooks to expand Registration. Not sure what happens when you add to it for the endpoint.

  • @RickGraner
    @RickGraner a year ago

    you used a minimal api to RequireAuthorization("api") so if I wanted to make an api controller, would I decorate that controller with the same RequireAuthorization("api")? I'll test this of course but wondering if it needs to be different at all in case it doesn't work

    • @swildermuth
      @swildermuth a year ago +1

      [Authorize("api")] would work (if you create the policy)

  • @cjt9150
    @cjt9150 11 months ago

    Good work. Can you please create a video for custom authentication with cookie/local storage/session storage & without identity

  • @WelcomeToMyLife888
    @WelcomeToMyLife888 a year ago

    awesome content! subscribed!

  • @Schnickalodeon
    @Schnickalodeon a year ago

    Awesome video. Thank you!
    Unfortunately you cannot use this approach with bearer token, when you want to implement the authorization as a separate microservice (and JWT), right?
    If I have e.g. my Products API (microservice) which requires authorization with a token from my AuthApi that won't work because the Products API cannot validate the token.
    Then I will have to integrate all Endpoints manually (the old way)

    • @swildermuth
      @swildermuth a year ago

      Yeah, this is specifically for extending Identity for JWTs. If you're using a separate microservice, your JWT would need to include all the audiences - though it's common to move auth to something external (e.g. Azure AD, AWS, Auth0, Duende) to remove the need for user management entirely.
      Unless, your microservice is using Identity, then the MapIdentityEndpoints would work fine.

  • @MrJimmaguire
    @MrJimmaguire a year ago

    Very helpful, thanks 😊

  • @1972vid
    @1972vid a year ago

    How does this work when using ASP.Net.core MVC

  • @MohammadKomaei
    @MohammadKomaei a year ago

    What is the launch profile window shortcut?

    • @swildermuth
      @swildermuth a year ago

      I assigned it to CTRL-SHIFT-ALT-D but I don't think there is one by default.

  • @peteroganwu951
    @peteroganwu951 a year ago

    Hi Shawn. Thanks for this tutorial. Not sure if changes were made since this video. I am running .NET 8 RC2. I am getting a 400 error calling the login endpoint.

    • @swildermuth
      @swildermuth a year ago

      Shouldn't be different. Can you share the code (github or gist)?

    • @Windmerica
      @Windmerica a year ago

      @peteroganwu951 When POSTing the JSON to /api/auth/login at 11:25 try replacing "username" with "email" instead.
      Your 400 BadHttpRequestException might have an inner JsonException like "JSON deserialization for type 'Microsoft.AspNetCore.Identity.Data.LoginRequest' was missing required properties, including the following: email"

  • @Steve-Fallon
    @Steve-Fallon a year ago

    Does this support external logins like Google and Facebook? I know the old razor-based auth flow does.

    • @swildermuth
      @swildermuth a year ago

      Not really, but the external logins supply their own Bearer tokens. The client-side flow is different.

  • @tinylittleanj2
    @tinylittleanj2 11 months ago

    how do I pass a token between a blazor front end app and a web API back end (separate solutions)?
    they both have access to the same database (for testing purposes), I am going to swap it out with OAuth2.0 but I want a proof of concept so I can work out what to do..
    do you have any videos on something a bit more in depth?
    this was great by the way, loving .NET 8 :)

    • @swildermuth
      @swildermuth 11 months ago

      Not sure how Blazor works in that case.

  • @teckyify
    @teckyify a year ago

    Does this also work with Keycloak? 🤔

  • @nelsonrivers8546
    @nelsonrivers8546 5 months ago

    Can you add a video that shows how to do "Refresh Token" while using Identity with Web API 8 ?

    • @swildermuth
      @swildermuth 5 months ago

      It's on the list to create. Not sure how long until I get to it.

  • @christianrazvan
    @christianrazvan a year ago

    So in .NET 6.0 Identity didn't know about jwt tokens? What is the equivalent of this presentation in .NET 6.0?

    • @swildermuth
      @swildermuth a year ago

      Not exactly, Identity has been much simplified so that you don't necessarily have to handle the validation of the JWT for yourself.

  • @Daviddsjh
    @Daviddsjh a year ago

    Hi, great video! Unfortunately the link to your example code is broken :(

  • @techreviews-j1o
    @techreviews-j1o 11 months ago

    Hi, I like what you are doing.
    Please, I have a question:
    I have an API that handles generating authentication with a JWT access token, and all my logic is in this API. I want to use Blazor as frontend with RenderModeAuto, how to use the JWT in this case?
    For WASM I have no problem, but with Blazor RenderModeAuto I am lost
    Thank you

    • @swildermuth
      @swildermuth 11 months ago

      I don't know Blazor, sorry.

  • @softw.netcore7521
    @softw.netcore7521 10 months ago +1

    👍👍👍👍👍👍

  • @Denis-nq1nc
    @Denis-nq1nc 3 months ago

    Is it actually JWT?
    As I know it's not, you can't really decode it using any means from web
    It's actually just a Bearer token, not JWT

  • @ArmanOssiLoko
    @ArmanOssiLoko 11 months ago

    To be honest, I am bothered by the fact that I can't opt out of some endpoints and that I cannot change the registration model and stuff like that.

    • @swildermuth
      @swildermuth 11 months ago +1

      You don't have to use the middleware, you can just use Identity instead of adding the endpoints manually. If you scaffold identity, you can manually change anything you want.

    • @ArmanOssiLoko
      @ArmanOssiLoko 11 months ago

      @swildermuth That's what I ended up doing. Funnily enough, I tried to use the SignInManager.PasswordSignInAsync() within a controller action named /login and then when I try to do return Ok(), it throws an exception because it tries to write to the HTTP Response twice - the first time within the PasswordSignInAsync and the second time after my return Ok(). lol I am really unsure why their approach to this, because if the PasswordSignInAsync succeeds, the method internally writes the token and everything else to the Response body, but if it fails, it doesn't do anything, so you have to handle it manually. That's how the MapIdentityApi() works at least and I dislike it quite a lot.

    • @ArmanOssiLoko
      @ArmanOssiLoko 11 months ago

      @swildermuth I ended up doing that, but the funny thing is that when I tried to move the Identity logic from the MapIdentityApi to a controller, I had to make the login method return a Task instead of an IActionResult, because the SignInManager.PasswordSignInAsync returns a result without any proper data (no token, nothing, just returns the state).

  • @heididaniels277
    @heididaniels277 5 months ago

    I love your videos. Unfortunately, the database update failed for me.

    • @swildermuth
      @swildermuth 5 months ago

      What's the error?

  • @jameshancock
    @jameshancock a year ago

    The major issue is that this is ripped off openidconnect without doing openidconnect correctly.
    It should have been full openidconnect with well known endpoints and standards compliance.
    Now we have multiple messes for no reason.

    • @swildermuth
      @swildermuth a year ago +1

      I don't think this is about openid at all? Can you explain what I'm missing?

    • @jameshancock
      @jameshancock a year ago

      @swildermuth it’s a knock off of password flow from openidconnect.
      Except it doesn’t generate the metadata and doesn’t follow the token endpoint pattern.
      So it sounds the same, acts similar but isn’t at all. They made a mess of it instead of just implementing password flow openidconnect and providing standard endpoints with metadata which would have been just as easy and standards compliant in the process.

    • @geraldmaale
      @geraldmaale a year ago

      @jameshancock According to the Microsoft folks, if you want the full power of openidconnect and other complex scenarios, they recommend you use DuendeIdentity. This is just a minimalistic approach for people who just want username and password integrated in their apps.

  • @jessecalato4677
    @jessecalato4677 11 months ago +2

    This is not JWT

  • @sertunc-k5o
    @sertunc-k5o 9 months ago +1

    I wasted half a day because I added the wrong library. Be careful when adding libraries!!!

    • @swildermuth
      @swildermuth 9 months ago

      that has been an issue with so many libs with similar names.

    • @sertunc-k5o
      @sertunc-k5o 9 months ago

      We must definitely be very careful. @swildermuth

  • @minimalstory
    @minimalstory a year ago +1

    there is not a valid jwt token, Microsoft, as always, did not do what the developers asked. .net swims against the tide with every version

    • @swildermuth
      @swildermuth a year ago +1

      How isn't it a valid jwt token?

  • @dmzone64
    @dmzone64 a year ago

    This is too much of a good thing turned bad. Rarely, you will need a barebones authentication. You will always need to extend it and then this is a nice nicety.