Watching in 2020 to understand the basics of token-based authentication. It helps me a lot. Thank you, love from Bangladesh.
Finally a comprehensive tutorial to understand how Web API token generation works. Very valuable for me!!
It's really helpful for creating a token-based Web API. Thanks for creating this content.
Searching stops here for token-based authentication. 😓😓 Very helpful video. Thanks a lot.
Good work mate, thanks a ton. I tried this in January but couldn't understand it, but today I have done it.
Thank you, I was trying to make this for 2 days and thanks to your video it is finally working!
Very Helpful and I fully understood the process of Token Authentication
Very good and well explained tutorial for everybody who needs help with token authentication. Explained step by step. Thank you!
I really do not know why the dislikes :( . It's a really nice article... It worked like a charm... Thank you very much.
Thank you very much Sourav. I was researching on this and your video has everything I'm looking for to get a start.
Thank you so much for this awesome video. I was having a hard time implementing this but now everything makes perfect sense. Highly appreciated sir!
Very helpful tutorial. I want to ask one thing about this sample application: when we send the 'token' to get data, how does the Web API know that this token is valid? I mean, how and where does it check it? Does the server have a copy of that token, or what?
Thanks for this straightforward example. I've learnt a lot.
Excellent Job. I am waiting for the PART 2 of this series
th-cam.com/video/i2NvQrO75no/w-d-xo.html
Thank you so much for the valuable information, with your help I solved a difficult situation.
Many, many thanks for creating this superb video... One suggestion here: it would be nice for a starter to get more details about the classes/references you have added in this project.
How can I validate the users in SQL Database?
Very helpful!!! Thanks so much for going through the whole process in detail.
Thank you for such a great tutorial! It really helped me to understand all these complex things.
Awesome video bro
Token path does not bind correctly in the current ASP.NET Web API 2, so no token can be generated.
Good knowledge you have shared. Thanks.
Perfect! Simple and direct, thanks my friend!
Hello from the UK, nice video, step by step, very useful :)
Thanks sir, my question is: where does the Web API store the token on the server side?
You are saying the client sends the user id and password to the authentication server, so what is meant by authentication server? Which authentication server are you talking about?
People say a JWT token contains 3 parts, separated by dots. But in the tutorial the token is generated without dots. Can you explain that?
Thanks so much. You teach well. Everyone understands easily. Good job sir.
Hello Sourav, thank you for your video. I followed your video, but I do not use the HandleUnauthorizedRequest method in AuthorizeAttribute.cs; I use the OnAuthorization method and I only return true for IsAuthenticated. I get 403. What can I do?
Great tutorial. Explanation was up to the mark.
How do I send my token to my API-consuming web application so it can authorize and have access to functions with [Authorize] above them?
Hi, how can we get a 403 Forbidden error status when authenticating using OAuth2?!
It is a token-based authentication where we pass client id, client secret and grant type as client credentials... after generation of the access token, to access the protected resources, which status should one get?!
Can you clarify this?!
Sourav, why does nobody show the client in C#, making the call to the Bearer generator and the other calls? I cannot use Postman inside the ASP.NET MVC 5 system! Do you happen to have a link to an article that shows the client side (in C#) accessing the Web API that generates and validates the bearer token?
Great Sir ji! Really appreciated.
Thanks Mondal ji...
I can hit the controller even without the bearer token. What have I missed?
I am not getting where you are generating the token. I suppose you must be using Azure AD.. but you are not passing any client secret key.
Very good explanation. Thanks
How to implement an ADFS SAML Assertion Consumer with Redirect binding in a .NET Core Razor Pages application? Please help.
Good video. It would have been even better if you'd explained things a little more, like the AuthServerProvider class and its functions, what all the other methods are, when to use what, and how to set it up with SSL, because that's what we will use in the real world.
The best and simplest tutorial on the topic, thanks.
Thank you so much. Make a video about refresh tokens please!
This is not working in ASP.NET Core 2.0 Web API. Could you please suggest how we can achieve this using ASP.NET Core 2.0?
Great presentation and illustration.
Thank you so much, this worked perfectly for me, but I'm blocked on how to use this method with data retrieved from a login view that I created instead of using Postman. I really hope you can explain that part.
Hi Sourav. That was a great tutorial about token-based authentication. I tried it out the way you explained, but when I create the token and try to access the Authenticate method, the response I get is Forbidden. So I removed the ! in "HttpContext.Current.User.Identity.IsAuthenticated" and I get the response as hello "dev". Is this the correct way of doing it?
And one more question: I created a token for the admin user and tried to access the "Authenticate" method. Should it have access or not? For me I was able to access it.
Correct me if I am wrong?
Sourav, thanks for the video. Can you add a refresh token part?
Can I use these APIs as a 3rd-party login API?
Getting an error while running on shared hosting: 403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.
When a password is passed like this (40:28) but in a regular form on a web page, is there anything preventing a sniffer from getting the password? If not, are there any known solutions to this problem (like encrypting the password in the form and decrypting it later in the Web API when needed)?
I want to authenticate using a SAML request with an identity provider, initiated from a .NET Framework Web API. Do you have any article or tutorial for this?
It's great... thank you so much.
Actually I am new to ASP.NET Identity, and I want to know where, in the above demo, the user's identity details like roles, claims etc. are stored: in memory, in a database or somewhere else?
And one more thing: I want to refresh the token after the token expires, so what do I have to do?
Any reference for refreshing the token?
Is this kind of token-based authentication secure against replay attacks? I am assuming that because the token is valid for a certain time, the request can be replayed by an attacker within that time frame, as it does not have a nonce.
I have generated an access token for both "user" and "admin". For both of them, the access_token is the same. Can it happen like that?
Thanks Sourav, a neat and clear tutorial on Web API token-based authentication.
Awesome Mr. Sourav... This is a really nice tutorial... But I have one point... Please let me know why we use grant_type=password. Is there any reason behind it? Thank you in advance buddy.
Please share a video on refresh tokens in the OAuth 2.0 token implementation in C#, if you have any.
Good work! Keep it up!
Sourav, post any WCF videos, please.
Awesome video, and the way of explanation is good... Thanks for your time Sourav.
I would like to host this in IIS and access it through jQuery AJAX... is that possible? I can't find the OWIN startup class.
Hello Sourav Mondal,
Please explain: when we enter the username and password, then the token is generated, where is this token stored, to validate the next request?
I am following your process (this video/article) as well.
The token value did not come.
In Postman a 404 Not Found error comes.
How to fix it?????
Works like a charm. However, I have a problem. We are integrating Help Pages into our application (docs.microsoft.com/en-us/aspnet/web-api/overview/getting-started-with-aspnet-web-api/creating-api-help-pages). We need to be able to restrict access to the help page to only logged-in users. I added ASP.NET Identity to accomplish this. But it seems that the ASP.NET Identity classes (ApplicationUserManager, ApplicationSignInManager etc.) don't play nice with the OWIN classes in this tutorial. To see what I mean, add a Web API help page using the above link, then try to lock down that controller with [Authorize].
This video is what I'm looking for. Just a quick question: at 40:35 (grant_type), where did you set the value in the code (.cs file) before calling the method?
Also wondering the same
+Christian Gajo where I have set the username and password. Here I have sent username, password and grant type.
+sourav mondal in the JS file you can see this code I have used for login:

    fac.login = function (user) {
        var obj = {
            'username': user.username,
            'password': user.password,
            'grant_type': 'password'
        };
        Object.toparams = function ObjectsToParams(obj) {
            var p = [];
            for (var key in obj) {
                p.push(key + '=' + encodeURIComponent(obj[key]));
            }
            return p.join('&');
        }
        ........

Here we have added grant_type.
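The request the AngularJS factory above sends (username, password and grant_type=password to /token, then the Bearer token on later calls), written as a C# HttpClient client; this is an added example, not code from the video or its sample project. The TokenClient name, the base URL and the api/data route are assumptions; admin/123 are the demo credentials used in this thread.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

// Added example client (assumed name); not part of the video's sample project.
public static class TokenClient
{
    // POST /token as application/x-www-form-urlencoded. grant_type=password is what makes
    // the Katana token endpoint call GrantResourceOwnerCredentials on the provider.
    public static async Task<string> GetTokenAsync(HttpClient http, string baseUrl, string user, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "password" },
            { "username", user },
            { "password", password }
        });
        using (var response = await http.PostAsync(baseUrl + "/token", form))
        {
            var body = JObject.Parse(await response.Content.ReadAsStringAsync());
            if (!response.IsSuccessStatusCode)
            {
                // SetError in the provider produces 400 with "error" / "error_description".
                throw new InvalidOperationException(
                    "token request failed: " + body["error"] + " - " + body["error_description"]);
            }
            return (string)body["access_token"];
        }
    }

    // Call a protected action: the token travels only in the Authorization header, never in the URL.
    public static async Task<string> CallProtectedAsync(HttpClient http, string baseUrl, string token)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, baseUrl + "/api/data"); // assumed route
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        using (var response = await http.SendAsync(request))
        {
            // 401: token missing, malformed, expired or rejected by the bearer middleware.
            // 403: token accepted, but the identity lacks the role that [Authorize] requires.
            if (response.StatusCode == HttpStatusCode.Unauthorized ||
                response.StatusCode == HttpStatusCode.Forbidden)
                throw new UnauthorizedAccessException(((int)response.StatusCode).ToString());
            return await response.Content.ReadAsStringAsync();
        }
    }

    public static async Task Main()
    {
        const string baseUrl = "https://localhost:44383"; // assumed; use your project's SSL URL
        using (var http = new HttpClient())
        {
            var token = await GetTokenAsync(http, baseUrl, "admin", "123");
            Console.WriteLine(await CallProtectedAsync(http, baseUrl, token));
        }
    }
}
```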
I needed to add the two lines at the bottom of the function to get it to return the token:

    using System.Security.Claims;
    using System.Threading.Tasks;
    using Microsoft.Owin.Security;
    using Microsoft.Owin.Security.OAuth;

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        if (context.UserName == "admin" && context.Password == "123")
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, "admin"));
            identity.AddClaim(new Claim("username", "admin"));
            identity.AddClaim(new Claim(ClaimTypes.Name, "Malcolm Swaine"));
        }
        else if (context.UserName == "test" && context.Password == "123")
        {
            identity.AddClaim(new Claim(ClaimTypes.Role, "test"));
            identity.AddClaim(new Claim("username", "test"));
            identity.AddClaim(new Claim(ClaimTypes.Name, "test user"));
        }
        else
        {
            // Bad credentials: report invalid_grant and return here. Falling through to
            // Validated() below would clear the error and issue a token for the empty identity.
            context.SetError("invalid_grant", "credentials are invalid");
            return Task.FromResult(0);
        }
        // The two lines that make the endpoint return a token: without Validated()
        // the middleware answers invalid_grant even for correct credentials.
        var ticket = new AuthenticationTicket(identity, null);
        context.Validated(ticket);
        return Task.FromResult(0);
    }
Hello Sourav. I have a question. I need to implement two-factor authentication in the authentication logic. How could I do it???
I need a lot of ideas....
Nice way of presentation and very good content Sourav, Thanks.
Thanks
Looks like you are reading it from paper... but it was helpful, thanks.
Well explained.
It is very helpful for me. But can you guide me on how to build a login form using token-based authentication and only jQuery, because my boss does not want to use Postman and AngularJS?
Thank you so much.
Mistake at 38:42: it returns 401 Unauthorized, not 403, because you created the Authorize attribute with the same name as the framework's, so it considers it the framework's default behaviour... You should give a different name to your CustomAuthorize inheriting from the Authorize attribute. Update it as early as possible, at least with a patch video.
Getting the error "unsupported grant type" even in the demo code. :(
Good Information Thanks Sourav
Very useful, thank you.
When I tried to implement Google sign-on in ASP.NET Web API with the Angular frontend framework, I am getting a redirect URI mismatch error. Can you please help me to resolve this issue?
Hello, can we give an error code with the error message in all cases? If we pass a wrong token then only one JSON response comes, with a message parameter. But we need an error code; if the token is expired then we need another response and error code. Please update me sir.
When I try to generate the token after all this process, I am getting a 404 error.
localhost:44383/token.
It returns 404.
Super video Sourav, I have a doubt. When I hit from my ApiController as specified in the code below,
var tokenresponse = await objhttpclient.PostAsync(baseurl + "/token", new FormUrlEncodedContent(form));
will it hit the ApplicationOAuthProvider class
GrantResourceOwnerCredentials()?
Does anybody have an idea to solve the above myth?
Very nice explanation, please provide the 2nd part ASAP.
th-cam.com/video/i2NvQrO75no/w-d-xo.html
Great video Sourav, thank you!
How to authenticate two different types of users, like admin and customers?
Thank you so much. Excellent tutorial!
Works like a charm! Thanks!!!
Hey, great tutorial! Thanks! How would the "logout" mechanism work? Or do we have to rely on token expiration?
In OAuth there is no option for sign-out. We can delete the access token on the client.
But we have one more option... that is, if you want, you can save the token in a database table and check against that table's data when a request comes.
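The second option described above (keep a record of issued tokens and check it on every request), worked through as an added example; this is not code from the video or its sample project. The Revoked store (an in-memory stand-in for the database table), the "jti" claim name, the api/logout route and the demo credentials are assumptions; the ValidateClientAuthentication override is also the call whose absence produces the "Invalid client" error mentioned further down the thread.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class AuthServerProvider : OAuthAuthorizationServerProvider
{
    // Stand-in for the database table (assumption): revoked token id -> time of revocation.
    public static readonly ConcurrentDictionary<string, DateTime> Revoked = new ConcurrentDictionary<string, DateTime>();

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // no client secret in this demo; without this call the endpoint answers invalid_client
        return Task.FromResult(0);
    }

    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (context.UserName != "admin" || context.Password != "123") // demo credentials from the thread
        {
            context.SetError("invalid_grant", "credentials are invalid");
            return Task.FromResult(0); // return before Validated(), so no token is issued
        }
        var identity = new ClaimsIdentity(context.Options.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
        // A random id per issued token lets one token be revoked without affecting the user's others.
        identity.AddClaim(new Claim("jti", Guid.NewGuid().ToString("N")));
        context.Validated(new AuthenticationTicket(identity, new AuthenticationProperties()));
        return Task.FromResult(0);
    }

    // Runs for every bearer request after the token is unprotected and before [Authorize] sees the identity.
    public static Task ValidateIdentity(OAuthValidateIdentityContext ctx)
    {
        var jti = ctx.Ticket.Identity.FindFirst("jti");
        if (jti == null || Revoked.ContainsKey(jti.Value))
            ctx.Rejected(); // request continues unauthenticated, so [Authorize] answers 401
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new AuthServerProvider(),
            AllowInsecureHttp = false // the password travels in the form body, so require TLS
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new OAuthBearerAuthenticationProvider { OnValidateIdentity = AuthServerProvider.ValidateIdentity }
        });
    }
}

[Authorize]
public class LogoutController : ApiController
{
    [HttpPost, Route("api/logout")] // requires config.MapHttpAttributeRoutes() in WebApiConfig
    public IHttpActionResult Logout()
    {
        var jti = ((ClaimsIdentity)User.Identity).FindFirst("jti").Value;
        AuthServerProvider.Revoked[jti] = DateTime.UtcNow; // the table row; purge rows older than the token lifetime
        return Ok();
    }
}
```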
Thanks man. It really helped a lot.
I also enjoyed the trains passing by :)
+Ahsan muzafar :)
Good teaching, but a request to you: zoom the screen for better visibility.. Keep it up.
very good!
I liked your learning!
Please make a client app and call all the methods from the client app, because when I tried to call the token method it's throwing me a CORS error.
Implemented the same code and tested in Postman on authorization to get the token, given username, password and grant_type, but getting the error "Invalid client". Any suggestion to solve this please?
Getting the same error for me too!! Any suggestion to solve it please?
Very helpful video.
Thank you for a great Tutorial :)
Microsoft.Owin 3.1.0 is not compatible with netcoreapp1.0
Good job Sourav, it is helpful to me.
{
"Message": "No HTTP resource was found that matches the request URI 'localhost:54473/token'.",
"MessageDetail": "No type was found that matches the controller named 'token'."
}
Getting this error while doing the POST; further things work properly. Can you solve this issue?
I am waiting for AngularJS 2 with the same authentication implementation.
Sarju Kabariya me too
Where are the user tokens stored??
Thanks for the video! I was receiving {invalid-grant} even after auth success. At 40:13 I needed to add
var ticket = new AuthenticationTicket(identity, null);
context.Validated(ticket);
at the end of the GrantResourceOwnerCredentials method to get it to return a token
I am getting a 404 error. Could you please help?
Hello! How to send the token from MVC?
Hi, you are great, simple and great!
BTW, what I understood overall is that if you are applying 3-legged authentication then this part (of authentication and providing the access token) will be with a 3rd-party authorization provider like Gmail or Facebook. Correct?
Hello Jyoti,
You can use a third-party STS (authentication server) app like "identityserver3" in your project. "identityserver3" supports other social logins like FB, Gmail. Please check the web link below
www.scottbrady91.com/Identity-Server/Identity-Server-3-Standalone-Implementation-Part-1