If you are asking - how do I generate claims for controllers?
watch this old, but gold video on reflection: th-cam.com/video/cdG2JxuZvNI/w-d-xo.html
Insanely cool stuff. Tbh, I won't probably use it in my whole commercial programming life, but the video and the whole topic is very interesting
Cheers :D
Thanks so much for the deep dive into ASP.NET Core security! 😎👍
Thank you for sharing. Finally decided to become a patron too.
Great video. Thank you!
Yò stupid question here, but i guess those are the most important, how can i return a feedback to the client from this ? i saw you can add some fail reasons but i just get the html page as a result
i did it like this
if (user == null)
{
    context.Fail(new AuthorizationFailureReason(this, "Your token expired!"));
    return Task.CompletedTask;
}
You have access to the httpcontext there you can write whatever response you like before failing.
@RawCoding yeah i tried something like this
byte[] bytes = Encoding.UTF8.GetBytes("Something went wrong buddy");
httpctx.Response.StatusCode = 405;
httpctx.Response.ContentType = "application/json";
await httpctx.Response.Body.WriteAsync(bytes, 0, bytes.Length);
but it doesn't seem to work i still get a 302 status and the html page as response :V
I’ll have a look and get back to you, can you come on discord and ask this question there so I don’t forget please
@RawCoding Sure man thanks :D
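Added example, not part of the comment thread or the video's source code: one way to return a JSON body instead of the 302 redirect and HTML page described in the thread above is a custom IAuthorizationMiddlewareResultHandler, which replaces the default challenge/forbid behaviour of the authorization middleware. The class name JsonAuthorizationResultHandler and the JSON shape are assumptions, and the code assumes ASP.NET Core 6 or later and an API-only app where no endpoint needs the login redirect.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Policy;
using Microsoft.AspNetCore.Http;

// Hypothetical class name. Register it once at startup:
//   builder.Services.AddSingleton<IAuthorizationMiddlewareResultHandler,
//                                 JsonAuthorizationResultHandler>();
public class JsonAuthorizationResultHandler : IAuthorizationMiddlewareResultHandler
{
    public async Task HandleAsync(
        RequestDelegate next,
        HttpContext context,
        AuthorizationPolicy policy,
        PolicyAuthorizationResult authorizeResult)
    {
        if (authorizeResult.Succeeded)
        {
            // Authorized: continue down the pipeline to the endpoint.
            await next(context);
            return;
        }

        // Challenged = caller is not authenticated (401).
        // Otherwise the caller is authenticated but denied (403).
        context.Response.StatusCode = authorizeResult.Challenged
            ? StatusCodes.Status401Unauthorized
            : StatusCodes.Status403Forbidden;

        // Messages passed to context.Fail(new AuthorizationFailureReason(...)).
        // AuthorizationFailure can be null, so the list may be empty.
        // Keep these messages generic: they are sent to the client verbatim.
        string[] reasons = authorizeResult.AuthorizationFailure?.FailureReasons
            .Select(r => r.Message)
            .ToArray() ?? Array.Empty<string>();

        // Assumed response shape: { "error": "...", "reasons": [ ... ] }
        await context.Response.WriteAsJsonAsync(new
        {
            error = authorizeResult.Challenged ? "unauthenticated" : "forbidden",
            reasons
        });
    }
}
```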
Thank you very much for this video! I have a question: the tags attribute changes the way methods are displayed in swagger, is there any way to prevent tags from affecting it?
I don’t use swagger, so nope sorry
Hey man! so, i just started using minimal apis, and faced this problem as well. here is how you can make swagger ignore the permission tags. you can write your own GroupingFilter extending from IOperationFilter, inside that you can make it ignore the permission tags. then you just have to tell swagger to use your GroupingFilter like this: .AddSwaggerGen(c => { c.OperationFilter<GroupingFilter>(); });
I couldn't get the tip page to work. Have an LN public addr?
LN?
@RawCoding Lightning Network (Bitcoin thing for small payments)
Thank you Anton, beautifully done, as always.
I would like to clear a thing in my mind. What is the difference *between* having an endpoint that has a Tag/Identifier for accessing this endpoint (the way I understood it, is that is the permissionId what could also be a Guid.ToString()) *AND* an endpoint requiring a claim.
The user will need to have *either* the claim *or* the "permissionId" to access the endpoint. The endpoint will statically always have some "demand".
So, what is the "Dynamic" part here ? Is it that it is easier to Add/Remove permissions from DB instead of updating the claims from the User ? For example, the cookie cannot get updated, unless you re-sign-in.
So essentially, what is the difference of having a user that has a claim that an endpoint demands, *and* having an endpoint that has some permissionIds and give those permissions to the user.
Dynamic is being fully configurable. Any endpoint any set of claims and then you can group claims in to roles and assign roles.
Otherwise If you define which endpoints can be accessed by a role in code, if you want to change that it’s a code change.
@RawCoding Thank you for the reply. So it is more "fine-grained" having a unique identifier for each endpoint and then assign this endpoint to the user, instead having a Policy (which consists of claims) that could be placed in more than 1 endpoints.
Am I thinking in the right direction ?
It’s about doing it at run time. And not having to change the code.
@RawCoding Clear. Thanks!
does this only apply to minimal APIs?
No, I think you’ve missed the point.
@RawCoding hope it is applied to normal APIs as well, right?
hi, thanks for this awesome lecture, please upload related code with each video, its request
You can get the source code if you support me on patreon
@RawCoding how I can ??
@Its_wes01 www.patreon.com/raw_coding
Speaking too fast ... Please help us from outside US. Rssss
Got a haircut and changed the channel name?
What, what?