Awesome video, succinct and to the point! Keep them coming!
Thanks a lot! I have a few more 🔥 coming up.
Very timely, I'm about to implement this in a new project soon.
If you want to make a part 2, I'd be interested in multiple login providers as well as adding roles to the token. I think these 2 are pretty standard requirements for any real world application.
I'm not sure whether to use Identity package with that approach. Also not sure whether I can get the token (with roles) directly from firebase in my frontend or I need to send request to my own backend.
It would be so cool to see something like this! 😅
Yes man, Part 2 is required with different authorization method such as Google or Facebook. 🤩❤
For most of the social providers you would implement it on the client side, which is something I don't cover on YT
Check out the docs for adding roles/custom claims to the token - I'm 99% sure there is support for that
Thanks!
You're very welcome!
Great content! As a relatively experienced developer I really enjoy your videos :)
Glad you like them! Any topics you'd like to see on my channel in the future?
Great video! You explain very very well. Thank you so much, Milan
Glad it was helpful!
Hello, I have this error when I check the JWT signed by Firebase at 23:47 => Authentication failed: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
Challenge: IDX10500: Signature validation failed. No security keys were provided to validate the signature.
It should work if you set the Authority correctly
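The IDX10500 error in the comment above means the JWT bearer handler had no signing keys to check the token against, which is what happens when it cannot discover Firebase's public keys from the Authority. As an added example (not code from the video or from the commenters), this is a minimal ASP.NET Core setup that validates Firebase ID tokens; the configuration key `Firebase:ProjectId` and the `/me` endpoint are assumptions.

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Security.Claims;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the Firebase project ID is stored under this configuration key.
string projectId = builder.Configuration["Firebase:ProjectId"]
    ?? throw new InvalidOperationException("Firebase:ProjectId is not configured.");

// Firebase ID tokens are issued by this URL; it is also the OpenID Connect
// authority whose discovery document points at the public signing keys.
string issuer = $"https://securetoken.google.com/{projectId}";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Without a reachable Authority (and no explicit IssuerSigningKey),
        // the handler has no keys and validation fails with IDX10500.
        options.Authority = issuer;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = issuer,
            ValidateAudience = true,
            ValidAudience = projectId, // "aud" of a Firebase ID token is the project ID
            ValidateLifetime = true,
        };
        options.Events = new JwtBearerEvents
        {
            // Log the failure reason server-side; do not echo it to the caller.
            OnAuthenticationFailed = context =>
            {
                context.HttpContext.RequestServices
                    .GetRequiredService<ILoggerFactory>()
                    .CreateLogger("FirebaseJwt")
                    .LogWarning(context.Exception, "JWT validation failed");
                return Task.CompletedTask;
            },
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: returns the validated token's claims.
app.MapGet("/me", (ClaimsPrincipal user) =>
    user.Claims.Select(c => new { c.Type, c.Value }))
   .RequireAuthorization();

app.Run();
```

The project needs the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and the server must be able to reach the authority URL over HTTPS to download the keys.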
Hi can you do for some of your future videos email confirmation method?
Maybe, can't promise
Thank you very much for this high quality of videos and content. I wish you all the best ❤
You're very welcome!
Thank you 😊 Milan🤩 great Explanation very helpful
Glad it was helpful!
Shouldn't it be Access Token that's being sent to the backend? From my "research", apparently Id token is for Client Side part of the application to identify the user, and Access Token is for authorization with the server side?
Yes
@@MilanJovanovicTech but Firebase doesn't provide an Access token like cognito does right? What is a good alternative in that case?
Nice video. I see that you put the sensitive information on the wild (e.g. on screen, on appsettings), it might be obvious for experienced dev, but might not for some. Maybe it's good to mention briefly what's the good practise.
Good suggestion, will do in a future video
Milan, at 8:17 the LoggingBackgroundJobSetup caught my attention, it wasn't in the quartz video you recently released, and I'm currently starting a project that uses quartz and could use that, did I miss it in another video? Can I see the code somewhere?
It's here: th-cam.com/video/iD3jrj3RBuc/w-d-xo.html
Thank you @@MilanJovanovicTech
Super useful, how do you parse the errors from the api? Wish I could download it
From the Firebase API?
@@MilanJovanovicTech yes
Hey!
Is it possible to get the same result for Azure functions inside an Azure function App?
What does it have to do with Firebase?
What would change if you were setting up a new project in .net 8? Can firebase hook into the new identity out of the box?
Not sure, tbh
I'd like to ask if it is possible to also implement External provider authentications, along with username and password.
Yes
Hi Milan, I have a doubt: if you want to create roles and permissions, would you create them in your database or in firebase?
I'd probably store them in my own database, will be easier to manage
In microservice architecture, is it good practice to have this configuration just on Api Gateway or is better to have it on all services for security reasons? In the first scenario, how to add an authorize attribute on other services? In the second scenario it means that the request for a check token will duplicate, could that cause a problem?
I'm not sure if it's a "best practice" but my team and I used to also leave it on the individual services, just in case.
Hi Milan, what is the best way in your opinion to handle multiple user types in an application? Suppose we have Teacher, Student, etc... and each one of those has different properties. Is there a better way to do this than having IdentityUser that is used only to sign in, and aggregate roots in domain layer contain property IdentityId to reference the IdentityUser? The issue I have is that by design IdentityUser can be in multiple roles, but in my application the user can't have more than one role. Also what if an error occurred after creating IdentityUser, but before creating Teacher? It feels a little bit clunky to have an enum in IdentityUser like UserType, then doing _teacherRepository.GetByIdentityId(identityId); because there is no constraint at the database level that forbids creating Student aggregate for UserType.Teacher. What do you think? I can't find any article that says something about this.
You can use nullable columns, inheritance. I would probably not mix any Identity concepts in my domain at all.
@@MilanJovanovicTech To me the solution with nullable columns seems cumbersome. It's strange that there's literally nothing in the Internet on this topic, because everyone just shows a simple example with "AppUser", but in real life applications there are multiple user types that need its own properties, so there must be a sane way of doing this.
Awesome content Milan. A request: do a video about auth and realtime using supabase. Thanks
Ah, Supabase auth - the lost chapter :) Might do another video on that!
Great content 😎 , maybe in future videos try to cover Multiple External Authentication with callbacks and part with refresh tokens. Best regards. 💪
That requires UI work, though
How do we refresh the token?
There's a refresh token endpoint
hi Milan, what do you recommend? login in the backend or login in the front directly to firebase and send the token to the back?
The latter one is simpler, and that's how you'd use an IDP anyhow
Is this a free service we can use from firebase?
Yes, it's FREE up to 50k users per month
@@MilanJovanovicTech thanks for the quick reply mate!:)
Thanks Milan for this awesome video 👍
In the solution you have a Persistence project, you recommend this way over creating a Persistence folder under Infrastructure project?
Either one is fine :) Just use the approach that makes sense to you, and the amount of separation you want to achieve.
IMHO Microsoft Identity is more than enough in general use cases, didn't even have to use identity server or such extra layers. And I'm talking about a multi tenant complex project.
Yep, if you want to use it - gets the job done just as any other IDP
Is it safe to store api keys in appsettings?
Not the recommended approach
This is what I don't like about external providers. Our users need to stay on their platform too? And this is kind of giving our user accounts to other services.
That is a problem, yeah. You can try Keycloak if that's a problem. It's free, open source, and you can host it yourself.
@@MilanJovanovicTech thanks for introducing about new thing.
And what are your thoughts on using own DB and authenticating and authorizing users against our DB? We just need to create some tables and configure jwt tokens and that would save us from external or even open source libraries which may become paid at later stages? Stay awesome 😎
Hello Milan Jovan sir,
I recently watched your video on implementing Firebase authentication via email and password, and I found it incredibly helpful. However, upon attempting to implement the solution you provided, I encountered an unexpected error.
Here's the error message I'm receiving:
{
"errorMessage": "The request was canceled due to the configured HttpClient.Timeout of 100 seconds elapsing.",
"statusCode": 500,
"message": "Internal Server Error!"
}
I've double-checked my implementation against the steps outlined in your video, and everything seems to be in place. Despite this, the error persists.
Could you please provide some insight into what might be causing this issue and how I can resolve it?
I'm waiting for your response.
Thank you in advance for your help!
Well, which request is taking 100 seconds...?
@@MilanJovanovicTech When dotnet application is trying to authenticate with firebase server.
but now it's fixed. everything is working fine,
Thank you so much
Thank you
You're welcome
Save me from years of researching thanks
You don't want to know how much time I spent researching this 😂
Firebase: how Google spies on users even when not using their platform.
You're literally on YouTube - a Google product 😂
@@MilanJovanovicTech I’m doing so personally as a choice. I’m not opting in every one of my own customers to be tracked largely without their knowledge because Google gave me free stuff as a developer.
BIG DIFFERENCE.
@@jameshancock There are OS alternatives that offer similar things, like Keycloak, Identity server etc
@@MilanJovanovicTech hence my point. Ethical devs don’t use firebase because Google uses it to spy on your users. Ethical devs don’t promote firebase for the same reason as soon as they become aware of how unethical firebase is.
It’s literally why apps know what you did in other apps that had nothing to do with each other. It’s how Google spies in android while claiming android is just as privacy focused as iOS. It’s how they’ve infiltrated iOS with their effectively spyware in almost every app. And the kicker is that they primarily get you with push notifications to android and then suck you in to iOS notifications and then the rest. Try doing push notifications on android without it. It isn’t fun and batteries suffer almost always.
An excellent series would be: how to be on mobile without Google firebase spyware.
First.cs
You've got a compile error in there 🔍🔍🔍
There is no such thing as 'JWT Authentication'
How so?
Because it's called OpenID Connect. For years.
Or, if you're using a specific Firebase SDK, it's Firebase authentication (or Google Identity Platform Authentication). Custom proprietary API.
There is no such thing as 'JWT Authentication'. Show me the specs...
@@geertdoornbos Correctness aside, how many people will know what I'm talking about if I write:
- OpenID Connect
- JWT Auth
What should matter is if I'm sharing something valuable or not in the video. Titles are there to attract attention.
@@MilanJovanovicTech Hey man, why are you always so defensive when it comes to feedback? I often see you justifying yourself for the reactions of others. Lose the arrogance and you'll be a much nicer person.
@@geertdoornbos Where was I arrogant, exactly?
I'm trying to nicely explain that we're looking at things from different perspectives.
Ever thought you're the arrogant one?
Since you can't seem to fathom my POV.
Thank you
You're welcome!
👋