The first time in a long time I needed a refresher on this and this is the first recommended video, posted only 17 minutes ago. What sorcery is this, Nick?
I’m behind you
(⊙ˍ⊙)
It's called the YouTube algorithm *smirk*
@@nickchapsas Do you have a course on SQL for EF Core developers?
That's called a kind of P-hacking.
You internally calculate "wow how low was the chance, that this specific channel releases a video about this topic now"
But in reality you have many channels and probably many queries/demands. The chance that one of them is fulfilled by one of them is much higher.
Great video! I would suggest to people who are new to JWT to first learn the fundamentals of OpenID Connect and authorization methods like "Authorization Code Flow" or "Resource Owner Password Grant Flow". Once you understand the flow you will get that Cognito, IdentityServer4 or any other providers are just wrappers around this protocol.
I wouldn't recommend IdentityServer4 since it's no longer maintained. Instead use Duende IdentityServer (commercial) or OpenIddict.
ROPC flow is obsolete and it should not be used unless your api and STS are on the same server
We're using Keycloak for both Java and .NET apps
I think you should comment that once you start using the AWS Cognito service, you don't need the "token generator API" anymore. In my experience, most developers' brains short-circuit when they try to understand OIDC and some may think they still need the API even after they start using Cognito because they don't understand how it works.
Changing the first letter "e" is not a good test for whether the JWT is working, because the "e" is the base64 character for the open brace "{" of the JSON. That's why all JWTs start with an "e". It could be failing because it's not a valid JSON fragment.
They all start with "ey". It's like the Matrix, you start to see the code and recognize it if you look long enough.
I don't think the author knows the details.
You can always decode a base64 string. Nothing is secret about that. The point of changing the content of the token payload was to show that as soon as the payload is changed, the token is invalid because the content no longer matches the signature verification.
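An added example (my own, not code from the video or the commenters) that makes both points in this thread concrete: the header and payload both begin with `{"`, which base64url-encodes to `ey`, and any edit to the payload, including the video's "change the first letter" experiment, fails the HMAC check before the JSON is ever parsed. The signing key is a constructed sample.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample key for the demo; a real deployment keeps the key
# in a secret store and never hard-codes it.
SAMPLE_KEY = b"constructed-sample-key-do-not-reuse"


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-add the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_hs256(claims: dict, key: bytes) -> str:
    """Build header.payload.signature; both JSON parts start with '{"',
    which base64url-encodes to 'ey', hence every JWT starts with 'ey'."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes):
    """Return the claims if the signature checks out, otherwise None.

    The algorithm is pinned: the token's own header is not allowed to
    pick it, and the signature is checked before the payload is parsed.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        presented = b64url_decode(sig_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):
        return None  # any change to header or payload lands here
    try:
        return json.loads(b64url_decode(payload_b64))
    except ValueError:
        return None


def tamper_first_char(token: str) -> str:
    """The video's experiment: swap the payload's leading 'e' for another
    valid base64url character, so only the signature check can catch it."""
    head, payload, sig = token.split(".")
    payload = ("x" if payload[0] == "e" else "e") + payload[1:]
    return f"{head}.{payload}.{sig}"
```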
The modern way to create JWTs is using the new `JsonWebTokenHandler` class, not the older & slower `JwtSecurityTokenHandler` class.
You are right. I used my old codebase for this video instead of the new one that used the WebToken one 🤦
2:30 "It's a piece of string!" 😄 love it
It would be awesome if you could show how to support multiple authentication methods, like an API key together with JWT tokens. How do we correctly authorize endpoints and set up the auth?
Wish to see more on this topic. I started off by rolling my own ID server using OpenIddict; it was quite a rough start first time learning the whole OpenID process 😅. A video on rolling your own ID server would be nice, even better if it's using OpenIddict. Still waiting for more videos on event sourcing too, I only see one on your channel, perhaps those are locked behind Patreon?
It's a good starting video on using an external IdP, but don't forget that what's shown here is the bare minimum. Also, notice that Nick is using a stand-alone UI (i.e. Postman or similar) to exchange the returned auth code for a set of tokens that's stored locally (Redis is a great option for these types of short-lived data); you'll need to build the exchange mechanism yourself, which is a fun little task.
A word of caution: security is not something you should take lightly, especially in a public-facing environment, and you should never attempt to implement encryption algorithms unless you're one of the very few experts in the industry who work professionally on this topic.
so pro-apprentices like me probably still better use Auth0?
@@aracon9721 not only you, but almost everyone, except if you work in that Cognito team. as I've heard - never write your own logging and auth.
Funny thing is that I made the exact same implementation with Keycloak yesterday for the first time.
Thanks, couple questions tho:
How should I sync the users to my db with external id providers?
Should I store roles, permission in my db or in the external provider?
And also, shouldn't the client secret be secret? I shouldn't use it in a SPA, right?
It would be pretty interesting to see how you can secure a Blazor app with JWT.
Same way as the API example in the video. The authorization feature for a Blazor component is decoupled from the authorization method. For example, for a product I made a Blazor app authorizing users with OpenID through Azure AD, but the components themselves have no idea HOW the user is authorized. They just allow access IF the user is authenticated and - in some cases - is authorized with certain roles. In this case the OpenID could easily be replaced with a simple login using JWT without changing anything in the Blazor components.
Great video! I would like to hear more about the other option you mentioned in your video. Server-side applications with confidential clients
I much prefer jwt.ms over Auth0's decoder. Much simpler page and also decodes the iat and exp values etc.
This couldn't have come at a better time.
@nickchapsas Great refresher. I find it difficult to find a resource that outlines at length the ins and outs of security (providers, users, flows, scopes, policies, federation). As part of the courses offered on Dometrain, do you have a plan to do a comprehensive course on the subject?
I'd like to see something similar also showcasing the approach via Azure (if possible, not sure). And maybe also with a more restrictive configuration (if possible of course), like enabling Google or Facebook login, where you can customize which Google emails can register, restricted to a specific domain. Or for the Facebook side, enabling registration for specific users (of course, if possible).
Otherwise, again a nice lecture, I enjoy your videos, keep it up 👍
It’s called B2C in Azure and free up to 50K users
Have you ever considered or compared this to something open source and self-hosted like Keycloak? I've used it in a couple of projects and it has pretty much all you've showcased, but it's a bit more quirky.
Keycloak follows the oidc/oauth2 protocol and comes with lots of identity providers, user management and roles. It's a complete solution compared to this example which just creates a JWT token from hardcoded values.
What about roles check during API call?
Hey Nick, can you make a video about which is the nicest butter?
Let's demand a #buttercop series in which Nick takes a look at terrible butter advice posted on LinkedIn and signs off with "But now I want to know about you.... which butter do YOU think is the nicest butter? Are you using butter in your applications? Or a healthy low-fat substitute?"
These Boots Have Seen Everything
Nick which SO do you use?
It would be awesome if you could make a video about how to implement a refresh token mechanism in my API project.
My API issues a JWT with a refresh token, but when the browser makes multiple requests in parallel, sometimes they fail because the first one refreshes the JWT, while the others fail because the refresh token has already been used. It would be nice to see how you'd solve this problem.
Maybe implement a retry mechanism on the frontend?
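An added example (my own, not the video's or the commenter's code) of one server-side way to handle the race described above: refresh-token rotation with reuse detection plus a short grace window, so parallel callers presenting the same token all receive the same new pair, while a replay outside the window is treated as a leaked token and the whole family is revoked. `GRACE_SECONDS`, the in-memory store and the access-token stand-in are assumptions for the demo.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

# Assumption: how long a just-rotated refresh token is still honoured so
# that parallel requests racing on the same token all succeed.
GRACE_SECONDS = 10


@dataclass
class RefreshRecord:
    family: str                         # every token descended from one login
    subject: str
    rotated_at: Optional[float] = None  # when this token was exchanged
    successor: Optional[str] = None     # refresh token issued in that exchange


class RefreshTokenStore:
    """Server-side rotation with reuse detection (the in-memory dict stands
    in for a database or Redis)."""

    def __init__(self, now: Callable[[], float] = time.time):
        self._now = now
        self._tokens: Dict[str, RefreshRecord] = {}
        self._revoked_families: Set[str] = set()
        self.rotations = 0  # real rotations performed, for the checks below

    def issue_on_login(self, subject: str) -> str:
        token = secrets.token_urlsafe(32)
        self._tokens[token] = RefreshRecord(secrets.token_hex(8), subject)
        return token

    def exchange(self, presented: str) -> Optional[Tuple[str, str]]:
        """Return (access_token, refresh_token), or None to reject."""
        rec = self._tokens.get(presented)
        if rec is None or rec.family in self._revoked_families:
            return None
        now = self._now()
        if rec.rotated_at is not None:
            # Already exchanged once. Inside the grace window this is the
            # benign parallel-request race: hand back the same successor so
            # every caller ends up holding the single live token.
            if now - rec.rotated_at <= GRACE_SECONDS and rec.successor:
                return self._mint_access(rec.subject), rec.successor
            # Outside it a replay means the token leaked: revoke the whole
            # family, which also kills the successor a thief may hold.
            self._revoked_families.add(rec.family)
            return None
        successor = secrets.token_urlsafe(32)
        self._tokens[successor] = RefreshRecord(rec.family, rec.subject)
        rec.rotated_at, rec.successor = now, successor
        self.rotations += 1
        return self._mint_access(rec.subject), successor

    @staticmethod
    def _mint_access(subject: str) -> str:
        # Stand-in for the real access-token (JWT) minting step.
        return f"constructed-access-token-for-{subject}"
```

The grace window is a trade-off: a stolen token replayed within it also obtains the successor, so keep it to a few seconds and rely on the family revocation for anything later.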
What about the user in DB?
Manage additional data ?
That you don't want exposed in the JWT
How will you merge the auth flow with real application needs like the current user in a request context
Gather additional info from db and so on
In best practice from your perspective
Nice video! Could you show us S2S auth process?
When I see you doing it, it seems graspable.
Why does everyone else claim that authentication and authorization are the holy grail of programming? Concepts so difficult to grasp that you need a doctorate degree!?
It's poorly documented in certain areas, and I've found most of the answers digging through stack overflow. Concepts aren't that difficult, but implementation in .NET can be a she-dog...
I never saw anybody saying it is "the holy grail of programming", but it is a difficult problem, yeah.
Because the hard work is being done for us by people that know a lot more about it than we do. It's effectively lego-by-design specifically because it's so hard to get right.
JWT can also be used in simple ASP.NET Core web apps (no APIs), right? Thanks.
Does .dometrain have any support? What is the problem with the video player?
Can you show an example of this using Active Directory?
Cool. Could you show us how this would work with the Microsoft Identity tables in SQL?
Ok, this bg3 reference got u one more like. Are you happy now???
What an absolute banger of a game
Is there a way to add users to the cognito service (rather than users having to enrol)?
Yes. (If I understood your question correctly). Login to your AWS, find Cognito Service, create your UserPool and in the tab "Users" you can do just that.
Any chance of making a video for integration with MS Entra SSO?
A really clear and concise explanation, as usual! It would be good to see something similar but utilising Entra Id rather than AWS Cognito.
"Trust me" Famous last words :) But in all seriousness, could you use something like this to authenticate your application? Basically making it not possible for anyone outside of your hosted domain to request data from the API?
CORS is better suited for that. You can set it up a policy on your server to say “If a request comes from anywhere other than a specific URL, reject it”, and then give it the URL of your client application so that only requests from your client application are let through.
@@DisturbedNeo From what I understand about CORS, it cannot be used to authenticate your application. CORS is only relevant within a browser's JavaScript: the browser reads the CORS headers from the response and raises the error if the URL doesn't match the one in your address bar. Anyone can still make a request and get a response with curl or any other API tool.
@@DisturbedNeo CORS has nothing to do with the server side.
What do you mean "Production Ready"? I already implemented JWT to PROD using knowledge from your previous video about JWT!
o_0
Maybe production ready isn't a good term for this. I wanted to say that we're integrating an independent identity service which is what most modern production apps are using. Maybe "Modern" is better
definitely make a video for service/machine/server authentication. duh! uh, i mean please :)
Not sure if I am the only one or not, but kindly take your time when talking; you seem to be extremely fast when talking. You are educating us.
I'm really wondering why you repeatedly confuse classes and functions, e.g. at 3:16 and also in other videos.
Hi Nick, could you make a video about the Ocelot API gateway with Scalar.AspNetCore?
I'd suggest using YARP instead..
@@VanDameDev Can YARP be integrated with Scalar for centralized API docs?
@@sachinmaharjan6398 If you do include scalar in the ApiGateway(YARP) project, I don't see why not..
I don’t know what other people feel about your way of speaking but I feel tired after listening you for 5 minutes. In my opinion quality doesn’t mean 100 words per minute. In the past your explanations were more human than now. Hope you understand my feedback.
Who else felt odd when Nick wrote just 60?
Don't think when making an advert video he could do 69.
Azure AD (Entra) B2C is way better than Cognito
".NET does not have native JWT integration, so you have to install a Nuget package..." is said like it is a negative thing, but it is a positive one. Why would the core library have support for a specific auth mechanism, of the hundreds that have come and gone?
It’s not said as a negative thing. It’s said as an observation
Also the package is still from Microsoft themselves, thus you don't have to rely on some 3rd party library.
My gosh, you use so many words to convey so little information.
You’re not explaining what anything means, you’re effectively showing how to copy paste your code
There are 500000 videos explaining JWT including mine. Watch those. I just wanna show the implementation
You're missing the point of the video if you're expecting a dive in to how JWT works
@@nickchapsas I would explain what's MetadataAddress, this has a key role I think in this approach
too fast man!!!
var key="sdfafas"u8; just to learn this notation was worth watching the video 🙂