.NET 8 Authentication with Identity in a Web API with Bearer Tokens & Cookies 🔒
HTML-код
- Опубликовано: 28 май 2024
- 🚀 Join the .NET Web Academy: learn.dotnetwebacademy.com
💖 Support me on Patreon for exclusive source code access: / _patrickgod
🚀 Get the .NET 8 Web Dev Jump-Start Course for FREE: dotnet8.patrickgod.com
🐦 Let's get social on Twitter/X: / _patrickgod
🔗 Let's connect on LinkedIn: / patrickgod
Table of Contents:
00:00 .NET 8 Authentication with Identity in a Web API 🔒
01:05 Official Announcement
02:14 Create a Web API Project
03:08 Add an Entity Framework DataContext
06:12 Register the IdentityDbContext
10:18 Add Authentication with Identity
12:04 Add & run code-first migrations
14:35 Run the App
16:34 Configure Swagger to test the Authentication
18:06 Test the Authentication with Swagger
18:58 What about Cookie Authentication?
#DotNet #Identity #WebAPI
May, the fourth.. anybody? 🌌
sir please make a video for External Authentication with Yahoo in Asp net core
If everyone had the kind heart and the passion that Patrick has for teaching and .NET, the world surely would be a better place. Thanks as always, man!
Hey João, thank you so much for your kind words! I'm really touched to hear that you appreciate the passion and effort I put into my tutorials. My ultimate goal is to make learning .NET and Blazor as accessible and enjoyable as possible. Knowing that I've made a positive impact on your learning journey means the world to me. Stay tuned for more content, and if you ever have any questions or topics you'd like me to cover, feel free to reach out. Happy coding! 🚀💻
Thanks, man! Very much appreciate your work!
Tried implementing this from an article I saw a while back and it didn't work, glad this came out!
Great video! Would be great if you could add the following as well:
1. Authorization roles, policies, etc
2. Extending the existing feature set provided, like login/register/2fa and adding some own logic as well
3. Creating and using our own UserEntity class instead of IdentityUser.
4. Integrating it with Blazor 8 using the best practices
Thanks!
Yes. It would be great to see the same token/cookie working with other API's and a Blazor client (kind of a SSO).
Yes that that would be grat. Also how to use Authentication and Authorization in a seperate service (API) and connect it to the front end and also other services (APIs).
Halo, do you find a way using roles with this method, and is it possible at all???
You are so chilled man
Brilliant videos
Hey Patrick. Thank you for everything you do and for being a cornerstone in the .NET community.
Hey Jeffrey, thank you so much for the kind words! I'm humbled to hear that you consider me a cornerstone in the .NET community. My mission has always been to help others learn and grow in the field, and knowing that I've made a positive impact is incredibly rewarding. If you have any topics you're curious about or suggestions for future tutorials, please don't hesitate to share. Your feedback is invaluable. Thanks again for your support, and happy coding! 🚀💻
This is the absolute first anything I have ever subscribed to on RUclips. This is perfect.
Thank you so much!! Really appreciate it! 😄
Thank you for this instructive video. It's really nice how it's so simple now. I would really love a followup video explaining logging with google/MS/Apple or the two way authentification.
Super clean and clear tutorial! love it!
I was waiting for this video!
This is brilliant!
It covers so many types of authentication in such a short video & it's easy to follow along with.
Granted that it doesn't quite go in-depth with how the authentication types work properly but it shows how to implement it all, step by step, without any issues!
Thanks for sharing this & keep doing what you do. You're helping so many developers/engineers, myself included 😁
so my project runs on Identity 2.2.0 (deprecated)
I migrated my project from .NET 6 to .NET 8
but still my code runs on the deprecated package.
it feels scary to update it!
I planning to add refresh token with my existing JWT
how should I go about it ?
Thanks Patrick for this wonderful tutorial.
Thank you man, really appreciate your work!
Awesome and informative as always!! 💯❤
Excellent video, as usual!!! Thank you.
Sooooooo Much Love from Pakistan
you are really great teacher for me!😀😊
Very useful guide, thank you!
Thank you , Amazing video!
When took some NZT pills and decided to become a developer :) Thanks a lot, Patrick!
Thank you Very much for this amazing video
Amazing, Microsoft did a great job with this feature in .Net 8, thanks Patrick for this introduction!!!
Glad it was helpful!
You are the best. Thank you!
Timely. Thanks!
You're welcome!
Great tutorial!! Thx
That's cool. Nice feature.
Thank you.
It’s great, what You are showing here. Could You prepare tutorial how to use new authorisation in Blazor WebAssembly, please?
I am watching your tutorial when our baby also sleep:)
please continue this tutorial make a part 2, to integrate it into a spa :D:D
Thank You! Great, simple, eficient. It would be nice if we could see something like a SSO with other API's and/or a Blazor client. 🙏
I wasted half a day because I added the wrong library. Be careful when adding libraries!!!
Thank you bro
Awesome video it's very useful!!!
That was amazing although faced few issues like separate DAL and lib version 7.0.11 . But I am able to achieve this with dotnet 8 and Postgress db Thanks
Hi Patrick, thanks so much for the video. I just have a quick question, with these new security controllers, is there a way for us to be able to override the default logic? E.g. if I wanted a bespoke /register controller
Thank you. I hope you will make Role-based authorization for .net 8 in a web API
Is there a way to use the new Identity Endpoints without EF? Eg. if I'm already using Dapper for db communication?
Are there any examples of this that don't use EF? Some objects templates with something like Dapper?
Can you please elaborate refresh token concept also. Once access token expires, how to implement refresh token thing?
Really nice tutorial thanks ! So does that mean that the client doesn't need to handle tokens anymore if everything is handled in the api with the cookie/session method ?
Anyway, keep up the good work !
Great Tutorial!
Would love to see social login next.
Dumb question, how do you log out again with a httpOnly cookie?
A question, i have implemented it in my API project, but (i'm using controllesr too) i can't find the controller relative to the auth functions, or i have to create a service that inherits from the identity one ?
But how does the auth work across separate microservices? That would be good to know.
Would you consider doing a video on implementing custom OAuth identity providers in Blazor WASM Hosted, similar to your Google OAuth video, but for non-standard OAuth providers, such as Discord, Battlenet, Github, etc.
Great video, thanks Patrick. There seems to be one missing piece of the puzzle though. This is great from Swagger, but - when you need to send the cookie (as Bearer), then how is it possible to grab the aspnet cookie - from Wasm especially - to be able to pass it? I can't find anyway from Wasm to be able to grab the cookie (apart from AFTER rendered, via JsInterop which is too late - unless i'm missing something)
Hi Patrick!
This is pretty new to me as I am used to making my own code that does those functions.
How do you configure the Register controller?
For example lets say I want to also execute some other code when registration happens, or change the password requirements. How can I do that?
Hello Patrick,
I'm a huge fan of your videos. I've bought a course on udemy too. In this case the video is nice and helpful too. But it would be good to let people know that using duende identity api's can be a license thema. So if you develop an open source application you've to inform everyone that if you use that application in a commercial context, depending on the size of your comopany you've to pay license fees to duende!
I would be very thankful, If you can make a video about Authentication and Authorization without Duendes Identity API's in .NET8.
Wish you all the best and thanks for your videos!
If i need add custom identity data like AplicationUser i need yo use a custom endpoint? Or there’s a way to do it on the built in endpoint!?
A video about setting up 2FA would be great
Thats nice, but how about when you need to use it in a real world situation with old user database and information? i need to make custom sql query requests to fetch a custom user object that i then need to access from my controllers? i can't just use identity database because my user database is used systems coded 15 years ago
can we configure it to use phone and otp for login instead of email/password?
I came across your informative video on integrating an ASPNET Core API and found it really helpful. I'm in the process of implementing this in a .NET MAUI application. However, I'm facing some challenges in fetching data from the database tables created by the API within the .NET MAUI app. Could you provide additional guidance or resources on how to make API calls and handle data retrieval specifically in a .NET MAUI context? Your insights would be greatly appreciated!
Hi, will this work in blazor 8, be great to see more info on how to implement auth in blazor web app. compared to blazor server and wasm. :)
Do you have a video of how to customize the /register controller generated by NetCore Identity?
What about m2m and reference tokens? Also what about protecting api resources and using introspection to authenticate tokens? Also what about scopes
Hey Patrick thank you so much for great explanation of Authentication Flow with Identity in .NET 8 Web Api !! 👌Can you please explain or make a tutorial with MongoDb version of this one and/or the key points of implementation of MongoDb?
What id colors setup do you use?
I've learned more in a couple minutes than I did in a full semester. Now, what if I want to generate api key in case I want to give other people access to some data without the need of an account?
This video save my job! Thanks! hahahahaha
Hi, @PatrickGod
First, great video! Thanks for that.
You told that token isn't a JWT. For professional applications, the mode showed in the video is safe?
PS: Sorry for the english. I'm from Brazil, and I'm trying to write without Google Translator to learn.
Same question
Hey is the refresh token working by itself too and refreshes the bearer automatically if it is expired ?
Did I miss something where we are setting IssuerSigningKey?
Great video Patrick. However, I must ask what was the improvement that has been made compared to previous version of dotnet? It'd have been nice if you quickly showed the previous way of doing Auth in dotnet. Great video bdw.
Hey! Here's the video with JWTs in .NET 7. Hope this helps: ruclips.net/video/UwruwHl3BlU/видео.htmlsi=v4pXBo-AIGl1tVuf
Hi, Does anyone have a hint how to limit options from this new identity for example to to delete two factors methods endpoint?
Hi great tutorial, I followed all the steps but after launching the API I didn't get endpoint like register , login etc. I only have default weatherforcast. Is there anything else I have to do to get other authentication end points.
Thanks
Is it possible to disable some of those "out of the box" controllers? 2fa for example..
Question, the section on cookies. Is the cookie stored on the server after valid email/password??? I don't see it in the response
I made the settings for Swagger like as you did, but it doesn't send the authorization header. And it only works with Postman. And I would like to ask you a tutorial about role-based authentication.
Hi, thank you for your great tutorials.
It would be great if you could say how should we customize the register and login APIs.
For example, what if I want my user to register with {username, email, password} instead of just {email, password}
Need some guidance. If I want to use Identity in this way but instead of a password, use a one-time code instead, how could I achieve this, would appreciate any tips.
Could you make a tutorial on how to implement this API in a website with a login/register form please. Thanks
so my project runs on Identity 2.2.0 (deprecated)
I migrated my project from .NET 6 to .NET 8
but still my code runs on the deprecated package.
it feels scary to update it!
I planning to add refresh token with my existing JWT
how should I go about it ?
Hi Patrick! I can't figure out how to change the time the token expires from 3600 to something like 30 days. I tried even to ask Copilot but it gives me wrong source code to change it. I even told it that I am using .NET 8. If you could give me a hint how to do it in .NET 8 it be great.
Super tutorial. One question: how can we set the expiresIn value to something besides 3600?
Got it. For anyone else struggling:
builder.Services.ConfigureAll(option =>
{
option.BearerTokenExpiration = TimeSpan.FromDays(1);
});
I cant believe there's no official template with this or even an official documentation. Thanks.
I have to watch the video with sound, but how do I add JWT functions to this app?
Hi Patrick, is it possible to invalidate bearer tokens created with this method? I am trying to create a logout endpoint for my app but I can't find a way to do this.
When should I use Bearer Tokens instead of JWT?
Hi Patrick, nice Video. i have a ask to make. How i change the things, like, the proprieties of register, like. to have a name and more?
awesome.
So, all of those APIs are ... just part of the packages and no code required?
how easy is to configure claims?
thank you for this wonderful tutorial. I am however having issues replicating it fully. Everything works except authorization. I login and receive token. I use the token to authorize the swagger. But when I try to execute the weatherforcast endpoint, I receive the 401 response "Unauthorized" response. I have tried replicating your tutorial twice with different new projects and the result is the same. Please advise. Thanks
How do you scaffold identity API Endpoints
Hmn, I don't want the generating authentication register/login. I have the table User in my database, how to use it for authentication?
Hi, can you add these codes to git and provide the link in the description.
Hi Patrick,
New subscriber here. May I ask, how to do this using google or microsoft authentication?
You did not install anything to use IdentityDBContext. Is it a built in thing?
what if i want to make role for every user like ( ... Admin , User , SuperAdmin )
Why don't i have an authorization controller? There are no routs such as login, register, etc.
I am getting this error no matter what I do: A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.) // why?
So i have no access to those methods from the code?
How to add Roles, Claims etc? o_0
looking for Windows Auth without entityFramework. pls help!
Logout - method is missing there!
but now how i disable identity register route?
Please think about posting the code for practice by the viewers
What is the content of the cookie ? Does it store some session in database ? Its not jwt, what is it ?
it is in the Application memory.
How do you change the time the token expiresIn, it is 3600 by default. Also can you add roles using this method?
Asking after 3 months, do you find a way using roles with this method, and is it possible at all???
how to seeding data with IdentityDbContext ?
how can i change expiration time of bearer token? it created 3600 secs by default
.AddIdentityCookies(options =>
{
options.ApplicationCookie.Configure(options =>
{
options.ExpireTimeSpan = TimeSpan.FromMinutes(60);
});
});
Why wasm? My app have 40mb size... (((