Looking for the tutorial to get started with Duende IdentityServer? We have a playlist of new videos that can help: bit.ly/3pRCNml
One single word to define this tutorial: fantastic! Thanks for your great job; it helped me a lot in understanding the IdentityServer.
Hi Marcos, Thank you for your kind words, we are trying our best to make it as easy as possible.
You showed almost all possible ways to use identity server in one 30 min video. Thanks! :D
Great tutorial. This will be the reference video for my team to learn about IdentityServer. Well done...
Thanks for this great tutorial! One of the best on Identity server!
Hi Jan! Thank you so much for the kind words! We wish you a happy new year!
One of the best tutorial. Simple explanation. Thanks so much for making them.
You're very welcome! Please feel free to check out our other videos :)
This is the best explanation I could find on how the actual "magic" is working. Deserves a like.
Thank you! - Don't worry there is still lots of magic left to learn :)
On Windows using Curl is a bit different. Use double quotes and remove the space between -X and POST. For example the command at 09:29 is:
curl -XPOST "localhost:5443/connect/token" -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d "client_id=m2m.client&scope=weatherapi.read&client_secret=SuperSecretPassword&grant_type=client_credentials"
Better use Postman... great tool!
Thank you! This is the best IdentityServer tutorial
Hi Claudiu! Thank you for the kind words!
It's really helping me to figure out how these things work. Thank you for your great work
Thanks Ivan! We try our best - we have a Duende IdentityServer tutorial coming soon. :)
This video is very helpful. Thank you Kevin. I have been looking for a video on step by step implementation of IS4 and finally found one. Thank you so much
Thanks a lot from Moscow!
Best explanation I got about IdentityServer4. Thanks.......
Hi Marco, Glad we could help!
Better than MS documentation, thanks for making this!
You're very welcome!
Thank you so much, this helped me a lot !!! I have no knowledge of C# and I was able to build this from zero just watching the video and using the git code. Literally, this video is for everyone. THANK YOU SO MUCH!
Hi Xarope, Your comment has brought a big smile to our faces! Thank you very much for your kind words. :)
Honestly, your tutorials are straightforward, clean and cover every aspect; one of the best dev tutorials I've ever watched.
Quick question otherwise: is there a grant for exchanging an external provider's tokens for IS4 tokens?
Thank you again :)
We recommend checking out token exchange. This would allow you to swap access tokens from a trusted 3rd party for ones issued by IdentityServer.
Links:
- Standard: tools.ietf.org/html/rfc8693
- Write-up: www.scottbrady91.com/OAuth/Delegation-Patterns-for-OAuth-20
@ScottBrady91 thanks a lot, I will take a look at the articles. Meanwhile, I would like to know your opinion, if possible, about this implementation I just found:
github.com/waqaskhan540/identityserver-token-exchange
Great, clean and clear.
This is a great tutorial - however I think that the 'bug' mentioned at ~13:35 where you have to use authentication before authorization makes sense - it seems impossible to authorize someone before you can confirm who they are.
Very clear and simple tutorial, thanks
Glad it was helpful!
Thank for sharing. Great tutorial.
LOVEEEE
I can't understand what is said at 00:02:17 - how did you make the solution?
Thank you sir!! Great tutorial.
Hi Deepak, I am glad you found it helpful! Please feel free to check out our other videos!
Cool man.
Question, is the consent page always necessary or can you just have a login username/password?
Loved it... You have made it so easy
Thanks a lot 😊
This part is very confusing. The WeatherMVC client and WeatherAPI client are 2 different applications.
Why should the WeatherMVC client know the secret key of the WeatherAPI client in its configuration file? (20:13)
Thank you for this great tutorial! One of the best around I would say.
Two questions from me:
1. @22:53, Line#44
Does it mean, each time the client queries for weather data, it will also hit identityserver for a token?
2. @27:47, Line#11
Is it safe to keep this secret in client side?
1. That's correct. You would need to implement a caching layer around this service in order to re-use the access token.
2. The client application has to know the (plaintext) client secret to perform the code exchange. Some alternatives to storing it in local config would be to use a secure storage area, such as Azure Key Vault, or remove shared secrets completely by using one of the other client authentication types: www.scottbrady91.com/OAuth/Removing-Shared-Secrets-for-OAuth-Client-Authentication
Hope that helps!
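An added example of the caching layer the reply describes (not code from the video or its GitHub repo): a token service for the WeatherMVC client that only calls IdentityServer's /connect/token when no unexpired token is cached. The class name, the https://localhost:5443 endpoint address and the 30-second refresh margin are assumptions; the client id, secret and scope are the ones from the thread's curl command.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;

// Added example (not the tutorial's code): caches the client-credentials token so the client
// only calls /connect/token when no unexpired token is cached. Class name, constructor and the
// 30-second refresh margin are assumptions; client id, secret and scope are the thread's values.
public sealed class CachedTokenService
{
    private static readonly TimeSpan RefreshMargin = TimeSpan.FromSeconds(30);
    private readonly HttpClient _http;
    private readonly string _tokenEndpoint, _clientId, _clientSecret, _scope;
    private readonly SemaphoreSlim _refreshLock = new SemaphoreSlim(1, 1);
    private string _cachedToken;
    private DateTimeOffset _refreshAfter = DateTimeOffset.MinValue;

    public CachedTokenService(HttpClient http, string tokenEndpoint,
                              string clientId, string clientSecret, string scope)
    {
        _http = http; _tokenEndpoint = tokenEndpoint;
        _clientId = clientId; _clientSecret = clientSecret; _scope = scope;
    }

    // Returns the cached token, or requests a new one when it is missing or about to expire.
    public async Task<string> GetAccessTokenAsync(CancellationToken ct = default)
    {
        if (IsFresh()) return _cachedToken;            // fast path: no call to IdentityServer
        await _refreshLock.WaitAsync(ct);               // only one refresh in flight at a time
        try
        {
            if (IsFresh()) return _cachedToken;        // another caller refreshed while we waited
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials",
                ["client_id"] = _clientId,
                ["client_secret"] = _clientSecret,      // load from a secure store in real apps
                ["scope"] = _scope,
            });
            using var response = await _http.PostAsync(_tokenEndpoint, form, ct);
            response.EnsureSuccessStatusCode();        // 400 here usually means bad id/secret/scope
            using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
            var root = json.RootElement;
            _cachedToken = root.GetProperty("access_token").GetString();
            var lifetime = TimeSpan.FromSeconds(root.GetProperty("expires_in").GetInt32());
            // Refresh early so a token is never handed to the API with only seconds of life left.
            _refreshAfter = DateTimeOffset.UtcNow + lifetime - RefreshMargin;
            return _cachedToken;
        }
        finally { _refreshLock.Release(); }
    }

    private bool IsFresh() => _cachedToken != null && DateTimeOffset.UtcNow < _refreshAfter;
}

// Register once per app so the cache is shared, e.g. in Startup.ConfigureServices:
// services.AddSingleton(sp => new CachedTokenService(new HttpClient(),
//     "https://localhost:5443/connect/token", "m2m.client",
//     Configuration["ClientSecret"], "weatherapi.read"));
```

Registering the service as a singleton is what makes the cache shared across requests; a transient registration would request a fresh token on every weather call, which is exactly the behaviour the question describes.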
Could you help me? I tried to send the request in the command line but it doesn't work -
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d 'client_id=m2m.client&scope=weatherapi.read&client_secret=SuperSecretPassword&grant_type=client_credentials' "localhost:5000/connect/token"
but it didn't work. I got an error and it says - "Unable to convert "Content-Type: application/x-www-form-urlencoded" type "System.string" to "System.Collection.IDictionary" type. How can I fix it? Sorry for my English.
Great tutorial. Could you create a tutorial for a React project template? Most of the examples on the internet are MVC for some reason.
Hi Joe, Thank you for the feedback! We didn't have any plans to create a tutorial for react. However, I have added it to our video backlog, to be discussed with the team. Thanks again!
Hi, I don't see a refresh_token when it triggers the connect/token endpoint. How can we retrieve it?
@ 10:54 starts writing a protected API
@ 15:29 How to access the API from a Web App using the token
Still hard to understand all of the setup, but it seems to provide a clear first look at it. Thanks anyway!
Hi Dang, If you have any suggestions on areas we can improve on, please let us know!
Hi man, thanks for the tutorial. How do we refresh the token here?
Is it possible to add multiple auth providers so the user can choose a different login method?
Hi Sameplayer, Yes you can customise IdentityServer to enable different auth providers. For example, employees use their AD credentials to log in.
If you were to create a simple production-ready system (web API and mobile app as frontend), would you go with IdentityServer, or would you skip this and use a simple solution like the ASP.NET Core Identity library within the web API?
Good tutorial anyways:)
Without fully understanding what you are trying to build, its complexities, its deployment location and how you plan to scale your solution, we wouldn't be able to give you the best advice for your solution. A core philosophy we like to follow is that a simple secure solution is often better.
Hi, thank you for this, but I can't get the .well-known/openid-configuration page to work; I get a "this page is inaccessible" error. And when I tried to add the authorization, I still get access to the endpoints. Does anyone know how to fix this?
Hi, can you make a video that, instead of using TestUsers, uses IdentityUser from LocalDb? Thanks
Thanks for this great tutorial. I am having a problem I was hoping I could get some assistance with. After following your steps on setting up the IdentityServer and in-memory resources, I try running the curl command from VSCode's PowerShell terminal but I get an error every time. (I found the comment where you gave the command and I used that but changed the port it's run on to 5001, and it is running on https.) Any tips or help would be greatly appreciated.
Invoke-WebRequest : Cannot bind parameter 'Headers'. Cannot convert the "Content-Type: application/x-www-form-urlencoded" value of type "System.String" to type "System.Collections.IDictionary".
At line:1 char:17
+ ... -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cac ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Invoke-WebRequest], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
How to use a refresh token here?? Please
How to add Role, UserClaim, RoleClaim to the generated token?
Hi Guedri, I see that you have opened a support ticket with us. I will be providing you with more information that way. - Cheers Kieran
What.... A white background?
Madness, I know! - I prefer Kimbie Dark, what about you?
@identityserver Yeah :) Dark = Programmer. Btw, how are people still using IdentityServer? Isn't Google Firebase Auth 100% free now?
@identityserver OK, I found out why myself... Firebase has many issues... plus they also can't do the ClientCredentials grant flow... so it's pretty useless
@addtyu6176 I'm glad you managed to find out what was best! We haven't used Firebase before, so can't provide recommendations on its usage.
Can this be done with Visual Studio?
Yes, it can. Just tried it.
Does anybody know how to authenticate a Node.js service with this identity server?
Can you also share a source code where we can follow the tutorial?
Hi Gama, Here is the link to the source code: github.com/kevinrjones/SettingUpIdentityServer
Great tutorial. How can we get an access_token using the user credentials (username, password)? I see the 'password' grant type is not recommended, so what are the options?
Hi! The only way to swap user credentials for an access token via an API call would be to use the ROPC flow (the password grant type). It's a much better idea to use a user interactive flow, such as the authorization code flow. www.scottbrady91.com/OAuth/Why-the-Resource-Owner-Password-Credentials-Grant-Type-is-not-Authentication-nor-Suitable-for-Modern-Applications
can you please give us that curl request?
Hi Jeferson, here is the curl request: $ curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d 'client_id=m2m.client&scope=weatherapi.read&client_secret=SuperSecretPassword&grant_type=client_credentials' "localhost:5443/connect/token"
@identityserver Hello! Thanks for this video. The pace is great. I tried the above command, and I get back: "curl: (60) SSL certificate problem: unable to get local issuer certificate
More details here: curl.haxx.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above."
Any thoughts?
I managed to get this to work in Postman, where in Settings it has a disable SSL option. But using curl I didn't know how to fix it.
As for the workaround in Postman, what is a better way to go about the certificate error? Suppose you are in a production environment.
@anydobre1796 Add the --insecure arg to your request: $ curl --insecure -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d 'client_id=m2m.client&scope=weatherapi.read&client_secret=SuperSecretPassword&grant_type=client_credentials' "localhost:5443/connect/token"
Great tutorial
Thank you! Cheers!
Hey, I need some help. When I use GET, invalid bearer = "invalid token".... Can someone help me????
Hi Nest, This might be a hard one to debug over RUclips comments. Feel free to create a Stack Overflow question and we or a member of the community should be able to help. If it is urgent we do provide consultancy services.
I've already fixed it, thanks anyway. Good courses
@nestormatias217 Hi Nest, Thank you for the kind words. Hope you have a fantastic day! :)
nice tutorial... here you are 1000 subscriber gift :)
Hi team, Thanks for the video. I have set up IdentityServer 4 with .NET Core 3.1.
Everything is working fine, but the thing is I need to do Redis caching on the server side. Can you help me out :)
Hi! What kind of caching are you looking for? For IdentityServer configuration caching (e.g. clients and scopes), we recommend implementing your own storage layer that decorates the IdentityServer EF implementations. Check out how to create your own store here: www.scottbrady91.com/Identity-Server/Creating-Your-Own-IdentityServer4-Storage-Library
There are some open-source Redis implementations from the community, but we don't have any experience with them.
@ScottBrady91 Actually I'm looking for both IdentityServer configuration caching and client, scope and user
If I were to request a token via a JavaScript framework library such as Angular instead of having an MVC app, wouldn't I have to leave the client secret somewhere in a JavaScript file? Assuming I'm not supposed to expose my client secret (Angular being client-side), how would I go about this?
That's correct, a client secret wouldn't be all that secret within a browser-based SPA. Check out our recommendations for OAuth in browser-based applications: www.scottbrady91.com/OAuth/Cheat-Sheet-OAuth-for-Browser-Based-Applications