Excellent intro to JWT! Would like to add that you can also decorate an individual action with [AllowAnonymous] when the whole controller requires authentication, if for that one action anyone would be allowed to access.
Yep. Nice addition. I should've included it in the video.
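The controller-level [Authorize] plus per-action [AllowAnonymous] pattern from the comment above, as an added example (not code from the video or the channel; the controller and route names are made up for illustration):

```csharp
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Hypothetical controller (example code, not from the video). The class-level
// [Authorize] makes every action require an authenticated caller, i.e. a valid
// JWT bearer token, unless an action explicitly opts out.
[ApiController]
[Route("api/[controller]")]
[Authorize]
public class CarsController : ControllerBase
{
    // Covered by the controller-level [Authorize]: an unauthenticated request
    // is rejected with 401 before this method runs.
    [HttpGet]
    public IActionResult List() => Ok(new[] { "Polo", "Golf" });

    // Opted out for this one action only: [AllowAnonymous] skips authorization
    // here, so anyone can call it; the rest of the controller stays protected.
    [HttpGet("count")]
    [AllowAnonymous]
    public IActionResult Count() => Ok(new { count = 2 });

    // Caveat: [AllowAnonymous] overrides any [Authorize] on the same action, so
    // stacking both would silently make a "policy-protected" action public.
    // That combination is deliberately NOT used here:
    //   [Authorize(Policy = "Admin")] [AllowAnonymous]   // <- Admin policy ignored
    [HttpDelete("{id:int}")]
    public IActionResult Delete(int id) => NoContent();
}
```

When reviewing such a controller, grep for actions that carry both attributes: ASP.NET Core ignores every [Authorize] on an action that also has [AllowAnonymous], which is an easy way to expose an endpoint by accident.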
Your video is very good. I also read the Microsoft docs for authorization, but I find them very difficult to understand. How do you manage to understand the official docs and provide good tutorials like this?
Thanks for the amazing explanation. I have a little bit more complex scenario and I would be pleased for any useful advice. Let's imagine that we build a management system for some organizations. The user can have access to different organizations but at the same time, it can have different roles in each organization. It means that the JWT has to consist of all roles together with corresponding organization ids to which the particular user has access. The user can switch between the organizations. Do you have any idea what is the best approach to tackle this problem?
To solve this problem I came across two solutions.
1) The information about accessed organizations and roles per user is stored in JWT.
2) when the user switches to another organization, the HTTP client sends a request about the role of the selected organization. Based on the response the JWT stored in Blazor will be manually updated.
What do you mean by "organizations"? Is this some kind of multi-tenant setup?
How to generate the jwt token without using the cli? I would like to generate it in the code as usual
Holy Moly. This is perfect
Glad you found it useful!
Great video, well explained. You should possibly look into securing this token in the client side if that is not a topic that is too broad.
The problem is, almost nothing on the client side is secure :)). Generally, cookies are more secure than JWTs.
Excellent explanation sir. ❤
Glad you liked it
Excellent explanation .. very simplified.
Glad it was helpful!
Thanks that fills in the blanks! One question, if someone hits the rental endpoint and doesn't meet the age requirement is there a clean way to return in the body of the 403 Forbidden response what they are missing?
This video answers exactly your question: ruclips.net/video/JrGCPUkEgSU/видео.html
Finally here it is
Glad you enjoyed it.
Fantastic video, thanks, QQ, if I want to manage the role membership on my own DB (authentication remains on the identity provider, but not the roles), the right way to do it today is via that same Policy mechanism you used for the age requirement?
I can't talk about all identity providers, but at least in Azure AD and Auth0 you can manage roles and you would have them in roles claims on the token. So, no need to do anything fancy. If you want to manage roles independently then you would for sure need to keep track of those roles in the database and create either an authorization requirement or use an authorization filter to do the check.
Thank you!
Thanks Mr.Dan
I hope you talk about how to do permissions like "CanAdd, CanEdit, CanDelete,..." for role/user per page
Thanks for the feedback. I'm not sure what value this would bring. Permission based authorization is achieved by defining security requirements and policies, exactly like I did in the videos. Permissions are usually present in the form of claims on the JWT. So, it's just a matter of creating a policy that you can call "CanAdd" and write your own requirement logic.
Say this API is for a Mobile App, How would you handle sign up / login on the server? How would you generate the jwt tokens in production?
I assume you know the answer to this question is not that straightforward.
1. For production setups you almost never generate the token. You usually use an identity provider for that. Either Azure AD, or Cognito or Auth0 and so on.
2. If you really want to take all the security risks into your own hands (most that do this, do it badly. Security is a hard thing to achieve), you need to implement your own identity provider. In the .NET world we'd normally use IdentityServer for it (which is a paid library).
3. If you really want to bring user management and JWT issuance in your API (which is literally the last thing I'd do), then this might be a PoC for that: ruclips.net/video/mTc7ntbnm_c/видео.html
Great vid mate
Thank you very much. Great content.
Glad you enjoyed it.
Great content. Thank you Sir
Glad you enjoyed it!
Is it possible to write your own "Decorator" like [AllowMinAge("18")] or similar? Great video, thx for the deeper dive in this topic *thumbsUp
Theoretically you can also write your own authorization filters but tbh I never did it.
Yes, you can do this. You'll use a custom policy, requirement and requirement handler.
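The custom policy, requirement and handler pattern from the reply above, as an added example that is not the video's or the channel's code. It also covers the earlier replies about permission claims (a "CanAdd" policy) and roles that are not issued by the identity provider. Everything here is assumed for illustration: the claim types "date_of_birth" (ISO date) and "permission", the policy names, the attribute name MinimumAgeAttribute, and the controller; JWT bearer authentication is assumed to be configured elsewhere.

```csharp
using System.Globalization;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// JWT bearer authentication (AddAuthentication().AddJwtBearer(...)) is assumed
// to be configured here; only the authorization side is shown.
builder.Services.AddSingleton<IAuthorizationHandler, MinimumAgeHandler>();
builder.Services.AddAuthorization(options =>
{
    // 1) Requirement-based policy: evaluated by MinimumAgeHandler below.
    options.AddPolicy("MinimumAge18", p => p.AddRequirements(new MinimumAgeRequirement(18)));
    // 2) Permission-style policy: succeeds only if the JWT carries a
    //    "permission" claim (assumed claim type) with the value "CanAdd".
    options.AddPolicy("CanAdd", p => p.RequireClaim("permission", "CanAdd"));
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// The requirement only carries the data the policy needs.
public sealed class MinimumAgeRequirement : IAuthorizationRequirement
{
    public int MinimumAge { get; }
    public MinimumAgeRequirement(int minimumAge) => MinimumAge = minimumAge;
}

// The handler decides. Not calling context.Succeed leaves the requirement
// unmet, which ends in 403 Forbidden for an authenticated caller.
// For roles kept in your own database, the same shape applies: inject the
// repository and look the user up here instead of reading a claim.
public sealed class MinimumAgeHandler : AuthorizationHandler<MinimumAgeRequirement>
{
    protected override Task HandleRequirementAsync(
        AuthorizationHandlerContext context, MinimumAgeRequirement requirement)
    {
        var dobClaim = context.User.FindFirst("date_of_birth"); // assumed claim type
        if (dobClaim is null ||
            !DateOnly.TryParseExact(dobClaim.Value, "yyyy-MM-dd",
                CultureInfo.InvariantCulture, DateTimeStyles.None, out var dob))
        {
            return Task.CompletedTask; // missing or malformed claim: fail closed
        }

        var today = DateOnly.FromDateTime(DateTime.UtcNow);
        var age = today.Year - dob.Year;
        if (dob > today.AddYears(-age)) age--; // birthday not reached yet this year

        if (age >= requirement.MinimumAge)
        {
            context.Succeed(requirement);
        }
        return Task.CompletedTask;
    }
}

// The "decorator" asked for: a thin attribute that maps to a named policy.
// Usage: [MinimumAge(18)]. Each age used must have a matching policy
// registered above (or come from a custom IAuthorizationPolicyProvider).
public sealed class MinimumAgeAttribute : AuthorizeAttribute
{
    public MinimumAgeAttribute(int age) => Policy = $"MinimumAge{age}";
}

[ApiController]
[Route("api/[controller]")]
[Authorize]
public class RentalsController : ControllerBase
{
    // 401 without a token; 403 with a token whose date_of_birth is under 18.
    [HttpPost]
    [MinimumAge(18)]
    public IActionResult Rent() => Ok("rental created");

    // 403 unless the token carries permission=CanAdd.
    [HttpPost("cars")]
    [Authorize(Policy = "CanAdd")]
    public IActionResult AddCar() => Ok("car added");
}
```

Two design points worth noting: the handler fails closed on a missing or unparseable claim rather than assuming a default age, and it never reports failure explicitly, so a second handler for the same requirement could still succeed; if you want one check to veto everything, call context.Fail() instead of returning silently.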
I just have one comment regarding your blazor authentication videos. One thing I think was missing, was a good example on how to redirect you to the login page if not authenticated. I have not found any good built in solution.
Hmm, I will take a look, but I remember in one of the videos I have talked about the redirect.
@@Codewrinkles You remember which one? I usually put it in the area where you put the Cascading views but Blazor for some reason has non threaded methods to handle it.
@@Codewrinkles Did you find it?
Thank you!
Thank you too :)
Hi!
Could you give me source code of this project please???
I make source code available for ambassador members. So, if you join as a member on this channel with the Ambassador level, you should be able to find all shared source code on the "Membership" tab that will be available to you after joining.
Dan, get a mechanical keyboard to add some sweet, sweet ASMR to your videos. Will help you get more views
Thanks for the tip. I never paid attention to this detail, but I think it's a great idea. Thanks!
Thank you!