Want to master Clean Architecture? Go here: bit.ly/3PupkOJ
Want to unlock Modular Monoliths? Go here: bit.ly/3SXlzSt
Thanks for the guide. Was having some issues with Auth0 so tried this and working well for me frontend and now api. Thank you!
Glad it helped! Are you switching to Supabase?
@ trying it out. I’m used to identity server but trying other solutions.
Why do you set "ValidateIssuerSigningKey" to "true"? This option is for asymmetric algorithms if I'm not mistaken. And in this JWT is used HS256 algorithm.
You're correct! It's not needed. Setting the IssuerSigningKey is enough.
Awesome content, thank you Milan!
My pleasure!
Great video. Thank you for making it. I'm watching it 3x times now. I'm new to both dotnet and also postgres. This helps a lot.
By the way, at 1:04 what program are you using to visualise the schema?
That's Supabase's Schema Visualizer
@@MilanJovanovicTech Thank you!
What would you recommend for a small production app?
Supabase
Keycloak
Custom IdentityServer
Supabase/Firebase auth are both great, easy to set up, and "just work". Keycloak you will need to host yourself, which could be a hassle.
Just a note, the response from the refresh token endpoint doesn't seem to return a cached response. The access token is different for each request. You can even see it in the video. What would be the difference between using a login compared to the refresh endpoint?
You're right, I'm not 100% sure what I wanted to say there 🤔 I believe just the expiration time changes, which alters the access token signature.
I think good video should be showing how to add Supabase Auth to Blazor SSR (and if possible SR, WebAssembly)
I rarely cover client-side topics, but that's a nice suggestion
How would you add authorization to an app that uses Supabase authentication? There's a possibility to create custom supabase hook that adds additional claims to the JWT, but I was wondering if it was better to store roles/permissions against the user identifier directly in the database (the one that aspnet core app uses, not the supabase db) and implement authorization handler that checks if there's a valid record in the database. What do you think?
I honestly think that Auth hooks are too good to pass on. So easy to just check the claims. Don't you think?
Can I also use this way to protect my pages in Blazor with the authorization view, or should I use another way?
I think you can, but check if there are some examples out there
Is it possible to not include some function to require an accessToken? For Example Login and Register (made with Supabase authentication) shouldn't require an AccessToken.
If I'm using Controllers how can I require the authorization in them?
[Authorize] and [AllowAnonymous] attributes
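As an added example of the two attributes just named, together with the auth-hook claims approach from the earlier reply (checking a claim the hook put into the JWT): a controller where login and refresh are open, everything else needs a valid Supabase token, and one action is gated by a policy on a hook-provided claim. This is not code from the video or from any commenter; the `user_role` claim name, the `AdminOnly` policy, the named `HttpClient` and the `Supabase:AnonKey` / `Supabase:Url` configuration keys are my assumptions. The `auth/v1/token?grant_type=password` and `grant_type=refresh_token` calls are Supabase's own auth endpoints.

```csharp
// Added example (not from the video): [Authorize] by default, [AllowAnonymous]
// on the token-issuing actions, and a policy on a claim added by an auth hook.
// Claim name, policy name, client name and config keys are assumptions.
using System.Net.Http.Json;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Program.cs additions this controller relies on (assumed names):
// builder.Services.AddHttpClient("supabase",
//     c => c.BaseAddress = new Uri(builder.Configuration["Supabase:Url"]!)); // trailing slash required
// builder.Services.AddAuthorization(o =>
//     o.AddPolicy("AdminOnly", p => p.RequireClaim("user_role", "admin")));

public sealed record LoginRequest(string Email, string Password);
public sealed record RefreshRequest(string RefreshToken);

[ApiController]
[Route("api/[controller]")]
[Authorize] // every action requires a valid Supabase access token unless opted out below
public sealed class AccountController : ControllerBase
{
    private readonly IHttpClientFactory _httpClientFactory;
    private readonly IConfiguration _configuration;

    public AccountController(IHttpClientFactory httpClientFactory, IConfiguration configuration)
    {
        _httpClientFactory = httpClientFactory;
        _configuration = configuration;
    }

    // Login exchanges credentials for tokens, so it cannot demand a token itself.
    [HttpPost("login")]
    [AllowAnonymous]
    public Task<IActionResult> Login(LoginRequest request, CancellationToken ct) =>
        CallAuthAsync("token?grant_type=password",
            new { email = request.Email, password = request.Password }, ct);

    // Refresh is anonymous too: the caller may only hold an expired access token.
    // This is the difference from login: no credentials, just the refresh token.
    [HttpPost("refresh")]
    [AllowAnonymous]
    public Task<IActionResult> Refresh(RefreshRequest request, CancellationToken ct) =>
        CallAuthAsync("token?grant_type=refresh_token",
            new { refresh_token = request.RefreshToken }, ct);

    // Inherits [Authorize] from the controller; reads claims the bearer handler validated.
    // "sub" is mapped to NameIdentifier by default, so check both spellings.
    [HttpGet("me")]
    public IActionResult Me() => Ok(new
    {
        UserId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? User.FindFirst("sub")?.Value,
        Role = User.FindFirst("user_role")?.Value, // claim added by the auth hook
    });

    // The hook-provided claim is checked through a policy, not hand-written code.
    [HttpGet("admin-only")]
    [Authorize(Policy = "AdminOnly")]
    public IActionResult AdminOnly() => Ok("admin area");

    // Forwards to Supabase Auth and relays its status code and JSON body unchanged
    // (400 for bad credentials or an invalid/expired refresh token).
    private async Task<IActionResult> CallAuthAsync(string path, object body, CancellationToken ct)
    {
        HttpClient client = _httpClientFactory.CreateClient("supabase");
        using var request = new HttpRequestMessage(HttpMethod.Post, $"auth/v1/{path}");
        request.Headers.Add("apikey", _configuration["Supabase:AnonKey"]);
        request.Content = JsonContent.Create(body);

        using HttpResponseMessage response = await client.SendAsync(request, ct);
        string json = await response.Content.ReadAsStringAsync(ct);

        return new ContentResult
        {
            Content = json,
            ContentType = "application/json",
            StatusCode = (int)response.StatusCode,
        };
    }
}
```

The controller-level `[Authorize]` is the safe default: a new action is protected unless someone deliberately adds `[AllowAnonymous]`, which is the direction you want mistakes to fail in.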
is this something like keycloak like an authentication aggregator but light weight?
Supabase is a much more feature-rich platform. The auth component is just one part of it, and it's a fully-fledged solution (OAuth, social logins, SSO)
Awesome video man! I have one question for this video: what about RLS? You disabled it for the video, but when I want to query Supabase it uses the anon token and not the token that I send from Postman (frontend). I've looked every way to somehow set the new token on supabaseClient but I can't get it to work. Thank you!
Is this an issue of the supabase client perhaps?
@@MilanJovanovicTech I don't know either. I think the Supabase client needs the active session, which I don't have on my backend because I manage the session on the frontend. I thought that there is some way to include just an access token in the Supabase client query. I think that I will need to call the Supabase API directly from the backend without the Supabase client. I tested this using Postman and it works. Is this the right move? Thank you
Can we use this together with Microsoft Identity users? Also, what if we need to manage users directly from our apps?
I also want to ask, is user registration also registered to supabase, the main logic is on our side, supabase just does user data synchronization
No, I don't think these two go well together. 🤔
Hi Milan, could you make a video about many to many relationships in domain driven design? I don’t know how to design my aggregates. Also, do you think that relationships between aggregates should be resolved via ef core HasMany/HasOne foreign keys, or should the relationships be updated manually in domain event handler, like Amichai Mantinband does?
Check out my recent video on DDD Aggregates
@@MilanJovanovicTech I've watched it, but unfortunately there isn't a case with many to many relationship.
I have sign-in and sign-up endpoints with OAuth providers. Should I have an endpoint for the callback, or should that be on the front?
Callback is on the UI typically, as the OAuth provider will append some query parameters
Thanks for this informative video. Does it support the "On-Behalf-Of" flow?
No idea
Adding ValidateIssuer = false resolves the issue, but without it, I get a 401 error. What could be the reason for this?
I found the reason. When using a custom domain, the iss value changes, so ValidateIssuer must be set to false
Interesting. But you should be able to specify who the valid issuer is, right?
@@MilanJovanovicTech That's right. When setting it up, we can configure multiple valid issuers, right? At that time, adding the previous domain along with the custom domain resolved the issue without any problems. The only downside is that I wish they had returned the custom domain during the validation process. Well, since the custom domain can be changed at any time, it might actually be better to stick with the original domain.
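Putting the two configuration threads together (the earlier exchange about `ValidateIssuerSigningKey` with an HS256 secret, and the custom-domain issuer problem just discussed), here is an added example of the JWT bearer setup in ASP.NET Core. It is not code from the video or from any commenter; the `Supabase:JwtSecret` configuration key, the placeholder issuer URLs and the `/me` endpoint are my assumptions. The `aud` value `authenticated` and the `/auth/v1` issuer path are what Supabase access tokens carry.

```csharp
// Added example (not from the video): validating a Supabase-issued HS256 access
// token in ASP.NET Core. Configuration key name and issuer URLs are assumptions.
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Supabase signs access tokens with the project's JWT secret (HS256), so the
// API verifies them with a SymmetricSecurityKey. Supplying IssuerSigningKey is
// what makes the handler check the signature; ValidateIssuerSigningKey is left
// at its default, as it is not needed for a symmetric key.
string jwtSecret = builder.Configuration["Supabase:JwtSecret"]
    ?? throw new InvalidOperationException("Supabase:JwtSecret is not configured");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSecret)),
            // Pin the algorithm so a token claiming RS256 or "none" is rejected outright.
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 },

            // Keep issuer validation on. A project behind a custom domain may still
            // put the original supabase.co URL in "iss", so list both issuers
            // instead of setting ValidateIssuer = false, which skips the check entirely.
            ValidateIssuer = true,
            ValidIssuers = new[]
            {
                "https://PROJECT-REF.supabase.co/auth/v1", // placeholder: project URL
                "https://auth.example.com/auth/v1",        // placeholder: custom domain
            },

            // Supabase access tokens carry aud = "authenticated".
            ValidateAudience = true,
            ValidAudience = "authenticated",

            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };
    });

builder.Services.AddAuthorization();

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Minimal protected endpoint: echoes the subject and email the handler accepted.
// "sub" and "email" are mapped to NameIdentifier/Email by default, so check both.
app.MapGet("/me", (ClaimsPrincipal user) => Results.Ok(new
{
    Subject = user.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? user.FindFirst("sub")?.Value,
    Email = user.FindFirst(ClaimTypes.Email)?.Value ?? user.FindFirst("email")?.Value,
})).RequireAuthorization();

app.Run();
```

Listing both issuers keeps the check meaningful while the custom domain is being rolled out; once you know which `iss` the project actually emits, the list can be trimmed back to one entry.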
How to prevent IDOR vulnerabilities?
Input validation
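As an added example of the input validation plus ownership check that stops an IDOR in a controller protected by the Supabase token (not code from the video or its comments): the `Order` entity with its `OwnerId` column and the EF Core `AppDbContext` are my own assumed names.

```csharp
// Added example (not from the video): IDOR prevention by validating the id and
// scoping the lookup to the authenticated caller. Entity and DbContext are assumed.
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore;

// Assumed entity: every row records which Supabase user it belongs to.
public sealed class Order
{
    public Guid Id { get; set; }
    public string OwnerId { get; set; } = string.Empty; // the owner's "sub" claim
    public decimal Total { get; set; }
}

// Assumed DbContext with an Orders set.
public sealed class AppDbContext : DbContext
{
    public AppDbContext(DbContextOptions<AppDbContext> options) : base(options) { }
    public DbSet<Order> Orders => Set<Order>();
}

[ApiController]
[Route("api/orders")]
[Authorize]
public sealed class OrdersController : ControllerBase
{
    private readonly AppDbContext _db;

    public OrdersController(AppDbContext db) => _db = db;

    [HttpGet("{orderId:guid}")]
    public async Task<IActionResult> GetOrder(Guid orderId, CancellationToken ct)
    {
        // 1. Input validation: the ":guid" route constraint rejects malformed ids
        //    before the action runs, so orderId is always a well-formed GUID here.

        // 2. Identify the caller from the validated token, never from the request.
        //    The bearer handler maps "sub" to NameIdentifier by default; fall back
        //    to the raw claim in case inbound claim mapping was turned off.
        string? callerId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value
            ?? User.FindFirst("sub")?.Value;
        if (callerId is null)
        {
            return Unauthorized();
        }

        // 3. Scope the query to the caller: the row is looked up by (id, owner),
        //    so a valid id that belongs to someone else simply does not match.
        Order? order = await _db.Orders
            .AsNoTracking()
            .SingleOrDefaultAsync(o => o.Id == orderId && o.OwnerId == callerId, ct);

        // Return 404 for both "does not exist" and "not yours", so the response
        // does not reveal which ids are in use.
        return order is null ? NotFound() : Ok(order);
    }
}
```

The same pattern applies to update and delete actions: include the owner in the `WHERE` clause of the query rather than fetching by id and comparing afterwards, so there is no code path that touches another user's row.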
Could you make a tutorial on authentication using Keycloak? I love these videos
Perhaps
How to set up the Auth Hooks?
From Supabase
Thank you so much
Any time
Please make a video .NET core with oracle database
Will consider
subscribed!!!
Happy to have you 😁