.NET 6 Web API 🔒 Role-Based Authorization with JSON Web Tokens (JWT)

  • Published: 7 Sep 2024

Comments • 169

  • @PatrickGod
    @PatrickGod  1 year ago

    🚀 Join the .NET Web Academy with a 30% discount - closing soon!
    👉 www.dotnetwebacademy.com/courses/academy?coupon=dnwas23yt

  • @bwzffgh7
    @bwzffgh7 2 years ago +1

    Thank you! That was the best one I've seen yet on this topic. All of the others are either impossible to follow or just fly through it so fast, they skip over their boilerplate code that we're supposed to have or type something so quickly and jump off the screen, we have no idea what they just did. There is ALWAYS something they have pre-installed and just assume we have it too. You are the first one that didn't do that.

  • @user-pc2hc9ji3y
    @user-pc2hc9ji3y 11 months ago +2

    Hi Patrick, how are you? I hope all is well with you and your baby! I'm from Brazil and thanks to your tutorials, I got my job as a Junior programmer. I thank you from the bottom of my heart and I hope one day to thank you in person. My dream is to visit the USA. And once again thank you very much, God bless you!

    • @PatrickGod
      @PatrickGod  11 months ago

      Hey Mauricio, thanks for the awesome feedback! I'm really glad to hear my tutorials helped you get a job. That's amazing! Congratulations! I'd love to chat. Feel free to email me at mail@patrickgod.com. Good luck with your programming journey! Take care, Patrick

  • @samjakrishnan6969
    @samjakrishnan6969 2 years ago +6

    You are my .Net 6 Web Api teacher!! Thank you Patrick 👍

    • @PatrickGod
      @PatrickGod  2 years ago

      Wow, thank you so much! 😊

  • @moshiurshohel
    @moshiurshohel 2 years ago +7

    Thank you Patrick, waiting for the policy-based one also

  • @CharlesBurnsPrime
    @CharlesBurnsPrime 2 years ago +4

    One video that I haven't come across but which would be useful to many is an elegant way to handle cross-cutting concerns in WebAPIs, for example, without having a ton of code in, or called by, the controller. I don't think that the decorator pattern applies well to Web APIs, unfortunately.
    The cross-cutting concerns I can think of (I am sure there are more) which might apply to a web API include:
    - Logging
    - Caching (memory, Redis...)
    - Performance timing
    - Authorization
    - Authentication
    - Validation
    - Exception handling
    - Auditing (e.g. Log the jsonified parameter object)
    - Debounce
    - Rate limiting
    - Duplicate detection
    - Retry
    - i18n?
    - Transactional processing
    - Fault tolerance (e.g. Circuit Breaker pattern)
    - Persistence
    - Real-time constraints
    - Synchronization

  • @mtranchi
    @mtranchi 2 years ago +2

    Binge-watched these two vids this morning for breakfast, think it was this one where you weren't too happy with the new intellisense. Me, sometimes it's bad, sometimes it's right on, sometimes it's half on.
    It's annoying when it's half on because me, wanting to save keystrokes, I have to do a mental calculation between tabbing into it then correcting it (e.g. it's suggesting IF(ENTITY != NULL) when I want ==)
    Overall, with my typing style, it seems neutral as far as keystroke/time saving, so am putting up with it because I know MS will fine tune it.
    Also, the great escape!! Lol, if it's annoying you, you can always hit the "esc" key and it will let you do your thing without offering unsolicited advice. Lol, that's what it is right? That annoying friend hopping around your feet that, halfway through your statement of intent, eagerly interrupts you with, "you know what you should do right?" (Then the annoying friend clouds your mind with a bunch of grey letters, lol)
    Anyway, I thank you for these vids because as of .net 6, when one creates a new ASP.NET Core hosted Blazor Webassembly app and enables "Individual Accounts", it pushes in this... not gonna look it up, the point is, it comes with a license agreement that it is free for small-time schmucks like me--FOR A YEAR. Then what?
    Since 2008 when I started with the MS tech stack, security was always an annoyance for me--though an annoyance I had to get right. (They've changed it so much... gah, that in itself...)
    I wanted to focus on my intent, not implementation details of system.yadaYada.cryptography!
    Now I must, which is where you come in hoss.
    I don't like spending good money on sh*t that I could have googled myself. With your upcoming .NET 6 Blazor WEBASSEMBLY (I hope) course, will the solution begin with a standalone blazor webassembly app, a back-end web api app, and how to connect them along with how to do authentication/authorization WITHOUT using any third party middleware that might want to charge money?
    Gotta admit, I'm hesitant to spend money on "courses" because I've generally found them disappointing. I'm self-taught (and yes, brain-dead), but often the courses are beginner's sh*t, no real-world examples, and overall, gah! I feel like I got screwed out of the first month's subscription (which of course I promptly cancelled)
    I just might do your Ko-Fi thinga-McJigger for these youtube vids, but constant (sometimes annoyingly so) references to your course... I'm hesitant. Not because of you, but because of your progenitors.
    with love and support,
    me

  • @deja00
    @deja00 2 years ago +10

    Great stuff. I am working my way through your Web API Authorization series, and I am learning a lot. I really like that you break down the different parts to use JWT, so we really come to understand how it works. Best wishes to you and your family. Nice thing to get a little peek into your life too.

    • @PatrickGod
      @PatrickGod  2 years ago

      Thank you so much for your kind words, Rune! Appreciate it. 😊

  • @amarildopena9853
    @amarildopena9853 2 years ago +3

    Patrick, your videos are REALLY clarifying! Very nice job.

    • @PatrickGod
      @PatrickGod  2 years ago +1

      Happy to help! Thank you so much for your feedback! 😊

  • @devloopers8380
    @devloopers8380 1 year ago

    OK, I am getting ready for some international job, more to practice, thanks to this God

  • @chiraglathiyachiraglathiya
    @chiraglathiyachiraglathiya 2 years ago +1

    Hi Patrick,
    Looking forward to your next course.

  • @ades3967
    @ades3967 2 years ago +2

    25:45 - said like a true developer 😆. Stay curious!
    Great series on JWT Auth Patrick, thanks!

    • @PatrickGod
      @PatrickGod  2 years ago

      Well, sometimes you gotta do what you gotta do. Would have checked it anyways after the recording. 😄 Thanks for your feedback!

  • @lexxluey
    @lexxluey 2 years ago +2

    My .NET power is now over 9000!!!!

    • @PatrickGod
      @PatrickGod  2 years ago

      This is amazing, thank you! 😂 The Dragonball reference is actually a really great idea for another tutorial. 😁

  • @thatgamingfreak
    @thatgamingfreak 2 years ago

    Thanks. This video really helped me out at work when documentation was failing me

  • @rodrigo6459
    @rodrigo6459 2 years ago +1

    ABSOLUTE PURE GOLD!!!!! Thank you for this video!

    • @PatrickGod
      @PatrickGod  2 years ago

      Thanks so much for your feedback, Rodrigo! Happy to help! 😊

  • @bernardodomeneghetti9673
    @bernardodomeneghetti9673 1 year ago +1

    Man, you just became my Netflix, I watch more of your content than any other thing haahahahaha great stuff, congrats for such a good job

    • @PatrickGod
      @PatrickGod  1 year ago

      Wow, thank you so much! Means a lot to me! 😀

  • @vikassaxena1560
    @vikassaxena1560 2 months ago +1

    Thanks Patrick, Awesome

    • @PatrickGod
      @PatrickGod  1 month ago

      Glad you enjoyed it! 😊

  • @OmPrakash-rs4jm
    @OmPrakash-rs4jm 2 years ago +1

    Hey Patrick! I'm from India, its really helpful lecture. Thanks a lot.

    • @PatrickGod
      @PatrickGod  2 years ago +1

      Glad I could help! Thanks for the feedback! 😊

  • @raphaellukas3328
    @raphaellukas3328 2 years ago +1

    Another great video, many thanks for it :-)

  • @rajneeshrocks2977
    @rajneeshrocks2977 1 year ago

    I was struggling with that kind of authorization. Thanks for it. You are coding Thor... 👍👍👍

  • @ahmo4781
    @ahmo4781 1 year ago

    The JWT series is super helpful. Many thanks for your effort!

  • @ravb.7700
    @ravb.7700 2 years ago +1

    Your oAuth tutorials have been extremely helpful. Thank you very much :)

  • @danielviberg5
    @danielviberg5 2 years ago +3

    Well demonstrated, thank your for taking the time to explain it 👍

    • @PatrickGod
      @PatrickGod  2 years ago

      Thank you so much for your feedback, Daniel! Glad you like it. 😊

  • @mohammadrezakarimi8182
    @mohammadrezakarimi8182 8 months ago

    U R a great Teacher

  • @kubrababacan-op3eq
    @kubrababacan-op3eq 1 year ago

    I think I will write the whole project thanks to your videos 😅

  • @honeybadgernz
    @honeybadgernz 2 years ago +1

    Thanks for the great videos, exactly what I needed to configure JWT for my new API

    • @PatrickGod
      @PatrickGod  2 years ago

      Glad to help! Thanks for your feedback! 😊

  • @RongMilon
    @RongMilon 2 years ago +2

    You are awesome Patrick.

    • @PatrickGod
      @PatrickGod  2 years ago

      YOU are awesome! 😁 Thank you very much. 😊

  • @Inbarasan16488
    @Inbarasan16488 2 years ago +2

    Very clear thx for uploading,👍👍👍

    • @PatrickGod
      @PatrickGod  2 years ago

      Most welcome 😊 Thanks for your feedback!

  • @ugempireninjaaaaaahatori6755
    @ugempireninjaaaaaahatori6755 7 months ago

    Great content i have followed your JWT token and this video both are amazing

  • @Spirittism
    @Spirittism 2 years ago

    So complicated just to add some security lol, good video btw.

  • @01pedro02pedrinho03
    @01pedro02pedrinho03 2 years ago +1

    Man, I love your channel and tutorials, many thanks for the lessons!! You're great

    • @PatrickGod
      @PatrickGod  2 years ago

      Happy to hear that! Thank you so much!

  • @aucancelacarlos
    @aucancelacarlos 2 years ago +1

    thanks Patrick, you have a new subscriber.

  • @jaimeeduardo159
    @jaimeeduardo159 2 years ago +3

    Great video, but how can I implement this if the role comes from a database and is not in the bearer token?

  • @shauncs
    @shauncs 1 year ago +1

    Thanks for the great video..! 😍

    • @PatrickGod
      @PatrickGod  1 year ago

      You're welcome 😊 Thanks a lot for your feedback!

  • @cameron7303
    @cameron7303 1 year ago

    Your videos are always my go to, thank you!

  • @shermatovs
    @shermatovs 1 year ago

    Thank you for this video. This helped me a lot. Actually I was given a task exactly on this topic, and I found this tutorial helpful 😊👍

  • @unjordi
    @unjordi 2 years ago +1

    Thanks for all the Blazor!

    • @PatrickGod
      @PatrickGod  2 years ago

      Any time! Thanks for your feedback! 😊

  • @abbsantosh
    @abbsantosh 1 year ago

    Thanks a lot Patrick for clearly explaining each concept with practical solution. It really helps us understand the concepts in depth, Much Appreciated Efforts. Bible for Interested Developers

  • @matiowsshimeliss6726
    @matiowsshimeliss6726 2 years ago +1

    You're the best Patrick :) Thank you

    • @PatrickGod
      @PatrickGod  2 years ago

      Appreciate it. Thank you so much! 😊

  • @I-PixALbI4-I
    @I-PixALbI4-I 2 years ago +1

    Thanks, I finally understand why my AuthZ is not working )

    • @PatrickGod
      @PatrickGod  2 years ago

      Glad I could help! Thanks for your feedback. 😊

  • @josephcorbett7805
    @josephcorbett7805 2 years ago +1

    This was really good! Thanks for making it

    • @PatrickGod
      @PatrickGod  2 years ago

      Glad you liked it! Thanks a lot for your feedback! 😊

  • @LonewolfNSP
    @LonewolfNSP 1 year ago +1

    Really great video. Thank you so much.

    • @PatrickGod
      @PatrickGod  1 year ago

      You're very welcome! Thanks for your feedback! 😊

  • @olepatheonlyone
    @olepatheonlyone 1 year ago +2

    Anyway, thank you for this tutorial, it worked very well! Just one more question: is there any way to decouple, let's say, the token role claims from the role names? What I mean is, for example, instead of a string value for role, the User table might have a foreign key RoleId, with the roles specified in a separate table; so, the JWT token might have only that number, with the server then doing the mapping between the role strings specified in the attributes and those role IDs. Or is it not really a common practice in actual systems and I might be better off just, as here, fetching the role name from the database and just putting it into the token?
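
Added example (not code from the video) for the two questions above about roles that live in the database rather than in the token: the token carries only a numeric role id under a hypothetical claim name "role_id", and an IClaimsTransformation resolves it to the role name on every request, so the existing [Authorize(Roles = "Admin")] attributes keep working unchanged. The lookup interface and its in-memory stand-in are constructed for the example; the JWT bearer setup from Part 1 is assumed to be in place.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// AddJwtBearer setup from Part 1 is assumed; the token now carries only "role_id" (hypothetical claim name).
builder.Services.AddAuthorization();
builder.Services.AddSingleton<IRoleLookup, InMemoryRoleLookup>();
builder.Services.AddScoped<IClaimsTransformation, DbRoleClaimsTransformation>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();   // [Authorize(Roles = "Admin")] now sees the role added by the transformation
app.MapControllers();
app.Run();

public interface IRoleLookup { Task<string?> GetRoleNameAsync(int roleId); }   // hypothetical DB access

// Constructed stand-in for the Roles table: RoleId -> role name.
public class InMemoryRoleLookup : IRoleLookup
{
    private static readonly Dictionary<int, string> Roles = new() { [1] = "Admin", [2] = "User" };

    public Task<string?> GetRoleNameAsync(int roleId) =>
        Task.FromResult(Roles.TryGetValue(roleId, out var name) ? name : null);
}

// Runs after the bearer token has been validated and before authorization, on every request.
public class DbRoleClaimsTransformation : IClaimsTransformation
{
    private readonly IRoleLookup _roles;
    public DbRoleClaimsTransformation(IRoleLookup roles) => _roles = roles;

    public async Task<ClaimsPrincipal> TransformAsync(ClaimsPrincipal principal)
    {
        // The framework may call this more than once per request; never add the role twice.
        if (principal.Identity is not ClaimsIdentity identity || identity.HasClaim(c => c.Type == ClaimTypes.Role))
            return principal;

        if (!int.TryParse(identity.FindFirst("role_id")?.Value, out var roleId))
            return principal;

        // Unknown or deleted role id: add nothing, so [Authorize(Roles = ...)] answers 403.
        var roleName = await _roles.GetRoleNameAsync(roleId);
        if (roleName is null)
            return principal;

        // Work on a clone so the principal cached by the authentication handler is not mutated.
        var clone = principal.Clone();
        ((ClaimsIdentity)clone.Identity!).AddClaim(new Claim(ClaimTypes.Role, roleName));
        return clone;
    }
}
```

The trade-off versus putting the role name into the token: every request costs one lookup (cache it if it matters), but changing or removing a user's role takes effect on the next request instead of only after the token expires.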

  • @EnrichoDRapar-xz2jp
    @EnrichoDRapar-xz2jp 11 months ago

    Great stuff, thanks 👍😊

  • @-02dmytrokotenko49
    @-02dmytrokotenko49 1 year ago +1

    So cool

  • @salomon1471
    @salomon1471 1 year ago

    Fantastic video. Now for a question: if I have an endpoint that takes the role "CalendarParticipants". This endpoint allows a Calendarowner to remove a user from the calendar. How can I check that the Calendarowner is in fact... the calendar owner? Because the parameters are "CalendarID" and "UserID". So even though I validate that the CalendarOwner is of the role CalendarOwner, it doesn't ensure that he is the owner of that specific calendar.
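
One way to close the gap in the calendar question above, as an added example rather than code from the video: keep the role attribute as the coarse gate and add a resource-based check that compares the caller's user id with the owner of the specific calendar being changed. Assumptions: the login code puts the user's id into a ClaimTypes.NameIdentifier claim, the repository interface, its in-memory data and the role name "CalendarOwner" are hypothetical, and the JWT bearer setup from Part 1 is already in Program.cs.

```csharp
using System.Collections.Concurrent;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();
// AddJwtBearer setup from Part 1 is assumed and omitted here.
builder.Services.AddAuthorization();
builder.Services.AddSingleton<ICalendarRepository, InMemoryCalendarRepository>();
builder.Services.AddSingleton<IAuthorizationHandler, CalendarOwnerHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

public record Calendar(int Id, int OwnerUserId);

public interface ICalendarRepository   // hypothetical persistence abstraction
{
    Task<Calendar?> FindAsync(int calendarId);
    Task RemoveParticipantAsync(int calendarId, int userId);
}

// Constructed sample data: calendar 1 belongs to user 42.
public class InMemoryCalendarRepository : ICalendarRepository
{
    private readonly ConcurrentDictionary<int, Calendar> _calendars =
        new() { [1] = new Calendar(1, OwnerUserId: 42) };

    public Task<Calendar?> FindAsync(int calendarId) =>
        Task.FromResult(_calendars.TryGetValue(calendarId, out var c) ? c : null);

    public Task RemoveParticipantAsync(int calendarId, int userId) => Task.CompletedTask;
}

public static class CalendarOperations
{
    public static readonly OperationAuthorizationRequirement RemoveParticipant =
        new() { Name = nameof(RemoveParticipant) };
}

// Succeeds only when the user id in the token equals the calendar's OwnerUserId.
public class CalendarOwnerHandler : AuthorizationHandler<OperationAuthorizationRequirement, Calendar>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
        OperationAuthorizationRequirement requirement, Calendar calendar)
    {
        if (requirement.Name == CalendarOperations.RemoveParticipant.Name
            && int.TryParse(context.User.FindFirst(ClaimTypes.NameIdentifier)?.Value, out var userId)
            && userId == calendar.OwnerUserId)
        {
            context.Succeed(requirement);
        }
        // Without a Succeed call the requirement stays unmet and AuthorizeAsync reports failure.
        return Task.CompletedTask;
    }
}

[ApiController]
[Route("[controller]")]
public class CalendarsController : ControllerBase
{
    private readonly ICalendarRepository _repo;
    private readonly IAuthorizationService _authz;

    public CalendarsController(ICalendarRepository repo, IAuthorizationService authz)
    {
        _repo = repo;
        _authz = authz;
    }

    [HttpDelete("{calendarId:int}/participants/{userId:int}")]
    [Authorize(Roles = "CalendarOwner")]   // coarse check: the caller owns *some* calendar
    public async Task<IActionResult> RemoveParticipant(int calendarId, int userId)
    {
        var calendar = await _repo.FindAsync(calendarId);
        if (calendar is null) return NotFound();

        // Fine-grained check: the caller owns *this* calendar.
        var result = await _authz.AuthorizeAsync(User, calendar, CalendarOperations.RemoveParticipant);
        if (!result.Succeeded) return Forbid();   // 403, not 401: authenticated but not the owner

        await _repo.RemoveParticipantAsync(calendarId, userId);
        return NoContent();
    }
}
```

The role attribute alone lets any calendar owner delete participants from any calendar by guessing CalendarID; the resource check is what ties the action to the object named in the route.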

  • @nicolass8941
    @nicolass8941 2 years ago +1

    Another great course !! Well explained

  • @sundarmanimaran5788
    @sundarmanimaran5788 2 years ago +1

    Thank you

  • @rahiyansafin449
    @rahiyansafin449 2 years ago +1

    Thank you brother!! Could you please make a video on the Code First approach for a Web API, please?

    • @PatrickGod
      @PatrickGod  2 years ago

      Hi! We do this already in this video: ruclips.net/video/FHx6AGVF_IE/видео.html Enjoy! 😃

  • @Otonium
    @Otonium 2 years ago

    It would be also great to see you explaining how to store passwords on Azure Vault or a similar system. Thank you!! keep up the great videos.

  • @mrasoft7184
    @mrasoft7184 2 years ago +1

    As always well explained. 😉 You did show how to add that JWT Bearer token in the header of the HTTP request using Swagger. Can you also make a video (if the video is already there where can I find it?) demonstrating how to add that JWT Bearer token to the HTTP request using code? For example using a Handler etc. Thanks.👍

    • @PatrickGod
      @PatrickGod  2 years ago

      Hey friend! Thanks for your feedback. Sure, that's a good idea for another video. In fact, we do exactly that in the Blazor Bootcamp (ruclips.net/video/In7YSYisMh4/видео.html) within that Blazor WebAssembly App. But, do you mean, making another call in the Web API and setting the Authorization Header there? For instance, with the HttpClient instance? Take care, Patrick

    • @mrasoft7184
      @mrasoft7184 2 years ago +1

      @@PatrickGod I meant the Web API on the server being called by a (Blazor Web Assembly) client. And the client uses for that an HttpClient instance and puts the JWT Token in the header of the HTTP-request for the Web API on the server. In this video it is Swagger that acts as the client (I presume).
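
Added example (not from the video or the Blazor Bootcamp) for the question above: a DelegatingHandler on the Blazor WebAssembly client that attaches the stored JWT to every request to the API, and only to the API's own origin, so the token is never forwarded to another host. The API address, the token store interface and its in-memory stand-in are assumptions; registration uses AddHttpClient from the Microsoft.Extensions.Http package.

```csharp
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Components.WebAssembly.Hosting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebAssemblyHostBuilder.CreateDefault(args);

// Hypothetical API origin; only requests to this scheme/host/port get the token.
var apiBase = new Uri("https://localhost:7001/");

builder.Services.AddSingleton<ITokenStore, InMemoryTokenStore>();
builder.Services.AddTransient(sp => new BearerTokenHandler(sp.GetRequiredService<ITokenStore>(), apiBase));
builder.Services.AddHttpClient("Api", client => client.BaseAddress = apiBase)
    .AddHttpMessageHandler<BearerTokenHandler>();

await builder.Build().RunAsync();

public interface ITokenStore   // hypothetical; a real app would back this with browser storage
{
    Task<string?> GetTokenAsync();
    Task SetTokenAsync(string? token);   // call after a successful login
}

public class InMemoryTokenStore : ITokenStore
{
    private string? _token;
    public Task<string?> GetTokenAsync() => Task.FromResult(_token);
    public Task SetTokenAsync(string? token) { _token = token; return Task.CompletedTask; }
}

// Adds "Authorization: Bearer <jwt>" to outgoing requests aimed at the API host.
public class BearerTokenHandler : DelegatingHandler
{
    private readonly ITokenStore _store;
    private readonly Uri _apiBase;

    public BearerTokenHandler(ITokenStore store, Uri apiBase)
    {
        _store = store;
        _apiBase = apiBase;
    }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // HttpClient has already combined BaseAddress with a relative path, so RequestUri is absolute here.
        var sameOrigin = request.RequestUri is { } uri
            && uri.Scheme == _apiBase.Scheme && uri.Host == _apiBase.Host && uri.Port == _apiBase.Port;

        // Never leak the token to a different origin (a third-party URL or a redirected request).
        var token = sameOrigin ? await _store.GetTokenAsync() : null;
        if (!string.IsNullOrEmpty(token))
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);

        // A 401 response means the token is missing, expired or invalid; the app should
        // log in again or exchange a refresh token (Part 4) rather than retry blindly.
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Resolve the client with IHttpClientFactory.CreateClient("Api"); components then call the API without touching the Authorization header themselves.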

  • @hujintao6862
    @hujintao6862 11 months ago

    Can you make a video about Authorization with one-time password (OTP)?

  • @lukalcalde
    @lukalcalde 2 years ago +1

    Thanks!

    • @PatrickGod
      @PatrickGod  2 years ago

      Thank YOU so much! Really appreciate it! 😁

  • @8294685725
    @8294685725 1 year ago

    Initially take a thanks

  • @brunopocay780
    @brunopocay780 1 year ago

    Firstly, excellent tutorial, you are the best! But let me ask something: if I do not need role-based authentication, can I simply skip this video and jump to part 3, or do I need to watch until the Add SwaggerUI Authorization part?

  • @kay2care
    @kay2care 1 year ago

    Great Content!

  • @danielpelissari7539
    @danielpelissari7539 2 years ago

    Thanks for the video, greetings from Brazil.

  • @KevinAllenPerezBaires
    @KevinAllenPerezBaires 2 years ago +1

    Thanks for this video!

    • @PatrickGod
      @PatrickGod  2 years ago

      My pleasure! Glad it was helpful!

  • @nguyennguyenhuu1467
    @nguyennguyenhuu1467 8 months ago

    Saved my life!

  • @PatrickGod
    @PatrickGod  2 years ago +1

    ▶ [Part 1/4] .NET 6 Web API 🔒 Create JSON Web Tokens (JWT) - User Registration / Login / Authentication: ruclips.net/video/v7q3pEK1EA0/видео.html
    ▶ [Part 2/4] .NET 6 Web API 🔒 Role-Based Authorization with JSON Web Tokens (JWT): ruclips.net/video/TDY_DtTEkes/видео.html
    ▶ [Part 3/4] .NET 6 Web API 🔒 Read JWT Authorization Claims of a User (from a JSON Web Token): ruclips.net/video/fhWIkbF18lM/видео.html
    ▶ [Part 4/4] Refresh Tokens with a .NET 6 Web API 🚀: ruclips.net/video/HGIdAn2h8BA/видео.html

  • @Mfbzai
    @Mfbzai 1 year ago

    Damn Impressive!

  • @thanhsonhoang8982
    @thanhsonhoang8982 2 years ago

    Great video

  • @sahildhingraa
    @sahildhingraa 1 year ago

    completed!

  • @Atzentan
    @Atzentan 2 years ago

    You're creating awesome Videos. Love coding alongside :-)

  • @rianbello5445
    @rianbello5445 1 year ago

    Thank you Sir for sharing knowledge with us. I have a question, maybe my knowledge is just not good enough, but why do you put the roles inside that get weather method? The roles come from the registration process, in the registration page maybe, and that is on the client side, and the role is what the admin gives. Why not just put [Authorized] above the [Route("[controller]")] and that is enough?

    • @PatrickGod
      @PatrickGod  1 year ago +1

      Thanks for asking! I added roles in the 'get weather' method to make sure only certain people can see that info. While [Authorize] checks if someone is logged in, roles check if they have the right to see the data. It's like a double-check for safety. Hope this helps!

  • @luisfernandodeolazabalsche3317
    @luisfernandodeolazabalsche3317 2 years ago +1

    Thank Patrick ;-)

  • @hectorsuarez7
    @hectorsuarez7 2 years ago

    Amazing video. It help me a lot. Keep it up!!!

  • @Mortalstefan
    @Mortalstefan 13 days ago

    Probably stupid question. But in your .net 7 tutorial you set up authentication and login, and in the end you linked this video, which is .net 6 roles. Is it relevant between .net 6 and 7?

  • @shahabjoon201
    @shahabjoon201 1 year ago

    Hello Mr. God, thanks for sharing.
    The question is, can you please provide a tutorial about authentication in the Console Application?
    Thanks in advance.

  • @zeevr.3197
    @zeevr.3197 1 year ago

    thanks a lot !!!!!

  • @shan5310
    @shan5310 1 year ago +1

    Hey. Nice tutorial! Is there any way to put a variable in the Authorize attribute or do I always have to put in a string manually?

  • @quanghungnguyen3018
    @quanghungnguyen3018 1 year ago

    thanks a lot

  • @yanaraldaghestani6305
    @yanaraldaghestani6305 2 years ago

    amazing

  • @Lomerb
    @Lomerb 2 years ago

    Great video, thank you very much !!!!

  • @xfelipe98
    @xfelipe98 2 years ago +1

    Thanks Patrick, great video but what if I want to authorize an endpoint for more than one role?

    • @PatrickGod
      @PatrickGod  2 years ago +1

      Thank you Felipe! You can use multiple roles separated by a comma. Hope this helps!

  • @Proviper666
    @Proviper666 11 months ago

    After watching the video I have a question. When I register, I always get the 'admin' role?
    How can I add at least one more role? So that admin can do everything, and guest or noob can just read.
    This is for an API with CRUD functionality.
    Thanks.

  • @isnakolah
    @isnakolah 2 years ago +1

    Wonderful video. Great content. I have a concern though: if it is possible to decode and view the role, what stops the client, or in this case an attacker, from editing the role to, let's say, 'admin' and getting access to endpoints they are not authorized to see?

    • @romanvostrikov6578
      @romanvostrikov6578 2 years ago +2

      The token is signed with the server's private key ("AppSettings:Token" in this case), so an attacker cannot change it without invalidating the signature.

    • @isnakolah
      @isnakolah 2 years ago +1

      @@romanvostrikov6578 So, if I am getting you correctly, once signed it cannot be edited? How do signatures work then?

    • @romanvostrikov6578
      @romanvostrikov6578 2 years ago +2

      @@isnakolah Yes, you can't edit an issued token because the signature is part of the JWT and signature(old data, key) != signature(edited data, key). The user doesn't have access to the key to forge a new signature. The token can be stolen, though, so you need to transfer it over a secure connection, even if it cannot be edited.
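
Added example (not code from the video) that backs up the exchange above: issue a token with role User, edit the payload to Admin while keeping the old signature, and watch validation reject it; an unsigned alg=none variant is rejected too. The key is a constructed demo string, whereas in the series it comes from AppSettings:Token. It also answers the later question about using one key on several servers: validation needs nothing but the key, so every server holding the same key accepts the same tokens.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed demo key (76 bytes, enough for HS512). In the series it is read from AppSettings:Token.
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(
    "my top secret key for this demo only - must be at least 64 bytes for HS512!!"));
var handler = new JwtSecurityTokenHandler();

// Issue a token the way the Login endpoint in Part 1 does.
string Issue(string role) => handler.WriteToken(new JwtSecurityToken(
    claims: new[] { new Claim(ClaimTypes.Name, "alice"), new Claim(ClaimTypes.Role, role) },
    expires: DateTime.UtcNow.AddMinutes(5),
    signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha512Signature)));

// Validate it the way AddJwtBearer does, with the same TokenValidationParameters as the API.
string Validate(string token)
{
    try
    {
        var principal = handler.ValidateToken(token, new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = key,
            ValidateIssuer = false,
            ValidateAudience = false
        }, out _);
        return "accepted, role = " + principal.FindFirst(ClaimTypes.Role)?.Value;
    }
    catch (SecurityTokenException ex)
    {
        return "rejected: " + ex.GetType().Name;
    }
}

var original = Issue("User");
Console.WriteLine(Validate(original));   // accepted, role = User

// Attacker step: decode the payload, change "User" to "Admin", re-encode, reuse the old signature.
var parts = original.Split('.');
var payloadJson = Encoding.UTF8.GetString(Base64UrlEncoder.DecodeBytes(parts[1]));
var forgedPayload = Base64UrlEncoder.Encode(payloadJson.Replace("\"User\"", "\"Admin\""));
var forged = string.Join('.', parts[0], forgedPayload, parts[2]);
Console.WriteLine(Validate(forged));     // rejected: SecurityTokenInvalidSignatureException

// Unsigned variant (alg = none, empty signature): refused because RequireSignedTokens defaults to true.
var unsigned = handler.WriteToken(new JwtSecurityToken(
    claims: new[] { new Claim(ClaimTypes.Role, "Admin") },
    expires: DateTime.UtcNow.AddMinutes(5)));
Console.WriteLine(Validate(unsigned));   // rejected: SecurityTokenInvalidSignatureException
```

What the signature does not protect against is theft: a copied token stays valid until its exp claim, so keep lifetimes short, send tokens only over HTTPS, and pair them with refresh tokens (Part 4).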

  • @EzequielRegaldo
    @EzequielRegaldo 1 year ago

    Thank you so much! I have a question: in the Claim properties can we set any prop without the MS boilerplate inside the token? Sorry if my English is not good enough :P

  • @coding-in
    @coding-in 2 years ago +1

    Thank you Sir! How to implement JWT auth for a controller?

    • @PatrickGod
      @PatrickGod  2 years ago

      Hey there! Just add the [Authorize] attribute on top of the controller class. Take care, Patrick

    • @coding-in
      @coding-in 2 years ago

      @@PatrickGod I mean a controller that returns View(), not an ApiController

  • @gerardlanphear9185
    @gerardlanphear9185 10 months ago

    We have an Active Directory shop. Is there a way to do this with AD without any tokens?

  • @Maksultan
    @Maksultan 1 year ago

    does anyone know where in the microsoft docs they explain what needs to be done in the program file? I can't find any mention of exact steps to introduce authorization.

  • @mobiledeveloper5100
    @mobiledeveloper5100 2 years ago

    Thank you
    Why not use Postman?

  • @fdhsdrdark
    @fdhsdrdark 2 years ago

    That's an amazing video!
    One question please,
    You mentioned in a comment that the token is signed with the server's private key (taken from app settings/token).
    That means that if the same key is used on multiple servers, the same token can be used and will be valid independently of the server handling the request.
    Is that correct?

  • @syahmanmohamad1162
    @syahmanmohamad1162 2 years ago +1

    hi Patrick, good tutorial. How to implement multiple roles?

    • @tech-savant
      @tech-savant 1 year ago +1

      yeah, I was wondering that too...
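
Added example (not code from the video) for the multiple-roles questions here and above, and for the earlier question about using a variable instead of a string in the Authorize attribute: one Program.cs plus one controller showing OR via a comma-separated role list, AND via stacked attributes, the same rules as named policies, and const role names (attribute arguments must be compile-time constants, so a const works where a variable would not). The bearer setup repeats Part 1 and assumes AppSettings:Token is configured; the policy names and the "permission" claim are hypothetical.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllers();

// Same bearer setup as Part 1: the HMAC key is read from AppSettings:Token (assumed to be set).
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(builder.Configuration["AppSettings:Token"]!)),
        ValidateIssuer = false,
        ValidateAudience = false
    };
});

// Named policies (hypothetical names) keep the rule in one place instead of in every attribute.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("ManagerOrAdmin", policy => policy.RequireRole(AppRoles.Admin, AppRoles.Manager));
    options.AddPolicy("CanDeleteUsers", policy => policy.RequireClaim("permission", "users.delete"));
});

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();
app.MapControllers();
app.Run();

// Attribute arguments must be compile-time constants: const strings work, variables do not.
public static class AppRoles
{
    public const string Admin = "Admin";
    public const string Manager = "Manager";
}

[ApiController]
[Route("[controller]")]
[Authorize]   // class level: every action below needs an authenticated caller
public class ReportsController : ControllerBase
{
    // OR: a comma-separated list; a caller holding either role passes.
    [HttpGet]
    [Authorize(Roles = AppRoles.Admin + "," + AppRoles.Manager)]
    public IActionResult Get() => Ok("reports");

    // The same OR check expressed as a policy.
    [HttpGet("summary")]
    [Authorize(Policy = "ManagerOrAdmin")]
    public IActionResult Summary() => Ok("summary");

    // AND: stacked attributes are all enforced; the caller must be Admin and also hold the
    // claim permission=users.delete (permission-based on top of role-based).
    [HttpDelete("users/{id:int}")]
    [Authorize(Roles = AppRoles.Admin)]
    [Authorize(Policy = "CanDeleteUsers")]
    public IActionResult DeleteUser(int id) => NoContent();
}
```

A valid token without the required role gets 403, while a missing or invalid token gets 401; seeing which of the two you get tells you whether the problem is authentication or the role claim.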

  • @AliRaza-zy1zk
    @AliRaza-zy1zk 1 year ago

    Just subscribed your channel....

  • @imheretosleep
    @imheretosleep 2 years ago +1

    Hey, just wanna ask if I should add a property called Role in my user model and then use that in ClaimTypes.Role?

    • @PatrickGod
      @PatrickGod  2 years ago

      That's totally a way to do it! 😊

  • @djanbolotov16
    @djanbolotov16 2 years ago +1

    Hey, bro! You are cool!!!

    • @PatrickGod
      @PatrickGod  2 years ago +1

      Thank you very much! Appreciate it. And you, too!! 😊

  • @facundoroldan3133
    @facundoroldan3133 2 years ago +1

    Thanks!!!!!!!!!!

  • @nove1398
    @nove1398 2 years ago

    Can you do a video on permissions?

  • @AhmedMohammed23
    @AhmedMohammed23 2 years ago

    Isn't that static user at the top a problem? How will that work with multiple requests?

  • @truongo6388
    @truongo6388 1 year ago +3

    Why do I do the same as you but always get a 401 error? Anyone like me?

  • @chizuru1999
    @chizuru1999 2 years ago

    Great Video. Can you do a .Net web api with sqlite tutorial?

  • @esdegan7176
    @esdegan7176 2 years ago

    How about RBAC where a role can have permissions?

  • @renaudgg
    @renaudgg 1 year ago

    Hi, I still don't understand after watching 15 videos what ValidIssuer and ValidAudience are; you put both to false... is that fine?? If not, how do I know what to put in both strings???? My API is in Azure with Swagger, I don't get it
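
Added example (not code from the video) for the ValidIssuer/ValidAudience question: with ValidateIssuer and ValidateAudience set to false, any token signed with the key is accepted, no matter which service issued it or which client it was meant for. The settings below require both values, and the TokenService shows the two values the issuing side has to put into the token so that validation passes. The issuer and audience strings and the configuration keys AppSettings:Issuer and AppSettings:Audience are hypothetical.

```csharp
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

// appsettings.json (hypothetical values):
// "AppSettings": { "Token": "<long random secret, 64+ bytes>",
//                  "Issuer": "https://api.example.com",
//                  "Audience": "my-blazor-client" }

var builder = WebApplication.CreateBuilder(args);
var settings = builder.Configuration.GetSection("AppSettings");

builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme).AddJwtBearer(options =>
{
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuerSigningKey = true,
        IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(settings["Token"]!)),

        // Weak form: ValidateIssuer = false, ValidateAudience = false.
        // That accepts every token signed with this key, including one minted by another
        // service that shares the key, or one that was issued for a different client.
        // Corrected form: the token's "iss" and "aud" claims must equal these exact strings.
        ValidateIssuer = true,
        ValidIssuer = settings["Issuer"],
        ValidateAudience = true,
        ValidAudience = settings["Audience"],

        ValidateLifetime = true,               // reject expired tokens (default, stated explicitly)
        ClockSkew = TimeSpan.FromMinutes(1)    // the default tolerance on "exp" is 5 minutes
    };
});
builder.Services.AddAuthorization();
builder.Services.AddScoped<TokenService>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/reports", () => "admin only")
   .RequireAuthorization(new AuthorizeAttribute { Roles = "Admin" });
app.Run();

// Issuing side: inject this into the Login action from Part 1 and call CreateToken after the
// password check. Issuer and audience written here must match the values validated above,
// otherwise every request carrying the token gets 401 even though the signature is fine.
public class TokenService
{
    private readonly IConfiguration _config;
    public TokenService(IConfiguration config) => _config = config;

    public string CreateToken(string username, string role)
    {
        var settings = _config.GetSection("AppSettings");
        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(settings["Token"]!));
        var token = new JwtSecurityToken(
            issuer: settings["Issuer"],
            audience: settings["Audience"],
            claims: new[] { new Claim(ClaimTypes.Name, username), new Claim(ClaimTypes.Role, role) },
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha512Signature));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

The values are labels you choose, not something Azure or Swagger supplies: the issuer names the service that signs tokens, the audience names the API or client the token is for, and a token whose claims say anything else is rejected before the role is even looked at.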

  • @daniel_klement_photography
    @daniel_klement_photography 2 years ago

    You just saved my fucking ass!! Thank you!

  • @sorathavithey890
    @sorathavithey890 2 years ago

    Can you create function-based authorization?

  • @RoughSubset
    @RoughSubset 2 years ago

    Please do something on refresh tokens.

  • @utsavgorasiya7257
    @utsavgorasiya7257 1 year ago

    Hello sir, I'd like to request authorization middleware for all APIs

  • @oxdan9101
    @oxdan9101 2 years ago

    I have a question: if my Authentication API talks with another Server, must the Server have its own role? Or is that not the best way to send messages between my 2 applications, API & Server?

  • @malathip4043
    @malathip4043 2 years ago

    I want to use an auth plugin, Vue frontend, .NET Core, MSSQL for the backend. Can you suggest, please?