Asp Net Core - Rest API Authorization with JWT (Roles Vs Claims Vs Policy) - Step by Step

I know this video is 2 years old, but it is OUTSTANDING, Thank you very much for this tutorial.

I was trying to implement the same functionality by own so I found your video to find and get a different approach, and i got very surprised about how clean and scalable your implementation was. Thanks for this useful resource Mohamad! I hope you can make new series about Dotnet!

Great tutorial! Finally, I was able to understand this topic. Thank you, Mohammed! ❤

God's blessing will upon on you sir. Thank you so much.

Great, right now I am struggling to learn this topic, your tutorial comes at the right time! Thank you!

Mohamed you are such a hero,
I'm a top fan of you and your work,
keep it up man ❤

Ma'Shaa'Allah. Keep up the good work.❤

You don’t talk about authentication schemes and challenges… This is really critical aspect many people get confused with

Great video. Thank you for the detailed explanation.

Just found you on youtube as I'm building a boilerplate API for Xamarin/MAUI and refreshing my knowledge - great resources man.

You’re the man Mohamad. Thanks for making these videos

Thank you so much Mohamad for your time and effort, it is really appreciated
Wish you all the best.

Jazak Allah Khairan

Thank you so much.. your videos are clear and understandable... this is the right place I have to learn more things...

thanks my brother very well done so organized and pro written program thank u soo much this work inspired me ! god bless u

Good explination!!!. You have a typo in your slides Authorisation => Authorization

جزاك الله خير شرح جميل

جزاك الله خيرا

awsome tutorial man...had lots of problem implementing jwt but after watching this..i was able without struggling..Thanks a lot for this tutorial

Great job bro, keep it up. I was wondering if you could share the source code with us.

thank you so much!

Nice video Mohamad! Great work!

Very good tutorial, you explained it clearly! I would appreciate a deeper dive into policies if its possible. Thanks in advance!

Great Mohammed, thank u

Good explanation, thanks a lot 💪

Very nice. Thank you very much for the videos :)

keep it up ur the best😁

Yes, could you please make more policy like the one in the slides at the beginning of this EP.
For example there is a product and assign permissions like view edit create delete the normal CRUD
and assign these permissions to the role, That will be highly appreciated.
Thank you very much.

Brilliant!

Thank you so much

Awesome video.

There is one thing that does not work for me. You set 30 seconds for the jwt token. If I use the GET request, the token does not expires after 30 seconds, I tried to wait f.e. 2 minutes and I could still use the same jwt token for the GET request. Only after 5 minutes the request got denied. Did I understood something wrong or why is the jwt token havior different?

Please can you provide us the source code?

Great video Brother

I didn't get how to set the policy. I did all as author showed on a video and authorization scheme by role works for me , but when I add policy authorization , then I added claims for user and an attempt to call a method witch protected by policy it returns 403 error forbidden. Also I checked my JWT token and it had necessary roles and policy. Has anyone had the same problem and how to solve it?

Right: grants access to a feature e.g. edit invoice; Role: defined group of rights, a user can be assigne to 0..N roles. Rights resolve from role membership, e.g. roles are Administrator, Normal User, Backup Operator, note: very similar to user groups, roles are typically manually assigned by an Administrator / claims: defined properties like First Name, Department, Country, rights are derived by user depending on values of claim, e.g. user with cost center = 4711 are allowed to accept bills for that cost center. if the users claim changes the access right change automatically. If you do a step by step vidoe you can't leave out the stepp of adding authorization. there are also several errors in logging.

Sir please make video on claims in detail and also add functionality of add rang claims

Hi there, thanks for the video, it was an amazing explanation, but it seems the project is no longer in your repo. Where can I find it?

thanks that was helpful

Great video !!!

Thank you so much, great content! One question: can one use the same approach (e.g. `[Authorize]` attribute) on GRPC endpoints instead of REST endpoints?

If someone got my token and edit expireday then the back end will validate and know it is invalid token right?
Another case is what if someone copy my token and use it?

hi i can't find the v8 repository in your git hub

very good

The claims sounds like models I am confused with that but I am at 11:49 I will keep watching this video lol

Can you please check the starting of the starting project. Currently it's not available.

What happens if the user edits the jwt token and adds a claim he needs for malicious activity ?

One thing - in GenerateJwtToken you already have logic for RefreshTokens which come in Episode 4 of your tutorial? This may confuse some ppl as in Episode 2 it returns string, and here it's Task and the method is async. Because the method is not async in Episode 2, my IDE returned error when I wanted to await GetAllValidClaims, as the parent method is not yet async as per episode 2.

the git repo is not available!?

i don't find the github repo you mentioned

I do not find this repository in your GitHub account

Hi Mohammad
I can't seem to find the link to the tutorial for the starting project.
I would like to see how you implemented the user management + db migrations etc.
Thanks

Thank You for your effort ,
in my mvc app alwayes give me Unauthorized 401 after Applying the roles and claims
can anyone help me

The github no longer contains the code examples?

Hello, Github link is not found :(

Hi moha, nice work and great explained as usual, yet i have a question:
How we could make a dynamic policy? i meant if the app super admin needs to create dynamic policies
Thanks man

@
Mohamad Lawand :Awesome. Can we have more indepth on policies, also can the identity manager be provisioned using SCIM?

You mentioned a link to an initial starting project that would be in the video and comments, but I cannot find it in either.

thanks to your great course ,how should we store jwt token in secure way ?
i undrestand that local storage and cookies are unsafe to store tokens? so what is the best way?

Souce Code is not aviable in github(

The code is no longer available in your Git

Dear Mohamad, could you upload github the same this project also with sql server when you have time? Thank you..

Impossible see the video in cell phone

The final version of the code lacks the disabling of checking whether the token has expired when it is refreshed. If anyone has a problem with this, just change the line
"var tokenInVerification = jwtTokenHandler.ValidateToken(tokenRequest.Token, _tokenValidationParams, out var validatedToken)"
|
|
V
at
|
|
V
"_tokenValidationParams.ValidateLifetime = false;
var tokenInVerification = jwtTokenHandler.ValidateToken(tokenRequest.Token, _tokenValidationParams, out var validatedToken).
_tokenValidationParams.ValidateLifetime = true;
"

thanks very much