ASP.NET Core Web API Authentication and Authorization with JWT (Json Web Token)

  • Published: 27 Dec 2024

Comments • 248

  • @justraccoon3047 2 years ago +5

    Omg Bro, you're incredible. I tried to add this functionality for a very long time and nothing ended with success. But your video solved my problem just in 30 minutes. And one more thing, your English is very understandable for non-native speakers. Thank you a lot!

    • @CodeWithJulian 2 years ago +1

      Thanks, really appreciate your feedback, happy it's been useful!

  • @hello-matthew 3 years ago +19

    Thank you - this was perfect! I liked the fast pace and length of the tutorial. Your tutorial is uncluttered, clear, and to the point. Keep making more!

  • @monaziralam1862 10 months ago +1

    Clear, crisp and quality teaching by saving the time too, great man!

  • @okeluelazarus7062 11 months ago +2

    Bro this tutorial just saved me today, thanks so much, your calmness and pace of everything in the way you teach is excellent please keep it up

  • @rajkumararora7366 9 months ago

    Complex matters explained with simplicity. Thank you for sharing your great work!

  • @programmingcake8910 3 years ago +2

    This is the best tutorial on JWT Authentication and Authorization I've ever seen so far, Thank you so much for your efforts.

  • @zahiyoussef2551 9 months ago

    the best on youtube that explains it, the examples of success and failings help a lot, keep it up sir

  • @bloggrammer 3 years ago +3

    Great video, @Code with Julian. Well done.
    In the Authenticate method in the LoginController class, there's no need to check for null. The Linq FirstOrDefault(...) will return null if the user with the conditions is not found, otherwise, it will return a user model.
    Thank you for the video.

  • @mrg4545 3 years ago

    It's the subject I've been looking for for a long time and the best resource I've found. Thanks...

  • @JollyGiant19 11 months ago +1

    This is very well done, thank you so much for making this!

  • @owso_ 2 years ago +1

    Hi Julian, nice one. Love this tutorial. But please you said at 15:06 that this isn't a proper authentication and we shouldn't do it in production, so what do you suggest or would say is a proper authentication. Would you mind doing a video on that? So we learn the proper way too. Or do you say so because you used Constants instead of an actual database? Thanks

    • @topeoluwaseun4920 2 years ago +1

      He meant that your users list should not be hard-coded in the system as was done in this tutorial.

  • @bongoSLAP1 2 years ago +7

    If you are using .NET 6, add this to your program.cs file

    using System.Text;
    using Microsoft.AspNetCore.Authentication.JwtBearer;
    using Microsoft.IdentityModel.Tokens;

    // Register JWT bearer authentication as the default scheme
    builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
        .AddJwtBearer(options =>
        {
            options.TokenValidationParameters = new TokenValidationParameters
            {
                // Check issuer, audience, lifetime and signature on every token
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateLifetime = true,
                ValidateIssuerSigningKey = true,
                // Expected values and the signing key come from configuration
                ValidIssuer = builder.Configuration["Jwt:Issuer"],
                ValidAudience = builder.Configuration["Jwt:Audience"],
                IssuerSigningKey = new SymmetricSecurityKey(
                    Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"])
                )
            };
        });
    var app = builder.Build();
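
With `ValidateLifetime = true` as in the comment above, `TokenValidationParameters.ClockSkew` still defaults to five minutes, so a token keeps validating for that long after its expiry time. The following is an added example, not code from the video or its repository: it validates a constructed token that expired two minutes ago, first with the default skew and then with `ClockSkew = TimeSpan.Zero`. The issuer, audience and key values are made up, and it assumes a .NET 6+ console project with the System.IdentityModel.Tokens.Jwt NuGet package.

```csharp
// Added example: needs the System.IdentityModel.Tokens.Jwt NuGet package.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

// Constructed sample values standing in for Jwt:Issuer, Jwt:Audience and Jwt:Key.
const string Issuer = "https://issuer.example";
const string Audience = "https://audience.example";
var key = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes("constructed-demo-key-at-least-32-bytes-long!"));

var now = DateTime.UtcNow;
// A 15-minute token issued just now.
string fresh = Issue(now, now.AddMinutes(15));
// A 15-minute token whose lifetime ended two minutes ago.
string stale = Issue(now.AddMinutes(-17), now.AddMinutes(-2));

Console.WriteLine("fresh, default ClockSkew: " + Check(fresh, Parameters(null)));
Console.WriteLine("stale, default ClockSkew: " + Check(stale, Parameters(null)));
Console.WriteLine("stale, ClockSkew = zero : " + Check(stale, Parameters(TimeSpan.Zero)));

// Signs an HS256 token with the given validity window and a role claim.
string Issue(DateTime notBefore, DateTime expires)
{
    var token = new JwtSecurityToken(
        issuer: Issuer,
        audience: Audience,
        claims: new[]
        {
            new Claim(ClaimTypes.NameIdentifier, "demo_admin"), // constructed user
            new Claim(ClaimTypes.Role, "Administrator"),
        },
        notBefore: notBefore,
        expires: expires,
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(token);
}

// Same checks as the comment's configuration; clockSkew == null keeps the library default.
TokenValidationParameters Parameters(TimeSpan? clockSkew)
{
    var parameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = key,
    };
    if (clockSkew.HasValue)
    {
        parameters.ClockSkew = clockSkew.Value;
    }
    return parameters;
}

// Runs the handler's validation and reports the outcome instead of throwing.
string Check(string jwt, TokenValidationParameters parameters)
{
    try
    {
        new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
        return "accepted";
    }
    catch (SecurityTokenException ex)
    {
        return "rejected (" + ex.GetType().Name + ")";
    }
}
```

The stale token is accepted under the default skew and rejected once the skew is zero, which matters when the token lifetime is the only bound on how long removed access keeps working.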

  • @CAPS_AMERICA 2 years ago +9

    Your tutorial is amazing, very much what I was looking for to create a production-level API with authentication, you explained stuff clearly, very detailed and well-explained and code is easy to follow without complexity and unnecessary filler codes that can be used as a template in corporate APIs. I've had paid subscriptions on Pluralsight and LinkedIn Learning, but the way you teach and this example topples most of the ones I've seen in those paid online courses where all they've done is pad their tutorials with unnecessary junk of codes to make it longer but pretty difficult to implement! I've subscribed and will definitely watch all your videos, thanks and keep it up!

    • @CodeWithJulian 2 years ago +5

      Hey Brad! First of all, thank you very much for your kind words. I wish you guys would feel the same way I feel when you leave these nice comments. It truly brings joy and motivation to keep going!
      Secondly, I'm happy that you've found this tutorial valuable, I try to cut the fluff as much as possible, without compromising on essential details on the subject.
      Thank you again for your comment and I hope you have a great day!

  • @SeleDreams 1 year ago

    do you have any plans to make a version of this tutorial for blazor server ? because blazor server uses a different workflow from controllers

  • @sinan-hoca 2 years ago

    I was looking for this for a long time. Watched tons of garbage. Finally I've found the exact video I was looking for. Every single thing I need is in the video. Thanks for sharing this useful tutorial.

    • @CodeWithJulian 2 years ago

      Thanks for your feedback! I'm glad the tutorial was helpful to you.

  • @JoeScottish 1 year ago

    Thanks..... I've now created my first Web API thanks to you

  • @insane101gaming7 2 years ago +1

    Thank you for the simple and effective explanation. I was really stuck on how to decode jwt token to get user details, and didn't get any perfect solution for this problem. But you did a great job at this.

    • @CodeWithJulian 2 years ago

      Glad the tutorial has been helpful to you! Thanks for sharing that!

  • @ertan952 3 years ago +13

    there is very important point for UseAuthentication method call. The calling order should be like that for net5 and upper versions,
    app.UseAuthentication();
    app.UseRouting();
    app.UseAuthorization();
    Otherwise you will continue to get 401 error due to middleware execution order.

    • @kimjoshuaespanol 2 years ago

      Thank you so much for this help !

    • @PrathikaSuvarna 1 year ago

      Thank you so much for this comment

    • @divyanshukumar5004 1 year ago

      thanks a lot man. I was facing the 401 issue and I really worked so hard to fix it but I was unable to fix it. So lastly I start reading the comments and found urs. Thanks a lot 🎉

    • @IlyaArlenka 11 months ago

      Thank you so much!

  • @sebastiantenorio8602 3 years ago +2

    Great Tutorial, you should post one where you refresh the tokens.

  • @kareempr007 1 year ago

    Thanks a lot the way of your teaching is so clear and straightforward.

  • @muhammadhydaque2976 1 year ago

    Just passed by that one and it was so straight-forward for me. Keep it up and thank you for such an awesome content

  • @anurag0304 1 year ago +1

    short, to the point, and a nice tutorial. Kudos to Jason and Elysse

  • @mohammedbenlaiter2046 7 months ago

    you saved my graduate project
    thank u

  • @kaiomaciel8916 2 years ago

    that was awesome, Julian! You remind me of the dude from Silicon Valley TV Show xd. I rly appreciate for the video's content.

    • @CodeWithJulian 2 years ago +1

      Haha beautiful, thanks! Glad the tutorial was useful!

  • @kamiladewale5426 3 years ago

    Thanks so much Julian for making me understand this easily. Subscribed and will keep following updates here.

  • @sidraidrees7282 1 year ago

    any idea, why I am getting below error when I try to access API having [Authorization]?
    System.InvalidOperationException: No authenticationScheme was specified, and there was no DefaultChallengeScheme found. The default schemes can be set using either AddAuthentication(string defaultScheme) or AddAuthentication(Action configureOptions).

  • @syedalirizvi6162 1 year ago

    Brilliant Explanation you made this topic so simple by your explanation

  • @dotnetfullstack3217 2 years ago

    Best Video to learn about JWT Token Authentication and Authorisation
    1. Simple explanation
    2. Clear command over topic
    3. step by step by explanation
    4. Working code link

    • @CodeWithJulian 2 years ago

      Thanks for your feedback, much appreciated!

  • @RodneyEllisAU 2 years ago

    this is one of the best tech videos i've watched for a long time!

    • @CodeWithJulian 2 years ago +1

      Thank you for your feedback! I'm happy it's been useful to you!

  • @raggardy 2 years ago

    Fantastic explanation Julian. Subscribed. Nice one, mate

    • @CodeWithJulian 2 years ago

      Thanks for feedback! Happy it's been helpful!

  • @IbridgeDev 1 year ago

    Simple and Neat explanation, Great Job

  • @jeff_9074 8 months ago

    I created an asp.net core mvc web application for individual accounts. I abstracted out EF core, and have all the authorization/2FA, pw reset, email authorization, account lockout... etc, handling in place. I eventually would like to create a mobile application to go with it. I planned on having the user use the website for setting up/editing their account personal details, and password changes/reset. I figure right now is a good place to create the Web API and start configuring now common data access/changes the web app and mobile application will use. What is the best way to approach this, and leave the current authorization/authentication in place for the web application, but have it also authenticate to the web api? Thank you!

  • @ftbl4377 4 months ago

    Bro i have a doubt.. You have declared Role in the models and you call Roles in the api end point how it's gonna work i didn't get that

  • @gayanath009 1 year ago

    Amazing work. Thanks for the great explanation. May all your work success and shine bright..

  • @moralstories8134 2 years ago

    Thank you so much …this tutorial helped me in my interview …

    • @CodeWithJulian 2 years ago +1

      That's wonderful news! Hope you got the job 🥳

  • @phongnguyenphamthanh3106 8 months ago

    I did exactly like you, not missing even a single syntax but keep receiving the "missing of Kid" which is KeyId. Can you help?

  • @fieryscorpion 3 years ago +1

    Any reason why you didn’t choose .NET 6 since that’s already released and has so much of performance improvements?

  • @ROLOGamingOfficial 1 year ago

    Can you authorize controllers instead of doing one end point at the time for admins/other-users?

  • @ariefmuizzuddin1165 1 year ago

    hi, i have a question. can i use jwt as authentication, then i have 2 client which is web and mobile apps. so when user log in in web it will get access token for that web client, and when the same user log in into mobile apps it will get access token for that app client. therefore if 1 of the client is logged out by the user, the other client shouldn't log out. just want to know is this still correct practice. because i have confused with identityserver, OAuth 2.0

  • @rondolfopresilla6876 2 years ago

    Best tutorial on the subject, thank you bro

  • @RajVadla 1 year ago

    Hey, Can you please help with encrypting and decrypting the JWT? It doesn't seem to work in dotnet.

  • @Harsh-Deshmukh 1 year ago

    Short and to the point, Thanks Julian. I have 1 doubt .what is the significance of creating new instance of UserModel in getCurrentUser method in UserController?

  • @AjithChanaka 2 years ago

    Thanks, it is a clear teaching.

  • @mathewstarr8501 3 years ago

    This video was very helpful, thanks for this. Please continue to create more content.

  • @sebastianlopez5979 2 years ago

    This is a great tutorial. Clear explanation and good examples. Thank you very much.

    • @CodeWithJulian 2 years ago +1

      Thanks Sebastian! Happy it's been helpful!

  • @javierpetrozzi 1 year ago

    Thanks Julian, you're very clear and the video is very useful.

  • @sethisaacks8683 2 years ago

    I have a couple questions, first though, great video!!
    1. You stated that your user authentication....where you compare the login and password is not correct? What was wrong with that?
    2. In the JsonSettings you had two URLs you pasted in, Issuer and Audience, if my api is hosted on say Azure, do I use the web api url for both?
    3. My app will mainly be used off line. The backend is murely sure syncing...when the user has service....I have been leaning towards just basic authentication. This app doesn't really house any PII information. I am confused how the token would be used for offline?

    • @CodeWithJulian 2 years ago

      Hi thanks for your feedback and questions:
      1. That was a mock authentication process for the simplicity reasons. In reality, you'd integrate ASP.NET Identity or a related framework to authenticate the user for you. Here's how you could do it 👉 ruclips.net/video/5UfJeDcoC1k/видео.html
      2. I will probably make a separate video on deploying such an application to Azure in the future.
      3. I'm not familiar with the requirements of your application, but from what you've said, if you don't wish to store user data yourself but still require authentication, you'll need to integrate with a 3rd-party tool, i.e: Okta, Google.

  • @pallyweb 3 years ago

    Simply Awesome. Thanks for creating awesome tutorial. Keep great work up.

  • @albertovelasco495 3 years ago

    Thank you, Julian, very easy to understand.

  • @anupkumar601 2 years ago

    Very clear and easy to understand ..Thanks

    • @CodeWithJulian 2 years ago

      You're welcome, thanks for the feedback!

  • @trilokpandey2156 1 year ago

    Nice, you explained necessary code

  • @vipulshrivastava1069 8 months ago

    Valuable lesson. Thanks Julian.

  • @dasmaffin1633 1 year ago

    Does this also work when my project type is Web Api and not web application?

  • @arjunm.r8641 2 years ago

    @Code With Julian Thanks for the video. This tutorial gave me an idea about JWT tokens implementation

  • @k.eshwanth7752 2 years ago

    Everything in one go, Thanks for the video.

    • @CodeWithJulian 2 years ago

      Thanks for the feedback, glad it was helpful!

  • @theweasel7905 8 months ago

    Thank you for the great tutorial!

  • @blagovestkolev7716 2 years ago

    It's nice tutorial ! Not too long, but very useful ! Thanks. Subscribed.

    • @CodeWithJulian 2 years ago

      Thanks for the feedback, much appreciated!

  • @prathameshshende4 2 years ago

    where to provide jwt token into code after generate? I seen you do this in postman.

  • @malikbrahimi7504 1 year ago

    What's the difference between using this and identityuser from identity package?

  • @Allyourneedsmet 1 year ago

    Please for the love of all things good, where can I find the article on this within the microsoft authentication. I would like to read on it for indepth details

  • @Cdoney88 2 years ago

    when i post the api/login . service always return "not found " error . why?
    I'm using .NET 6 .

    • @CodeWithJulian 2 years ago

      Hi, there could be many reasons for this. Ensure the port number is correct. Also, ensure the method is set to POST. Hope this helps!

  • @ahmedsaeed5149 2 years ago

    Thank you so much for your excellent tutorial 🖐😄

  • @nginakilonzo6929 1 year ago

    You are so awesome. Thank you! This has been so helpful

  • @deepanshukumar3943 2 years ago

    Awesome Awesome just awesome... Amazing video

  • @xSal2oHD 2 years ago +1

    Perfect explanation , straight to the point ! Thank you

  • @ryandriesatria 2 years ago

    This is a great video! One thing i want to ask. When you have multiple controllers and you want to get the authenticate user from getCurrentUser method. Where is the best practice to put getCurrentUser method? Do i need to build a repository/service for that and inject it to every controller that will need authentication/authorization? thanks

    • @CodeWithJulian 2 years ago +1

      Yes you could store it in a separate service that's accessible from all your controllers, then, as you say, inject it if/where you need it.

  • @hieu_nguyen_20 1 year ago

    Where can i get JWT key value in appsetting.json ?

  • @cissemy 3 years ago

    Great
    I see you added api controller to razor page project.
    How can I make use of the 2 controllers in the razor pages ?

  • @yogitarameshgate3930 2 years ago

    Worked perfectly! some detailed explanation about JWT settings might have helped more in understanding internals

    • @CodeWithJulian 2 years ago +2

      Great to hear! More JWT videos to come!

  • @michaelacevedo172 2 years ago

    great Tutorial is just that i need, please have a question how pass this authorization in a method of mvc, i tell you i put the [Authorize] in one method but although im authenticated the response is unauthorized please and thanks for your time

  • @diyahabdo 7 months ago

    That was so helpful ,Thank you so much .

  • @kurtmullner3488 2 years ago

    Perfect, I will use it for my apprentices. Thanks a lot!

  • @meetsoni1938 5 months ago

    Thank you so much, it helped me a lot

  • @ak_spotlight 3 years ago

    Excellent Sir
    doubts are cleared now

    • @ak_spotlight 3 years ago

      @@CodeWithJulian kindly also share about real world Example for .Net core Api

  • @zoal 2 years ago

    This was exactly what I needed. Great job. Look forward to more.

    • @CodeWithJulian 2 years ago

      Thanks for the feedback! More to come shortly!

  • @ramiroalegre8183 2 years ago

    Excellent tutorial !!!, my english is basic and i use the automatic provide for youtube translator in spanish and is a really nice, this is because u audio is so good. Thanks :)!

    • @ramiroalegre8183 2 years ago

      Also because the code is understood regardless of the language in which you speak

  • @dogukanciftci8532 2 years ago

    Hi. I use .Net 6 version and there is no Startup.cs file. Can anyone help me What should i do?

    • @CodeWithJulian 2 years ago

      Hi, please check out my .NET 6 tutorials. I show how to register services and add Authentication and Authorization to the pipeline.

  • @taduribhargavi4112 11 months ago

    Amazing Tutorial

  • @hulkhogan7872 2 years ago

    This was amazing, I just have one question
    If this needs to be done on a prod environment would the issuer and audience change in the appsettings.Production.json file that we would create?

    • @CodeWithJulian 2 years ago

      Hi there, thanks for the feedback, appreciate it! Yes, the appsettings props values will need changing depending on the environment they're deployed to. Hope this helps!

  • @emptycode1782 3 months ago

    Great content.
    I wonder how did you learn these , maybe im blind but I couldn't find any document for jwt in Microsoft website.

  • @sustainedcruelty 3 years ago

    Thanks a lot for making this, it really helped me out!

  • @khubaibirfan9215 1 year ago

    What if i am used to asp net core project not api?

  • @kamranellahi3517 3 years ago

    You are doing great work
    Keep the good work goin brother

  • @ivandrofly 2 years ago

    Why are you using symmetric key instead of asymmetric

  • @laxregula9007 2 years ago

    Great tutorial. Loved it!

  • @_buffer 2 years ago +2

    Well done! Super clear and to the point! Would you reckon it's a good idea to fetch the data from the Database based on the Username that's passed in with the claims when hitting "AdminsEndpoint"? For instance, let's say someone logged in, was assigned the JWT, and then tried to access their profile settings by entering the endpoint "MyProfile". Would this be a valid way of making sure that it's only accessing it's own page?

    • @CodeWithJulian 2 years ago +1

      Hi Payload thanks for the feedback, great channel by the way! This tutorial was to demonstrate how a JWT is generated and composed of, and how to create endpoints that are designated for specific security roles. In an enterprise application I would only pass in the user Id to the _MyProfile_ endpoint. The asp.net core role-based authorization will take care of granting/denying access to that endpoint (based on the JWT stored). Finally, if the user is granted access to that endpoint, they will only ever receive the profile data associated with their user id. Hope this helps!

    • @ruadeil_zabelin 2 years ago

      @@CodeWithJulian Doesn't that mean that if I take away access, it takes up to 15 minutes for it to apply (or whatever the timeout is set to); since technically the jwt token is still valid and this isn't really being checked every request? Seems a bit risky to me?

    • @CodeWithJulian 2 years ago +1

      ​@@ruadeil_zabelin The general consensus is that is best practice to set the expiration time to 15 minutes tops. Feel free to lower that limit depending on the case. Hope this helps!

  • @ashutoshsingh5568 3 years ago +1

    Hey Julian, thanks for this informative video. I appreciate your efforts to make this useful content. I liked how you explained all about JWT & authentication in steps.
    Thanks and keep sharing.
    Edit: I subscribed the channel. 😊

  • @florinbadescu4010 2 years ago

    Hi Julian , I have my API hosted by Azure , in the appsettings.json , what should I type in for Issuer and Audience ? thx

  • @tiagobiker 2 years ago

    Excellent tutorial, very precise. Thanks !

  • @BrandonLackey 3 years ago

    Thank you. This was super helpful!

  • @ДмитрийСенько-с1у 2 years ago

    man, you are awesome. Thank you very much for this video. You are a hero that saved me a lot of time!

    • @CodeWithJulian 2 years ago

      Glad I could help, thanks for the feedback!

  • @SOduorCsharpSoftwareEngineer 6 months ago

    you are amazing can you do a video on sending requests from a client react app side to the api, i would like to see how it works with jwt, am interested in the logic. Otherwise your tutorial is the best on jwt

  • @zhangrui2664 3 years ago

    Your video is very very useful , Thank you!

  • @argniests5357 3 years ago

    Thanks for the video. Good stuff!

  • @ch1995 2 years ago

    if you use httpcontext across api requests, then is that still stateless?

    • @CodeWithJulian 2 years ago

      It depends on how you use it, but yes, it is stateless.

  • @alishady87 2 years ago

    Does this also work with .Net 6 ??

  • @maddwarf7976 2 years ago

    Hello,
    thanks for the great video, it really helped me to start.
    But I have one question left. Is there a working way to map the token to the identity on the frontend side?
    currently it always says not authenticated and all my tries to change this have failed.

    • @CodeWithJulian 2 years ago

      Thanks for feedback, glad it was helpful!
      You'll need to store the JWT as a cookie when you log in and right after generating the token. This way, the token can be accessed by the middleware. Just googling _storing JWT asp net_ should prompt you to the right place. Hope this helps!

  • @JAH7070 2 years ago

    thank you so much for this tutorial!!

    • @CodeWithJulian 2 years ago

      You're welcome, happy it's been helpful!

  • @mesutdemirci7933 2 years ago

    Thank you - this was perfect!