Love the whiteboard presentations Nick, really helpful and well explained.
Very clear and concise explanation, Thanks Nick, keep up the good work !
I liked the whiteboard, thank u for the explanation of this concept. Very clear and simple. Also, very helpful to complement the tutorial series. Thanks a lot.
Clear explanation and presentation, thank you
Very clear explanation. I really love your work. Thank you Nick.
5:10 Since the header is in clear text, an attacker can change the header to forge a token. A malicious user may replace the hash key, inject a key and change the alg; even "none" is a valid alg, which completely bypasses the validation.
Please do not trust the header; instead rely on the hash key used during creation of the token.
No one said to trust the header. I said check against the hash, which is the last part of the token.
@@nickchapsas yes, however my point is that the hash function and hash key can be replaced to bypass validation.
@@twiksify They can, but they are part of the hash itself, so if you change them then the hash that you produce during token validation won't match the hash in the token.
@@nickchapsas There are several headers to change the hash key (kid, x5c, x5u) to make validation pass against an injected secret. The header alg can also be misused to make a public key act as a symmetric key; this is only applicable if the server is configured to use a cert, however.
@@twiksify Sorry, I think you don't quite understand how JWTs and the validation against them work.
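The disagreement above comes down to one implementation detail: whether the verifier lets the token's own header pick the algorithm and key, or whether those are fixed by server configuration and the header is merely checked against them. The following is an added example written for this page, not code from the video or from anyone in the thread. It uses a constructed HS256 secret and implements JWT encoding with only the standard library, so it runs offline. It shows a legitimate token, an alg=none forgery and a kid-style key injection (attacker re-signs with a key of their choosing) against two verifiers: one that trusts the header and one that pins the algorithm and key.

```python
import base64
import hashlib
import hmac
import json

# Constructed HS256 secret for this example only (assumption, not a real key).
SERVER_SECRET = b"example-only-secret-not-for-production"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_segment(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def sign_with_header(header: dict, payload: dict, secret: bytes) -> str:
    """Generic HS256 signer; the signature covers header and payload together."""
    signing_input = encode_segment(header) + "." + encode_segment(payload)
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def sign_hs256(payload: dict, secret: bytes) -> str:
    """What the server issues: a fixed header and the server's own secret."""
    return sign_with_header({"alg": "HS256", "typ": "JWT"}, payload, secret)


def verify_trusting_header(token: str, secret: bytes) -> dict:
    """Vulnerable verifier: the header chooses the algorithm, including 'none'."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") == "none":
        return json.loads(b64url_decode(payload_b64))  # no signature check at all
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def verify_pinned(token: str, secret: bytes) -> dict:
    """Hardened verifier: algorithm and key come from server config, never from the header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    # kid / jku / x5u / x5c in the header are deliberately ignored: the key is ours.
    signing_input = (header_b64 + "." + payload_b64).encode()
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def forge_alg_none(token: str, new_claims: dict) -> str:
    """Attacker rewrites the header to alg=none, edits the payload, drops the signature."""
    _, payload_b64, _ = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload.update(new_claims)
    return encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(payload) + "."


def demo() -> dict:
    legit = sign_hs256({"sub": "alice", "admin": False}, SERVER_SECRET)
    forged = forge_alg_none(legit, {"admin": True})
    # Attacker signs with their own key and points kid at it, hoping the server looks it up.
    injected = sign_with_header({"alg": "HS256", "kid": "attacker-key"},
                                {"sub": "alice", "admin": True}, b"attacker-chosen-secret")
    result = {
        "legit_pinned_admin": verify_pinned(legit, SERVER_SECRET)["admin"],
        "forged_trusting_admin": verify_trusting_header(forged, SERVER_SECRET)["admin"],
    }
    for name, tok in (("forged_pinned_rejected", forged), ("kid_injection_rejected", injected)):
        try:
            verify_pinned(tok, SERVER_SECRET)
            result[name] = False
        except ValueError:
            result[name] = True
    return result


if __name__ == "__main__":
    print(demo())
```

The point both sides of the thread are circling: the signature does cover the header, so editing the header invalidates a correctly checked signature, but that only helps if the verifier decides the algorithm and key itself. A verifier that reads alg from the header, or fetches a key named by kid/jku/x5u without restricting where it may come from, has handed that decision to the attacker. Real libraries expose this as an allow-list of algorithms and a fixed key (or a key set you control); the pinned verifier above is the minimal form of that.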
Simple and straight to the point, thank you.
Thanks for explaining and comparison of jwt and cookie.
Really good explanation on JWTs
That's a really good video. Nice work and keep doing videos!
Nice explanation... Ty
Thank you so much.
Doing a video on an implementation of this would also be great.
It would also be cool to see a video on the use of that AutoMapper tool you've talked about a few times. Learning how to use that would save tons of time. Also, while I'm not sure how popular it would be on YouTube, showing some unit testing, especially of your posts service, would be a great help. Unit testing Entity Framework is annoying.
He has one! ruclips.net/video/M6AkbBaDGJE/видео.html
please make a video on identity server
Great explanation!
Great video !
Good Video, Thank you
Hi, Nick, thanks for the video.
I have a question:
With JWT, although we don't have to store session/state on each machine, we must store the secret along with a method that checks the token validity on each machine.
Having said that, is JWT better than session/state (for that specific aspect)?
Thanks
Can we have a video on AD authentication in a .NET Core Web API?
Very helpful, can you please share a GitHub link for the source code?
There is no source code for this specific video but I will be releasing the code in the next video which is the implementation video for this concept.
It still doesn't make any sense.
How is it different from sending a password? I mean, if someone hacks my computer and copies the JWT, he/she can access my account on the website?
I meant to say it only solves the problem where we have a cluster, but it doesn't strengthen the authentication.
In one of your replies below, you mentioned that authentication or JWT can be secured using HTTPS.
So I guess JWT + HTTPS is the secure way to go.
Can you explain how it is different than CSRF?
Using a cluster as a reason why JWTs even exist is wrong… Clusters are a very easy way to handle that (shared session storage etc.); this video is misleading a lot of people by explaining a reason for JWT that is not really a good reason. (I'm not going to explain it, but people should look at some resources; one of the main reasons is about distributed systems that cannot always authenticate you against the original system, for instance, or having tickets with only a specific set of claims etc. But load balancing is def. NOT a reason why JWT exists; there are so many ways to handle that, and they were there way before JWT.)
'How to implement Google/Microsoft/Twitter... authentication?'
Great proposal. My next video will be about that. Thanks!
Thanks