ASP.NET Core Authentication with JWT (JSON Web Token)
- added 27. 07. 2024
- Authentication is the process that identifies who the user is. Authorization, on the other hand, is the process of determining what a user is allowed to do. For authorization to work, the user must be authenticated first: we need the user's identity to determine the user's role and act accordingly.
The authentication middleware is responsible for authentication in ASP.NET Core applications. It uses the registered authentication handlers to authenticate a user. The registered handlers together with their associated configurations are called schemes.
In ASP.NET Core, the authentication middleware is added in the Startup class, inside the Configure method, by calling the UseAuthentication method on the IApplicationBuilder instance passed to that method.
Authentication schemes are registered in the Startup class inside the ConfigureServices method, by calling the AddAuthentication method on the IServiceCollection instance passed to that method. We can register multiple authentication schemes, but only one of them is the default scheme.
What is JWT
JWT stands for JSON Web Token. A JWT is a JSON-based access token that carries claims. It is a compact, self-contained standard for access tokens that transfer claims in a verifiable way.
For our project, we will use JWT. A JWT can be signed with different algorithms; we will use the HS256 algorithm (HMAC with SHA-256) for this project.
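The wiring described above, as an added example that is not the video's own code: the Startup class registers the JWT bearer scheme in ConfigureServices, adds the middleware in Configure, and issues an HS256-signed token for an already verified user. The key, issuer and audience values are placeholders, and the token endpoint that calls IssueToken is assumed to exist.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;
public class Startup
{
    // Placeholders: load these from configuration or a secret store in a real app, never hard-code them.
    private const string Key = "PLACEHOLDER-replace-with-a-random-secret-of-at-least-32-bytes";
    private const string Issuer = "https://auth.example.test";
    private const string Audience = "demo-api";
    public void ConfigureServices(IServiceCollection services)
    {
        var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Key));
        // Register the JWT bearer handler as the default authentication scheme.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = signingKey,
                    ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // accept HS256 only
                    ValidateIssuer = true, ValidIssuer = Issuer,
                    ValidateAudience = true, ValidAudience = Audience,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.Zero // default skew tolerance is 5 minutes
                };
            });
        services.AddControllers();
    }
    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
    // Issues an HS256-signed token for a user whose credentials were already verified.
    public static string IssueToken(string userName, TimeSpan lifetime)
    {
        var creds = new SigningCredentials(
            new SymmetricSecurityKey(Encoding.UTF8.GetBytes(Key)), SecurityAlgorithms.HmacSha256);
        var token = new JwtSecurityToken(issuer: Issuer, audience: Audience,
            claims: new[] { new Claim(ClaimTypes.Name, userName),
                            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString()) },
            expires: DateTime.UtcNow.Add(lifetime), signingCredentials: creds);
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}
```

Pinning ValidAlgorithms and setting ClockSkew to zero are stricter than the library defaults; with the default five-minute skew a token that expires after one minute is still accepted for several minutes afterwards.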
Blog: dotnetcorecentral.com/blog/au... - Science & Technology
That's how a tutorial should look! Straight to the point with a working example. Love it! 😎🤩
Thanks!
Easy and great setup of how to add authorization to a web application. Well done!
@Francois Smit, thanks for watching!
This worked like a charm. Exactly what I was looking for..., Confused with various online material, but this was most clear of all of them...
@Ra m, thanks for watching the video, and glad this video helped you!
Great tutorial, easy to follow and understand. Thanks a lot!
@gh057k33p3r, thanks for watching the video!
Thank you for this very helpful video and sharing your knowledge! Subscribed!
@Rehan Alibux, thanks for watching the video and subscribing to my channel!
Dude!! Thx for the video! It really helped me out. Right now I'm just reading your blog to understand the whole code better.
@Carlos Daza, thanks!
Amazing video thank you! So clear and concise!
@Brett Gregory, thanks for watching!
Add my voice to the chorus. Insanely helpful and well-done video, thank you.
Thanks!
This is the most simple way of doing JWT , thanks so much
@junaid m, thanks for watching!
Excellent video brother.. I have been looking for this.. Thank you so much 🙏🙌👏👏
@Praveen Kumar, thanks for watching!
Thank you so much for taking the time to make this video and share your knowledge! Excellent. Subscribed :)
@Monica S, thanks for watching!
Very quality content. It really helped me to understand this important theme! :)
@Eva Apperson, thanks for watching!
Thank you for this helpful video. Keep doing the good work.
@Hinda Chokri, thanks for watching and taking the time to provide a comment!
Awesome way of teaching. And working with a real scenario.
@Avtar Sashia, thanks for watching!
Awesome explanation, easy to understand
Great video. Truly helped me out!
Why wasn't I able to find this channel earlier 😭 🤣🤣
I've shared your content with all my colleagues 🙏
@The Red Baron, thanks for watching. I hope everyone you have shared with will find it useful.
Simple and clear example, thank you 👍
Thanks for watching!
Great video. Keep doing the good work
Gautam Saraswat thanks for watching!
Excellent work explaining this!
@Knightmare RIP, thanks for watching!
Thank you! Very helpful tutorial.
@Jeff Breuninger thanks for watching!
Very well explained. Thanks for your effort.
@Sohail Sarwar, thanks for watching!
Thank you Nirjhar. Great explanation. I have implemented it with your example.
@Rahul Sharma, thanks for watching!
Really nice explanation, to the point, and explained every point. Thanks a lot.
A hearty thanks to you for teaching tokenization in a simple way.
@Yashas Gowda, thanks for watching!
Thank you for making it easy understanding.
@Ajith Chanaka, thanks for watching!
Thank you man, that is what I was looking for.
@Marco Taliente, thanks for watching, and glad this video helped you!
Thank you. Great... very neat and clean explanation given by you.
@Pritam Deokule, thanks for watching!
Excellent content.. very straight forward
Thanks!
Thank you very much! very well explained
@Julian GZR, thanks for watching!
Excellent Show, thanks much.
@Stephen Viswaraj, thanks for watching!
God bless you my friend for this video
@DAVID EMMANUEL, thanks for watching!
Very good explanation.
thank you .
Very nicely done. Thank you.
Thanks a lot for such content. I respect and really admire your huge efforts, for such incredible content. God bless mate.
Thanks a ton
Great content 👏👏 , Thank you
Excellent... keep up the good work
@Abc Xyz, thanks for watching!
Thank you so much for this video! it's really helpful..
@sachin deshmukh, thanks for watching!
Very useful information. Thank you sir...
@Vinayak Katti, thanks for watching!
Good and helpful. If you want to add more things, then add authorization with multiple roles and multi-tenant application authentication.
Thanks for the suggestion!
Awesome keep up the good work
@Rahul Mathew, thanks for watching!
Great video, nicely explained
@Shivendra P. Singh, thanks for watching!
Thank you for all of your tutorial
@Monsieur Bobel, thanks for watching!
Nice explanation 👌
@Funny Toddler, thanks!
Thanks, great video
@hdjfgt, thanks for watching!
Love the video. I urge you to create video on OAuth with JWT implementation. Complete details on OAuth.
Thanks, will do!
your tutorial is amazing, the IT community needs more people like you!
however, MICROSOFT SUCKS for implementing a million different classes and ways to implement authentication /authorization classes then those classes get deprecated and then the developer will be scrambling for answers to solutions that new core version/framework is trying to introduce!
For MS, there is no one universal, non-complex, non-confusing way to create a simple web API with basic authentication, it's like each authentication scheme is created by one developer that is trying to out-do the other developer within their team that has implemented a recent class/code! I hope, I really, really hope, that MS should one day be overtaken by another company or that incoming new developers will instead switch to open source and other tech stacks for web api-related stuff!
I will be the first to rejoice if MS files for bankruptcy one day, or gets bought by Apple!
Really helpful !
@Marian Kurtov, thank you for watching!
Thank you this is an awesome video
@Aj Botha, thanks for watching!
this is awesome.. thanks a lot!
@ayush singh, thanks for watching!
really helpful to understand the jwt authentication. please make a video on refresh token also
@Sudip Jash, thanks for watching. I already have a video on refresh token on my channel.
I am a big fan of your videos.
@Ashutosh Mishra, thanks for watching!
Hi, thanks for the tutorial! You keep the content simple and easy, which is great, but for future improvement you could add a real front end: just a login page, 1 or 2 authorized pages and a logout. This way we could see the complete workflow of the JWT and how it is stored across page transitions.
Pedro Moura thanks for the suggestions. I’ll definitely work on that. Thanks again for watching the video.
@@DotNetCoreCentral Did you ever make this video?
@@DotNetCoreCentral Did you ever make this video?
@@lengoctuan5217 no, I never got to it.
@@DotNetCoreCentral Thanks brother for the reply. Your video is very helpful.
Excellent video, I have shared with my whole team to watch. Thank you. One question, at 15:56 you add the JwtTokenAuthenticationManager to services with the key, but what if you wanted to pass in the DbContext and also maybe the ILogger so the JwtTokenAuthenticationManager can confirm the credentials against the Db. How do you configure the services for the JwtTokenAuthenticationManager in startup to inject those into the class?
Thank you!
@cezar007dead, thanks for watching!
Thanks . Perfect video
You're welcome!
Great video. I request you to explain the token validation parameters and the significance of the token descriptor class properties, and in which situation which value we should set. It would help greatly if you did a short video on that portion.
@Web Samurai, thanks for watching, I will try to do a video for that.
Thanks....good explanation
@Shsik zuhair, thanks!
Thanks for your video, a Very Good explanation. I have a suggestion. if you can list out all the dependencies that will be great.
@jvv (vvj), thanks for watching and the suggestion!
This is really good. Thanks..
@Bhanushka Ekanayake, thanks for watching!
Thank You!
@John Magnetron, thanks for watching!
Nice and simple video
@Yogesh Tripathi, thanks for watching!
very well explained
Thanks!
Great video brother. If you could explain why we are using each command and its benefits, it would have been really helpful.
@Kishor Kadavil, thanks for watching and great feedback, I will work on this.
Very good video, really helped me
Thanks!
May I know the use of having the AuthenticationManager interface instead of just having a solid Class? thanks
Very good video
@Raj Raj, thanks for watching!
Thanks man.
@Finish The Carrot, thanks for watching the video!
Nice video, but I feel it would have been great for beginners like me if you had spent some time explaining the usage of each line while configuring authentication in the startup and controller class files.
@Kiran BS, thanks for watching, and thanks for your valuable feedback, I will surely keep this in mind.
So satisfying keyboard typing.))))
@Roman Doskoch, thanks!
Awesome !!
@habeeb afvan, thanks!
thank you.
Thank you for your well explained video. If possible, could you please make another video to show, secure an api with azure active directory and consume it from AAD secured react app.
majichayan I’ll definitely try. Thanks for the suggestion and thanks for watching.
Nice!
Can you please provide the second part of this tutorial. It is very nice video. Awesome.
@Nafees Khan, thanks for watching! What are you expecting in the second part?
Hi, I see that the AuthenticationHandler class comes under two namespaces.
- Microsoft.AspNetCore.Authentication
- Microsoft.Owin.Security.Infrastructure
could you please explain what factors decide the namespace I need to use.
@sanjay varma, Microsoft.Owin.Security.Infrastructure is the legacy namespace. If you are using ASP.Net Core 3.1 you should be using Microsoft.AspNetCore.Authentication.
Thank you for the knowledge you shared. What are the headers that I should be using with Postman?
In the header you have to put “bearer token”
thank you very much
@bergurmg, thanks for watching!
Hi thank you for posting this video. I find it very helpful. I have one question regarding the authentication step though. After receiving the token with a valid username + password combination and entering it as Authorization : Bearer[whitespace]token, the Get step still throws a 401 error. Any idea of what may cause this? Thanks!
you can raise the logging level in the config and you can see the exact issue resulting in 401
Guys I am confused here that the implementation of JWT here is working on O Auth 2.0 mechanism or not?
I am able to generate the token. I am also getting the data without authorisation. But when I give the Authorize for the get method I get unauthorised. Could you please help me solve this issue.
Very nice explanation!!! Just one query I have: in simple ASP.NET API we used Owin and OAuth to generate and validate the token, but I didn't see an OAuth implementation in Core. Is there any reason?
OAuth can be implemented by a middleware. I do not see any reason why it cannot be. I will give it a try. I did not have the need yet, hence I did not try it yet. I will post my video after I try it out. Thanks for the question.
@@DotNetCoreCentral Thank you so much.
Thanks for the awesome video. But I have a question. If I need to create a custom Unauthorized return message from any POST or GET API, what should I do?
@Deepjyoty Roy, thanks for watching!
In your scenario, you can remove the Authorize attribute and inside each method check User.Identity.IsAuthenticated, and based on that return Unauthorized with your custom message per method.
In this, the JWT is authorized when sent as a header in the request. May I know how the access token can be validated as part of the query string?
It's a good practice to send the token as part of the header, but nothing stops you from sending the token in the query string; there are use cases like websockets where you might need to pass it in the query string.
How we can achieve same thing in MVC and pass token after authentication?
Hi. Good video. But what is the purpose of audience and issuer?
How would I get user data from the token, such as the username?
Hi, why did you uncheck the "Configure for HTTPS" and check "Docker enabled" option while creating the project? It'll be really helpful info if you tell us.
@Shubham Shaw, there is no particular reason. You can keep both enabled.
If you configure https you will need SSL certificate. While running in localhost you can do with http.
Hi, thanks for the video. I have a couple of questions; can you please clarify this?
1. I got a token from the server. I just passed it to someone to use this token. He was able to access the API with the token until it expired. How can we restrict this?
2. I got a token from the server with an expiry time of 15 min. before 15 min I hit token controller and got another token with an expiry time of 15 min. Now I have two tokens with valid time. will the two tokens work? or only the latest one?
if so how can we validate?
@Chandu Subhakara Reddy Satti
1. If you pass the token to someone else purposefully, there is nothing that can be done here right. Until the token expires that person will have access to your API unless you keep all tokens in storage and check against that, in which case you can flag the token.
2. It depends if you are keeping the tokens in storage, in that case, you can have an implementation of invalidating older tokens when you send out new tokens. Otherwise, both will be valid.
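The "keep tokens in storage and flag them" approach from the reply above, as an added example that is not the video's or the channel's code: the JWT bearer handler's OnTokenValidated event looks up the token's jti claim in a revocation store and fails authentication if it has been flagged. The IRevokedTokenStore interface and its in-memory implementation are assumptions for illustration; the normal TokenValidationParameters are omitted here and must still be configured.

```csharp
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;

// Hypothetical store of flagged token ids (jti); a real deployment would back this with a
// database or distributed cache shared by all API instances.
public interface IRevokedTokenStore
{
    bool IsRevoked(string jti);
    void Revoke(string jti);
}

public class InMemoryRevokedTokenStore : IRevokedTokenStore
{
    private readonly ConcurrentDictionary<string, byte> _revoked = new();
    public bool IsRevoked(string jti) => _revoked.ContainsKey(jti);
    public void Revoke(string jti) => _revoked[jti] = 0;
}

public static class RevocationSetup
{
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IRevokedTokenStore, InMemoryRevokedTokenStore>();
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // options.TokenValidationParameters = ... (key, issuer, audience, lifetime) as usual
                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature and lifetime checks have already passed.
                    OnTokenValidated = ctx =>
                    {
                        var store = ctx.HttpContext.RequestServices.GetRequiredService<IRevokedTokenStore>();
                        var jti = ctx.Principal?.FindFirst(JwtRegisteredClaimNames.Jti)?.Value;
                        // Tokens without a jti cannot be tracked, so they are rejected as well.
                        if (jti is null || store.IsRevoked(jti))
                            ctx.Fail("token has been revoked or carries no jti");
                        return Task.CompletedTask;
                    }
                };
            });
    }
}
```

A logout or "invalidate older tokens" endpoint calls IRevokedTokenStore.Revoke with the jti of the token being retired; entries can be dropped once the token's exp has passed.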
Hi, at timeline of 11:26 in this video, you added 1 hour as expiration. I tried with 1 min.
But, after 2 min also, I was able to use the same token and get the data. Meaning: the token is not expired.
Could you please help me on this.
@Ravindranath S, I will try it out and let you know.
@@DotNetCoreCentral we have to use UseExpirationValidation in the AddJwtBearer configuration
@@umairghouri1718 thanks for the suggestion!
This is great and I was able to replicate this. However, I'm wondering.. where do refresh tokens come into play?
@Jamie Bowman, refresh token comes to play when as an app you want to extend the token lifetime of the user without asking the user to enter id/pwd again for a new token after the initial token expired. The classic example will be a mobile application.
My Authorization header is missing IDK why but I don't have problems with other headers, is there a way to change the header name?
@tertulianeo, how are you passing the header? can you share the code?
@@DotNetCoreCentral ty, it was a problem with my cloud front
@@tertulianeo great to hear your issue is resolved!
Hi, have you ever used Redis cache in IdentityServer4 to improve the performance?
@vivek Gowda, no, I have never used it. But it's a good idea I would guess. I might give it a try.
@@DotNetCoreCentral thank you 😀
How about updating the token expiration when user tends to log out?. can you help me with that code?
@Norell Mantilla, I have a video on refresh token, you can refer to that and let me know if that works for you.
great
thanks!
How to validate the bearer token? If you put a bearer token in Postman it allows you to hit the method. I want to know how to validate the bearer token and the method.
@Ramesh Kumar, in the controller you will need to do this:
if (!User.Identity.IsAuthenticated)
    return Unauthorized();
Rest will be taken care of by the middleware.
Please help me, I am getting an error from Postman when I try to access the GET after applying [Authorize]. Error: similar to 403 Forbidden, but specifically for use when authentication is possible but has failed or not yet been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the requested resource.
@Ajith Jacob, I am not sure I completely understand the question, I will definitely look into it tomorrow, and if I have any doubt about your issue I will get back to you. Thanks!
@@DotNetCoreCentral thanks for your reply. Let me explain the error. I have implemented the JWT token functionality and set the attribute as AllowAnonymous. So from Postman I am able to generate the token.
Then I decorated the GET action method with the Authorize attribute and tried to access it from Postman using the JWT token generated; at that time I get the above error from Postman.
@@ajithjacob2054 I tried to reproduce your issue, but since I am not able to see your code it's hard to reproduce. This is the location of the demo code, where I am not able to reproduce the issue. Maybe if you compare your code with mine, you will be able to get some clue what is going on. github.com/choudhurynirjhar/auth-demo
Thanks for the tutorial. You are explaining the concepts very well.
Could you please give some suggestions on this?
What are the ways to store a JWT token securely on the client side? We can use cookies or local storage. But someone anonymous will be able to see the token by using some debugging tools, and they can mock the same request and use it outside of the application. How can we avoid it?
Thanks.
Saravana Kumar I’m afraid there are not many choices for storing a token securely on the client side. Your best bet is local storage. But in terms of avoiding security threats, keep your token expiry shorter, so that even if it’s stolen it cannot be used for a longer period.
@@DotNetCoreCentral Thank you so much for replying me.
Will we use refresh token to overcome this issue?
@@SaravanaKumar-bt5xn yes, that's usually better.
Good job 👍 .. what about refresh token?
@Ali Haydar, thanks for watching! czcams.com/video/7JP7V59X1sk/video.html
I'm getting 404 Not Found on the GET when I'm trying to get values1 and values2
@shashi vishw, if you can share your code in GitHub I can take a look, thanks.