How To Setup JWT Protection In ASP.NET Core API

Captions
[Music] hey guys welcome back so right now we want to start discussing our json web tokens but before we go ahead and implement them and write mountains of beautiful code to do that i want us to have a full understanding of the purpose that they serve in the whole workflow the api security and everything so there is a leading authority at least in my book their leading authority in the form of off zero if i'm not mistaken they're probably pioneers for this kind of protocol but you can go to jwt dot io and you land on the same page that i have here where they display to you a sample token and kind of show you the breakdown so we're going to discuss exactly why tokens are necessary and what exactly they tell basically when when they're being decoded so let's just say once again the person attempts to log in to our api or they attempt to access our resource from our api we have restricted access so we are telling them that we need to know who you are and what you are able to do but then i need to make sure that you are somebody who should be able to access my system to begin with right so our token here pretty much would be issued to them after a successful login attempt so they would pass over their username and password that we already have stored in our system because they're registered once we verify that they are who they say they are we're going to give them a token with information that we have on them so that when they are making subsequent requests they can use this token instead of trying to log in every single time so this token would represent a hash or you know some encoded representation of all the information that we have for them that would that could include their username their password not their password apologies let me backtrack their username their email address if they're different um how long we're allowing them to use this token to access the system what role they have and this other one called claims which means that you are able to do this 
but not that sort of vibe right so those are the things that we encode in this huge string and send back to them after they have successfully logged in now the benefit of this is that on their side they don't have to keep on calling the login because remember that we're not keeping the session to know if they were logged in previously or not so instead of them having to try and log in every single time they're going to make an api call they log in once get this token and then make every other call with this token attached to the request on our side when we get the request and we see that there is a token we decode it validate that it came from us and then redirect them accordingly or provide that response accordingly so that is what jwt security is all about now you'll see that this string is actually color coded red i think that's i'm going to say lavender and blue right and pretty much each section is uh explained over here so this is the header section which contains what hashing algorithm was used as well as the type of token which in this case is jwt the middle section has the payload or the data so the payload is really to say all of this information is what i know about this user so the more information we pack into it is the bigger the section will get all right and over to the right you see here they're showing you what exactly is included in this payload so the payload can have like the expiration date of the token or date and time because usually you would issue a token for a finite period of time so as long as this token is valid then they don't have to log in again right as soon as it's invalid then they may want to log in get a fresh token and then continue so that's what that that's the purpose that one serves and then the parts now with the signature usually the server uses the signature part to verify whether the token contains a valid information or not so if we issue the token then we would want to verify that it came from us because anybody can 
really encode this kind of data but they want to make sure that they have down here encoded relative to our issuing key to make sure that it really came from us and it is valid in our system so i hope that cleared up some of the let's say the gray areas are on what jwt is and why we're using it when we come back we will start changing up our configurations in our api to facilitate its use all right guys welcome back so we're going to jump right into setting up our configurations for our jwt so i'm going to create a new section in our app settings file i'm going to call it jwt and basically we're just going to hard code some values that we know we'll need along the way when issuing and validating right so i'm going to say issuer and this means that i am the issuing authority so you can put your at your application name or your domain name whatever it is i'm just going to say the application name here hotel listing api so that means only when a jwt or token comes in with this issuer will i paid attention but you'll see more to that later on and there are other things you can put in here you can put in uh like the preset expiration time actually you can put a key here because there is a key value that is going to be used to set up the token however generally speaking you don't want to put that key in the app settings file because of security reasons right so if you put it there then somebody can see the app settings file and then figure out the key that's being used um i'm putting in a grid value here but this could easily just be um your name or whatever some you something you need that you want to use to verify or generate the key right so alternatively instead of putting something that sensitive inside of the app settings file because you don't want too much sensitive information in this file what you could do is create an environment variable now of course if you create it on the development machine then you have to make sure you create it also on the server when 
it is deployed so a quick way to bring up the environment or setups are the environment variable is to bring up command prompt make sure you're in administrator mode so if it is that this has to happen on a machine at work where you don't have administrator privileges then you have to make sure that you include this in your release notes so that the system administrator or devops engineer whoever is doing the deployment knows what to do so i'm going to say set x and once again this is an environment variable so this goes on to the windows level so unless uh a hacker was or somebody malicious was able to access the actual os and login to the machine they probably will never see this value or this key all right so i'm going to call this key give it the value so once again this is just a grid that i generated it's complicated enough it doesn't necessarily have to be this complicated but once again it's a context is everything right uh so whatever value you put there you just make sure you wrap it in quotation marks let me do that so key open quotes the value close quotation slash m and the slash m basically saying that it must be a system variable and not a local variable so that's why you need to make sure that your admin so you see it was saved all right so now that we have that set up we can go ahead and create our service extension because we need to extend our startup so once again instead of doing it here we'll just go over to service extensions and create a new method this one we're going to and it has to be public static void so i'll just copy this up until this point this part and say configure jwt and then we're taking the same parameters of the services but then we're also taking i configuration right so i configuration which gives us access to the app settings configuration stuff right for for a little context stuff that when we let me see all right so you see here we said configuration get connection string i configuration right so that's what we're 
referencing over here i configuration so go ahead and include anything that's missing and then inside this file is where a bit of magic is going to happen so we're going to say var jwt settings is equal to and then i'm going to call on the configuration dot get section and the section that we're going to be getting is jwt settings all right so that's what let me just verify that expert oh it's jwt apologies i call it jwt all right this is giving an error and i think it's because i included the wrong library so let me try that again i configuration and i want that configuration not auto mappers let me try that again and there we go no errors all right so the secret key now let's just say var key is equal to and then i can call an environment dot get environment variable and remember that we set the name of this environment variable just now let me bring back up my command prompt i set it to key so whatever you use there that is the name of your environment variable so key next we want to say services dot add authentication so i'm going to add an authentication option with options sorry let me just get this so they say opt or you just say oh but lambda and then i'm just going to open and close brace because we have quite a few configurations that will be going in here so anytime you have multiple lines you can just open the curly brace and then each line ends with a semicolon so i'm going to say o dot default authentication scheme is equal to and then they have jwt beer defaults so what's not here and i think i need a a few libraries or so on from from new get so let me just check jabra so there it is i need to include the microsoft sp net core authentication jwt bureau so let me go ahead and get that now it's included jwt beer defaults dot authentication scheme so this is basically saying that i am adding authentication to the application and the default scheme that i want is the jwt all right so off the bat once somebody tries to authenticate check for a bearer 
token that's basically what that is saying and then default challenge scheme is the same thing all right so check for that for authentication and challenge whatever whatever information comes across challenge it based on the jwt um standard right and then we're extending this so i'm just going to remove this semicolon for a bit so i'm going to say in the next line dot add jwt bearer and then this once again is going to have options so i'm going to do my token lambda and then open and close curly brace and let me just fix the indentation right so then we say o dot token validation parameters so there are quite a few parameters that you can set up along the way each person might be different once again the situation might be different so what i'm doing is just educational but in your enterprise setting you may have other needs than what i am going to portray here so if that turns out to be your situation then you just act accordingly right so new token validation parameters and then we're going to you know outline some of the parameters that we want to use to validate that this token you know should grant somebody access so then here we can say do we want to validate who issued the token that's generally a good idea considering that we went through all the trouble of saying here is the issuer so that means if somebody put some other value there then we are saying well if another value is there then it should be invalid do we want to validate the lifetime right so this way we'll we'll reject the token if it's if it is expired we automatically reject it so do you want to do that yes and then another one that we would probably want to do is validate the issue issuer signing key and we already established that this was the key value up top here right so we want to make sure that it was the correct signing key and then we continue and then i'm going to say that a valid issuer or the valid issuer for any given token would be jw settings jwt settings which is the config 
section dot get section out of that and then it would be issuer right so whatever value is set for the issuer i want that dot value there we go and then let's say the issuer signing key is equal to a new symmetric so now we're going to be hashing it so that's what i said it can be a complicated value it doesn't necessarily have to be because when it's going to set it up it's going to we're going to be hashing it anyway so it's a new symmetry symmetric security key and then we encode so you see even with my very very complicated one that was based on a good we're encoding this and then we're going to hash it again afterwards right so that's why i said that it doesn't necessarily have to be that complicated but encoding.utf get bytes so we're breaking it down to bytes and then we pass in the key value that we got from the environment so the most important part about the key is don't put it in the app settings all right it's frowned upon it could it could have gone there but you know to be out of abundance of caution you put it in the environment variables i have put it in the app settings before but then that was for a very internal application not necessarily public facing right so we just go ahead and include any missing references there and then i think that's just about it for validation parameters but once again based on your situation you may need more validations than i am putting here right so this is all i'm going to use semicolon semicolon and then that's it for our extensions so now we can go over to startup and we can call on our configure jwt so services.configure.jwt and we have that configuration object being passed down the line all right and then we can just stop build just to make sure everything is all so after a successful build we can continue with our tasks so the next thing that i want to do is create some functionality for the validation and the issuing of the token right so i'm going to go up let me just collapse everything in the project all 
right and then in our well i have a repository and repository so what i'm going to do is create a another folder called services i just want to make sure everything is well segregated so i know where what is so services would be for our extensions right i'm going to add a new class i'm actually oh i'm sorry i should have named this i off manager so add a new class called its ios manager if you end up doing exactly what i did you just renamed the file and it will automatic automatically rename that but then sorry it's not a class it's an interface there we go so in this interface i want to have a task that's going to return boolean and i want to call it validate user and then this is going to take the login user dto and i'll just call it user dto for uniformity purposes there we go go ahead and include any missing references as usual and then i'm going to have something else that will create and return the token so i'm going to call it create token all right so i need a class to consume them right so i'm just going to go ahead and add and i'm going to call this one off manager this one is actually a class which is going to inherit from its interface namesake which is then going to say please implement the methods that you told me i should have before we move on we have to make sure that we register our service in our bootstrapper here in the startup.cs file so we're just going to say services.add scoped and have i off manager mapped to auth manager and we're once again adding it as scoped so that's very important so where are we we're going to create this token so inside of off manager i am going to be pulling down two i'm going to be injecting two things so i need my firstly i need the user manager which i can easily get from account manager so i need that exact instance of user manager right and i'll just go ahead and include the missing reference and i'll also need to inject an instance of the configuration manager so i'll just go ahead make representations for 
those and then finish the injection and once that's done we can continue so let's start off with validating the user i think that's a lower hanging fruit so let's just deal with that one first right so when we want to validate the user we basically say we want to want to say does this user exist in the system and is the password card right so i can say var user is equal to awaits user manager dot find by name async and then remember that for this find by name basically means find by the username there it is it's asking for the username and we're using the email address as the username so we're only asking for email address in the dto but system wise we're storing that as a username also right so i can just go ahead and do that and this is saying oh so i wait that means i need my async all right so anytime you know you write a perfect await statement and you're still getting a red line just double check if you have the async it tends to slip but with practice it becomes permanent so then after we check if we have found this user so this is going to return the user's object and store it here then i'm going to say and i'm just going to instead of writing an if statement i'm just going to write out like a turner operator to say user not equal to null and so just double check well it's not a ternary signal this is just a logic statement so return if the user is not equal to null and user manager dot check password async i will say user dot password sorry not user user dto because we don't know the password hash so user dto dot password so this is automatically going to see if this password is valid for the user that is being checked so if we return somebody with that username and the password is valid well this is going to return true or false based on the outcome of all of that and what we are missing here is oh we need the user object so i need user comma user detail.password there we go so it's going to check the password see if it's valid and this already would have 
something if that username existed and then we know it's a valid user item now let us flesh out what happens in the create token operation so here we want to create an object for signing credentials and i'm going to want to get what we call claims and i think i need to include a reference all right so for the create token portion now we want to do a few things we want to create some signing credentials we want to get claims and then we want to add them to the token option so i'm just going to write them line by line get the signing get the signing credentials get claims and then create token options all right we're going to be we have to create these methods so don't worry about the red lines right no but then at the end of the operation i'm going to say return new jwt security [Music] and more than likely this needs something so jwt security token handler let's check so we have to include this identity model tokens.js this and that's a method or that's a class dot write token which is also a method but it takes the token options so whatever we get back here is based on what we get back here and based on what we get back there all right so let's start off with this one so i'm just going to hover over it and generate the method for it and it can be private we don't need it to have any public operation so we're getting the sending credentials so the first thing i need to do is get the key all right and we're going to do a similar operation to what we did in the service extensions to get the key so i just went over and copied and pasted those two lines the key get it's gotten from the environment variable and then we encode it to get that secret and then the next thing that we're going to do is just return new sign signing credentials and that's going to have the secret so secret here would be the encoded version right secret comma and we let it know that the security algorithm used for this was the h m sha256 all right there we go so that's taking care of the signing 
credentials right now let's do the get claims so i'm just going to hover over that one do the same generate method stop for it all right and then and i just noticed that this is of type object so i'm going to make it very explicit that it is signing credentials that's the return type of this right i'm sure object would have worked but i just like to make sure everything is strongly typed all right so this one let me just go ahead and make it async and it needs to be a task that is going to return a list of claims all right so the reason we have to go through all of this is our claim rather not claims the reason we have to go through all of this to defend the types is that we said var if it were explicit up top here then it would have inferred what return types to puts but because we said var it doesn't know so it's just being very vague all right let us go ahead and get the claims so i'm going to declare a new list var claims is equal to a new list of type claim and we're going to add a new claim and then the thing with claims is that these these are the bits and pieces of information that really tell who or what you can do right so i claim to be this our claim to be able to do that so those are the things that we want to make sure are included in our application or in our token rather so the first claim that i want to add is the claim types dot and when you look there are a bunch of enum so these are all claim types that are there see role is there you can add multiple roles email all those wonderful things right so i'm going to say name name generally means username um email self explanatory etc so if i said i wanted to add a claim type name the name of the user who was just validated which all right i'm going to have to change something here so i am keeping the user local to validate user which means then i would have to try and pass that along so what i'll do here is create a another variable here of type api user and i'm going to call it user and then instead 
of localizing user in invalidate i'm just going to do that so once we're in the context of this class we will have access to the user data that is added right so let's continue so name is going to come from user dot and we'll just use well we can use username right like for like so in a situation where you wouldn't be using the email as a username then you have the username to use as a name claim and at minimum you'd want to have that right then we can say var rows and then we can await and use user manager to get the roles for the user so there's get roles async there we go and we're just passing the user so it's automatically going to go fetch all the rules for this user and return them in the form of a list there we go list and then for each of those we want to add them so for each role in roles we want to add that claim so i can say claims dot add and then i will just say new claim the same way we did it here we just say claims that add new claim but then clip type would be roll and then the role coming back or the role to be added would be roll from our loop all right and then after all of that and we built it up and once again based on the claims that you wish to put in one uh you can see all of the potential claims here you can put in as many as you want right once you're done that you can just return claims so that's two down and one more to go right so i'm just going to generate this method stop now which is going to combine the signing credentials and the claims and create the actual token to be issued to the user all right so here the return type would be of type jwt security token right jwt security token just so that we're very explicit as to what it should be now inside of this method we're going to be saying that var so i have to get the settings var jwt settings is equal to and i really don't want to retype this let me see if i can just get it quickly here arguably i could have retyped it but that's fine var settings is that then we say var options 
or token options is equal to new jwt security token and then we have to use this constructor so we don't want an empty one of course so we're going to fill in certain parameters so i'm going to specify that the issuer that i want is coming from the jwt settings section for the valid u issuer just like what we had here that is the issuer that we want so we put that as the issuer there the next one would be the claims and then the claims would come from our list claims which was passed on in the parameters here right and then we want to set expirations expiration is always good to set so it actually asks you for an expires value now you could set 15 you could set 10 i mean you could do that um or you could just modify the settings file and set the value there right so since that's where all of my hard coded values are going i'm just going to keep it uniform and so i'm going to just say get that value from the settings file it's in the section called lifetime so that means this value this token once once created will only be valid for for 15 minutes let me just carry that all right and then the signing credentials which we set already or actually pass down would be here now once all of that is done we go ahead and we return our options or let me let me name this more more appropriately this is the token because this is the creation of the token so we're returning the token and then that is token right then we serialize it into a string and return that string now we've done quite a bit of work here and the one thing that we probably need to do afterwards is to make sure that we and i'm sorry i'm just seeing an error here with the configuration it was the wrong one let me just make sure i have the right one do a build so i was saying that we've done quite a bit here to get our token things up and running so what we want to do is all right i'm sorry so this is good so because i had the wrong configuration i wasn't seeing this error expire should be a date time and i only 
put 15 minutes so let me let me redo that so i'm going to say var expiration is equal to and what should really happen is we say date time dot no when was it token asked for let's add a a few minutes so whatever it is whatever threshold you want so if it is at a day add minutes add hours you just say add that appropriate one so it's add minutes and then we would put in the value and value here is string so that means i need to do something like an in a convert dot to and i'll just say to in 32 or does this does this require double i think that requires double so let me do a convert to double instead break line and close that so add minutes convert to double there we go i'm sorry yeah there we go so we do that convert to double and then expires is getting the value from the expiration right so at that point we know when the token would no longer be valid and i'm missing a semicolon here let me do a build and we have no errors so i was saying when we come back we will explore how authentication actually or authorization actually one prevents access to our resources and then two how we actually set up the endpoint to authenticate the user and issue the token accordingly hey guys welcome back in this lesson we're going to look at the configurations needed to get our swagger documentation to highlight what is needed authentication-wise so we just set up jwt authentication and we want our swagger dock to reflect that so we'll start off the configuration with our startups.cs file and nevermind the code that you might see appearing that you don't necessarily have we'll get to it eventually but right now we're just focusing on refactoring for our swagger documentation so i'm going to add a new method and i'm just going to call it add swagger doc and i'm passing in the object of the services right so i can just control dot and generate a method stop for add swagger doc and then i can remove this line of code or these lines of code so all of this is happening in the configure 
services method in our Startup file. So when I go down to AddSwaggerDoc, let us modify: take out the throw new Exception and we will put back the services.AddSwaggerGen with the configuration. Now for this section we're going to have a few more lines of configuration, right? So above the SwaggerDoc section I'm going to put c.AddSecurityDefinition. There we go. And then the security definition needs a name, so I'm going to say "Bearer", or you can say "Bearer token", right, just something so that the user can see, okay, this is the security definition. And then I'm going to say new OpenApiSecurityScheme, and that's an object, so we can initialize it, or we can declare it with our curly braces rather, and in there I'm going to have to put in some, let's say, metadata. So what is the description that I want here? For that value I put in the @ sign, "JWT Authorization"; the @ sign just makes it a literal string, right? So: "JWT Authorization scheme. Enter 'Bearer', a space, then add your token in the text box." So this is just instructions to the user, right? And then other fields that we're going to add include a name, so I'm going to say Name is equal to... that's after the description, which is comma separated. There we go: Name is equal to "Authorization". And then I'll say In, meaning where do we put the authorization? We know we put it in the header. What is the type? It's an API key, so I have Type is equal to SecuritySchemeType.ApiKey, and then I have Scheme as "Bearer". So once again, this is more like a definition to be added to our OpenAPI document.

After that I'm going to add in the actual security requirements, because remember that we could still go in and test it freely, but then, because we're using the JWT now, we have to be using Postman for the testing, which is not the worst thing, but it would be so convenient if we could just test it using Swagger, right? So I'm going to say c.AddSecurityRequirement, and we're letting Swagger know that there is an OpenApiSecurityRequirement, and once again we're initializing this object. And inside of that requirement I have another object body in which I am going to put... so here what it requires is a list, or it's really a list of OpenApiSecurityScheme, called a key, and the list of values, right? So it's really just one big collection that we're adding to; that's why we have the open and close curly braces. So in there I'm going to add a new OpenApiSecurityScheme object, and in that we have the Reference, which is a new OpenApiReference. There we go. And just follow along, because I know that it can look like a lot of code, and the red lines will soon disappear, so don't worry about them too much. So our new OpenApi... sorry, let's take those off. In the reference we have the Type is equal to ReferenceType dot, so that's an enum, and we say ReferenceType.SecurityScheme, and then our Id, which is a string value, is "Bearer". After that, that's the reference; then we have to define the Scheme. Scheme is, and we know that when it's bearer tokens it's "oauth2". The Name of this is once again "Bearer", and then our In is the same as what we defined up here, so I'll just copy and paste. All right, so you see some of these things are repeating as we go along. And then after we have that defined, I'm just going to give this string list a value, so I'll just initialize a new List of type string, just to appease the compiler. All right, we don't really have to pass anything in, at least not this time around. Include the missing reference, and open and close, and that's really it for configuring the SwaggerDoc.

So let's review this. Instead of doing this one line inside of the services file, we created a new method. So we know that we do that with our extension methods here, so you could easily have done that, right? You could have just created another extension or configuration that would say AddSwaggerDoc and do all of that in there. So it's just another flavor, whichever one you prefer, no problem. So we have the method, and then we're fleshing out some of the rules around how this Swagger document should be defined: we're defining a security definition, we have our security requirement, and then we have the actual Swagger documentation.

And let's take it for a spin. So if I Ctrl+F5, I'm going to test a login to get our token, so let me do that. And this is an administrative user, which means that this user should be able to create. So if I test the GET, which is not authorized, it still works. You'll also take note of the fact that I have little padlocks beside each endpoint, and at the top you'll see Authorize. So what's going to happen now if I try to do a POST? Let's say I'm just going to create a country. I shouldn't be able to just create a country, because I would get the 401. So how do I test this in Swagger? Well, I can go to Authorize; I already have the token, and that is the set of instructions that we typed in in the configuration, right? Enter "Bearer", then a space, and then the token. So "Bearer", space, token, because that is actually how any client app would put in the bearer token to call the API, so this is just mimicking what any client app would do. So we do that, we click Authorize, and then it has authorized this entire context, or this entire page or testing session. So now it's going to use that token with every request that it sends. So when I try to create the country again, this time, okay, I'm getting a 400. So we know that 400 means that it tried and it failed, which means the authorization is actually working, right? So let us try Venezuela. Wow, what's the spelling of Venezuela? There we go. And the short name is "VEN", for instance, for Venezuela, and then I execute again, and I'm seeing that now the country name is too long. So I think it's two letters, sorry about that. Execute. There we go. So now we have Venezuela in our database. So that is how you can configure Swagger so that you can actually test in Swagger using the JWT. However, it's up to you whether you want to use Swagger or you want to use Postman; just use the right tools to get the right results.
All right guys, welcome back. So coming off the heels of setting up our authentication manager to generate and issue the tokens, what we want to do is actually finish up our login endpoint, to the tune where we actually validate the token and allow or deny access to anybody passing in this token, right? So the first thing that we want to do is inject our newly created AuthManager service. So we know how to do the injection already, so you can just go ahead and hit pause and complete this injection operation. So once you've added the new three lines, one for the private property, one in the constructor, and the initialization, then we can go about creating our login endpoint. So you would have already commented out the login endpoint; you can uncomment it, and I already have the revised version of it on screen, so let's just go through it together. So what we want to do is validate our request, or the data coming in, the DTO. Then I'm going to say if the auth manager ValidateUser... if not, right? So you could easily write this as equals false; in case you're new to C#, for "if not" you just put the exclamation sign. So this means if it is not a valid user, then return Unauthorized, because, well, if you try to log in and you're not a valid user, then you're not authorized to go any further, right? Otherwise we're going to return Accepted, or OK, whatever it is; I'm saying Accepted, and a new object with an expression called Token, and it will take the value of the token that is created. So we say await _authManager.CreateToken. So remember that that's what we would have set up in our auth manager just now: CreateToken goes through, generates all of these bits and pieces of data, and then returns the token. So that's what that payload will have.

So we want to go ahead and test that functionality. So let's revisit our login endpoint; I'm just going to use Swagger for this part of it, so I'll just try it out and put in a user that I know I created and is already registered, and then I'm going to click Execute. Let's see what happens. All right, and we're getting a token response. So you see this big string, "token": that's by virtue of the expression we put in the custom object, and the value being passed is the token that is here. So if I take this token and go to our website to look at what's in tokens and paste it, then we'll see here that we have the algorithm, we have trevor@example.com, that's the claim for the user, we have the role, all right, and we have the expiration time, and if you hover it will show you exactly the time from when it's issued, and the issuer. All right, and then if we wanted to go as far as verifying the signature we could do that, but we already have the mechanism to do that internally, so we don't need to do that here.

So now what I want to do is experiment with actually preventing somebody access to our endpoints. I'm going to use our hotel controller for that exercise. So let us say that the ability to get the list of hotels, everybody should be able to do that; we should be able to call it without authenticating, which is what we have been doing up until now. However, we want to add an Authorize flag, or annotation, to the call to get one hotel's details. So we just put on [Authorize], and actually you could extend the annotation here for the HttpGet and add Authorize right there, all right? So you could do it either way. So if you have this one, you don't need this one. Personally I like to separate them, so I'll have the HttpGet, then Authorize; I'd actually like to, or prefer to, put it at the top, so as I see it I know it's an authorized endpoint. All right, so what we want to do is test a call to this endpoint unauthorized and authorized. So let's go, and for this activity I'm going to use Postman. So I'm going to firstly test the one that we haven't authorized, just to make sure that it still works. All right, there's a list of hotels; we have three hotels, good. Now I'm going to test the one with the endpoint that requires an id value, right? So when I click Send it's going to say 401 Unauthorized. It's not saying 401 Unauthorized because I didn't log in or whatever, because, I mean, this is already authorized, and we set up the default scheme to say I need to see a token in order to authorize or not. So all of that is happening automatically. If we have an old token in there, which I do (this is a token that was issued more than 15 minutes ago), then it will automatically also deny access. So when a token is issued and then it expires, it is the onus of the client, or the calling application, sorry, to go and fetch a new token, meaning go through the login process again, get a new token, and then come back and try and access this endpoint.

All right, so in Postman what we want to do is go over to Authorization and choose Bearer Token from this drop-down list, then we provide the token that we have, which is the first token. And then when we do that... and I'm still getting a 401 Unauthorized, so that means there's some configuration that is missing. Let me go; more than likely it's in the Startup.cs, and I think I left off one of the middlewares, so I need to add app.UseAuthentication right here. All right, so make sure you have this UseAuthentication, and order matters in this situation: so authentication, then authorization, and all of that before this, or app.UseMvc. The different .NET Core versions may have different middlewares being included, so as long as you get that general theme you should be good. So let's try that same request again, and we're having much better success. All right, so we're getting our status 200 OK, and we're seeing the one hotel that we requested. So now you see that we just protected our endpoint, because if I remove this and say No Auth, and then try and send again, I get a 401 Unauthorized. Once I include the bearer token, I get the status 200. If I modify this bearer token, then it's unauthorized, because the token could not be validated against the information that was encoded and put in originally. So that is how you can go ahead and harden your API. And once again, this JWT method is very secure, because this payload, yes, it can be decoded, but, one, it shouldn't contain any information that is too sensitive; any information that it contains should be information that, if you see it, it's of no major consequence to the API and underlying infrastructure. However, it is enough for me to verify who you are and that I am the one who gave you access to the system.
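The Swagger security definition and security requirement walked through in the first part of the video, written out as an added example (Swashbuckle, C#) rather than the video's own code; the extension-method name AddSwaggerDoc and the document title "Hotel API" are assumptions.

```csharp
using System.Collections.Generic;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.OpenApi.Models;

public static class ServiceExtensions
{
    // Assumed name: the video wraps the Swagger setup in an extension method like this.
    public static void AddSwaggerDoc(this IServiceCollection services)
    {
        services.AddSwaggerGen(c =>
        {
            // Security definition: tells Swagger UI how a bearer token is supplied.
            c.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme
            {
                Description = @"JWT Authorization header using the Bearer scheme.
                                Enter 'Bearer', a space, and then your token in the text box.",
                Name = "Authorization",            // header name the API reads
                In = ParameterLocation.Header,     // token travels in a request header
                Type = SecuritySchemeType.ApiKey,
                Scheme = "Bearer"
            });

            // Security requirement: attach the definition above to every operation,
            // so the padlocks appear and "Authorize" sends the token with each request.
            c.AddSecurityRequirement(new OpenApiSecurityRequirement
            {
                {
                    new OpenApiSecurityScheme
                    {
                        Reference = new OpenApiReference
                        {
                            Type = ReferenceType.SecurityScheme,
                            Id = "Bearer"          // must match the definition name
                        },
                        Scheme = "oauth2",
                        Name = "Bearer",
                        In = ParameterLocation.Header
                    },
                    new List<string>()             // no scopes needed for a plain JWT
                }
            });

            // Assumed title/version for the generated document.
            c.SwaggerDoc("v1", new OpenApiInfo { Title = "Hotel API", Version = "v1" });
        });
    }
}
```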
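The login endpoint, the [Authorize] attribute on the single-hotel GET, and the middleware order that fixed the 401 at the end of the video, as an added example that is not the video's code; the IAuthManager interface, LoginUserDTO, and the hotel data returned are hypothetical shapes chosen for illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;

// Hypothetical shapes matching the ValidateUser / CreateToken calls mentioned in the video.
public interface IAuthManager
{
    Task<bool> ValidateUser(LoginUserDTO userDTO);
    Task<string> CreateToken();
}
public class LoginUserDTO { public string Email { get; set; } public string Password { get; set; } }

[Route("api/[controller]")]
[ApiController]
public class AccountController : ControllerBase
{
    private readonly IAuthManager _authManager;
    public AccountController(IAuthManager authManager) { _authManager = authManager; }

    [HttpPost("login")]
    public async Task<IActionResult> Login([FromBody] LoginUserDTO userDTO)
    {
        if (!ModelState.IsValid) return BadRequest(ModelState);          // validate the DTO
        if (!await _authManager.ValidateUser(userDTO)) return Unauthorized();
        return Accepted(new { Token = await _authManager.CreateToken() }); // { "token": "..." }
    }
}

[Route("api/[controller]")]
[ApiController]
public class HotelController : ControllerBase
{
    [HttpGet]                  // anonymous: listing hotels needs no token
    public IActionResult GetHotels() => Ok(new[] { "Hotel A", "Hotel B", "Hotel C" });

    [Authorize]                // single hotel: requires a valid, unexpired bearer token
    [HttpGet("{id:int}")]
    public IActionResult GetHotel(int id) => Ok(new { Id = id, Name = $"Hotel {id}" });
}

// Startup.Configure: order matters. UseAuthentication must run before UseAuthorization,
// otherwise [Authorize] never sees an identity and every call returns 401.
public static class MiddlewareOrder
{
    public static void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```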
Info
Channel: Trevoir Williams
Views: 4,910
Keywords: .net 5 web api, .net core, api in .net core 5.0, asp.net core, asp.net core web api, asp.net core web api tutorial, asp.net core web api tutorial for beginners, asp.net core web api tutorial nitish, asp.net core web api tutorial webgentle, asp.net web api core 5, authentication, how to build restful apis with asp.net core 5, json web token, restful web api asp.net core, restful web api tutorial asp.net core, web api asp.net core, web api asp.net core 5
Id: iIsaEzNXhoo
Length: 53min 42sec (3222 seconds)
Published: Mon Mar 21 2022