Secure a .NET Core API with Bearer Authentication

In this step by step tutorial, I show you how to secure a .NET Core API with JWT Bearer Authentication, using Azure Active Directory as the Identity and Access Management Layer. I also show you how to write a “secure” API client to call and authenticate to the secured API endpoint.
We use the Microsoft.Identity.Client and Microsoft.AspNetCore.Authentication.JwtBearer packages amongst others.

Level: Intermediate
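As an added example, not code from the video or its author: the two sides the description talks about, the API registering Azure AD JWT bearer validation with the JwtBearer package, and a client using MSAL's confidential client with the "/.default" scope that a comment below mentions. Tenant id, client ids, secret and endpoint are placeholders passed in by the caller; the secret is assumed to come from an environment variable or a secret store rather than appsettings.json.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Identity.Client;

public static class ApiSetup
{
    // API side: called from the protected API's service registration.
    public static void AddAzureAdBearer(IServiceCollection services, string tenantId, string apiClientId)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Issuer and signing keys are discovered from this authority's OpenID metadata,
                // so every incoming token's signature is checked against the tenant's public keys.
                options.Authority = $"https://login.microsoftonline.com/{tenantId}/v2.0";
                // Accept only tokens minted for this API (aud claim), not tokens for other resources.
                options.Audience = $"api://{apiClientId}";
            });
        services.AddAuthorization(); // endpoints then opt in with [Authorize] / RequireAuthorization()
    }
}

public static class SecureApiClient
{
    // Client side: acquire an app-only token with MSAL and present it as a bearer token.
    public static async Task<string> CallSecuredEndpointAsync(
        string tenantId, string clientId, string clientSecret, string apiClientId, Uri endpoint)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(clientId)
            .WithClientSecret(clientSecret) // read from an environment variable or secret store
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .Build();

        // "/.default" asks for all application permissions already granted to this client on the API.
        string[] scopes = { $"api://{apiClientId}/.default" };
        AuthenticationResult result = await app.AcquireTokenForClient(scopes).ExecuteAsync();

        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);
        using HttpResponseMessage response = await http.GetAsync(endpoint);
        response.EnsureSuccessStatusCode(); // a 401 here means the API rejected the token
        return await response.Content.ReadAsStringAsync();
    }
}
```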

Comments

It's October 2022 but for me it's still the best free material about a practical approach to learn authentication in .NET on the internet.
Great job. Congratulations and thank you!

radeksendecki

Watch out on minute 31. Azure added an extra field when creating a client secret. Make sure you copy the value and not the ID!!
Super video thank you so much.

maximlejaeghere

Les Jackson, thank you for being there and giving us so many useful tips!!

DChristop

[EDIT] - I forgot to say thank you for the video, extremely useful indeed!

17:25 Regarding your advice not to use appsettings.json for production use. I can appreciate that there is a need to be careful with this during development: the application is on your local machine along with the appsettings.json file which reveals security critical information. And you certainly wouldn't want to commit that to git or any other version control.

But once you've deployed to your production environment I feel like it's pretty safe to use appsettings.json. This is because the file is then on the server (be it Azure or somewhere else). Nobody else has access to it. And, if they do, it means they already have control of your server and therefore the security has already been compromised.

So on local machine: be careful with appsettings.json as it contains secure information.
On production (deployed to server): appsettings.json is OK.

Do you disagree?

brianhoskins

Loved this video! Good explanation, my teachers could learn a lot from u!
I did get an error at the end: "The remote certificate is invalid according to the validation procedure".
But I got it working by adding this code right above making the httpClient:

HttpClientHandler clientHandler = new HttpClientHandler();
// Accepts every server certificate, i.e. TLS certificate validation is skipped for this handler
clientHandler.ServerCertificateCustomValidationCallback = (sender, cert, chain, sslPolicyErrors) => { return true; };

The HttpClient then uses another constructor like this:

var httpClient = new HttpClient(clientHandler);
Thanks a lot! Subbed immediately ;)

boebawashere

This is honestly the best .NET Core channel out there.

SpoderSuperhero

I would be interested in third party sign in (Twitter, Google, etc) and associating that sign in with an application user. For example a user might have a profile in our application, and that profile should be associated with their third party sign in. Hope that makes sense. Keep up the great videos.

DaydreamtombLP

After searching for many many hours on this topic, with no luck, I came across this video. You explained things clearly and made a lot of sense out of a confusing topic. Many thanks!!

blinkskaterkc

The best video ever. Very well explained. What is missing is an additional video for the case where you have Swagger and need to be able to test the API using AAD.

svetlin

Les Jackson Sir. You saved me a lot of time. This is exactly what I have been assigned to do. Superb!!!

Ajmal_Yazdani

Ok, Les, you got me! I spent 2 days on your 3 hr. API video and transferred all that knowledge to my big project, works Great! Now adding the tokens. Lots of little bumps that force a good developer to understand their environments, like sometimes VS Code just gets lost and you have to restart it, all good. I love that your stuff is CURRENT! 2017 is ancient times in technology;-) Enjoy the wine, wish I could deliver it personally and share a bottle to thank you. I think that would be a riot! Keep going and good luck! Oh yes, you should get yourself a green screen;-)

jeffpetrie

Absolutely love the way you've explained all of this. I've been googling, watched other videos, tutorials, but nothing comes even close to what you've done here. Cannot thank you enough!

richarddufour

Great video! I'm a Sr Software Engineer (and manager) and found a lot of value in your video. Explained everything very well! Thanks for sharing!

CognatioBestia

Thank you for explaining everything so clearly. I’ve been wanting to learn this for a long time. Since I started watching your videos it finally starts to make sense to me.

JonOvereem

I am at 5:28, and I had no info earlier on how this works, just what you show on your diagram and scenario. Just for fun, from your diagram, I guess the way it works is that the JSON token is signed by one of Azure's private keys and the dot net core tool kit has Azure's public key(s). This is how I'd implement this. I am looking for the end of the story, to see if I was right. Your videos are tremendously entertaining.

miklosnemeth

Love your teaching style, very realistic and practical explanation. Thanks very much for making this video, you have demystified Bearer Authentication a great deal.

HenryTsang

This is really great. I watched about a million videos and blogs and all are talking bits and pieces but I couldn't get a complete picture. This session gave me the whole picture and finally I am able to successfully build a system for my purpose. Great explanations. Really loved it!!!!

ptry

Thank you Les for your time. I was going crazy until I saw your video with the resourceId "/.default". I missed this part. Thank you.

sebastianayalavalderrama

I like your other videos that break the video into parts; it's easy to follow because I know what topic you're talking about at that point. It's hard to watch a video for more than 15 minutes.

ronaldabellano

The key things in your videos are very well explained, practical and content oriented. Thank you so much for sharing your knowledge.

manishjawarkar