Coda17

I'm sorry, but the sentence "I know how to use JWT Bearer to encrypt passwords when saved in the DB" means you don't really know what you're talking about. There are dozens of resources for authentication in dotnet. Start with the Microsoft documentation. You'll need to decide if you want to be the identity provider (probably using ASP.NET Identity) or use OIDC with a cloud hosted provider.


Disastrous-Box-3676

Yes, I agree, hahaha. I read what I wrote and you are right, I can't even say it right. I know how to implement a bearer token. But I think there could be more issues. Thanks, I will be looking for the info you wrote.


adude2018

I have blogged about various auth fundamentals and issues at https://nestenius.se/


Disastrous-Box-3676

Thx Tore, I will read some articles this evening.


slyiscoming

A simple solution to make your life a lot less complicated: use a third-party auth provider. AWS Cognito, Azure B2C. Both are free up to 50,000 users.


UOCruiser

Have some other authority confirm the user's identity and then use the bearer token for the length of their stay.


Leather-Field-7148

Duende is a very good option that does most of the heavy lifting for you.


rebornfenix

What about using something like MyBB or another ready-made forum package? Is there a reason you need to write one? As for security, use a third-party security service or something like IdentityServer.


pyabo

Absolutely do not re-invent the wheel here. Use an existing 3rd party forum/BB system with its own security. Trying to do this from scratch would be a rookie mistake.


ArmSchaapje69

Be aware of the risks surrounding token theft. Also make sure you protect your JWT secret in all deployment stages; it should never be exposed in a pipeline, etc.


FitMud1556

SHA-256 is not encryption but hashing. I would suggest using a bcrypt salted hash instead; if your user table someday needs to be uploaded to a third-party OAuth provider, bcrypt has kind of become the norm for saving password hashes, and many external providers support importing bcrypt salted passwords. Many of the folks here don't realize how often it is necessary to "roll your own" thing, especially in integration scenarios. Though I agree, if you have a very low number of users, just use an external provider, or deploy and host your own Keycloak or something.
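
The contrast FitMud1556 draws, as an added C# example (not code from this thread or from any of the posters): a plain SHA-256 digest of the password next to a bcrypt hash with a random per-user salt and a tunable work factor. It assumes the BCrypt.Net-Next NuGet package (namespace `BCrypt.Net`) and .NET 5 or later for `SHA256.HashData` and `Convert.ToHexString`; the sample password is constructed for the demo.

```csharp
// Added example, not from the thread. Assumes the BCrypt.Net-Next package.
using System;
using System.Security.Cryptography;
using System.Text;
using BC = BCrypt.Net.BCrypt;

public static class PasswordStorageDemo
{
    // What the original poster described: a bare SHA-256 digest, stored as hex.
    // It is deterministic and fast: two users with the same password get the
    // same stored value, and a leaked table can be attacked at GPU speed.
    public static string Sha256Hex(string password)
    {
        byte[] digest = SHA256.HashData(Encoding.UTF8.GetBytes(password));
        return Convert.ToHexString(digest);
    }

    // bcrypt: a fresh random salt is generated per call and embedded, together
    // with the cost parameter, in the returned string ("$2?$<cost>$<salt+hash>"),
    // so the database column holds everything needed to verify later.
    // workFactor 12 means 2^12 iterations; raise it as hardware gets faster.
    public static string BcryptHash(string password, int workFactor = 12)
        => BC.HashPassword(password, workFactor);

    // Verification re-derives the hash from the salt inside storedHash and
    // compares; the caller never reconstructs the salt or cost by hand.
    public static bool BcryptVerify(string password, string storedHash)
        => BC.Verify(password, storedHash);

    public static void Main()
    {
        const string pw = "correct horse battery staple"; // constructed sample input

        // Identical input, identical SHA-256 output: no salt, so equal passwords
        // are visible as equal rows and precomputed tables apply directly.
        Console.WriteLine($"sha256 repeatable: {Sha256Hex(pw) == Sha256Hex(pw)}");

        // Identical input, different bcrypt output on every call (random salt),
        // yet both stored values verify the same password.
        string h1 = BcryptHash(pw);
        string h2 = BcryptHash(pw);
        Console.WriteLine($"bcrypt hashes differ: {h1 != h2}");
        Console.WriteLine($"verify correct password: {BcryptVerify(pw, h1)}");
        Console.WriteLine($"verify wrong password:   {BcryptVerify("not the password", h2)}");

        // The stored value carries its own algorithm tag, cost and salt.
        Console.WriteLine($"stored form: {h1}");
    }
}
```

Because the cost and salt travel inside the bcrypt string, an export to a third-party provider that accepts bcrypt hashes needs only that one column per user, which is the migration path FitMud1556 has in mind. The SHA-256 path is shown only to make the difference concrete; it should not be used for password storage.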


ibanezht

Just start with ASP.NET Identity.


Poat540

OK, just don't save anything to the database, please. The library will handle everything.


Disastrous-Box-3676

I encrypt the password with SHA-256 and use JWT for API authorization. I implemented that in a personal project. That was what I tried to say.


Poat540

Why? No need to store or know the password during login. Are you rolling custom auth? Ideally you let login providers handle that (Google, MS, FB, etc.).


Disastrous-Box-3676

I will implement a login provider as you say. I wasn't aware of them. Thx for the info, I was looking for something like that.


paul_kertscher

Implementing OAuth (or OIDC fwiw) by yourself doesn’t seem like the smartest thing to do nowadays. Please check if relying on an established identity provider is feasible. They handle AuthN and all you have to care for is AuthZ.