COUPON Code: *EARLYBIRD20* => Spring Data J PA course: aliboucoding.com/p/the-full-guide-to-master-spring-boot-data-jpa
@firibuanyass
Жыл бұрын
Great Bouali Ali. I did watch your previous videos and I read the comments on the Refresh token. And here you go everyone he delivered as you asked for. Such an inspiration. Keep up the great work.
@BoualiAli
Жыл бұрын
Much appreciated
@ВолодимирЖуківський
Жыл бұрын
Гарно освітлена тема. Дякую
@BoualiAli
Жыл бұрын
My pleaser!
@loicsan5616
Жыл бұрын
One of the best trainers for sure. I would just like to see your way of doing this authentication with angular; because your way is always very optimal and understandable.
@BoualiAli
Жыл бұрын
Happy you liked it I'm working on it and it will be released soon
@sachin.tandon
18 күн бұрын
This is great! One of the best tutorials I've seen on this. I wondred, whether in your series, you might consider teaching how to implement login with email validation, but instead of angular receiving the tokens, a Spring BFF, with say an Auth Provider like KeyCloak...
@surge6652
Жыл бұрын
Finished your spring security course and i was wondering how to implement refresh tokens. You read my mind. Thanks for this
@tresorkaleto1481
Жыл бұрын
you wait for JWT and aouth2 authentication together implementations. thank you for sharing.
@BoualiAli
Жыл бұрын
You are welcome
@hamzaelbouzidi7720
3 ай бұрын
شكرا جزيلا على مجهودك. اتمنى ان لا تنسى المجتمع العربي من شرحك
@anirudh514
7 ай бұрын
This video is very useful, thank you very much!!
@BoualiAli
5 ай бұрын
Glad it was helpful!
@abu-dukhan
Жыл бұрын
I'm actually speechless Ali, thank you so so much for your effort in providing such awesome content. And please if you'll make a video that dive into CSRF it'll be really useful, I mean the CSRF is important when it comes to security right. Because most of the video out there just disable it and then move on, without giving why and what should be the best practices on that at the dev environment. Thank you once again for the contents ❤❤❤
@BoualiAli
Жыл бұрын
Thank you, I will
@abu-dukhan
Жыл бұрын
@@BoualiAli Thank you Sir, JazaakAllahu khairan
@seksky333
5 ай бұрын
Really appreciated you created this tutorial for the latest Spring boot version.Right timing for me to pick up more backend skills.
@BoualiAli
5 ай бұрын
Glad it was helpful!
@mfarooqwasi
7 ай бұрын
Great Work
@ashishsonune9014
Жыл бұрын
Good concept explain by you sir 😊
@BoualiAli
Жыл бұрын
Happy you liked it
@johancamacho3493
Жыл бұрын
Great video ! thanks for sharing this!
@BoualiAli
Жыл бұрын
Happy you liked it
@vojinkarisik1554
9 күн бұрын
How to revoke tokens? The whole video is almost useless if I don't know how to revoke tokens... It would take you a minute to show that, but it will take me 15 minutes to find another video that explains it and integrate it. Other than that, video is very helpful and well made.
@BoualiAli
9 күн бұрын
check the logout video and you will get your answer
@vojinkarisik1554
6 күн бұрын
@@BoualiAli I know, but I don't want to unnecessary waste about 15 minutes for that.
@BoualiAli
4 күн бұрын
@@vojinkarisik1554 searching in the channel takes 1 minute
@ferio2828
9 ай бұрын
Nicely explained 👌
@BoualiAli
8 ай бұрын
Glad you liked it
@sserra
Жыл бұрын
Thank you, I will use it for my university project. portuguese here
@BoualiAli
Жыл бұрын
Best of luck!
@erichivan5419
Жыл бұрын
Grande ali😎
@BoualiAli
Жыл бұрын
Thank you 🙏
@bryanguzman4051
Жыл бұрын
This is a great content, thank you so so much.
@BoualiAli
Жыл бұрын
Glad you enjoyed it!
@mahamattchalle3198
Жыл бұрын
You're the Best
@BoualiAli
Жыл бұрын
Thank youu 🙏
@bartosztoropolski8191
Жыл бұрын
i love it
@BoualiAli
Жыл бұрын
I'm glad you like it
@balazsvarga4216
Жыл бұрын
Again a great content. But I have two question to it: 1. In the method refreshToken why we use ObjectMapper instead of returning the AuthorizationResponse like we do it if we register or log in? 2. If I understand it correctly, the whole point of a refresh token is to send a new access token, if the old is no more valid. I miss this workflow from the video. I mean there should be a common method, which checks, if the access token belongs to the right user, but it is expired, and if so, then call the refreshToken method and with the new access token let the user access the restricted resource. Because now if we hit the demo controller, we get only a token expired exception. And I think, in this case, we should call the refreshToken method. And this generally for all secured endpoint. Maybe in a common exception handling, where we catch the token expired exception. This would be a kind of silent re-login. What do you think?
@BoualiAli
Жыл бұрын
Thank you for the feedback. here are the answers to you questions: 1- When I create new videos, I always try to show many ways of doing things because I believe that someone would need it one day 2- The refresh token is also a JWT token which signed and assigned to the connected user. Refreshing the token should be always done by the API client (frontend, mobile App, ...) not the API it self
@merxxibeaucoup9093
Жыл бұрын
Mashallah brother … thank you !!
@BoualiAli
Жыл бұрын
My pleasure
@migolovach1371
Жыл бұрын
ty very match from Russia
@BoualiAli
Жыл бұрын
My pleasure 😇
@dagnogoyaya5639
Жыл бұрын
Thanks for this sir ! Please do we have a course on sending email when a user creates an account🤩🙏
@BoualiAli
Жыл бұрын
I have one on my website Aliboucoding.com/courses
@ghiles3890
Жыл бұрын
thanks,🤗
@BoualiAli
Жыл бұрын
Welcome 😊
@michaelroyf4766
Жыл бұрын
thank you!
@BoualiAli
Жыл бұрын
You're welcome!
@konscomputertutorials7473
Жыл бұрын
Thank you very much sir.
@BoualiAli
Жыл бұрын
Most welcome
@sardorbekyorqulov
7 ай бұрын
Best !
@BoualiAli
4 ай бұрын
Glad you think so!
@Great_Sahara
Жыл бұрын
thank you for the great content. Can you please make a tutorial about online payement with spring boot and angular . TKU
Great content as always :) I'm still waiting for the Swagger interation. I hope you still find time for it :)
@BoualiAli
Жыл бұрын
Coming really soon.
@DungNguyen-ki9cr
7 ай бұрын
Thank you for nice tutorial. But may i ask you a question that should we save the refresh token in db like we save the access token? if not (only store access token in cookie or anything regarding to client-side), what will happen, it it secured like when we log out the refresh token will be revoked in some how? Thank you in advanced!
@JayasuryaASurya
3 ай бұрын
I had the same doubt. Is this okay to save the refresh token in DB instead of access Token ?
@AnvarbekTurdaliyev
Жыл бұрын
thank you very much
@BoualiAli
Жыл бұрын
You are welcome
@Quasar106
9 ай бұрын
Please correct me if I am wrong: For the front end I should be using the refresh token endpoint whenever I receive a 403 when using the access token then resend the same request with the new access token. And if I receive a 403 on the refresh token endpoint that's when I log out the user from my app (I am using a mobile app for the front end and spring boot for the backend)
@medAmineRg
7 ай бұрын
as far as i know you could use a setInterval function that will execute code after 1 min or it depends on your access token.
@IanCheng-bd3rm
Жыл бұрын
25:20 Can add " response.setContentType("application/json"); " before " new ObjectMapper().writeValue(response.getOutputStream(), authResponse); "
@BoualiAli
Жыл бұрын
Thanks
@aziztolearn
Жыл бұрын
👍👍👍👍
@especializacionIngenieriaSoftw
5 ай бұрын
Hello Sr. Thanks for your content. I was wondering: Do I have to persist the token in the data base if I want the functionality of refresh-token? o are there any other althernatives?
@BoualiAli
5 ай бұрын
No need
@CuriousTogether
5 ай бұрын
Hi, i have question, if someone pass refresh token instead of access Token, it will also work. then what is purpose of creating two token ?
@BoualiAli
4 ай бұрын
I think yes. As I mentioned in my latest videos, it better to use an auth provider like keycloak (opensource) and avoid all this manual handling. I will release a full integration video soon for keycloak
@adhiadhil4096
11 ай бұрын
First of all thank you for providing such a explanatory session but may i ask you one thing that you are generating the access token and refresh token with same method called build token where the only thing differs is the expiration. So my concern is that with this refresh token the user should not be able to access the endpoints other than refresh-token. So how is it made possible? I didn’t see any information regarding that. Hope you will help me with this soon.
@medAmineRg
7 ай бұрын
i guess you can set a claims inside the token (ex : token type -> refreshToken or accessToken then you can check in the backend)
@sehameldeen1162
Жыл бұрын
I am wondering; if the jwtToken is stateless, why do we need to save it in the database?
@BoualiAli
Жыл бұрын
I explained that in the logout video. It is just an approach (maybe not the best) to implement a logout mechanism
@sehameldeen1162
Жыл бұрын
@@BoualiAli Thank you for your quick response. I understand. Do you recommend any other approach from your personal experience?
@goodnewsjohn2482
9 ай бұрын
Hi I think a better way to do it and the way I see it done by decoding other library token is by adding a token_type: refresh
@ajdinpipo08
Жыл бұрын
First of all, your contents are awesome, thank you for that. Secondly, I have a question about why we dont save a refreshToken to the DB also, in case we want to use it later after accessToken is expired for example in 1 day ? I mean how this aproach will be usefull in fullstack app when we call it from the client side ? Again, thank you so much!!!
@BoualiAli
Жыл бұрын
I already mentioned that you can also save the refresh token and perform a second level of validation too
@chijiokeibekwe9710
Жыл бұрын
Hello Bouali. Thanks for this video. Which would you say is the more efficient? Implementing JWT authentication using filters or implementing it on the controller and service layers?
@BoualiAli
Жыл бұрын
first option is better
@khalilbouali3480
11 ай бұрын
thanks
@BoualiAli
11 ай бұрын
You're welcome!
@istand4myself
7 ай бұрын
this is so wrong in so many ways, starting from implementing your own jwt auth flow instead of using spring security's provided oauth2, using symmetric encryption instead of assymetric one (i assume you're using HS256), while the key itself is just a random (not cryptographically secure) string etc. The code itself is bad, e.g. using objectMapper to print the response is just a wtf moment. There's a good OWASP JWT cheat sheet, which I recommend to anyone stumbling across this poor 'guide' as well as comparing them to session based authentication, which you probably want to check first.
@gusdev-r
4 ай бұрын
do you have some recomendation instead that guide?
@arefsa6
11 ай бұрын
Thank you very much for this wonderful video tutorial Is there no need to save the refresh token in the database? Because we do not store the refresh token in the code
@BoualiAli
10 ай бұрын
Happy you liked it! Storing the token was an approach to implement logout (just an example)
@ОлексійМоренець
7 ай бұрын
Ok, we store all user’s tokens in the db, but when do we need to read them from db? You only read them for update when revoking tokens…
@_5_184
Жыл бұрын
Hello, I am a student who is taking a lecture in Korea. Thanks to the video, I am studying jwt well. I'm leaving a question because I'm curious about the video. 1. I processed it in the filter when I logged out, but I wonder why you processed it in the filter instead of going to the service layer. 2. And I was wondering if I should process it through filter even if my access token has expired and I need to reissue it with refresh token. Or I wonder if it should be handled by the service layer. I'd appreciate it if you could answer. In conclusion, I wonder if all the authentication/authorization procedures are handled by the filter or by going to the controller -> service layer.
@BoualiAli
Жыл бұрын
Hello, here are the answers to your questions: 1- because the filter is the first layer to receive the request 2- the security filtering / checking should be done on the filter layer
@shamilheydarov289
9 ай бұрын
Frist of all, thank you so much for these great videos. I have a question. I've written all the codes with you. At the end, i can register for a new user and get 2 tokens, also can get 200 from demo-controller request. But when i send "refresh-token" request, i doesn't send me token. I just get 200 message. I also had this problem with "authenticate" endpoint, mostly returns 403. What could be the reason? Thank you.
@johnmumo8282
Жыл бұрын
Good content i like it it really helped me... is it possible to combine Oauth2 with jwt in the same spring application???
@BoualiAli
Жыл бұрын
Really happy you liked it Yes it is possible of course
@user-tz2ms1cm9q
8 ай бұрын
Why acces token should expire after 1 minute, is it preconfigured? It seems that my acces token doesnt expire and i can acces demo-controller even after 10 min, does someone have similar problem or can help ?
@medAmineRg
7 ай бұрын
if you use these 86400000, it will expire after 1 day
@chungphamthanh5061
Жыл бұрын
I see you set the expiration time of the access token to 1 day, so why when using postman the expiration time is 60s ?
@BoualiAli
Жыл бұрын
Just to demonstrate. I cannot wait one day until the token is expired to showcase it lol
@elyeszaabi9957
6 ай бұрын
why am i getting error 500 when the jwt goes expired ?
@eugenesmith9940
Жыл бұрын
We are doing all stuff manually, like register and login and logout and refreshing tokens but I bet it's not how it works in a real world, right? So we have to implement some sort of redirection or what? I mean if a user have access and refresh tokens and when the 1st one expires he won't reach secured endpoints.. then what he gets? Will he be redirected to login screen or when access token is expired and when user tries to get to secured endpoint he will be redirected to someting "/refresh-token" url and then redirected to url he wanted to get? But what if our user is not a real person who has all those frontend possibilities (like buttons to logout, login screen, browser will store those tokens and manipulate it without user knowing what's even going on and so on). What is our user is another api? What happens then? Everything we did in postman must be implemented in that app's code like to get token after registration, store it somewhere too and then provide us with those tokens so we can compare with what we (our api) have in our database, right? Also, seems like those banking mobile apps don't use jwt or anything like that since I've heard that access tokens have pretty small expiration period like 15 mins which means that after it expires I would have to authenticate again but I can use those apps as long as I want as long as I stay active. What is the mechanism behind those apps then? Sessions that expires after a set period of beind idle? Sorry for such messy message, I'm a bit excited after this video and have so much questions. PS. we've made a separate entity for token with its state and we're storing it in our database, do we move from stateless to stateful now?
@BoualiAli
Жыл бұрын
For the first part of your question: this API is designed to be consumed by any client (API, frontend, ...) The client should handle the token expiration and refreshing the token because we need to stick to the REST architecture. For Machine To Machine (api to api) you can implement an other mechanism like API secrets / tokens Also storing the token does not make your API stateful because it is all about saving the state of the client in your backend, which is not the case for our REST API
@pujanshrestha5900
Жыл бұрын
please sir make a video for jwt exception handling
@BoualiAli
Жыл бұрын
Already uploaded. Check the playlist
@joshmiller2954
Жыл бұрын
Why does your access_token expire for the demo controller after 1 minute but the application.yml is set to a day?
@BoualiAli
Жыл бұрын
Just for the demo. It is hard to wait a day until the token expires to demonstrate
@joshmiller2954
Жыл бұрын
@@BoualiAli Okay, that is what I assumed, I thought there was some specification outside the .yml to say the JWT bearer was expiring every minute. It worked just fine with the .yml was modified to a lower time-frame.
@sonmai4840
Жыл бұрын
Thank you so much for your video. i have 1 question : if i already have an unexpired accesstoken and send it to the refreshtoken endpoint will i get a new access token and i will have more time to use it. If so, I only need 1 access token and I will be able to log in forever. please help me explain. sorry if there's something wrong
@BoualiAli
Жыл бұрын
for the refresh, you need the refresh token which hase a longer expiry period but it is not for ever (depending on you implementation)
@sonmai4840
Жыл бұрын
@@BoualiAli sorry pro, because i'm not good at english. I mean after call endponit /authenticate , there is accessToken and refeshToken and when I call endpoint /refreshToken the variable I pass to api is accessToken with time, the response will still return new accessToken , I got such bug because I didn't check whether the token sent is a refresh token or an access token at the /refreshToken endpoint
@Shashee99
Жыл бұрын
when it comes to front end what is the best and secured way to store the refresh token?
@BoualiAli
Жыл бұрын
session and local storage are perfectly fine
@ridasafwan1240
Жыл бұрын
incase of token expired what excpetion must be thrown in order to the client(caller) will call the refresh token and by that the client can differentiate between expired token and wrong token?
@BoualiAli
Жыл бұрын
I really don't remember the exact exception class name. pass an expired / wrong token and check the console and then add the exception handling for it. You can check the Exception handling video that I already posted before
@emresdocumentary
Жыл бұрын
Hello Ali. After using the Refresh Token, don't we need to generate the Refresh Token again? So, wouldn't we reset the lifetime of the Refresh Token in this way?
@BoualiAli
Жыл бұрын
If you also regenerate the refresh token each time, it will never expire which is not relevant as I explained
@GoncaloSilva137
Жыл бұрын
Hi, i dont need to store the refreshToken in the database?
@BoualiAli
Жыл бұрын
Not necessarily in a database but you need to save it to a storage system / cache like redis
@deepikar4404
Жыл бұрын
its a great video .really helpfull Ali but i have an doubt plz clarify me .i implement your code everything including refresh token and access token when i post data through postman tool it showing response 200k but body of response showing me as accessToken:null, refresshToken:null.I dont know how to solve pls reply me
@BoualiAli
Жыл бұрын
Check if you set correctly the values. Follow the same steps as I did
@gucciflipflops9665
9 ай бұрын
Your issue was 8 months ago but I just ran into this same problem so if anyone runs into this as well then check your if() condition for the userEmail inside of the AuthenticationService refreshToken() function. Remove the SecurityContextHolder check if you still have it; it should only be if userEmail is null
@gucciflipflops9665
9 ай бұрын
Small typo at the end; I meant not equals null, so: if(userEmail != null)
@sovannborithyun5205
Жыл бұрын
How to handle refresh token expired?
@BoualiAli
Жыл бұрын
Same way as the normal token
@MrJayenta
Жыл бұрын
Plz try for the forget Password
@BoualiAli
Жыл бұрын
Sure I will do
@MrJayenta
Жыл бұрын
@@BoualiAli thank plz
@tami-he4mm
11 ай бұрын
it does not make sense, when you refresh token you have to refresh both tokens as well, not only access_token
@BoualiAli
10 ай бұрын
really? So wha is it called refresh token if you have to refresh it within the real token
Пікірлер: 129