{"componentChunkName":"component---src-templates-blog-list-template-js","path":"/engineering/9","result":{"data":{"allMarkdownRemark":{"edges":[{"node":{"excerpt":"In web applications, you try to decide when to use either JSON Web Tokens (JWTs) or sessions (cookies) for authentication. When you browse…","fields":{"slug":"/engineering/guest-post/jwt-vs-sessions/"},"html":"

In web applications, you try to decide when to use either JSON Web Tokens (JWTs) or sessions (cookies) for authentication. When you browse the web you use HTTP, which is a stateless protocol. So, the only way to remember the states of your application is using either sessions or tokens.

\n

Goals

\n

This article deep dives into:

\n\n

JWT vs. Session: What to Use?

\n

Deciding to choose between JWT or session is not just choosing one over the other. You need to look at some factors to determine which one to use in an application. In order to figure this out, you need to compare both approaches -- JWT and session -- to authenticate users.

\n

Comparison: JWT and Session

\n

This article starts with how server-side sessions with a session store work, then looks at how client-side sessions with JWT work.

\n

\"authentication

\n

How Server-side Sessions Work With a Session Store

\n

Suppose, you have a website with a login form. You enter your email ID and password, and your browser sends a request to the server. Your server compares the password hashes, and if those hashes match, a session is created with a specific session ID. Then, the server returns a cookie with the session ID and the cookie is HTTP only, so it can not be read by any javascript that is not yours. It is also secured so that the cookie is never transferred over an insecure connection; that is, something that is not encrypted. Otherwise, someone can intercept the communication, like a man in the middle attack.

\n

\"server-side

\n

If you make a follow-up request, your browser automatically sends this cookie along. Take a look at the session ID and fish it out.

\n

How Client-side Sessions Work with JWT

\n

\"client-side

\n

Instead of creating a session in your session store, you check whether the password hashes match. And if they do match, you can just create a JSON signature token and the token is signed with the secret. If someone tries to modify the payload, you will know and the signature validation will fail.

\n

You can return the web signature token that can be put in a cookie, which is way better. Because, if you don't do that, there is a possibility that a third-party javascript can access it.

\n

Problems with JWT and Statelessness

\n

Imagine a scenario in which a bank customer's info has been breached and the customer calls the bank to lock the account. This will be an issue if the bank uses JWT for authentication as JWT is stateless. Although you can find a workaround to do this by introducing state, it just defeats the purpose of having a JWT token in the first place, standing a chance of logging everyone out including the customer.

\n

With Sessions, logging out that one particular customer won’t be a problem at all as the customer's state is stored.

\n

Data Visibility and Control

\n

When using server-side sessions, you don't know who is currently logged into your application as this can be useful to inflict the history of what a person is currently doing. It’s a better idea to use sessions in industries like health care, banking, insurance, or companies that deal with money. It's also good to note that JWT is signed and anyone can read it or get an idea of how data or ID is structured, or how many rows data has, which is not the case for sessions as the data is not visible to users.

\n

Bandwidth Consumption

\n

Session cookies take up very little bandwidth, whereas the bandwidth consumption will be higher in the JWT-based approach because the tokens tend to get bigger and you have the signature you have to send along for each follow up request; whereas if you have the session cookie, it's really small because its just the session ID that is being sent over.

\n

Revoking Roles and Privileges in JWT and Session-based Systems

\n

A lot of breaches that happen in companies is a result of an internal breach from an employee or insider that is stealing data or doing weird things. It is really important to be able to revoke privileges immediately. Imagine a scenario where one person is locked in and has admin rights. Say, the token is valid for ten minutes or so. If for whatever reason you don't want that person to have admin privileges anymore, you can easily revoke the person's access if you use sessions, but might find it difficult if you use JSON web tokens.

\n

JWT: Advantages

\n

This section discusses the advantages of using JWT over sessions and scenarios where sessions do not cut it.

\n

Scalability

\n

One of the “issues” with sessions is scalability. The argument is that sessions are stored in memory and servers are duplicated to handle the application load, therefore, limiting the scalability of the application. JWT, on the other hand, has higher scalability due to its statelessness. If you use a load balancer, you can easily pass along your users to several servers without worrying, as there is no state or session data stored anywhere, making it easy for gigantic scale workloads like that of Google and Facebook.

\n

Maintainability

\n

A downside of the sessions is their maintainability, as the sessions need to be maintained. Somewhere on someone's server, a record will need to be created every time a user is authenticated. This is done in memory. The more the users are authenticated, the greater the overhead on your server. There is no need for maintainability in JWT as no state is stored, making it a better choice in this scenario.

\n

Multiple Platforms and Domain

\n

When using sessions in an applications, there will come a time when you need to scale or expand the data for it to be used on multiple devices. Then, you'll need to worry about things like cross-origin resource sharing or even forbidden requests.

\n

But with JWT, you don't have to bother about CORS as you can provide data to all sorts of devices and applications. Setting up a quick header configuration gets rid of any CORS problem you would have encountered.

\n
Access-Control-Allow-Origin: *
\n

As long as a valid user has a valid token, data and resources are made available from any domain.

\n

Platform Independent

\n

You can easily allow selective permissions for third-party applications with the help of JWT. Say, you build an application that you like to share permissions with other applications; for instance, sharing a video you watched on Facebook to friends on Instagram. You can also get creative building APIs that hand the special tokens to other applications so that user data can be accessed.

\n

Attacking JWTs vs. Session-based Authentication

\n

Auth tokens are usually sent over the network and as such are vulnerable to attack. These kinds of attacks are:

\n\n

Although it may seem that these types of attacks are not likely to happen, it's important to take security seriously and implement appropriate measures. The vulnerability of the system is based on the cumulative probabilities of all the types of attacks. In some ways, you can mitigate the above attacks:

\n
    \n
  1. Man in the middle attack: You can easily protect yourself from this type of attack by using secure HTTP and secure cookies throughout the app. However, this doesn't prevent attacks that use a proxy.
    2. \n
  2. OAuth token theft: The solution to this is to have appropriate measures in place to detect stolen refresh tokens and use only short-lived access tokens.
    3. \n
  3. XSS attack: One way to prevent this attack is to make sure that all of the dependencies are secure. This method is time-consuming and costly.
    4. \n
  4. Cross-site request forgery (CSRF): Prevention of CSRF attacks typically requires the use of an anti-CSRF token or SameSite cookies. However, there are other methods that you can user to solve this in a way that is seamless with the whole authentication process.
    5. \n
  5. \n

    Database and filesystem access: To control damage caused by unauthorized access to your database or filesystem, you could do the following:

    \n\n
    6. \n
  6. Session fixation: Each time a user logs in, generate a new set of tokens for that account. This method will invalidate the old ones if needed.
    7. \n
\n

Cookies vs. Local Storage

\n

Some people who use JSON web tokens return the token and store it in local storage. This can be very dangerous as third party javascript, browser extensions, and malicious CDN scripts can have access to the token. But if you put it in a cookie, no javascript access, or even you has access to it.

\n

Another thing to note is that when using cookies, you need to mitigate CSRF. Preventing it most of the time will have to do with installing a library and writing a few lines of code.

\n

Conclusion

\n

In the article, you've learned the differences in using sessions and JSON web tokens for authentication, how serverside session store works, the advantages of sessions over JWT, and other things concerning the structure of JWT.

\n","frontmatter":{"date":"August 26, 2021","updated_date":null,"description":"In this article, you'll learn the differences between JWT and Sessions, and which one to use for authentication.","title":"How to Authenticate Users: JWT vs. Session","tags":["Authentication","JWT","Sessions"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/3b6b3c675a1895002bda9c771b6829e2/58556/ArticleHead.webp","srcSet":"/static/3b6b3c675a1895002bda9c771b6829e2/61e93/ArticleHead.webp 200w,\n/static/3b6b3c675a1895002bda9c771b6829e2/1f5c5/ArticleHead.webp 400w,\n/static/3b6b3c675a1895002bda9c771b6829e2/58556/ArticleHead.webp 800w,\n/static/3b6b3c675a1895002bda9c771b6829e2/99238/ArticleHead.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Uma Victor","github":"uma-victor1","avatar":null}}}},{"node":{"excerpt":"Introduction Azure Key Vault is a highly secure, dependable, and simple method to store your keys and secrets in the cloud. This article…","fields":{"slug":"/engineering/guest-post/using-azure-key-vault-with-an-azure-web-app-in-c-sharp/"},"html":"

Introduction

\n

Azure Key Vault is a highly secure, dependable, and simple method to store your keys and secrets in the cloud. This article talks about:

\n\n

Use the following steps to read a secret stored in an Azure Key Vault instance.

\n
    \n
  1. Create a Web App in the Azure Portal
    2. \n
  2. Enable Managed Service Identity for your Web App
    3. \n
  3. \n

    Create and Configure Azure Key Vault

    \n\n
    4. \n
  4. \n

    Create a new ASP.NET 5 Core application

    \n\n
    5. \n
  5. Deploy the Application to Azure
    6. \n
  6. Execute the Application
    7. \n
\n

Prerequisites

\n

To execute the code examples provided in this article, you should have each of the following:

\n
    \n
  1. Visual Studio 2019 (preferred)
    2. \n
  2. Azure Account
    3. \n
\n

If you don't have an Azure account, you can create one for free here: Azure Login

\n

What is Azure Key Vault?

\n

Azure Key Vault is a cloud service that helps you store your application's secrets securely: You can store and manage the keys, passwords, certificates, and other secrets. You can also leverage Azure Key Vault to set parameters shared among multiple applications, including applications running in App Service.

\n

It enables you to isolate the sensitive and non-sensitive data in your application. For example, you can use application settings to store default parameters or key-value pairs containing some default settings used by the application. On the contrary, you can use Azure Key Vault to store API keys, secret keys, database connection strings, or Client IDs used in your application.

\n

Understanding Managed Identity

\n

Managed identity is a concept that eliminates the need of having to store credentials once an application has been deployed in the cloud. By using managed identity, you can securely access a variety of Azure services without having to store any credentials like connection strings or passwords. Managed identity may be used to connect to Key Vault from an Azure Function App or an Azure Web App, as well as to connect to Azure Blob Storage from an Azure Web App.

\n

Managed identities are of the following two types:

\n\n

Create a Web App in the Azure Portal

\n

You'll now create an Azure Web App instance with the permissions to access Azure Key Vault. Adhere to the steps given below that would guide you to create a new Azure Web App instance while you’re within the Azure portal:

\n
    \n
  1. In the Azure Portal, click on \"Create a resource\" from the Home screen
    2. \n
  2. \n

    Select \"Web App\" from the list

    \n

    \"Create

    \n
    3. \n
  3. Specify the name and a region for your web app
    4. \n
  4. \n

    Mention the resource group and app service plan for your web app

    \n

    \"Create

    \n
    5. \n
  5. In the Publish section, there are two choices: \"Code\" and \"Docker Container\". Choose \"Code\"
    6. \n
  6. Specify \".NET 5\" as the Runtime stack
    7. \n
  7. Set the Operation system to \"Windows\"
    8. \n
  8. For the region, specify the one that is closest to you
    9. \n
  9. You can leave the other options with their default values, and then, click on \"Review + Create\"
    10. \n
  10. Verify the configuration you've specified. If all is good, click \"Create\"
    11. \n
\n

Once the Web App has been created successfully, you'll be able to see it on the Home screen of the Azure Portal.

\n

Enable Managed Service Identity for your Web App

\n

To enable the system-assigned managed identity for the Azure Web App we just created, follow the steps given below:

\n
    \n
  1. Select \"Identity\" from the left-side menu in the Azure Web App
    2. \n
  2. Change the \"Status\" toggle pertaining to the System-assigned tab to \"On\"
    3. \n
  3. Copy the \"Object ID\" that would be available after a few seconds
    4. \n
\n

\"Enable

\n

Create and Configure Azure Key Vault

\n

In this section, you’ll examine how to create and configure an Azure Key Vault instance.

\n

Create a new Azure Key Vault Instance

\n

You'll now create an Azure Key Vault in the Azure Portal and then add a secret to it. To create a new Azure Key Vault instance, navigate to the Azure Portal and follow the steps below:

\n
    \n
  1. Select \"Create a resource\" in the Azure Portal menu or the Home page
    2. \n
  2. Specify \"Key Vault\" in the search box
    3. \n
  3. When the results are listed, choose \"Key Vault\"
    4. \n
  4. Click \"Create\"
    5. \n
\n

\"Create

\n
    \n
  1. In the \"Create key vault\" screen provide the name, subscription, resource group name, and location. Leave the other options to their default values.
    2. \n
\n

\"Specify

\n
    \n
  1. Click “Review + Create”
    2. \n
  2. Review the entered configuration. If all is fine, click \"Create\"
    3. \n
\n

Create an App Secret in Azure Key Vault

\n

Now that you've created a Key Value instance, you'll add a secret to it and then make the secret accessible to the Azure Web App we created earlier. Follow the steps below to create a secret:

\n
    \n
  1. Select \"Secrets\" from the \"Settings\" section of the \"Key Vault configuration\" page
    2. \n
  2. Click \"Generate/Import\" to add a secret
    3. \n
  3. Select \"Manual\" from the \"Upload options\" dropdown
    4. \n
  4. Next, mention the name and value of the secret
    5. \n
  5. Optionally specify the \"Content type\"
    6. \n
  6. Optionally set the \"activation and expiration date\" options
    7. \n
  7. Click \"Create\"
    8. \n
\n

\"Create

\n

Authorize the Web App to access Your Key Vault

\n

To provide access to the secret you created, follow the steps below:

\n
    \n
  1. Select \"Access policies\" from the \"Key Vault\" screen
    2. \n
  2. Click \"Add Access Policy\"
    3. \n
  3. Provide the \"Get\" and \"List\" permissions
    4. \n
  4. In the “Select a Principal” option, specify the value for the \"Object ID\" you\ncopied earlier for the Azure Web App
    5. \n
  5. Paste, search and then select it from the list
    6. \n
  6. Click \"Add\"
    7. \n
  7. Click \"Save\" to persist the changes and complete the process
    8. \n
\n

\"Add

\n

Create a New ASP.NET 5 Core application

\n

First of all, you'll create an ASP.NET Core 5 web application. The project type comes bundled with all the template files to create a web application, even before you add something. Follow the steps given below to create a new ASP.NET Core Web application within the Visual Studio 2019 IDE.

\n
    \n
  1. Launch Visual Studio 2019
    2. \n
  2. In the start window, choose \"Create a new project\"
    3. \n
  3. In the \"Add a new project\" window, choose \"ASP.NET Core Web API\" from the list of the project templates
    4. \n
\n

\"Create

\n
    \n
  1. Select \"C#\" as the programming language from the \"Language\" list
    2. \n
  2. Click \"Next\"
    3. \n
  3. In the \"Configure your new project\" screen, enter the name and location of the new project
    4. \n
  4. Then, choose \"Next\"
    5. \n
  5. In the \"Additional information\" window, ensure that .NET 5.0 (current) is selected as the framework version
    6. \n
\n

\"Specify

\n
    \n
  1. Since you'll not be using authentication, HTTPS or Docker, or OpenAPI, ensure that all these checkboxes are disabled
    2. \n
  2. Click \"Create\" to complete the process
    3. \n
\n

A new ASP.NET 5 Core application will be created in Visual Studio.

\n

Install the NuGet Packages

\n

To work with AzureKeyVault, you must install Microsoft.Extensions.Azure and Azure.Security.KeyVault.Secrets packages. While you can use the former for injecting dependencies for accessing Azure services, you can use the latter to access secrets via a SecretClient instance.

\n

You may install these packages in one of two ways: Either via the NuGet Package Manager integrated into the Visual Studio 2019 IDE or by running the following command(s) in the Package Manager Console:

\n

Install-Package Microsoft.Extensions.Azure

\n

Install-Package Azure.Security.KeyVault.Secrets

\n

Read Azure Key Vault Secrets in .NET Core

\n

In this section, you’ll examine how to read secrets from AzureKeyVault.

\n

Specify the Vault Uri in AppSettings

\n

Create a section named \"KeyVault\" in the appsettings.json file and specify a key named \"VaultUri\" in there as shown below:

\n

\"KeyVault\": {

\n

\"VaultUri\": \"https://applicationsecretsdemo.vault.azure.net/\"

\n

}

\n

Access Secrets from AzureKeyVault

\n

To access the secrets stored in the AzureKeyVault, you can take advantage of SecretClient pertaining to the Azure.Security.KeyVault.Secrets namespace. Create an interface named \"IKeyVaultManager\" with the following code in there:

\n
public interface IKeyVaultManager\n\n{\n\npublic Task<string> GetSecret(string secretName);\n\n}
\n

Create a class named \"KeyVaultManager\" that extends the \"IKeyVaultManager\" interface and implements the GetSecret method as follows:

\n
public class KeyVaultManager:IKeyVaultManager\n\n{\n\nprivate readonly SecretClient _secretClient;\n\npublic KeyVaultManager(SecretClient secretClient)\n\n{\n\n _secretClient = secretClient;\n\n}\n\npublic async Task<string> GetSecret(string secretName)\n\n{\n\ntry\n\n{\n\nKeyVaultSecret keyValueSecret = await\n\n_secretClient.GetSecretAsync(secretName);\n\nreturn keyValueSecret.Value;\n\n}\n\ncatch\n\n{\n\nthrow;\n\n}\n\n}\n\n}
\n

The \"KeyVaultManager\" class leverages the \"SecretClient\" class to retrieve secrets stored inside the AzureKeyVault.

\n

The KeyValueController Class

\n

The \"KeyValueController\" takes advantages of the \"KeyValueManager\" class to read the secret value for a given secret name and returns the value stored in there.

\n
public class KeyVaultController : ControllerBase\n\n{\n\nprivate readonly IKeyVaultManager _secretManager;\n\npublic KeyVaultController(IKeyVaultManager secretManager)\n\n{\n\n_secretManager = secretManager;\n\n}\n\n[HttpGet]\n\npublic async Task<IActionResult> Get([FromQuery] string secretName)\n\n{\n\ntry\n\n{\n\nif (string.IsNullOrEmpty(secretName))\n\n{\n\nreturn BadRequest();\n\n}\n\nstring secretValue = await\n\n_secretManager.GetSecret(secretName);\n\nif (!string.IsNullOrEmpty(secretValue))\n\n{\n\nreturn Ok(secretValue);\n\n}\n\nelse\n\n{\n\nreturn NotFound("Secret key not found.");\n\n}\n\n}\n\ncatch\n\n{\n\nreturn BadRequest("Error: Unable to read secret");\n\n}\n\n}\n\n}
\n

Register the Dependencies in the ConfigureServices Method

\n

You should specify the necessary code for dependency injection to work in the \"ConfigureServices\" method of the \"Startup\" class as shown in the code snippet given below:

\n
public void ConfigureServices(IServiceCollection services)\n\n{\n\nservices.AddAzureClients(azureClientFactoryBuilder =>\n\n{\n\nazureClientFactoryBuilder.AddSecretClient(\n\nConfiguration.GetSection("KeyVault"));\n\n});\n\nservices.AddSingleton<IKeyVaultManager,KeyVaultManager>();\n\nservices.AddControllersWithViews();\n\n}
\n

Deploy the Application to Azure

\n

To deploy the application, follow the steps below:

\n
    \n
  1. Right-click on the project in the \"Solution Explorer Window\"
    2. \n
  2. Select \"Publish\"
    3. \n
  3. Select \"Azure\" as the target from the \"Publish\" window as shown below:
    4. \n
\n

\"Deploy

\n
    \n
  1. Select \"Azure App Service (Windows)\" as the specific target as shown below:
    2. \n
\n

\"Specify

\n
    \n
  1. Specify, or associate, the \"App Service instance\" with your application
    2. \n
\n

\"Publish

\n
    \n
  1. Click \"Finish\"
    2. \n
\n

Execute the Application

\n

Lastly, you can use Postman to send a Http Get request to the endpoint to retrieve the stored secret as shown below:

\n

\"Execute

\n

Summary

\n

Azure key vault helps you to keep your application's secrets out of the application. You can use it to isolate secrets from your code files. These secrets include connection strings, API keys, environment variables, etc. You can take advantage of Azure Key Vault to keep secrets out of source control or out of your application in a centralized storage place. In this article, you've used managed identity to connect an Azure web app in .NET to an Azure Key Vault and retrieve secret value from there.

\n

The complete source code of the application discussed in this article can be found here: Source Code

\n","frontmatter":{"date":"August 09, 2021","updated_date":null,"description":"In this tutorial, you'll learn how to work with Azure Key Vault in C#.","title":"How to Use Azure Key Vault With an Azure Web App in C#","tags":["Azure","Key Vault","C#"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/5805f256d7d45f4c053d796f640836c2/58556/image.webp","srcSet":"/static/5805f256d7d45f4c053d796f640836c2/61e93/image.webp 200w,\n/static/5805f256d7d45f4c053d796f640836c2/1f5c5/image.webp 400w,\n/static/5805f256d7d45f4c053d796f640836c2/58556/image.webp 800w,\n/static/5805f256d7d45f4c053d796f640836c2/99238/image.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Joydip Kanjilal","github":"joydipkanjilal","avatar":null}}}},{"node":{"excerpt":"Prerequisite You should be familiar with Python and Django, a Python framework. Overview First, we briefly introduce LoginRadius, what it is…","fields":{"slug":"/engineering/guest-post/implementing-registration-and-authentication-in-django-using-loginradius/"},"html":"

Prerequisite

\n

You should be familiar with Python and Django, a Python framework.

\n

Overview

\n

First, we briefly introduce LoginRadius, what it is, and some benefits of using it; then, will move over to see how to implement user registration and authentication in Django using LoginRadius.

\n

Introduction

\n

What is LoginRadius?

\n

LoginRadius is a SaaS-based CIAM platform. It offers simplified, robust features to manage customer identity, privacy, and access -- allowing developers and businesses to provide a seamless and secure digital experience for their customers.

\n

The developer-friendly CIAM provides a comprehensive set of APIs for registration, authentication, identity verification, single sign-on (SSO), and more.

\n

Why should we use LoginRadius?

\n\n

LoginRadius offers many more benefits than above. You can learn more here.

\n

Getting started

\n

To get started with LoginRadius, you have to first create a free developer account.

\n

If you already have an account, log into your LoginRadius dashboard\nYou will see a page like this:

\n

\"Dashboard\"

\n

When you create an account, LoginRadius sets up a free app for you. This is the app you are going to integrate with Django. Here my app name is \"tammibriggs\".

\n

Click on your app, and you will see a page like this:

\n

\"LoginRadius

\n

There is one more thing LoginRadius automatically creates for you: an Auth Page (IDX).

\n

At this point, you know what LoginRadius is, its benefits, and how to get started with LoginRadius. Let’s see how to integrate LoginRadius with a Django application.

\n

Integrating LoginRadius with a Django Application

\n

This section covers:

\n\n
\n

You must have python installed, and the minimum supported version is 2.7.

\n
\n

Getting API Credentials

\n

Before using any of the APIs that LoginRadius provides, you need to get your App Name, API Key, and API Secret.\nOn your LoginRadius app, navigate to Configuration > API Credentials

\n

\"API

\n

You will find your API key under the API Key and Secret subsection.

\n

\"API

\n

Whitelist your Domain

\n

For security reasons, LoginRadius processes the API calls that are received from the whitelisted domains.\nLocal domains (http://localhost and http://127.0.0.1) are whitelisted by default. This means you don't have to worry about whitelisting your domain if you are running your application on Django's development server. But in a production environment, you definitely have to whitelist our domain.\nTo whitelist your domain, in your LoginRadius Dashboard, navigate to Configuration > Whitelist Your Domain and add your domain name.

\n

\"Whitelist

\n

Installation of Dependencies

\n

You need to install the LoginRadius Python SDK. It provides functionalities that allow Python programs to communicate with LoginRadius APIs.\nOpen VS Code, PyCharm, or any other editor you use in general.\nIn the terminal, type:

\n
$ pip install LoginRadius-v2 requests cryptography pbkdf2
\n

These are the dependencies you need to integrate LoginRadius into your Django application.

\n

Setting up Django

\n
    \n
  1. Install Django.
    2. \n
  2. Create a new project.
    3. \n
  3. Create an app inside the project.
    4. \n
  4. Migrate your project.
    5. \n
  5. Create a urls.py file in your app.
    6. \n
\n

You can accomplish all this with the following commands in your terminal:

\n
$ python -m pip install django\n\n$ django-admin startproject radiusAuth\n\n$ cd radiusAuth\n\n$ python manage.py startapp radiusApp\n\n$ python manage.py migrate\n\n$ cd radiusApp\n\n$ type nul > urls.py
\n

Here, the project name is radiusAuth and the app radiusApp but you can use any name you want.\nYou now have a radiusAuth project and radiusApp app setup.

\n

Configure Project

\n

You need to tell Django about the app you created and the location of the app's urls.py file.\nFirst, let Django know the location of your app.\nIn your radiusAuth project navigate to radiusAuth/settings.py, modify the INSTALLED_APPS:

\n

radiusAuth/settings.py

\n
INSTALLED_APPS = [\n    "django.contrib.admin",\n    "django.contrib.auth",\n    "django.contrib.contenttypes",\n    "django.contrib.sessions",\n    "django.contrib.messages",\n    "django.contrib.staticfiles",\n    "radiusApp",\n]
\n

Once you have added it, go over to the urls.py file in the same directory, modify the urlpatterns and include the apps url location.

\n

radiusAuth/urls.py

\n
from django.contrib import admin\nfrom django.urls import path, include\n\nurlpatterns = [\n    path('admin/', admin.site.urls),\n    path('', include('radiusApp.urls'))\n]
\n

User Registration and Authentication

\n

Remember, we said that there is a webpage LoginRadius automatically created for you: an Auth Page (IDX), which already has registration and authentication implemented. You will utilize this web page to meet your registration and authentication needs.\nHow would you do that?

\n

You can access your registration and login page with the following URLs.

\n

Registration Page URL:

\n
https://{APP_NAME}.hub.loginradius.com/auth.aspx?action=register&return_url={RETURN_URL}
\n

Login Page URL:

\n
https://{APP_NAME}.hub.loginradius.com/auth.aspx?action=login&return_url={RETURN_URL}
\n\n

So, what you will do now is to create links or buttons that users can click to access these URLs.\nFirst, create a view that will be responsible for displaying your registration and login page.\nEdit the views.py file of the radiusApp application and add the following code:

\n

radiusApp/views.py

\n
from django.shortcuts import render\n\ndef register_n_login(request):\n    return render(request, 'index.html')
\n

All this view does is render an HTML page as a response. Now, you need to add the URL pattern for this view.

\n

In the urls.py file of your radiusApp application, add the following code:

\n

radiusApp/urls.py

\n
from django.urls import path\nfrom . import views\n\nurlpatterns = [\n    path('', views.register_n_login, name="access"),\n]
\n

The register_n_login view can now be accessed by a URL. It's time to create a template for your view. But before you do that, let me introduce some basic styling you will use in your application.

\n

Create a static directory and a style.css file in your app directory.\nOpen your terminal and type the following command:

\n

radiusAuth/radiusApp

\n
$ mkdir static\n$ cd static\n$ type nul > style.css
\n

Open the style.css file and the following CSS styles:

\n
*{\n    margin: 0;\n    border: 0;\n}\n\nbody{\n    background-color: hsl(210, 15%, 95%);\n}\n\n.wrapper{\n    width: 90%;\n    height: 100vh;\n    margin: 0 auto;\n    display: flex;\n    align-items: center; \n    flex-direction: column;\n    justify-content: center;\n}\n\n.choice{\n    text-align: center;\n    line-height: 30px;\n}\n\n.choice span{\n    color: hsl(207, 37%, 76%);\n}\n\n.choice span:nth-child(1){\n    font-size: 1.3rem;\n    color: hsl(210, 7%, 55%);\n}\n\n\n.access{\n    width: 100%;\n    max-width: 400px; \n    height:150px;\n    display: flex;\n    justify-content: space-evenly;\n    flex-direction: column;\n    align-items: center;\n    background-color: white;\n    margin-bottom: 20px;\n    font-size: 1.2rem;\n}\n\n.access button{\n    width: 90%;\n    padding: 0.7rem 0.4rem;\n    background-color: hsl(207, 73%, 30%);\n    color: white;\n}\n\n.profile{\n    width:100%; \n    max-width: 400px; \n    min-height: 300px;\n    background-color: white;\n    display: flex;\n    flex-direction: column;\n    justify-content: space-between;\n}\n\n.profile__head{\n    width: inherit;\n    flex: 0.3;\n    background-color: hsl(207, 73%, 30%);\n    display:flex;\n    align-items:center;\n    justify-content: center;\n}\n\n.profile__head h4{\n    font-size: 36px;\n    font-weight: 400px;\n    color: white;\n}\n\n.profile__details{\n    width: 90%;\n    margin: 0 auto;\n    line-height: 35px;\n    flex: 0.5;\n}\n\n.profile__details span{\n    font-size: 1.2rem;\n}\n\n.label{\n    color: hsl(210, 7%, 55%);\n}
\n

Now, create the template for your register_n_login view.

\n

Create a templates directory and a index.html file in your app directory.

\n

Open your terminal and type the following command:

\n

radiusAuth/radiusApp

\n
$ mkdir templates\n$ cd templates\n$ type nul > index.html
\n

Open the index.html file and add the following HTML

\n

templates/index.html

\n
{% load static %}\n \n <!DOCTYPE html>\n <html>\n     <head>\n         <meta charset="utf-8">\n         <meta name="viewport" content="width=device-width, initial-scale=1.0">\n         <title>Registration and Login page</title>\n         <link rel="stylesheet" href="{% static 'style.css' %}">\n     </head>\n \n     <body>\n         <div class="wrapper">\n \n             <div class="access">\n                 <span>Open an account with us</span>\n                 <button onclick="window.location.href='https://{APP_NAME}.hub.loginradius.com/auth.aspx?action=register&return_url=http://127.0.0.1:8000/';">\n                     Register\n                 </button>\n             </div>\n             <div class="choice">\n                 <span>OR</span><br>\n                 <span>If you already have account</span>\n             </div>\n             <div class="access">\n                 <span>Log into your account</span>\n                 <button onclick="window.location.href='https://{APP_NAME}.hub.loginradius.com/auth.aspx?action=login&return_url=http://127.0.0.1:8000/profile/';">\n                     Login\n                 </button>\n             </div>\n \n         </div>\n     </body>\n </html>
\n

We used an onclick event on both the register and login buttons, which when clicked changes the window's location to the Auth Page (IDX) register and login page respectively.

\n

NOTE: Don’t forget to replace the {APP_NAME} placeholder with your LoginRadius app name.

\n

Also, in the register and login link, we replaced the {RETURN_URL} parameter with http://127.0.0.1:8000/profile/, which is the user profile page you are going to create shortly.

\n

Run the development server and open http://127.0.0.1:8000/, you will see a page like this:

\n

\"Register

\n

Now, when you click the register or login button, you will see a page like this:

\n

\"Auth

\n
\n

When LoginRadius successfully authenticates a user, it attaches an access token in the query string as a token parameter to the REDIRECT_URL.

\n
\n

Retrieve User Data using Access Token

\n

In this section, you are going to retrieve the authenticated user data using access token. But first you need to initialize LoingRadius SDK with your APIKEY and APISECRET.

\n

Intializing LoginRadius SDK

\n

Create a new config.py file in your radiusApp directory.

\n

Open your terminal and type this command:

\n

radiusAuth/radiusApp

\n
$ type nul > config.py
\n

Open the config.py file and add the following lines of code:

\n

radiusApp/config.py

\n
from LoginRadius import LoginRadius as LR\n\nLR.API_KEY = "API_KEY"\nLR.API_SECRET = "API_SECRET"\nloginradius = LR()
\n

Replace APIKEY and APISECRET with your respective LoginRadius API credentials.

\n

Now, create the view that will be responsible for retrieving user data.

\n

Open the views.py file in your radiusApp directory and add the following lines of code:

\n

radiusApp/views.py

\n
from django.shortcuts import render, redirect\nfrom django.http.response import HttpResponse\nfrom .config import loginradius\n\ndef register_n_login(request):\n#...\n\ndef profile(request):\n\n    if request.GET.get('token'):    \n        try:\n            user_data = loginradius.authentication.get_profile_by_access_token(request.GET.get('token'))\n        except Exception as inst:\n            return HttpResponse(inst)\n    else:\n        return redirect('access')\n\n    return render(request, 'profile.html', {'user_data':user_data})
\n

In this code snippet, we imported the initialized LoginRadius class from the config.py file and also imported redirect and HttpResponse from there respective modules.

\n

We also introduced a new function called profile. In this function we did the following:

\n\n

Now, add the URL pattern and also create a template for your views.

\n

Modify the urls.py file in the radiusApp directory.

\n

radiusApp/urls.py

\n
urlpatterns = [\n    #...\n     path('profile/', views.profile, name="profile")\n ]
\n

Head over to the templates directory in the radiusApp directory and create a profile.html file.

\n

In the termainal type:

\n

radiusApp/templates

\n
$ type nul > profile.html
\n

Open your profile.html file and add the following HTML code:

\n

templates/profile.html

\n
{% load static %}\n \n <!DOCTYPE html>\n <html>\n     <head>\n         <meta charset="utf-8">\n         <meta name="viewport" content="width=device-width, initial-scale=1.0">\n         <link rel="stylesheet" href="{% static 'style.css'%}">\n         <title>Profile</title>\n     </head>\n \n     <body>\n \n         <div class="wrapper">\n             <div class="profile">\n                 <div class="profile__head">\n                     <h4>profile details</h4>\n                 </div>\n \n                 <div class="profile__details">\n                     <span>\n                     <span class="label">Provider: </span> {{user_data.Provider}}<br>\n                     {% for i in user_data.Email %}\n                         <span class="label">Email: </span>{{i.Value}}<br>\n                     {% endfor %}\n \n                     <span class="label">Number of login:</span> {{user_data.NoOfLogins}}\n                     </span>\n                 </div>\n             </div>            \n         </div>\n \n     </body>\n </html>
\n

Here we displayed the Provider, Email and NoOfLogins from the user_data. These are just some of the data present in the user_data.

\n

Now, if you run your development server, and then register and login a user, you should see a page like this:

\n

\"Profile

\n

To see the entire data present in the user_data, you can do something like this in your profile.html, file:

\n
{% load static %}\n\n<!DOCTYPE html>\n<html>\n    <head>\n        <meta charset="utf-8">\n        <meta name="viewport" content="width=device-width, initial-scale=1.0">\n        <link rel="stylesheet" href="{% static 'style.css'%}">\n        <title>Profile</title>\n    </head>\n\n    <body>\n\n        {{user_data}}\n\n    </body>\n</html>
\n

Conclusion

\n

In this tutorial, we discussed how to use LoginRadius for registration and authentication in Django. We started by introducing LoginRadius, what it is, its benefits, and how to get started with it. Then, we illustrated building a demo application with Django and implemented registration and authentication using LoginRadius.

\n

GitHub repo: radiusAuth

\n","frontmatter":{"date":"July 30, 2021","updated_date":null,"description":"In this tutorial, you will learn how to implement user registration and authentication in Django using LoginRadius.","title":"How to Implement Registration and Authentication in Django?","tags":["Django","Authentication","User Registration"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.3333333333333333,"src":"/static/daa847118d28c3abd060b8eb7a833f23/58556/coverImage.webp","srcSet":"/static/daa847118d28c3abd060b8eb7a833f23/61e93/coverImage.webp 200w,\n/static/daa847118d28c3abd060b8eb7a833f23/1f5c5/coverImage.webp 400w,\n/static/daa847118d28c3abd060b8eb7a833f23/58556/coverImage.webp 800w,\n/static/daa847118d28c3abd060b8eb7a833f23/99238/coverImage.webp 1200w,\n/static/daa847118d28c3abd060b8eb7a833f23/7c22d/coverImage.webp 1600w,\n/static/daa847118d28c3abd060b8eb7a833f23/9d54b/coverImage.webp 4032w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Taminoturoko Briggs","github":"tammibriggs","avatar":null}}}},{"node":{"excerpt":"11 Tips for Managing Remote Software Engineering Teams The software developer role is among the top 5 remote-oriented jobs in the world…","fields":{"slug":"/engineering/guest-post/tips-for-managing-remote-software-engineering-teams/"},"html":"

11 Tips for Managing Remote Software Engineering Teams

\n

The software developer role is among the top 5 remote-oriented jobs in the world. After the pandemic, 92% of people expect to work at least 1 day per week from home, and 80% expect to work at least 3 days from home. Accordingly, fostering an environment and working conditions for software engineers to work remotely is inevitable. In fact, 75% of engineers want to work remotely, primary reasons being the lack of an annoying commute and a better work-life balance .

\n

If companies fail to create an effective remote working environment, their developers will eventually find another employer who can meet their needs to work remotely effectively.

\n

This article will give you 11 tips for managing remote software engineering teams, so you can adjust and improve your hiring, communication, and your team's collective output.

\n

Why Hire Remote Developers?

\n

The first and most obvious reason to hire remote developers is that your addressable talent pool is global . Utilizing a recruitment platform allows you to tap into a vast array of talent options. It's actually a good thing you don't have to deal with visas and relocation packages.

\n

Another reason is that many good developers are already in remote jobs. They have become used to a certain remote lifestyle and likely won't change that. As an employer, you must adapt to the growing market of digital nomads.

\n

What are the Challenges in Managing Remote Teams?

\n

Probably the biggest challenge with managing remote teams is asynchronous communication or a complete lack of communication. This can cause delays, duplicate work, or even wrong requirements being implemented in the product.

\n

In an attempt to counter that, developers sometimes change their working schedules to have a bigger time overlap with their team members. However, this can easily lead to irregular working schedules and overworking.

\n

Tips on How to Manage a Remote Software Developer Team

\n

Luckily, you can surmount all these challenges by establishing some rules for the team. Stand-up meetings are a widely practiced SCRUM ceremony and have proven to be a very effective communication method.

\n

It's also a good idea to hire developers who actually have worked in remote roles since they likely have more experience of self-management and are more goal-oriented than work-hours oriented.

\n

Trust in the team, frequent communication, and feedback make a huge difference. Next, we're looking at 11 specific tips that you can implement to foster a more effective remote working culture within your software development team.

\n

1. Stand-up Meetings and Scheduled Communication

\n

Establish a stand-up meeting time and make sure to include all team members . Since the team is fully remote, you have to utilize video conferencing or text chat software like Slack to hold a stand-up meeting. This will allow for quick feedback loops on your progress throughout the day while also providing valuable face-to-face interaction with remote employees. A well-run stand-up meeting should take no more than 15 minutes so that participants can still get their work done afterward.

\n

Schedule regular communication times during which people can discuss ideas, decisions, and general feelings about what is happening inside of your organization; this could be as small as one hour per week or as frequent as daily depending on what kind of information needs to flow between team members.

\n

However, be cautious of video fatigue. The team at Solitaired improved their development team output and speed by moving their stand-up meetings to a written format. In the video meetings they had, they started writing email summaries and clearly outlining responsibilities.

\n

2. Over-communication is Crucial for Remote Teams

\n

One tip for managing remote software development teams is to \"over-communicate.\" What does this mean? Don't just communicate as little as you can, which can create a feeling of insecurity among team members. Communication is critical when managing a remote team because you don't have the same level of informal rapport as in face-to-face interactions.

\n

Another thing you can do is send follow-up emails after VoIP phone calls. This helps to ensure that all points are covered and that nobody has any unanswered questions.

\n

3. Time Zones and \"Common Time\" for Synchronous Conversations

\n

One of the biggest challenges is timezones. You need to decide whether you want a consistent \"common time\" or if it's acceptable for team members to work off-hours . The advantage of common time is that all team members are on at once and can have conversations in real-time , which means more collaboration and less miscommunication.

\n

4. Look for Proof of Self-Management When Hiring

\n

One of the essential qualities to look for in a software engineer is self-management. You want somebody who can think critically and find solutions instead of being told what to do. Self-managers also can see through other people's advice and execute accordingly; they are not chained by following others' instructions blindly without understanding why they're doing it this way or that.

\n

5. Clear Onboarding and Product Vision

\n

Straightforward onboarding and product vision is a necessity for remote teams. Clear communication about what the team will be working on, how they will work together, and their managers can help reduce confusion among teammates.

\n

By providing clear expectations of roles and responsibilities and establishing an understanding of company goals early on in the process (even as early as employee training), you allow your new employees to hit the ground running with less stress.

\n

6. Goals Above Working Hours; Goals That Inspire Results

\n

Goals are more important than the number of hours your team works. You will never get a team to work harder by working them more hours. You don't want your employees to feel like they're on a hamster wheel. Instead, you want your team to pursue goals that inspire results. This is important because research has shown that employees will work harder and report to be 46% more productive when staff goals are aligned with organizational priorities.

\n

Make sure your team knows what they're working on: Communicate with your remote teams (or any team) so that everyone is clear about the objectives of their projects. Make a habit out of updating them regularly on progress made or obstacles encountered. This way, you'll avoid getting blindsided when someone emails asking for an update; instead, you can proactively provide updates as they happen.

\n

7. Tools That Support or Hinder Engineers

\n

Good tools are a must for remote software engineering teams. These tools should allow for instant messaging, time tracking, file sharing, and scheduling.

\n

A few in the list of great remote software engineering team tools are:

\n\n

8. Invest in a Team Lead and Celebrate Small Accomplishments

\n

When managing a remote software engineering team, it is crucial to have an onsite person who can connect with the whole team. This person should be able to take over tasks when necessary and provide updates proactively. It will also be helpful for this lead engineer to help celebrate small accomplishments to keep morale high among team members who are far away from one another. One way could be giving rewards to team members who have gone the extra mile or finished a critical job in time. It's good for team morale to give praise publicly, in front of the entire team.

\n

9. Team Feedback Goes a Long Way

\n

When managing a remote software engineering team, it is crucial to actively solicit feedback from the group. This will help build trust and understanding among team members. It can also prevent misunderstandings when regular staff members get back onsite or new hires arrive to understand their role within the company and expectations.

\n

10. Building Trust With Remote Team Members

\n

Since team members on a remote software engineering team lack in person interactions, it is vital to put emphasis on building trust with each other. This can be done through regular conference calls and short meetings for everyone to get acquainted with how they work together.

\n

Another way of building rapport is by providing online tools that allow team members to share thoughts or inputs and provide feedback and encourage self-management among employees who are not always on-site.

\n

11. Annual Get-Togethers, Even If Everyone Can't Make It

\n

To be successful, remote software engineering teams need natural ways of building trust. This includes annual get-togethers for the team to mingle and socialize with one another in a casual setting to chat about their projects on an individual level. This is a great opportunity for team-building activities and events.

\n

Bonus Tip

\n

Team One-on-One Communication

\n

Team one-on-one communication is just essential as team cohesion. This allows your team members to talk about any difficulties, they're scared to bring up in group sessions. It's also a good moment to check in with team members about their role and whether it aligns with their overall career ambitions.

\n

Key Takeaways for Managing Remote Software Engineering Teams

\n

Managing remote software engineering teams is a critical part of the equation for creating a positive impact in your company. The challenge with handling remote teams can be people, time, or budget constraints. By following these best practices for managing remote software development teams and by investing wisely in your team members' success, you can work through any obstacles you face on the journey to becoming more successful as a business owner or a team lead.

\n","frontmatter":{"date":"July 26, 2021","updated_date":null,"description":"This article will give you 11 tips for managing remote software engineering teams, so you can adjust and improve your hiring, communication, and your team's collective output.","title":"11 Tips for Managing Remote Software Engineering Teams","tags":["Remote Work","Developer","Software Engineering"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.3333333333333333,"src":"/static/893230b3bae69ab7ab6759eced0fd6c1/58556/cover.webp","srcSet":"/static/893230b3bae69ab7ab6759eced0fd6c1/61e93/cover.webp 200w,\n/static/893230b3bae69ab7ab6759eced0fd6c1/1f5c5/cover.webp 400w,\n/static/893230b3bae69ab7ab6759eced0fd6c1/58556/cover.webp 800w,\n/static/893230b3bae69ab7ab6759eced0fd6c1/99238/cover.webp 1200w,\n/static/893230b3bae69ab7ab6759eced0fd6c1/7c22d/cover.webp 1600w,\n/static/893230b3bae69ab7ab6759eced0fd6c1/5e947/cover.webp 5184w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Erkki Muuga","github":null,"avatar":null}}}},{"node":{"excerpt":"It is scientifically proven that helping others makes people happy. Probably no one knows this better than the developer community around…","fields":{"slug":"/engineering/loginradius-sponsorship-freecodecamp/"},"html":"

It is scientifically proven that helping others makes people happy. Probably no one knows this better than the developer community around the world, which continues to amaze by contributing extensively to free and open source software.

\n

And there is freeCodeCamp community, a nonprofit started in 2014 by Quincy Larson. It has been helping thousands of aspiring developers learn web development and find their first software jobs. The community features a self-paced learning platform that helps learn various web technologies, including Bootstrap, D3, jQuery, and React, among many others.

\n

Being a nonprofit, freeCodeCamp entirely works based on charitable donations and contributions of developers to maintain its learning platform. In fact, it is so efficient that with every $5 in donation, it can provide more than 250 hours of learning. And it is so effective that some of its alumni work for marquee tech companies like Apple, Google, Microsoft, and Amazon, among others.

\n

In 2013, just a year before freeCodeCamp was established, we founded LoginRadius with a vision to secure every identity on this planet. From our early beginnings, we have developed LoginRadius CIAM to empower developers to build more secure applications and simplify the implementation of customer identity and access management on their production applications to save development and maintenance time. Today, burgeoning startups to Fortune 500 companies trust LoginRadius, and we're now collectively handling 1.17 billion user identities for our customers worldwide.

\n

We are as obsessed as freeCodeCamp to support and enable the developer community to do much more and make this world a better place. And we wanted to continuously help the freeCodeCamp community in any way possible.

\n

Today, we are a proud sponsor of freeCodeCamp and supporting the community's developers.

\n

Signup here if you're a developer from the freeCodeCamp community. And we'll offer $200 credits so you can leverage LoginRadius CIAM — beyond the free developer tier — to implement highly secure, user-centric customer identity and access management.

\n

This is indeed a moment of joy and pride for everyone at LoginRadius. We would like to extend our gratitude to freeCodeCamp for letting us be a part of its journey in strengthening the developer community.

\n

By the way, if you want to share your expertise with the developer community, please feel free to write for the LoginRadius Blog portal. We have an open for contributions policy so anyone around the world can contribute. Find more details on our public GitHub repo.

\n

\"Squad

\n","frontmatter":{"date":"July 16, 2021","updated_date":null,"description":"LoginRadius now supports the freeCodeCamp community through a sponsorship program. We also offer $200 credits to freeCodeCamp developers to help them rapidly implement world-class customer identity and access management in their applications.","title":"One Vision, Many Paths: How We’re Supporting freeCodeCamp","tags":["LoginRadius","sponsorship","freeCodeCamp"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.3333333333333333,"src":"/static/e2d9670f74a3203d6424fc773fbaf35b/58556/cover.webp","srcSet":"/static/e2d9670f74a3203d6424fc773fbaf35b/61e93/cover.webp 200w,\n/static/e2d9670f74a3203d6424fc773fbaf35b/1f5c5/cover.webp 400w,\n/static/e2d9670f74a3203d6424fc773fbaf35b/58556/cover.webp 800w,\n/static/e2d9670f74a3203d6424fc773fbaf35b/cc834/cover.webp 1024w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Raghunath Reddy","github":"raghunath-r-a","avatar":null}}}},{"node":{"excerpt":"Introduction In C# 9.0, there are multiple features introduced. One of them is the Init-Only setters property feature. To use this feature…","fields":{"slug":"/engineering/csharp-init-only-setters-property/"},"html":"

Introduction

\n

In C# 9.0, there are multiple features introduced. One of them is the Init-Only setters property feature. To use this feature, there are two pre-requisite.

\n
    \n
  1. You should have the .NET 5 SDK installed in your system. If not, you can download and install it from here.
    2. \n
  2. You should have at least a 16.7 version or the latest version of Visual Studio 2019. If not, then you have to update your Visual Studio 2019 to the latest version.
    3. \n
\n

After this setup, you are ready to go with the Init-Only setters property feature.

\n

Before knowing more about this feature, first, we will understand how we are using properties currently in C#.

\n

How we are using the properties currently

\n
public int Id { get; set; }
\n

This is the way how we are using the properties, but whenever if we don't want to change the value of a property outside of a class and make them readable publicly, then we generally define the property as below.

\n
public int Id { get; private set; }
\n

In that case, the Id property can not be set outside of the class, and to set this property, we have to introduce a constructor or a public method that can set the value of the Id field. Like below

\n
public class Company\n{\n    public int Id { get; private set; }\n\n    public Company(int id) // Constructor\n    {\n        Id = id;\n    }\n    public void SetId(int id) //Public method\n    {\n        Id = id;\n    }\n}
\n

Below are the problems which arise by using the above method

\n
    \n
  1. We are not able to set the property value by using the object initialization
    2. \n
  2. If we want to set the property as immutable (Value can not be changed), then we can not achieve this because any public method can change the value of that property, so here the property is mutable (Value can be changed).
    3. \n
\n

To fix those issues, In C# 9.0 Init-Only setters property feature was introduced. Have a look at this.

\n

Init-Only Setters Property

\n

Init-Only setters property gives us the flexibility to set the value of a property by using the object initializer as well the property is also immutable. So that will resolve the above issues, which were with the private set property.

\n
public class Company\n{\n    public int Id { get; init; }\n}
\n
Company comp=new Company{\n    Id=1\n}; // It works fine if we initialize here
\n

As we can, it is perfectly fine to set the value during object initialization.

\n
public class Company\n{\n    public int Id { get; init; }\n\n     public Company(int id)\n    {\n        this.Id = Id;\n    }\n}
\n

We can define the constructor as well to initialize the Init-Only setters property.

\n

If we will try to create a method in the class and want to change the value Init-Only setters property, then it will give us the compile-time error.

\n
public class Company\n{\n    public int Id { get; init; }\n\n    public void SetId(int Id)\n    {\n        this.Id = Id; // Compile-time Error\n    }\n}
\n

Conclusion

\n

In this article, we learned how we are setting the properties in C# currently and the new C# 9.0 feature Init-Only Setters Property. Also, we understood how this feature helps us to set the property value with the object initialization.

\n","frontmatter":{"date":"July 15, 2021","updated_date":null,"description":"In this article, we will talk about Init-Only Setters Property in C#.","title":"C# Init-Only Setters Property","tags":["C#","Properties","Init"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":1.5037593984962405,"src":"/static/879023ad1196d757394d7314a2cb202d/58556/coverimage.webp","srcSet":"/static/879023ad1196d757394d7314a2cb202d/61e93/coverimage.webp 200w,\n/static/879023ad1196d757394d7314a2cb202d/1f5c5/coverimage.webp 400w,\n/static/879023ad1196d757394d7314a2cb202d/58556/coverimage.webp 800w,\n/static/879023ad1196d757394d7314a2cb202d/99238/coverimage.webp 1200w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Hemant Manwani","github":"hemant404","avatar":null}}}}]},"markdownRemark":{"excerpt":"Introduction Ever wondered how apps like Spotify, Netflix, or Slack manage seamless login experiences across devices? Many of them use JWT…","fields":{"slug":"/engineering/how-to-integrate-jwt/"},"html":"

Introduction

\n

Ever wondered how apps like Spotify, Netflix, or Slack manage seamless login experiences across devices? Many of them use JWT, or JSON Web Tokens, a compact, stateless method for securely transmitting user identity and session data across services.

\n

With JWT token authentication, identity information is embedded in a signed token, allowing you to maintain user sessions without server-side storage. This approach is highly scalable and ideal for modern architectures like SPAs, mobile apps, and microservices.

\n

In this blog, we’ll walk you through what is JWT, why use it, and how to implement JWT authentication using LoginRadius.

\n

You’ll learn what JWT is, why it’s effective, and how it works in real-world applications. We'll cover both integration methods (IDX and Direct API), generating your signing key, managing sessions, storing the JWT token securely, and applying best practices throughout.

\n

Whether you're a developer, product manager, or IAM architect, this guide offers a complete foundation for implementing JWT token authentication into your application stack.

\n

What is JWT?

\n

JSON Web Token (JWT) is an open standard (RFC 7519) used to transmit information securely between parties as a JSON object. It’s compact, self-contained, and digitally signed, making it a reliable format for authentication and authorization across modern applications.

\n

A JWT consists of three parts:

\n
    \n
  1. Header – Contains metadata like the type of token and signing algorithm (e.g., HS256).
    2. \n
  2. Payload – Stores the actual data or “claims,” such as user ID, roles, and token expiry.
    3. \n
  3. Signature – A cryptographic hash that ensures the token hasn’t been tampered with.
    4. \n
\n

Example of a token structure:

\n

<base64Header>.<base64Payload>.<signature>

\n

Why Use JWT?

\n\n

How JWT Works?

\n

\"Flowchart

\n
    \n
  1. A user logs in with credentials.
    2. \n
  2. Your app (or identity provider like LoginRadius) issues a signed JWT.
    3. \n
  3. The client stores the token and sends it with each request (usually in the Authorization header).
    4. \n
  4. The server validates the token’s signature and claims.
    5. \n
  5. If valid, access is granted — without any session stored on the backend.
    6. \n
\n

JWT simplifies identity verification, especially when you're building apps that talk to APIs or need to scale without centralized session storage.

\n

JWT Authentication with LoginRadius: Overview

\n

LoginRadius provides robust support for JWT (JSON Web Token) authentication, which allows for flexible and secure access control across different digital platforms. Whether you're building a fully custom identity flow or using a pre-built interface, the platform supports various integration approaches depending on your architecture.

\n

If you're looking to understand how to implement JWT token authentication effectively, LoginRadius offers two primary implementation models that cater to different levels of customization and control:

\n

1. IDX Implementation – JWT through a Hosted Login Page

\n

The IDX-hosted login approach enables secure, standards-compliant, JWT-based authentication without requiring you to build a custom login interface. This is a strategic option for fast, compliant, and user-friendly deployments.

\n\n

Configuration Steps:

\n
    \n
  1. Enable JWT Login
    2. \n
  2. Go to authentication configuration settings and enable JWT Login in the Admin Console.
    3. \n
\n

\"Screenshot

\n
    \n
  1. Specify your signing algorithm and expiry policy, and define your JWT Secret Key.
    2. \n
  2. Input a secure JWT signing key.
    3. \n
  3. Specify token expiry duration (e.g., 15–60 minutes)
    4. \n
  4. Select the desired algorithm —HS256 for symmetric signing (same key signs and verifies)
    5. \n
  5. RS256 for asymmetric signing, where LoginRadius securely stores the private key used to sign the JWT.
    6. \n
  6. Your app or backend service uses the public key to validate the token signature.
    7. \n
  7. LoginRadius provides a JWKS (JSON Web Key Set) endpoint to dynamically fetch and rotate public keys, ensuring trust without key exposure.
    8. \n
  8. Update IDX Template for Callback
    9. \n
  9. Modify your IDX login page template to retrieve the JWT post-login. You can access the token via redirect URL parameters or secure JavaScript callbacks.
    10. \n
\n

Example Response:

\n

{

\n

\"access_token\": \"eyJhbGciOiJIUzI1NiIsInR...\",

\n

\"expires_in\": 1800

\n

}

\n

This integration approach works best for all teams that want effective identity workflows without the complexity of building proprietary login screens, something that is crucial for customer portals, onboarding of mobile applications, and even managing access for business partners.

\n

2. Direct API Implementation – Self Managed Login

\n

If you’re building a custom login UI or working in a headless environment, LoginRadius lets you generate and handle JWTs directly through its Authentication APIs. Here’s how you can programmatically perform token authentication using the classic method:

\n\n

Configuration Steps:

\n

Step 1: Authenticate via API:

\n\n

Include the user’s credentials (email + password) in the request body.

\n

Step 2: Get JWT in Response

\n\n

{

\n

\"access_token\": \"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...\",

\n

\"expires_in\": 3600

\n

}

\n

Step 3: JWT Decoding and Validation

\n\n

Step 4: Set Custom Claims (Optional)

\n

With LoginRadius, it is possible to customize the payload to include user roles and/or any additional metadata. You can set custom JWT claims on the Admin Console.

\n

With this method, you have complete customization over login flows while using LoginRadius to issue signed JWTs for user session management.

\n

NOTE- With either method, LoginRadius ensures that JWTs are securely signed, optionally short-lived, and compatible with standard token validation libraries, making integration seamless for everyone.

\n

To get started with JWT implementation, you can read our complete developer documentation.

\n

Hosted Login vs Direct API

\n

\"Illustration

\n

What is Session Management and How It Works with JWT

\n

Session management is how your app keeps track of a user after they log in so they don’t have to prove who they are with every request.

\n

In traditional apps, sessions are stored on the server using session IDs. Every time a request comes in, the server checks that session ID to verify the user.

\n

In modern apps, especially SPAs and APIs, JWTs are used to manage sessions without needing server-side storage; this is called stateless session management. The token itself carries the user’s identity, roles, and expiration details. As long as the token is valid, the user stays logged in.

\n

Good session management ensures:

\n\n

How LoginRadius Handles Session Management with JWT:

\n
    \n
  1. \n

    User Logs In

    \n\n
    2. \n
  2. \n

    Client Stores the Token

    \n\n
    3. \n
  3. \n

    Access Token Expiry

    \n\n
    4. \n
  4. \n

    Token Renewal

    \n\n
    5. \n
  5. Logout and Token Revocation Strategy
    6. \n
\n

When the user logs out, both the access token and refresh token should be cleared from client storage.

\n\n

Combining these strategies gives you greater control over token misuse and enables a robust, enterprise-grade logout flow.

\n

\"illustration

\n

How to Store JWT Tokens?

\n

When you implement JWT-based authentication, the client (browser or mobile app) needs a way to store the access token and, optionally, the refresh token after they are issued by the authentication server. This stored token is then attached to every subsequent request to prove the user's identity.

\n

Choosing where to store the JWT is a crucial security decision. The most common storage options are:

\n\n

Each option has trade-offs between security, accessibility, and persistence, and the right choice depends on your application's architecture and threat model.

\n

Recommended Storage Strategy

\n\n

Best Practices for Storing JWTs

\n
    \n
  1. Never store sensitive tokens (like refresh tokens) in localStorage or sessionStorage.
    2. \n
  2. Use Secure and HttpOnly flags with cookies to prevent JavaScript access and ensure transmission only over HTTPS.
    3. \n
  3. Set the SameSite=Strict or Lax attribute on cookies to protect against CSRF.
    4. \n
  4. Use short-lived access tokens and rotate refresh tokens regularly.
    5. \n
  5. Implement CSP (Content Security Policy) to reduce XSS risk.
    6. \n
  6. Avoid storing any tokens in frontend code (e.g., hardcoded in JS files).
    7. \n
\n

Conclusion

\n

JWT authentication with LoginRadius offers a modern, stateless approach to managing sessions across distributed systems. The IDX integration is ideal for rapid deployment, while the Direct API model is best for organizations needing deep customization and integration flexibility.

\n

With robust token signing, refresh capabilities, and centralized control, LoginRadius provides a future-ready foundation for secure, scalable identity architecture. Contact us to know more about JWT authentication and implementation guide.

\n

FAQs

\n

1. What is JWT authentication used for?

\n

A: JWT authentication securely verifies user identities, enabling stateless session management across web, mobile apps, and microservices without server-side session storage.

\n

2. How does LoginRadius simplify JWT integration?

\n

A: LoginRadius simplifies JWT integration by offering hosted IDX login pages and direct API-based authentication methods, enabling rapid deployment and deep customization.

\n

3. Is JWT authentication secure?

\n

A: Yes, JWT authentication is secure when implemented with best practices like short-lived tokens, secure storage methods, signature validation, and refresh token rotation.

\n

4. Can JWT tokens be revoked with LoginRadius?

\n

A: Yes, LoginRadius allows revocation of JWT refresh tokens explicitly, and supports strategies like short-lived tokens and key rotation to manage token lifecycles securely.

\n","frontmatter":{"date":"April 15, 2025","updated_date":null,"description":"Discover JWT (JSON Web Token) authentication, its advantages, and how to integrate it seamlessly using LoginRadius' hosted IDX and Direct API methods for secure, scalable identity management.","title":"JWT Authentication with LoginRadius: Quick Integration Guide","tags":["JWT","JSON Web Token","Authentication","Authorization"],"pinned":null,"coverImage":{"childImageSharp":{"fluid":{"aspectRatio":0.7782101167315175,"src":"/static/4cedb7829f98208cbc6d5a9aea4e983d/58556/how-to-integrate-jwt.webp","srcSet":"/static/4cedb7829f98208cbc6d5a9aea4e983d/61e93/how-to-integrate-jwt.webp 200w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/1f5c5/how-to-integrate-jwt.webp 400w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/58556/how-to-integrate-jwt.webp 800w,\n/static/4cedb7829f98208cbc6d5a9aea4e983d/1cc9f/how-to-integrate-jwt.webp 896w","sizes":"(max-width: 800px) 100vw, 800px"}}},"author":{"id":"Kundan Singh","github":null,"avatar":null}}}},"pageContext":{"limit":6,"skip":48,"currentPage":9,"type":"//engineering//","numPages":53,"pinned":"5c425581-f474-5ae9-abe7-cf5342db2aaa"}},"staticQueryHashes":["1171199041","1384082988","2100481360","23180105","528864852"]}