• Endpoint definition
• MinimalApi

Password

• Set password
• Reset password
• Reset password confirmation

Hello!

GREAT library!

I am just running your demo app with the instructions here: Quick Start

I see here that .AddEntityFrameworkStores<MyDbContext>() is required:

The reference of .AddEntityFrameworkStores is 'not found' until you install the nuget package: Microsoft.AspNetCore.Identity.EntityFrameworkCore

I am not sure if this is a bug, or if the user is required to install Microsoft.AspNetCore.Identity.EntityFrameworkCore themselves. I just wanted to report this.

Thanks!

Can you recommend how to add roles?

I am trying to do, as an example, [Authorize(AuthenticationSchemes = "Bearer", Roles = "Administrator")], but it is not working.

If it is not a feature, could be good to add for a future version.

The IHttpContextAccessor.HttpContext will return the HttpContext of the active request when accessed from the request thread. It should not be stored in a field or variable.
https://github.com/davidfowl/AspNetCoreDiagnosticScenarios/blob/master/AspNetCoreGuidance.md#do-not-store-ihttpcontextaccessorhttpcontext-in-a-field

Unhandled exception. System.InvalidOperationException: Unable to find the required services. Please add all the required services by calling 'IServiceCollection.AddAuthorization' in the application startup code.
   at Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.VerifyServicesRegistered(IApplicationBuilder app)
   at Microsoft.AspNetCore.Builder.AuthorizationAppBuilderExtensions.UseAuthorization(IApplicationBuilder app)

Adding IServiceCollection.AddAuthorization into ServiceCollectionExtensions.ConfigureServices may fix this issue

Services.AddAuthEndpoints<,>();

Configure default values for AuthEndpointsOptions

• Access: Secret Key
• Refresh: Secret Key
• AccessSigningOptions
• RefreshSigningOptions
• AccessValidationParameters
• RefreshValidationParameters

Hi,

This is looking very good, but the swagger could be improved by using its authorization feature. I have this working, and this is what I did.

In program.cs: after the following lines, add the "// To Enable authorization using Swagger (JWT)" section of code

var xmlFile = $"{Assembly.GetExecutingAssembly().GetName().Name}.xml";
var xmlPath = Path.Combine(AppContext.BaseDirectory, xmlFile);
options.IncludeXmlComments(xmlPath);

// To Enable authorization using Swagger (JWT)
options.AddSecurityDefinition("Bearer", new OpenApiSecurityScheme()
{
    Name = "Authorization",
    Type = SecuritySchemeType.ApiKey,
    Scheme = "Bearer",
    BearerFormat = "JWT",
    In = ParameterLocation.Header,
    Description = "JWT Authorization header using the Bearer scheme. \r\n\r\n Enter 'Bearer' [space] and then your token in the text input below.\r\n\r\nExample: \"Bearer 12345abcdef\"",
});

options.AddSecurityRequirement(new OpenApiSecurityRequirement
{
    {
            new OpenApiSecurityScheme
            {
                Reference = new OpenApiReference
                {
                    Type = ReferenceType.SecurityScheme,
                    Id = "Bearer"
                }
            },
            Array.Empty<string>()
    }
});

To use, get the bearer token, and press the green Authorize button.

In the input box type the word Bearer followed by a space and paste the bearer token. Then press the authorize button and the close button.

Features like /users/me, should now work as expected. This worked great for me, and I think should be part of the demo code.

Hope this helps.

Features:

• Write/Store JWT in httponly cookie

HttpContext.Response.Cookies.Append("access_token", "<access_jwt>", new CookieOptions { HttpOnly = true });

• Read/Validate JWT from cookie instead of headers. Or catch the request and move the token from the cookie to the header as auth bearer
• Refresh JWT in httponly cookie

Simple Two factor authentication for issuing an access token, using email

Currently, refresh tokens are not stored on the server side. There is no way to revoke refresh tokens other than changing the secret key.

Todo

1. Store refresh token in database or HttpOnly cookies
2. Update token validator services

• User create
• Email confirmation
• User resend email confirmation email
• User me
• User delete

• Can only support 1 jwt bearer authentication scheme
• Current backend can be customized/extended using AuthEndpointsBuilder to support Asymmetric implementation of jwt

• Authenticator
• Controller
  • Create
  • Destroy
• Token model
• Repository
• Token generator algorithm