Integrating with ASP Core Identity.. about aspnetselfcreatedtokenauthexample HOT 3 CLOSED

Hi @mikecann - the identity created here is encoded into the JWT token which will be returned to the user, in effect it encapsulates all of the details of that user that you'll need to use to assess whether that user is authorised to perform an action when they make future calls to the API and present that JWT token as the authorisation header.

If you take a look in the Startup.cs, you can see that we're simply requiring that a user has a valid token in this example, however you can build up arbitrarily complex authorisation rules using the claims data you include in this identity. So for example, you could have a "Company" claim with a value of the company a user is an employee of, say "Monkey Company Plc". You could then create a policy to check if the user attempted to access an API end point to retrieve details about a company, that they were an employee of the company in question.

What Claims you create, and what meanings you ascribe to them, are completely up to your application's needs. As to whether you can derive them from the UserManager / SignInManager, I'm not sure - I've not used ASP.Net Core Identity, but looking at the code for the UserManager in ASP.Net Core it looks like it has all sorts of stuff to do with Claims going on there, so it seems like it should be able to directly support the management of the claims and generating relevant claims identity objects to be inserted into your tokens here.

from aspnetselfcreatedtokenauthexample.

Hi @mrsheepuk,

Thanks for that detailed info! Really helpful.

I was wondering, you add [Authorize("Bearer")] to methods you want protected. Its not a big issue but setting [Authorize] doesnt seem to work. Is there a way to make it generic?

Cheers,
Mike

from aspnetselfcreatedtokenauthexample.

@mikecann There almost certainly is, yes - take a look at the line in the startup.cs:

services.AddAuthorization(auth =>
{
    auth.AddPolicy("Bearer", new AuthorizationPolicyBuilder()
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme‌​)
        .RequireAuthenticatedUser().Build());
});

Changing this to something like:

services.AddAuthorization(auth =>
{
    auth.DefaultPolicy = new AuthorizationPolicyBuilder()
        .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme‌​)
        .RequireAuthenticatedUser().Build();
});

... Should fix it (I haven't tested this, mind).

from aspnetselfcreatedtokenauthexample.