
Authorization

Open csharpfritz opened this issue 3 years ago • 5 comments

We should enable Authorization with optional entries in the InstantAPI configuration.

From @bravecobra's post on #49:

  • [ ] allow authorization for the generated APIs and be able to specify authenticated users, required policies, etc.
  • [ ] allow Swagger authentication to be configured

csharpfritz avatar Feb 18 '22 22:02 csharpfritz

I'll gladly grab this one. As discussed, if authorization is selected, we should be able to add roles-based authorization to select API endpoints. The authorization namespace is part of the BCL and therefore we don't need to take a dependency on any other libraries: Microsoft.AspNetCore.Authorization

cmatskas avatar Mar 08 '22 19:03 cmatskas

Is this planned to just facilitate adding Authorize attributes to specific endpoints, or do you think we could also provide a default JWT-based authentication flow (supporting refresh tokens etc.), as I find this is something I am constantly having to set up?

Would be nice to just have a UseAuthentication (AuthenticationMode.DefaultJwt or something) flag which gets you an out-of-the-box API that supports user login/registration. This would allow people to add different authentication methods later.

Maybe AuthenticationMode.DefaultJwt just points to a DefaultJwtAuthentication : IAuthentication class, and we can let people pass in their own IAuthentication implementation.

ScottKane avatar Mar 23 '22 13:03 ScottKane

As said on stream, it'd be good if JWT tokens could be handled. I still use them in my APIs as an extra layer of security on top of Identity login.

Maybe default endpoints:

  • /JwtToken/IssueToken
  • /JwtToken/RefreshToken

One issue we might have is, if they're using other layers of security, how we tell them it's a bearer token, etc.

davidbuckleyni avatar Mar 24 '22 00:03 davidbuckleyni

I personally go with api/identity/token and api/identity/token/refresh. I would say it's just another config flag, e.g. options.UseJwt(timeout: DateTime.UtcNow.AddDays(2)), that enables JWT over Identity.

I'm not sure what you mean by tell them it's a bearer token? The person using InstantAPIs or a third party? Because I would assume if you opt in to using jwt, you know you get a bearer token.

ScottKane avatar Mar 24 '22 01:03 ScottKane

Also we would have to consider how we want to pass in a user defined signing secret.

ScottKane avatar Mar 24 '22 01:03 ScottKane
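The thread above sketches two pieces: roles-based authorization on selected generated endpoints (cmatskas's comment) and a JWT issue/refresh pair signed with a user-supplied secret (ScottKane's and davidbuckleyni's comments). The following is an added example of how those pieces fit together in a .NET 6 minimal API; it is not InstantAPIs code and does not reflect how the project implemented this. Everything named here is an assumption for illustration: the `Jwt:SigningKey` configuration key, the issuer and audience strings, the `ContactsReader`/`ContactsWriter` policies, the `/api/identity/token` and `/api/identity/token/refresh` paths (taken from the discussion), the `CheckCredentials` stand-in for an Identity sign-in, and the in-memory refresh-token store. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package.

```csharp
// Added example, not InstantAPIs code. Assumes .NET 6 minimal APIs and the
// Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Collections.Concurrent;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// The signing secret comes from the library's user (user-secrets or an environment
// variable), never from a hard-coded default. "Jwt:SigningKey" is an assumed key name.
var secret = builder.Configuration["Jwt:SigningKey"]
    ?? throw new InvalidOperationException("Jwt:SigningKey is not configured");
var keyBytes = Encoding.UTF8.GetBytes(secret);
if (keyBytes.Length < 32) // HS256 needs at least 256 bits of key material
    throw new InvalidOperationException("Jwt:SigningKey must be at least 32 bytes");
var signingKey = new SymmetricSecurityKey(keyBytes);
const string Issuer = "instantapis-example";   // assumed value
const string Audience = "instantapis-clients"; // assumed value
var accessTokenLifetime = TimeSpan.FromMinutes(15); // short-lived; refresh handles longevity

// Bearer validation: pin issuer, audience, key and lifetime so a token from another
// tenant or an expired token is rejected before any endpoint code runs.
builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o => o.TokenValidationParameters = new TokenValidationParameters
    {
        ValidIssuer = Issuer,
        ValidAudience = Audience,
        IssuerSigningKey = signingKey,
        ValidateIssuerSigningKey = true,
        ValidateLifetime = true,
        ClockSkew = TimeSpan.FromSeconds(30),
    });

// Roles-based policies that individual generated endpoints opt into. No fallback
// policy is set, so endpoints without RequireAuthorization stay anonymous.
builder.Services.AddAuthorization(o =>
{
    o.AddPolicy("ContactsReader", p => p.RequireRole("Reader", "Admin"));
    o.AddPolicy("ContactsWriter", p => p.RequireRole("Admin"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Refresh tokens are opaque random values kept server-side (in memory here, a
// database in practice), so revocation is just removal from the store.
var refreshTokens = new ConcurrentDictionary<string, (string User, string[] Roles, DateTime Expires)>();

// Assumed stand-in for an ASP.NET Core Identity sign-in; returns the user's roles.
static string[]? CheckCredentials(string user, string password) =>
    (user, password) == ("alice", "correct horse battery staple") ? new[] { "Admin" } : null;

string CreateAccessToken(string user, string[] roles)
{
    var claims = new List<Claim> { new(JwtRegisteredClaimNames.Sub, user) };
    claims.AddRange(roles.Select(r => new Claim(ClaimTypes.Role, r)));
    var token = new JwtSecurityToken(Issuer, Audience, claims,
        expires: DateTime.UtcNow.Add(accessTokenLifetime),
        signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(token);
}

TokenResponse IssuePair(string user, string[] roles)
{
    var refresh = Convert.ToBase64String(RandomNumberGenerator.GetBytes(32));
    refreshTokens[refresh] = (user, roles, DateTime.UtcNow.AddDays(7));
    return new TokenResponse(CreateAccessToken(user, roles), refresh);
}

app.MapPost("/api/identity/token", (LoginRequest req) =>
{
    var roles = CheckCredentials(req.Username, req.Password);
    return roles is null ? Results.Unauthorized() : Results.Ok(IssuePair(req.Username, roles));
});

app.MapPost("/api/identity/token/refresh", (RefreshRequest req) =>
{
    // Single use: the presented refresh token is removed whether or not it is still valid,
    // so a replayed or expired token can never mint a new access token.
    if (!refreshTokens.TryRemove(req.RefreshToken, out var entry) || entry.Expires < DateTime.UtcNow)
        return Results.Unauthorized();
    return Results.Ok(IssuePair(entry.User, entry.Roles));
});

// Stand-ins for generated CRUD endpoints, each opting into a roles-based policy.
app.MapGet("/api/contacts", () => new[] { "alice", "bob" })
   .RequireAuthorization("ContactsReader");
app.MapPost("/api/contacts", (string name) => Results.Created($"/api/contacts/{name}", name))
   .RequireAuthorization("ContactsWriter");

app.Run();

record LoginRequest(string Username, string Password);
record RefreshRequest(string RefreshToken);
record TokenResponse(string AccessToken, string RefreshToken);
```

The access token is deliberately short-lived and carries only the subject and roles; the long-lived credential is the opaque refresh token, which the server can revoke without touching the signing key. Refusing to start when no signing key is configured, or when the key is shorter than 256 bits, is the check that matters most for the "user-defined signing secret" question raised above: a default or weak key would let anyone forge role claims for every generated endpoint.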