Authorization #27

Open
1 task
csharpfritz opened this issue Feb 18, 2022 · 5 comments
Labels: enhancement (New feature or request)

Comments

@csharpfritz
Owner

csharpfritz commented Feb 18, 2022

We should enable Authorization with optional entries in the InstantAPI configuration

From @bravecobra's post on #49:

[ ] allow authorization for the generated APIs and be able to specify authenticated users, required policies, etc.

  • allow Swagger authentication to be configured

@cmatskas

cmatskas commented Mar 8, 2022

I'll gladly grab this one. As discussed, if authorization is selected, we should be able to add roles-based authorization to select API endpoints. The authorization namespace is part of the BCL and therefore we don't need to take a dependency on any other libraries: Microsoft.AspNetCore.Authorization

@ScottKane
Contributor

Is this planned to just facilitate adding Authorize attributes to specific endpoints, or do you think we could also provide a default JWT-based authentication flow (supporting refresh tokens, etc.), as I find this is something I am constantly having to set up?

Would be nice to just have a UseAuthentication (AuthenticationMode.DefaultJwt or something) flag which gets you an out-of-the-box API that supports user login/registration. This would allow people to add different authentication methods later.

Maybe AuthenticationMode.DefaultJwt just points to a DefaultJwtAuthentication : IAuthentication class, and we can let people pass in their own IAuthentication implementation.

@davidbuckleyni
Contributor

As said on stream, it would be good if JWT tokens could be handled. I still use them in my APIs as an extra layer of security on top of Identity login.

Maybe default endpoints:

/JwtToken/IssueToken

/JwtToken/RefreshToken

One issue we might have is, if they're using other layers of security, how we tell them it's a bearer token, etc.

@ScottKane
Contributor

I personally go with api/identity/token and api/identity/token/refresh. I would say it's just another config flag, e.g. options.UseJwt(timeout: DateTime.UtcNow.AddDays(2)), that enables JWT over Identity.

I'm not sure what you mean by tell them it's a bearer token? The person using InstantAPIs or a third party? Because I would assume if you opt in to using jwt, you know you get a bearer token.

@ScottKane
Contributor

ScottKane commented Mar 24, 2022

Also, we would have to consider how we want to pass in a user-defined signing secret.
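
For reference, an added example (not part of the thread and not InstantAPIs code) of what the discussion covers when written by hand in an ASP.NET Core minimal API: role-based authorization on selected endpoints, JWT bearer validation, and a signing secret supplied through configuration rather than source. The configuration keys, routes and policy name are hypothetical, and it assumes the Microsoft.AspNetCore.Authentication.JwtBearer package is referenced.

```csharp
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Signing secret comes from configuration (user-secrets, environment variable,
// key vault), never from a literal in code. "Jwt:SigningKey" is an assumed key name.
var secret = builder.Configuration["Jwt:SigningKey"];
if (string.IsNullOrEmpty(secret) || Encoding.UTF8.GetByteCount(secret) < 32)
    throw new InvalidOperationException(
        "Jwt:SigningKey must be configured and at least 32 bytes long.");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Validate every property explicitly so that nothing is skipped.
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],     // assumed key
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"], // assumed key
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
            ClockSkew = TimeSpan.FromSeconds(30) // default is 5 minutes
        };
    });

// Hypothetical policy: only callers whose token carries the "Admin" role.
builder.Services.AddAuthorization(options =>
    options.AddPolicy("ContactsAdmin", policy => policy.RequireRole("Admin")));

var app = builder.Build();
app.UseAuthentication(); // must run before UseAuthorization
app.UseAuthorization();

// Any authenticated caller may read (constructed sample data).
app.MapGet("/api/contacts", () => Results.Ok(new[] { "constructed sample" }))
   .RequireAuthorization();

// Only the Admin role may delete.
app.MapDelete("/api/contacts/{id:int}", (int id) => Results.NoContent())
   .RequireAuthorization("ContactsAdmin");

app.Run();
```

Failing at startup when the key is missing or short keeps a deployment from silently running with a weak or empty signing secret.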
