Closed. stevenfirstrowinc closed this 9 years ago.
You still need to have an [Authorize] attribute on your Web APIs (or as a global filter).
Yep, I have that in all cases, but honestly I'm not 100% sure I understand why I would need that. Is it the case that UseIdentityServerBearerTokenAuthentication is saying "when authentication is required, make sure the token contains this scope?" and that is why the request continues so that the [Authorize] attribute can be evaluated?
Authentication happens first. Authorization is the job of the application layer (typically).
Oh, duh! So if I want to force authentication for all requests, I'd need to use an authentication filter in addition to UseIdentityServerBearerTokenAuthentication (which is part of authorization)?
You mean authorization, right? The bearer token is authentication. If that works, then great, but if not then the request is anonymous. Authorization ensures that the current request is allowed. If anonymous is not allowed, then that authorization is required.
The scope is only enforced when a valid token has been found. Otherwise the request is anonymous.
You need additional authZ rules - in any case.
@brockallen that isn't what I meant, but it's clear now. This all comes down to one of my injected services that depends on an authenticated user. Now that I understand this process better I can handle the unauthenticated use case. I was thinking the UseIdentityServerBearerTokenAuthentication method would prevent the request getting all the way down the pipeline but I get it now.
I'm using the following code to ensure my access token is correct:
I was expecting that any request that came through that did not have this scope would return a 404 and exit the pipeline, but instead it seems as though the pipeline continues with an unauthenticated user instead.
I'm using Owin and WebApi 2.2 and the above are the first lines in my startup class. Should I be adding this method to the end of my startup instead?
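The arrangement the maintainer describes above (bearer token middleware registered first, so it only authenticates and checks scope; a global [Authorize] filter then rejects anonymous requests) as an added example written for this thread, not code from the issue or from the IdentityServer project. The authority URL, the scope name "api1" and the OrdersController are assumptions.

```csharp
using System.Security.Claims;
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Step 1: authentication. Registered BEFORE UseWebApi so it runs first.
        // If a bearer token is present it is validated and must carry the required
        // scope. A missing or invalid token does NOT short-circuit the pipeline;
        // the request simply continues as an anonymous user.
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://idsrv.example.com/identity", // placeholder: your IdentityServer URL
            RequiredScopes = new[] { "api1" }                 // assumed scope name
        });

        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        // Step 2: authorization. A global AuthorizeAttribute turns anonymous requests
        // into 401 for every action, unless an action opts out with [AllowAnonymous].
        config.Filters.Add(new AuthorizeAttribute());

        app.UseWebApi(config);
    }
}

[RoutePrefix("api/orders")]
public class OrdersController : ApiController
{
    // Reached only with a valid token carrying scope "api1": the middleware
    // enforced the scope, the global filter enforced that a user is present.
    [Route("")]
    public IHttpActionResult Get()
    {
        var subject = ((ClaimsPrincipal)User).FindFirst("sub")?.Value;
        return Ok(new { subject });
    }

    // Opt-out: reachable without any token, so an injected service used here
    // must tolerate an unauthenticated user (the case raised in this thread).
    [AllowAnonymous]
    [Route("ping")]
    public IHttpActionResult Ping() => Ok("pong");
}
```

A request with no token or the wrong scope reaches Web API as anonymous and is answered with 401 by the global filter, not by the middleware.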