csharpfritz / InstantAPIs

A library that generates Minimal API endpoints for an Entity Framework context.
MIT License

Authorization #27

Open csharpfritz opened 2 years ago

csharpfritz commented 2 years ago

We should enable Authorization with optional entries in the InstantAPI configuration

*from @bravecobra's post on #49:*

- [ ] allow authorization for the generated APIs and be able to specify authenticated users, required policies, etc.

cmatskas commented 2 years ago

I'll gladly grab this one. As discussed, if authorization is selected, we should be able to add roles-based authorization to select API endpoints. The authorization namespace is part of the BCL and therefore we don't need to take a dependency on any other libraries: Microsoft.AspNetCore.Authorization

ScottKane commented 2 years ago

Is this planned to just facilitate adding Authorize attributes to specific endpoints, or do you think we could also provide a default JWT-based authentication flow (supporting refresh tokens etc.)? I find this is something I am constantly having to set up.

Would be nice to just have a UseAuthentication (AuthenticationMode.DefaultJwt or something) flag which gets you an out-of-the-box API that supports user login/registration. This would allow people to add different authentication methods later.

Maybe AuthenticationMode.DefaultJwt just points to a DefaultJwtAuthentication : IAuthentication class, and we can let people pass in their own IAuthentication implementation.

davidbuckleyni commented 2 years ago

As said on stream, it'd be good if JWT tokens could be handled. I still use them in my APIs as an extra layer of security on top of Identity login.

Maybe default endpoints:

/JwtToken/IssueToken

/JwtToken/RefreshToken

One issue we might have is, if they're using other layers of security, how we tell them it's a bearer token etc.

ScottKane commented 2 years ago

I personally go with api/identity/token and api/identity/token/refresh. I would say it's just another config flag, e.g. options.UseJwt(timeout: DateTime.UtcNow.AddDays(2)), that enables JWT over Identity.

I'm not sure what you mean by tell them it's a bearer token? The person using InstantAPIs or a third party? Because I would assume if you opt in to using jwt, you know you get a bearer token.

ScottKane commented 2 years ago

Also we would have to consider how we want to pass in a user defined signing secret.
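The two pieces the thread asks for, role-based authorization on generated Minimal API endpoints (cmatskas's comment) and a user-supplied JWT signing secret (ScottKane's last comment), can be wired together in a plain ASP.NET Core host. The following is an added example, not InstantAPIs project code and not an implementation of the proposed `UseJwt` option: it assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` package, a configuration section named `Jwt` with `SigningKey`, `Issuer` and `Audience` keys, a policy name `RequireAdmin`, and a `/api/contacts` route group standing in for whatever the library would generate.

```csharp
// Added example (not InstantAPIs code): Minimal API host that validates JWT
// bearer tokens with a signing key read from configuration and applies
// role-based authorization to endpoints.
// Assumed package: Microsoft.AspNetCore.Authentication.JwtBearer.
// Assumed configuration keys: Jwt:SigningKey, Jwt:Issuer, Jwt:Audience.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// The signing secret comes from configuration (user secrets, environment
// variables, or a vault-backed provider), never from source code.
var jwt = builder.Configuration.GetSection("Jwt");
var secret = jwt["SigningKey"]
    ?? throw new InvalidOperationException("Jwt:SigningKey is not configured");

// HS256 needs at least a 256-bit key; refuse to start with a weaker one.
if (Encoding.UTF8.GetByteCount(secret) < 32)
    throw new InvalidOperationException("Jwt:SigningKey must be at least 32 bytes");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
            ValidateIssuer = true,
            ValidIssuer = jwt["Issuer"],
            ValidateAudience = true,
            ValidAudience = jwt["Audience"],
            ValidateLifetime = true,
            // Default clock skew is five minutes; tighten it for short-lived tokens.
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });

// Role-based policy built only on Microsoft.AspNetCore.Authorization (BCL),
// as the thread notes no extra dependency is needed for this.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("RequireAdmin", policy => policy.RequireRole("Admin"));
});

var app = builder.Build();

app.UseAuthentication();
app.UseAuthorization();

// Stand-ins for generated endpoints: every route in the group requires an
// authenticated caller; the write endpoint additionally requires the Admin role.
var contacts = app.MapGroup("/api/contacts").RequireAuthorization();
contacts.MapGet("/", () => Results.Ok(Array.Empty<object>()));
contacts.MapPost("/", () => Results.Created("/api/contacts/1", null))
        .RequireAuthorization("RequireAdmin");

app.Run();
```

Reading the key through `IConfiguration` is what lets the library stay out of the secret-management question: the consumer decides whether the value comes from `dotnet user-secrets`, an environment variable or a cloud key vault, and the generated endpoints only see the resulting `TokenValidationParameters`. The length check at startup is a cheap guard against a placeholder secret reaching production.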