Open csharpfritz opened 2 years ago
I'll gladly grab this one. As discussed, if authorization is selected, we should be able to add roles-based authorization to select API endpoints. The authorization namespace is part of the BCL and therefore we don't need to take a dependency on any other libraries: Microsoft.AspNetCore.Authorization
Is this planned to just facilitate adding `Authorize` attributes to specific endpoints, or do you think we could also provide a default JWT based authentication flow (supporting refresh tokens etc) as I find this is something I am constantly having to set up.
Would be nice to just have a UseAuthentication (AuthenticationMode.DefaultJwt or something) flag which gets you an out of the box api that supports user login/registration. This would allow people to add different authentication methods later.
Maybe `AuthenticationMode.DefaultJwt` just points to a `DefaultJwtAuthentication : IAuthentication` class, and we can let people pass in their own `IAuthentication` implementation.
As said on stream, it would be good if JWT tokens could be handled. I still use them in my APIs as an extra layer of security on top of Identity login.
Maybe default end points
/JwtToken/IssueToken
/JwtToken/RefreshToken
One issue we might have is, if they're using other layers of security, how we tell them it's a bearer token etc.
I personally go with `api/identity/token` and `api/identity/token/refresh`. I would say it's just another config flag, e.g. `options.UseJwt(timeout: DateTime.UtcNow.AddDays(2))`, that enables JWT over Identity.
I'm not sure what you mean by tell them it's a bearer token? The person using `InstantAPIs` or a third party? Because I would assume if you opt in to using JWT, you know you get a bearer token.
Also we would have to consider how we want to pass in a user defined signing secret.
We should enable Authorization with optional entries in the InstantAPI configuration

_from @bravecobra's post on #49_

- [ ] allow authorization for the generated APIs and be able to specify authenticated users, required policies, etc...
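
For reference, an added example (not InstantAPIs code and not written by anyone in this thread) of the stock ASP.NET Core wiring that the options discussed above would ultimately have to produce: JWT bearer validation with a signing secret taken from configuration, plus a role requirement on one endpoint. The configuration keys, the `ContactsWrite` policy, the `admin` role and the `/api/contacts` routes are assumptions made for illustration.

```csharp
// Added example. Requires the Microsoft.AspNetCore.Authentication.JwtBearer NuGet package.
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the user-defined signing secret arrives through configuration
// (user-secrets, environment variable Jwt__SigningKey, a vault), never source code.
var signingKey = builder.Configuration["Jwt:SigningKey"];
if (string.IsNullOrEmpty(signingKey) || Encoding.UTF8.GetByteCount(signingKey) < 32)
    throw new InvalidOperationException("Jwt:SigningKey must be set and at least 32 bytes for HS256.");

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = builder.Configuration["Jwt:Issuer"],
            ValidateAudience = true,
            ValidAudience = builder.Configuration["Jwt:Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(signingKey)),
            ValidateLifetime = true,                  // reject expired access tokens
            ClockSkew = TimeSpan.FromSeconds(30)      // library default is 5 minutes
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Hypothetical policy: only the "admin" role may modify data.
    options.AddPolicy("ContactsWrite", p => p.RequireRole("admin"));
    // Endpoints with no explicit authorization metadata still need a valid token.
    options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build();
});

var app = builder.Build();
app.UseAuthentication();   // must run before UseAuthorization
app.UseAuthorization();

// Any authenticated user (fallback policy applies).
app.MapGet("/api/contacts", () => Results.Ok(new[] { "constructed sample row" }));
// Role-restricted endpoint.
app.MapDelete("/api/contacts/{id:int}", (int id) => Results.NoContent())
   .RequireAuthorization("ContactsWrite");

app.Run();
```

With the fallback policy in place, any token-issuing or refresh endpoint added later has to be marked `.AllowAnonymous()` explicitly, which keeps generated endpoints closed by default.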