Convenience methods for authorizing daemon to daemon scopes

[benjaminsampica]

Describe the feature request?

It would be great to have more convenience methods around verifying daemon to daemon communication has the required scopes. Currently, this has to all be created by hand if you want anything greater than a simple Authorize attribute for Okta. Example of a simple policy checking for a scope today.

        options.AddPolicy("require_scopes", builder => builder
                .AddAuthenticationSchemes(OktaDefaults.ApiAuthenticationScheme)
                .RequireAuthenticatedUser()
                .RequireAssertion(context =>
                {
                    if (context.Resource is HttpContext httpContext)
                    {
                        var header = httpContext.Request.Headers.Authorization.ToString();

                        if (header is null or "") return false;

                        var formattedToken = header.Replace("Bearer ", string.Empty);

                        var token = new JwtSecurityTokenHandler().ReadJwtToken(formattedToken);

                        return token.Claims.Any(c => c.Value == "my_scope");
                    }
                }));

Instead, it would be great to have one or more ways of reading the JWT and doing this under the hood.

.NET Version

.NET Core

Provide a documentation link if applicable

Microsoft via Azure AD has similar convenience methods like HttpContext.VerifyUserHasAnyAcceptedScope(), RequireScope attributes, or is mapping scopes across to HttpContext claims. https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore

Additional Information?

No response

[laura-rodriguez]

Hi @benjaminsampica,

Thanks for your feedback. We'll keep monitoring interest in this feature.