Admittedly, this is my first stab at creating an ASP.NET Core Web API project. One of the requirements is OAuth2 support. The API server and Identity are two separate projects, both of which started from an empty ASP.NET template.
The authentication server is up and running, and tokens are issued through the resource owner flow. Getting the token works fine, and the scopes and the corresponding access_token data look right.
When I issue a request to my resource endpoint, I first see the following:
    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[1] Request starting HTTP/1.1 GET http://localhost:12886/v1/mystuff
    info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[2] Successfully validated the token.
    info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[3] HttpContext.User merged via AutomaticAuthentication from authenticationScheme: Bearer.
    info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[8] AuthenticationScheme: Bearer was successfully authenticated.
    info: IdentityModel.AspNetCore.ScopeValidation.ScopeValidationMiddleware[0] Scopes found on current principal: scope: stuffdetails, scope: stuffmover
    info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[8] AuthenticationScheme: Bearer was successfully authenticated.
    info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[1] Authorization was successful for user: 939d72dd-654c-447f-a65d-d0426b1eca59.
So, I can say that the middleware checks my token, reads the scopes and authenticates the token. However, right after the initial success, I get authorization errors:
    info: Microsoft.AspNetCore.Authorization.DefaultAuthorizationService[2] Authorization failed for user: 939d72dd-654c-447f-a65d-d0426b1eca59.
    info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[1] Authorization failed for the request at filter 'Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter'.
    info: Microsoft.AspNetCore.Mvc.ChallengeResult[1] Executing ChallengeResult with authentication schemes ().
    info: Microsoft.AspNetCore.Authentication.JwtBearer.JwtBearerMiddleware[13] AuthenticationScheme: Bearer was forbidden.
    info: Microsoft.AspNetCore.Mvc.Internal.ControllerActionInvoker[2] Executed action TestApi.StuffController.GetStuff (TestApi) in 32.4439ms
    info: Microsoft.AspNetCore.Hosting.Internal.WebHost[2] Request finished in 1207.1769ms 403
These are what I consider to be the relevant bits of Startup.
ConfigureServices ...

    services.AddMvcCore()
        .AddAuthorization(opts =>
        {
            // Policy referenced by the [Authorize(Policy = "stuffdetails")] attribute on GetStuff
            opts.AddPolicy("stuffdetails", policy => policy.RequireClaim("stuffdetails"));
        })
        .AddJsonFormatters();
    services.AddOptions();
Configure ... (note that I know my configuration settings are correct because the initial token validation succeeded)

    var authServerOptions = new IdentityServerAuthenticationOptions
    {
        Authority = configOptions.Value.AuthServerSettings.AuthServerURI,
        RequireHttpsMetadata = configOptions.Value.AuthServerSettings.RequiresHttpsMetaData,
        ApiName = configOptions.Value.AuthServerSettings.ApiName,
        AllowedScopes = configOptions.Value.AuthServerSettings.AllowedScopes,
        SupportedTokens = IdentityServer4.AccessTokenValidation.SupportedTokens.Jwt,
        AuthenticationScheme = "Bearer",
        SaveToken = true,
        ValidateScope = true
    };
    app.UseIdentityServerAuthentication(authServerOptions);
    app.UseMvc();
The Stuff controller

    [Route("v1/[controller]")]
    [Authorize(ActiveAuthenticationSchemes = "Bearer")]
    public class StuffController : Controller
    {
        [HttpGet]
        [Authorize(Policy = "stuffdetails")]
        public JsonResult GetStuff()
        {
            return new JsonResult(new { Message = "You've got stuff.." });
        }
    }
If I remove the Authorize attribute from the GetStuff method, everything works fine, because, as the log shows, the bearer token is accepted.
Questions:
- Is the authorization failing because my policy is incorrect, and if so, how should I configure it?
- If I want to check that a token contains the correct claims and was accepted, is it correct to use policies like mine?
- Am I making a mistake trying to use UseIdentityServerAuthentication instead of UseJwtBearerAuthentication?
Any help is appreciated.
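As an added illustration, not code from the question, the following stand-alone C# program evaluates two policy shapes against a principal constructed to carry the same claims the log reports ("scope: stuffdetails, scope: stuffmover"), using the `ClaimsAuthorizationRequirement` that `RequireClaim` registers. It assumes only that the `Microsoft.AspNetCore.Authorization` package is referenced; the principal and its claims are constructed here, not taken from a real token.

```csharp
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Authorization.Infrastructure;

class PolicyCheck
{
    // Run a single ClaimsAuthorizationRequirement (what policy.RequireClaim(...) adds)
    // against a principal, the same way the authorization service invokes its handler.
    static async Task<bool> Passes(ClaimsAuthorizationRequirement requirement, ClaimsPrincipal user)
    {
        var context = new AuthorizationHandlerContext(new[] { requirement }, user, resource: null);
        await requirement.HandleAsync(context);
        return context.HasSucceeded;
    }

    static async Task Main()
    {
        // Constructed principal mirroring the logged claims: the scopes arrive as
        // claims whose TYPE is "scope" and whose VALUE is the scope name.
        var identity = new ClaimsIdentity(new[]
        {
            new Claim("sub", "939d72dd-654c-447f-a65d-d0426b1eca59"),
            new Claim("scope", "stuffdetails"),
            new Claim("scope", "stuffmover"),
        }, "Bearer");
        var user = new ClaimsPrincipal(identity);

        // policy.RequireClaim("stuffdetails"): requires a claim whose TYPE is "stuffdetails".
        // No such claim type exists on this principal, so the requirement is not met.
        var byClaimType = new ClaimsAuthorizationRequirement("stuffdetails", allowedValues: null);

        // policy.RequireClaim("scope", "stuffdetails"): requires a claim of TYPE "scope"
        // whose VALUE is "stuffdetails", which matches how the scope is actually carried.
        var byScopeValue = new ClaimsAuthorizationRequirement("scope", new[] { "stuffdetails" });

        Console.WriteLine($"RequireClaim(\"stuffdetails\")           -> {await Passes(byClaimType, user)}");
        Console.WriteLine($"RequireClaim(\"scope\", \"stuffdetails\")  -> {await Passes(byScopeValue, user)}");
    }
}
```

The first check fails and the second succeeds, which is why the scope middleware can list the scopes while a policy keyed on the claim type "stuffdetails" still yields a 403.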