Skip to content

Service to Service Auth using JWT#21

Draft
samsp-msft wants to merge 5 commits intomainfrom
samsp/auth1
Draft

Service to Service Auth using JWT#21
samsp-msft wants to merge 5 commits intomainfrom
samsp/auth1

Conversation

@samsp-msft
Copy link
Collaborator

@samsp-msft samsp-msft commented Aug 23, 2022

No description provided.

Sam Spencer added 2 commits August 23, 2022 12:21
@samsp-msft samsp-msft requested a review from mconnew August 23, 2022 23:10
adityamandaleeka
adityamandaleeka reviewed Aug 24, 2022
View reviewed changes
@adityamandaleeka
Copy link

adityamandaleeka commented Aug 24, 2022

cc: @HaoK, can you glance through the auth flow in this sample to make sure it looks okay?

g7ed6e
g7ed6e reviewed Aug 24, 2022
View reviewed changes
Copy link
Collaborator

@g7ed6e g7ed6e left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks great but i think more low level libraries may be used in sample. I'm actually running this scenario in production with https://www.nuget.org/packages/IdentityModel/6.0.0 client side and https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer/6.0.8 server side.

@samsp-msft
Copy link
Collaborator Author

samsp-msft commented Aug 24, 2022

@g7ed6e - in working with @mconnew, it turns out that AuthorizeRole is not hooked up to the ASP.NET claims and policies. Matt is now working on that. How are you doing authorization checks for your services?

And on the client side, what mechanism are you using to inject the header?

@samsp-msft
Copy link
Collaborator Author

samsp-msft commented Aug 24, 2022

Looks great but i think more low level libraries may be used in sample. I'm actually running this scenario in production with https://www.nuget.org/packages/IdentityModel/6.0.0 client side and https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer/6.0.8 server side.

I needed somewhere to get a JWT from, and so AAD was an obvious choice. The packages I used are the AD wrappers that in-turn include https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer on the server side and Microsoft.Identity.Client on the client side.

If there are other providers that are easier to setup, then I think having additional samples for those would also be worthwhile.

@g7ed6e
Copy link
Collaborator

g7ed6e commented Aug 24, 2022

How are you doing authorization checks for your services?

And on the client side, what mechanism are you using to inject the header?

Client side i'm using a IEndpointBehavior which is responsible to add a IClientMessageInspector to the client runtime and use the BeforeSendRequest hook. There i'm fetching a token from a memory cache or request it against the authorization server. @mconnew pointed me that this is not ideal as inspector should not contain long running code. I'm rewriting this to still use a IEnpointBehavoir but combined with a custom DelegatingHandler as described here dotnet/wcf#2400

Server side all operation contract require the same scope thus i'm just checking the token issuer / expires_at / audience and scope. i.e i do not have the [Authorize] feature.

g7ed6e
g7ed6e reviewed Aug 25, 2022
View reviewed changes
Copy link
Collaborator

@g7ed6e g7ed6e left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@samsp-msft you may use the demo duende identity server for you sample which is available there https://demo.duendesoftware.com/. It provides configured clients.

g7ed6e
g7ed6e reviewed Jan 2, 2023
View reviewed changes
Scenarios/Authentication/Service-to-service-JWT-using-Azure-AD/Readme.md

# Using JWT with WCF Services

The WS-* specifications which define the SOAP protocol and form the basis for WCF were developed long before JWT came onto the scene as the preferred form of web authentication. For this reason the WCF client APIs don't include direct support for JWT-based authentication or authorization. However, JWT is implemented over http by supplying the token as a base64-encoded string as the `Authorization` header. These samples add that header and validate it as part of the service call.
Copy link
Collaborator

@g7ed6e g7ed6e Jan 2, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

http header is: Authorization: Bearer <access_token>

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@g7ed6e g7ed6e g7ed6e left review comments

@mconnew mconnew Awaiting requested review from mconnew

+1 more reviewer

@adityamandaleeka adityamandaleeka adityamandaleeka left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@samsp-msft @adityamandaleeka @g7ed6e