Developers can easily work with JWT bearer authentication for API apps during development

The basic idea is to do for JWT bearer authentication what we did for HTTPS in development, i.e. make it extremely easy to configure apps to use JWT bearer authentication in development, without the need for a discrete token issuing server.

  • Enable the management of a cert for signing and verification of dev-time JWTs via dotnet dev-certs jwt. Like the HTTPS cert this would be initialized during SDK setup/first-run
  • Enable the management of JWTs for a given project via a new CLI tool dotnet dev-jwts which is similar to the existing dotnet user-secrets tool but for issuing and managing JWTs
  • Ensure the default AuthenticationBuilder.AddJwtBearer() overloads configure the application to accept dev JWTs as valid when in the development environment
  • Leverage improvements from #39855 and #39840

Example Minimal APIs using dev JWTs

> dotnet new webapi -minimal -o MyApi
> cd MyApi
MyApi> dotnet dev-jwts list
Could not find the global property 'UserSecretsId' in MSBuild project 'MyApi/MyApi.csproj'. Ensure this property
is set in the project or use the 'dotnet user-secrets init' command to initialize this project.
MyApi> dotnet user-secrets init
Set UserSecretsId to '4105052b-5b99-4fff-8fc1-9d6c59887d0a' for MSBuild project 'MyApi/MyApi.csproj'.
MyApi> dotnet dev-jwts list
No tokens configured for this application.
MyApi> dotnet dev-jwts create
Token created for user "damian":
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4iLCJpYXQiOjE1MTYyMzkwMjJ9.
MyApi> dotnet dev-jwts create --name privileged --claim scope="myapi:protected-access"
Token created for user "privileged":
jHy8bGciOiJIUzIR5cCI61NiIsInIkpXVCIxMjM0NTweiuI6IkpvakwIiwiJ9.eyJzdWIiOibmFtZSG4iLCJpYMTYyMzkwMjJ9XQiOjE1.
MyApi> dotnet dev-jwts list
User        Issued               Expires    
------      -------------------  -------------------
damian      2022-01-28 17:37:34  2022-07-28 17:37:34
privileged  2022-01-28 17:37:48  2022-07-28 17:37:48

var builder = WebApplication.CreateBuilder(args);

// Proposed default: in the Development environment this also trusts dev JWTs
// issued by dotnet dev-jwts (see the bullets above).
builder.Authentication.AddJwtBearer();

var app = builder.Build();

// Anonymous endpoint.
app.MapGet("/hello", () => "Hello!");

// Only a token carrying scope="myapi:protected-access" (e.g. the "privileged"
// token created above) is authorized here.
app.MapGet("/hello-protected", () => "Hello, you are authorized to see this!")
    .RequireAuthorization(p => p.RequireClaim("scope", "myapi:protected-access"));

app.Run();

Issue Analytics

  • State: closed
  • Created 2 years ago
  • Reactions: 11
  • Comments: 10 (8 by maintainers)

Top GitHub Comments

5 reactions
martincostello commented, Mar 31, 2022

Making a variant of this work for automated integration test scenarios too, like with Mvc.Testing, would be most welcome.

A very very very off-the-top-of-my-head idea of what I’m getting at is something like this:

WebApplicationFactory<Program> webApplicationFactory = ...;

HttpClient httpClient = webApplicationFactory
   .CreateDefaultClient()
   .WithBearerJwtAuthorization(x => x.WithClaim(ClaimTypes.NameIdentifier, "john-smith"));

// The below call to the protected endpoint succeeds because there's a valid JWT
// for the john-smith user in the Authorization header on the HttpClient
string html = await httpClient.GetStringAsync("/admin-secrets");

1 reaction
captainsafia commented, Jun 6, 2022

The initial version of user-jwts shipped in preview5. We are tracking some follow-ups in #41820 and #41888.
