Glenn Scamman, SnapDevelop, Friday, 17 December 2021 23:09 PM UTC

Hello, 

We have a client app we built with PB2019R3 build 2703 and used SnapDevelop to build an API so that we can have a cloud app where the PB client runs on the users' local machine but the database and all data-access will be on Azure in the cloud.  Let me point out we are using PowerClient to deploy the app, and we are NOT using PowerServer.  The API is running on IIS in Azure.  

The API consists of many controllers, services, and models we scaffolded from PB datawindows. Now that I'm more knowledgeable about the "stateless" nature of ASP.NET Core APIs and the importance of securing our API with authentication...thank you Bruce Armstrong for your Elevate 2021 sessions on Authentication... I want to add JWT Authentication to this API. However, those sessions relied on PowerServer to automatically handle the authentication, whereas since I am not using PowerServer, I'm having to figure out some of the .NET/C# code myself.

I followed the Appeon tutorial Secure_a_Web_API_with_JWT_Token, but after many attempts, kept failing to get it adapted to my existing controllers and credentials-checking I already had in place. I could get a JWT token created, and could pass it back in the headers of the requests to the API, but nothing in the API seemed to verify the token was valid or even existed. I finally broke down and started a new SnapDevelop project, following every step in detail to see if the sample app would actually verify the JWT token, and it did. I see now that the "Authorization" piece is not optional. It is tightly integrated with the "Authentication" in the Microsoft aspnetcore authentication packages. I was hoping to just have this authentication "middleware" automatically verify the JWT token is valid for every single request to the API, and simply return an error if not. But it appears that I need to utilize the Authorization and put an authorization attribute on every controller method to make the JWT Authentication work properly.

My question is, does that sound correct? That I'll need to add an authorize attribute to all the dozens of API controller methods I have (such as the one from the tutorial shown below)?


I also researched many other .NET tutorials out there on adding JWT authentication to ASP.NET Core APIs, and they all got way over my head, since I'm pretty new to C# and .NET and web APIs. One looked promising in that it discussed creating an authorization policy middleware that maybe only requires a valid JWT token and would automatically apply to all controller actions even if they didn't have authorize attributes specified. I could not figure out how to translate what he showed in code snippets into what I need for my API.

Does anyone know of a way to set up an authorization policy so that the authorization attributes won't have to be added to all controller actions? Or something else that would make the process of adding JWT authentication easier?

I'm fine with adding these attributes, but thought I'd see if there was a smarter way to go about this.

Thanks,
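The global approach the question asks about, as an added example that is not from this thread, the Appeon tutorial or SnapDevelop's scaffolding: an ASP.NET Core Startup that validates the JWT bearer token on every request and registers an authorization fallback policy, so every controller action requires an authenticated caller without any per-method or per-class attribute (only the token-issuing action needs [AllowAnonymous]). The configuration keys Jwt:Key, Jwt:Issuer and Jwt:Audience are assumed names.

```csharp
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        // Authentication: check signature, issuer, audience and expiry of every bearer token.
        // The Jwt:* configuration names are assumed; keep the signing key out of source control.
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_config["Jwt:Key"])),
                    ValidateIssuer = true,
                    ValidIssuer = _config["Jwt:Issuer"],
                    ValidateAudience = true,
                    ValidAudience = _config["Jwt:Audience"],
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1)
                };
            });
        // Authorization: the fallback policy covers every endpoint that has no [Authorize] or
        // [AllowAnonymous] of its own, so the existing controllers need no attributes; only the
        // action that issues tokens must be marked [AllowAnonymous].
        services.AddAuthorization(options =>
            options.FallbackPolicy = new AuthorizationPolicyBuilder().RequireAuthenticatedUser().Build());
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication(); // sets HttpContext.User from a valid token, else leaves it anonymous
        app.UseAuthorization();  // returns 401 to anonymous callers under the fallback policy
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```

With this in place a request whose token is missing, expired or has a bad signature is rejected in the middleware and never reaches the controller action.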


Answer #1: Arnd Schmidt, SnapDevelop, Saturday, 18 December 2021 14:00 PM UTC

Hi Glenn,

Have you tried to add the rule at the top of the class declaration?

using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

// Class-level attribute: every action in this controller requires an authenticated
// caller in the "admin" or "manager" role, without repeating the attribute per method.
[Authorize(Roles = "admin,manager")]
public class yourController : ControllerBase
{
    // ... your existing actions
}

Regards,

Arnd

Comment from Glenn Scamman, Wednesday, 22 December 2021 02:18 AM UTC:
Arnd, I have not yet, but it sounds like it could shorten the coding from every method to every controller at least. So I'm moving in the right direction!
Answer #2: Armeen Mazda @Appeon, SnapDevelop, Saturday, 18 December 2021 01:44 AM UTC

Hi Glenn,

The tutorial you mentioned is a very simple one to introduce the concept of a token.  It is not meant to be a production-ready and complete solution for securing your REST APIs.

Yes, you are correct that at minimum you need an authorization server. In PowerServer, we developed OAuth and JWT flavors of authorization server, but PowerServer also supports creating your own implementation. Bruce actually shows in this Elevate session how to create your own implementation for Azure Active Directory: https://youtu.be/3Wz4mYJq5qA?t=2749

Although the above Elevate session is in the context of PowerServer, I think you should watch it, as it might help you get closer to recreating this for your own REST APIs.

Best regards,
Armeen

Comment from Glenn Scamman, Wednesday, 22 December 2021 02:16 AM UTC:
Thanks Armeen,

I understand the tutorial is simple and is not a complete solution, but it does bring up points that are the building blocks to JWT authentication and got me started down the right path. I did watch Bruce's session, but at this time we are not using Azure Active Directory to hold application user information, and so we can't implement that solution either...at least not yet. It could be in our future. I've been trying to read different sources on JWT solutions, and they vary wildly from each other, and frankly are hard to understand. I think I can get the concepts from the Appeon tutorial to work; I was just asking if there might be some shortcuts to get it done on the 75 controllers I currently have.

Comment from Armeen Mazda @Appeon, Wednesday, 22 December 2021 03:02 AM UTC:
Understand your situation. Let's see if the hands-on programmers on this forum have suggestions for you.