Hello,
We have a client app we built with PB2019R3 build 2703 and used SnapDevelop to build an API so that we can have a cloud app where the PB client runs on the users' local machine but the database and all data-access will be on Azure in the cloud. Let me point out we are using PowerClient to deploy the app, and we are NOT using PowerServer. The API is running on IIS in Azure.
The API consists of many controllers, services, and models we scaffolded from PB datawindows. Now that I'm more knowledgeable about the "stateless" nature of ASP.NET Core APIs and the importance of securing our API with authentication...thank you Bruce Armstrong for your Elevate 2021 sessions on Authentication...I want to add JWT Authentication to this API. However, those sessions relied on PowerServer to automatically handle the authentication, whereas since I am not using PowerServer, I'm having to figure out some of the .NET/C# code myself.
I followed the Appeon tutorial Secure_a_Web_API_with_JWT_Token, but after many attempts, kept failing to get it adapted to my existing controllers and credentials-checking I already had in place. I could get a JWT token created, and could pass it back in the headers of the requests to the API, but nothing in the API seemed to verify the token was valid or even existed. I finally broke down and started a new SnapDevelop project, following every step in detail to see if the sample app would actually verify the JWT token, and it did. I see now that the "Authorization" piece is not optional. It is tightly integrated with the "Authentication" in the Microsoft aspnetcore authentication packages. I was hoping to just have this authentication "middleware" automatically verify the JWT token is valid for every single request to the API, and simply return an error if not. But it appears that I need to utilize the Authorization and put an authorization attribute on every controller method to make the JWT Authentication work properly.
My question is, does that sound correct? That I'll need to add an authorize attribute to all the dozens of API controller methods I have (such as the one from the tutorial shown below)?
I also researched many other .NET tutorials out there on adding JWT authentication to ASP.NET Core APIs, and they all got way over my head, since I'm pretty new to C# and .NET and web APIs. One looked promising in that it discussed creating an authorization policy middleware that maybe only requires a valid JWT token and would automatically apply to all controller actions even if they didn't have authorize attributes specified. I could not figure out how to translate what he showed in code snippets into what I need for my API.
Does anyone know of a way to set up an authorization policy so that the authorization attributes won't have to be added to all controller actions? Or something else that would make the process of adding JWT authentication easier?
I'm fine with adding these attributes, but thought I'd see if there was a smarter way to go about this.
Thanks,
I understand the tutorial is simple and is not a complete solution, but it does bring up points that are the building blocks to JWT authentication and got me started down the right path. I did watch Bruce's session, but at this time we are not using Azure Active Directory to hold application user information, and so we can't implement that solution either...at least not yet. It could be in our future. I've been trying to read different sources on JWT solutions, and they vary wildly from each other, and frankly are hard to understand. I think I can get the concepts from the Appeon tutorial to work, I was just asking if there might be some shortcuts to get it done on the 75 controllers I currently have.
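The shortcut asked about in the original question and in the follow-up (a policy that requires a valid JWT on every controller action without adding an attribute to each of the 75 controllers) is what ASP.NET Core 3.0+ calls a fallback authorization policy. The `Startup` below is an added example written for this thread; it is not code from the original post, from the Appeon tutorial, or from SnapDevelop's scaffolding. It assumes a .NET Core 3.1 / .NET 5 style `Startup` class, the `Microsoft.AspNetCore.Authentication.JwtBearer` package, and three configuration keys (`Jwt:Issuer`, `Jwt:Audience`, `Jwt:Key`) that hold the same values the token-issuing code used; those key names are an assumption, not anything the tutorial prescribes.

```csharp
// Added example, not from the original post or the Appeon tutorial.
// Validates the JWT bearer token on every request by means of a fallback
// authorization policy, so individual controller actions need no [Authorize].
using System;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    private readonly IConfiguration _config;
    public Startup(IConfiguration config) => _config = config;

    public void ConfigureServices(IServiceCollection services)
    {
        // Assumed configuration keys; they must match the issuer, audience and
        // signing key used when the token was created, or validation fails.
        var signingKey = new SymmetricSecurityKey(
            Encoding.UTF8.GetBytes(_config["Jwt:Key"]));

        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidateAudience = true,
                    ValidateLifetime = true,          // reject expired tokens
                    ValidateIssuerSigningKey = true,  // reject tokens with a bad signature
                    ValidIssuer = _config["Jwt:Issuer"],
                    ValidAudience = _config["Jwt:Audience"],
                    IssuerSigningKey = signingKey,
                    ClockSkew = TimeSpan.FromMinutes(1) // library default is 5 minutes
                };
            });

        services.AddAuthorization(options =>
        {
            // The fallback policy applies to every endpoint that carries no
            // authorization metadata of its own, i.e. every scaffolded action
            // that has neither [Authorize] nor [AllowAnonymous]. A request
            // without a valid bearer token is rejected with 401 before the
            // action body runs.
            options.FallbackPolicy = new AuthorizationPolicyBuilder()
                .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
                .RequireAuthenticatedUser()
                .Build();
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
    {
        app.UseRouting();
        // Order matters: UseAuthentication must precede UseAuthorization, and
        // both must sit between UseRouting and UseEndpoints, otherwise the
        // token is never read and the policy is never enforced.
        app.UseAuthentication();
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

// Hypothetical controller showing the two cases that remain.
[ApiController]
[Route("api/[controller]")]
public class PingController : ControllerBase
{
    // No attribute: covered by the fallback policy, so a valid JWT is required.
    [HttpGet]
    public IActionResult Get() => Ok(new { user = User.Identity?.Name });

    // The one place an attribute is still needed: endpoints that must stay
    // open, such as the login action that issues the token or a health check.
    [HttpGet("public")]
    [AllowAnonymous]
    public IActionResult GetPublic() => Ok("no token required");
}
```

With this in place the existing scaffolded controllers need no changes; only the token-issuing action (and anything else that must be reachable without a token) gets `[AllowAnonymous]`. A quick check after deploying is to call any scaffolded action once without an `Authorization` header and once with a tampered or expired token: both should return 401 rather than data, which is the behaviour the original post found missing.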