Authorize api and identity pages

Question

Authorize api and identity pages

Jay San 1

I try to authorize by role Identity pages and API controllers and it doesn't work as expected.

I use Identity for security and i want to authorize the identity register page by role i want to authorize api controllers also.
If I use just this code, I can authorize identy pages:

services.AddAuthentication().AddIdentityServerJwt();

But if i use this code:

services.AddAuthentication(options => { options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme; }) .AddJwtBearer(options => {}.AddIdentityServerJwt()

I can authorize api but I can't authorize identity page. Does anyone has any ideea how can I authorize both?

AdamJachocki 6 Reputation points

2021-09-07T14:21:33.35+00:00

What do you mean by "server jwt doesn't work"? And where is the actual question?
AgaveJoe 22,626 Reputation points

2021-09-07T14:26:13.233+00:00

Can you explain what "doesn't work" means? Web API authorization is not working as expected? Is Web API hosted with Identity Server?
AgaveJoe 22,626 Reputation points

2021-09-08T11:13:30.293+00:00

I can authorize api but I can't authorize identity page. Does anyone has any ideea how can I authorize both?

I assume your edited post is asking how to add authorization to a Razor Page not Web API??? Razor pages do not use JWTs they use an authentication cookie.

Razor Pages authorization conventions in ASP.NET Core
Jay San 1 Reputation point

2021-09-08T12:37:02.17+00:00

@AgaveJoe if I use this .AddIdentityServerJwt(); Razor pages use jwts.. I think you are suggesting me another method to authoriuze pages
AgaveJoe 22,626 Reputation points

2021-09-08T13:31:32.267+00:00

if I use this .AddIdentityServerJwt(); Razor pages use jwts.. I think you are suggesting me another method to authoriuze pages

I think you are making assumptions.

JWTs are sent in the Authorization header as a bearer token to authorize access to secured Web API resources. The client, code, is responsible for passing the token in the HTTP request. The JWT middleware reads the token and creates the user principal.

Razor Pages use cookie authentication because the client is always a browser which handles cookies automatically. The Identity framework uses cookie authentication middleware (default) to read the cookie and setup the principal.

Please read the link in my first post which illustrates these concepts. Also please visit the links on the left.

If you still have question, please clarify what yo u are trying to do and provide sample code that reproduces the unwanted behavior.
Jay San 1 Reputation point

2021-09-09T13:29:59.973+00:00

Okay, I'll explain what I'm trying to do:
1.To do role-based authorization on razor pages (and here I mean identity pages)
2.To do role-based authorization on API (ie the controllers that manage the requests that come from the client)

In order to do this, as the first method I use this piece of code:
services.AddAuthentication().AddIdentityServerJwt();

When I use this method the Identity pages are properly authorized and the authorization function returns what is needed depending on the roll claim on the token (cookie you want), instead on the normal API controller it always returns false even if claim the controller is correct.
AgaveJoe 22,626 Reputation points

2021-09-09T18:10:05.523+00:00

instead on the normal API controller it always returns false even if claim the controller is correct.

That indicates the token is missing the role/claim. Get a copy of the token and take a look at the claims. How is the token generated? Did you write the logic to populate the token?

If you are hosting Identity Server and want to get the user roles into a claim, then you need to implement the IProfileService. There are several SO posts on this subject as well.
Jay San 1 Reputation point

2021-09-10T11:02:14.903+00:00

On API, I Have this claim on token:
{http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Admin}
On Razor, this claim:
{role: Admin}

This is the only difference
Jay San 1 Reputation point

2021-09-10T11:06:15.35+00:00

IOf course, I implemented IProfileService. Know? If I talk about claims, it is clear that I added them.

returns false even if claim the controller is correct.
AgaveJoe 22,626 Reputation points

2021-09-10T12:50:42.983+00:00

I can't reproduce this issue. Unfortunately you have not provided enough information to figure out what you're doing.

When I add a role claim to a token and pass it to a Web API end point, authorization simply functions as expected. There must be other issues with your configuration that we cannot see. Is there anyway you can post your code on GitHub or share enough code to reproduce this issue?
Rakesh Jagatap 6 Reputation points

2021-10-08T18:23:25.33+00:00

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

AdamJachocki 6 Reputation points

2021-09-07T14:21:33.35+00:00

What do you mean by "server jwt doesn't work"? And where is the actual question?
AgaveJoe 22,626 Reputation points

2021-09-07T14:26:13.233+00:00

Can you explain what "doesn't work" means? Web API authorization is not working as expected? Is Web API hosted with Identity Server?
AgaveJoe 22,626 Reputation points

2021-09-08T11:13:30.293+00:00

I can authorize api but I can't authorize identity page. Does anyone has any ideea how can I authorize both?

I assume your edited post is asking how to add authorization to a Razor Page not Web API??? Razor pages do not use JWTs they use an authentication cookie.

Razor Pages authorization conventions in ASP.NET Core
Jay San 1 Reputation point

2021-09-08T12:37:02.17+00:00

@AgaveJoe if I use this .AddIdentityServerJwt(); Razor pages use jwts.. I think you are suggesting me another method to authoriuze pages
AgaveJoe 22,626 Reputation points

2021-09-08T13:31:32.267+00:00

if I use this .AddIdentityServerJwt(); Razor pages use jwts.. I think you are suggesting me another method to authoriuze pages

I think you are making assumptions.

JWTs are sent in the Authorization header as a bearer token to authorize access to secured Web API resources. The client, code, is responsible for passing the token in the HTTP request. The JWT middleware reads the token and creates the user principal.

Razor Pages use cookie authentication because the client is always a browser which handles cookies automatically. The Identity framework uses cookie authentication middleware (default) to read the cookie and setup the principal.

Please read the link in my first post which illustrates these concepts. Also please visit the links on the left.

If you still have question, please clarify what yo u are trying to do and provide sample code that reproduces the unwanted behavior.
Jay San 1 Reputation point

2021-09-09T13:29:59.973+00:00

Okay, I'll explain what I'm trying to do:
1.To do role-based authorization on razor pages (and here I mean identity pages)
2.To do role-based authorization on API (ie the controllers that manage the requests that come from the client)

In order to do this, as the first method I use this piece of code:
services.AddAuthentication().AddIdentityServerJwt();

When I use this method the Identity pages are properly authorized and the authorization function returns what is needed depending on the roll claim on the token (cookie you want), instead on the normal API controller it always returns false even if claim the controller is correct.
AgaveJoe 22,626 Reputation points

2021-09-09T18:10:05.523+00:00

instead on the normal API controller it always returns false even if claim the controller is correct.

That indicates the token is missing the role/claim. Get a copy of the token and take a look at the claims. How is the token generated? Did you write the logic to populate the token?

If you are hosting Identity Server and want to get the user roles into a claim, then you need to implement the IProfileService. There are several SO posts on this subject as well.
Jay San 1 Reputation point

2021-09-10T11:02:14.903+00:00

On API, I Have this claim on token:
{http://schemas.microsoft.com/ws/2008/06/identity/claims/role: Admin}
On Razor, this claim:
{role: Admin}

This is the only difference
Jay San 1 Reputation point

2021-09-10T11:06:15.35+00:00

IOf course, I implemented IProfileService. Know? If I talk about claims, it is clear that I added them.

returns false even if claim the controller is correct.
AgaveJoe 22,626 Reputation points

2021-09-10T12:50:42.983+00:00

I can't reproduce this issue. Unfortunately you have not provided enough information to figure out what you're doing.

When I add a role claim to a token and pass it to a Web API end point, authorization simply functions as expected. There must be other issues with your configuration that we cannot see. Is there anyway you can post your code on GitHub or share enough code to reproduce this issue?
Rakesh Jagatap 6 Reputation points

2021-10-08T18:23:25.33+00:00

Hi, if the posted answer resolves your question, please mark it as the answer by clicking the check mark. Doing so helps others find answers to their questions.

Authorize api and identity pages

Activity