❔ The built-in authentication is not working
Hi, for some time now I've been learning ASP.NET Core as I have ambitions to build my own technology stack using React + .NET. I'm currently in the process of building a simple API for an online store as part of my basic .NET learning. I've encountered an issue with authorization - despite the settings I've put together from various tutorials, posts, etc.
When sending a request to the server with a JWT token in the Cookies, which contains a claim 'admin' with a value of 'true', I receive a server response with a 401 status code. However, when I remove the '[Authorize(Policy = "AdminOnly")]' attribute from the endpoint, everything works correctly. I've been searching for the possible cause of the error and I have no idea where the issue might lie.
The JWT token contains a claim 'admin' with a value of 'true'.
The JWT token is valid when sending the request.
Here is the 'GenerateToken' method responsible for generating the JWT token, which is saved in Cookies during login:
https://github.com/rafalzzz/online-store-api/blob/b613c92b4cb0fb021ddde5c88ee8efc0d308878c/Services/JwtService.cs#L29
Here is the authentication configuration:
https://github.com/rafalzzz/online-store-api/blob/add-authorization/Configuration/AuthenticationConfiguration.cs
Here is the authorization configuration:
https://github.com/rafalzzz/online-store-api/blob/add-authorization/Configuration/AuthorizationConfiguration.cs
Middleware for checking the JWT token in the cookie:
https://github.com/rafalzzz/online-store-api/blob/add-authorization/Middleware/CookieAuthenticationMiddleware.cs
And the settings in the Program.cs file:
https://github.com/rafalzzz/online-store-api/blob/add-authorization/Program.cs
Could someone take a look at this and tell me where the issue might be? I've already spent several hours researching and trying different solutions, but without success.
Thank you in advance.
My .env file looks like this:
best skill for you to learn early: problem-solving
never work AROUND a problem, WORK the problem
your problem is the 401 response
which is generated by the Authorization Middleware
and as you've identified, in particular, the "AdminOnly" policy you applied to that endpoint
that's where the problem is coming from, so that's where we're gonna go
let's see that policy
is that line in config the entirety of it?
Yes, but today I continued working on this issue and created a class that takes over the context after the "CookieAuthenticationMiddleware" and checks if the user's claims contain claims of type "Role" with the value "Admin". I have no idea if this approach is good.
https://github.com/rafalzzz/online-store-api/blob/master/Authentication/CookieAuthenticationMiddleware.cs
https://github.com/rafalzzz/online-store-api/blob/master/Authorization/AdminOnly.cs
Currently, I am checking the user's permissions in the following way:
https://github.com/rafalzzz/online-store-api/blob/df927eaa2f98f3764e2eacce800fd8ca0d79a151/Controllers/UserController.cs#L106
rolling your own middleware for something that is trivially supported by the built-in middleware is definitely not the right approach
but perfectly reasonable for debugging, if you've exhausted other options
is this custom middleware now working?
or, uhh
this
IAuthorizationFilter?
Yes, everything is functioning correctly - in your opinion, can I leave it as it is?
IMO, no, I wouldn't
but it's your call
Ok, I'll change this 🙂
I would want to know why the original thing you had wasn't working
Probably because in the authentication middleware, I was passing the token to the 'authorization' header instead of decrypting the token and passing the claims to the 'User' or even 'Role' context
I think I will be able to do it now using the built-in authorization middleware - I will test it later and let you know the details
Now, using the built-in middleware, everything works correctly 🙂
https://github.com/rafalzzz/online-store-api/pull/6/files
wait, you WEREN'T using the built-in middleware?
like, originally?
you were configuring it on your IoC container
but you weren't actually using it in the pipeline?
Was this issue resolved? If so, run
/close
- otherwise I will mark this as stale and this post will be archived until there is new activity.
Yes - for this reason, because I overcomplicated the flow and the authorization itself 😦
that'll do it then
and don't feel too bad about that, the built-in auth middlewares are beastly
they're not terribly complicated, but there's a LOT of moving parts to be aware of