Reputation: 61
I have a Web API backend that several client applications are using. The API is secured with JWT authentication, based upon the following example: https://github.com/mrsheepuk/ASPNETSelfCreatedTokenAuthExample.
Since I am not yet very comfortable with all the concepts of token-based authentication, I could use some guidance on this. I need my applications to utilize the same API, but to limit access for each application to a specific area or controller.
According to the example I can protect methods within an area with:
[Authorize("Api")]
A policy is added in startup with
authOptions.AddPolicy("Api", new AuthorizationPolicyBuilder()
.AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme) // "Bearer" scheme
.RequireAuthenticatedUser().Build());
For secured requests from the client I typically have an Angular 2 app that simply adds the JWT in the headers like so:
headers.append('Authorization', 'Bearer ' + jwt);
I don't know all the mechanics here, but I am assuming that when a secured method is requested, the "Api" attribute decoration is what decides/limits which policy is to be used with a certain route in the API.
How do I extend this to work with individually accessible sections?
Upvotes: 0
Views: 460
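The following is an added example, not code from the question or from the linked repository, showing how the policy mechanism in the question extends to per-application access: the token-issuing side stamps a claim naming the calling application into the JWT, and one authorization policy per application requires that claim. The claim name "client_id", the policy/application names "InventoryApp" and "BillingApp", the issuer/audience URLs and the signing key are assumptions made for illustration; the code targets ASP.NET Core 2.0 or later (the linked repository predates that, but the policy builder API is the same).

```csharp
// Added example (not from the question or the linked repository): one
// authorization policy per client application, keyed on a claim that the
// token issuer puts in the JWT. Claim name, policy names, URLs and key are
// assumptions for illustration. Targets ASP.NET Core 2.0+.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class ApiPolicies
{
    // Each policy requires a Bearer JWT AND a client_id claim naming that
    // application, so a token minted for one app is forbidden (403) on the
    // other app's controllers instead of being accepted everywhere.
    public static void Configure(IServiceCollection services, SymmetricSecurityKey signingKey)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidIssuer = "https://auth.example.test",   // assumption
                    ValidAudience = "https://api.example.test",  // assumption
                    IssuerSigningKey = signingKey,
                    ValidateLifetime = true,
                    ClockSkew = TimeSpan.FromMinutes(1),
                };
            });

        services.AddAuthorization(authOptions =>
        {
            foreach (var app in new[] { "InventoryApp", "BillingApp" })
            {
                authOptions.AddPolicy(app, new AuthorizationPolicyBuilder()
                    .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme)
                    .RequireAuthenticatedUser()
                    .RequireClaim("client_id", app)
                    .Build());
            }
        });
    }
}

public static class TokenIssuer
{
    // The issuing endpoint, not the client, decides which application a token
    // is for. The client cannot alter the claim without breaking the signature.
    public static string Issue(string userName, string clientId, SymmetricSecurityKey signingKey)
    {
        var claims = new List<Claim>
        {
            new Claim(JwtRegisteredClaimNames.Sub, userName),
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N")),
            new Claim("client_id", clientId),
        };
        var token = new JwtSecurityToken(
            issuer: "https://auth.example.test",
            audience: "https://api.example.test",
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

// Only tokens carrying client_id = "InventoryApp" reach this controller.
[Authorize(Policy = "InventoryApp")]
[Route("api/inventory")]
public class InventoryController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { items = new[] { "widget", "gadget" } });
}

// Only tokens carrying client_id = "BillingApp" reach this one.
[Authorize(Policy = "BillingApp")]
[Route("api/billing")]
public class BillingController : ControllerBase
{
    [HttpGet]
    public IActionResult Get() => Ok(new { invoices = 3 });
}
```

The `[Authorize(Policy = "...")]` attribute is what selects the policy for a controller or action, which is the mechanic the question guesses at: the JWT bearer middleware validates the signature, issuer, audience and lifetime and populates `HttpContext.User`; the policy then inspects the resulting claims. The Angular client keeps sending `Authorization: Bearer <jwt>` exactly as in the question. The application identity must come from a claim inside the signed token, never from a separate client-supplied header or query parameter, because anything the client adds outside the signature can be changed freely.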
Reputation: 5075
You can create an ActionFilterAttribute for Authorization and use it on all the actions. You can implement the FrameworkAuthorise filter methods as per your requirements. Global.ApiKey is the unique code for your application, used to identify whether you have access to that application or not.
// FrameworkAuthorise is the answerer's own filter attribute (implementation not shown);
// IHttpActionResult is the ASP.NET Web API 2 action result type.
[FrameworkAuthorise(Global.ApiKey, AuthorisationType.None)]   // no token required
public async Task<IHttpActionResult> Get()
{
    // code goes here
}

[FrameworkAuthorise(Global.ApiKey, AuthorisationType.Bearer)] // Bearer token required
public async Task<IHttpActionResult> Post()
{
    // code goes here
}
Upvotes: 0
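The answer shows the attribute's usage but not its body. Below is an added example, not the answerer's actual FrameworkAuthorise implementation, of how such a filter attribute can be written for ASP.NET Core (the framework the question uses) as an `IAuthorizationFilter`. The `AuthorisationType` enum values, the "client_id" claim name and the `Global.ApiKey` value are assumptions modelled on the answer; the example assumes the JWT bearer middleware is registered so that `HttpContext.User` is already populated when the filter runs.

```csharp
// Added example (not the answerer's FrameworkAuthorise code): an ASP.NET Core
// authorization filter attribute that gates an action on the application key
// carried in the JWT. Enum, claim name and key value are assumptions.
using System;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;

public enum AuthorisationType
{
    None,    // anonymous access allowed; the application key is not checked
    Bearer,  // a valid JWT whose client_id claim equals the application key is required
}

[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class FrameworkAuthoriseAttribute : Attribute, IAuthorizationFilter
{
    private readonly string _applicationKey;
    private readonly AuthorisationType _type;

    public FrameworkAuthoriseAttribute(string applicationKey, AuthorisationType type)
    {
        _applicationKey = applicationKey ?? throw new ArgumentNullException(nameof(applicationKey));
        _type = type;
    }

    // Runs after the JWT bearer middleware has populated HttpContext.User, so
    // the filter only looks at claims whose signature and lifetime were
    // already verified. It never parses the Authorization header itself.
    public void OnAuthorization(AuthorizationFilterContext context)
    {
        if (_type == AuthorisationType.None)
            return;

        var user = context.HttpContext.User;
        if (user?.Identity == null || !user.Identity.IsAuthenticated)
        {
            // No valid token: challenge, which the bearer handler turns into
            // 401 with a WWW-Authenticate: Bearer header.
            context.Result = new ChallengeResult();
            return;
        }

        // Valid token, but minted for a different application: forbid (403)
        // rather than re-prompting for credentials.
        var clientId = user.FindFirst("client_id")?.Value;
        if (!string.Equals(clientId, _applicationKey, StringComparison.Ordinal))
        {
            context.Result = new ForbidResult();
        }
    }
}

public static class Global
{
    // Per-application key compiled into each deployment (assumption, mirroring
    // the answer's Global.ApiKey). It identifies the application; it is not a
    // secret and grants nothing on its own without a matching signed token.
    public const string ApiKey = "InventoryApp";
}

[Route("api/inventory")]
public class InventoryController : ControllerBase
{
    [HttpGet]
    [FrameworkAuthorise(Global.ApiKey, AuthorisationType.None)]
    public IActionResult Get() => Ok("public listing");

    [HttpPost]
    [FrameworkAuthorise(Global.ApiKey, AuthorisationType.Bearer)]
    public IActionResult Post() => Ok("created");
}
```

The check the filter performs is the same one a `RequireClaim("client_id", ...)` policy expresses declaratively, so in ASP.NET Core the policy route is usually preferable: it is covered by the framework's authorization middleware, composes with `[AllowAnonymous]`, and is harder to forget on a new action. A hand-written filter is mainly useful when the decision needs data the policy builder cannot express, such as a per-request lookup. In either approach the key point holds: the application identity is trusted only because it is a claim inside the signed token.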