Brian Ogden

Reputation: 19212

Why does using ServiceStack JwtAuthProviderReader add auth endpoints to my resource API?

I have set up an authentication server that issues JWT Tokens.

I have now set up my first resource service that will authenticate/authorize using the bearer token provided in a request. This service is not my auth server; it is a resource server.

I added the ServiceStack JwtAuthProviderReader to my resource service:

Plugins.Add(new AuthFeature(() => new AuthUserSession(),
    new IAuthProvider[] {
        new JwtAuthProviderReader() {
            HashAlgorithm = "HS256",
            AuthKeyBase64 = AuthSettings.JwtAuthKeyBase64
        },
    }));

Why does my resource server now have all the auth server endpoints? I am using the JwtAuthProviderReader, not the JwtAuthProvider that my auth service does. As the documentation states, my resource service is only validating tokens.


Upvotes: 3

Views: 227

Answers (1)

mythz

Reputation: 143319

These aren't limited to just the JWT AuthProvider; they're ServiceStack's built-in Auth Services for handling any ServiceStack Authentication, i.e. when registering ServiceStack's AuthFeature plugin.

If you're not using Assign/Unassign Roles Services, they can be disabled with:

Plugins.Add(new AuthFeature(...) {
    IncludeAssignRoleServices = false
});

You can also hide Services from showing up in the metadata pages and Services by dynamically adding Exclude attributes in the AppHost's constructor, e.g:

public AppHost() : base("MyApp", typeof(MyServices).Assembly)
{
    typeof(Authenticate)
        .AddAttributes(new ExcludeAttribute(Feature.Metadata));
}

Which is equivalent to adding the attribute on the Request DTO, e.g:

[Exclude(Feature.Metadata)]
public class Authenticate { ... }

Upvotes: 2
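
The question's provider registration and the answer's two options combined in one resource-server AppHost, as an added example that is not code from either post. The `GetOrders` service, the body of `AuthSettings` and the `JWT_AUTH_KEY_BASE64` environment variable name are hypothetical.

```csharp
using System;
using Funq;
using ServiceStack;
using ServiceStack.Auth;

// Hypothetical settings holder: the question's AuthSettings class is not shown on the page.
public static class AuthSettings
{
    public static string JwtAuthKeyBase64 =>
        Environment.GetEnvironmentVariable("JWT_AUTH_KEY_BASE64");
}

// Hypothetical protected resource, present only to show token validation in effect.
[Route("/orders")]
public class GetOrders : IReturn<GetOrdersResponse> { }
public class GetOrdersResponse { public string UserAuthId { get; set; } }

[Authenticate] // requests without a valid bearer token are rejected
public class MyServices : Service
{
    public object Any(GetOrders request) =>
        new GetOrdersResponse { UserAuthId = GetSession().UserAuthId };
}

public class AppHost : AppHostBase
{
    public AppHost() : base("ResourceApi", typeof(MyServices).Assembly)
    {
        // Changes what the metadata pages list; it is not an access control.
        typeof(Authenticate).AddAttributes(new ExcludeAttribute(Feature.Metadata));
    }

    public override void Configure(Container container)
    {
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                // Reader only: validates tokens issued by the separate auth server.
                new JwtAuthProviderReader {
                    HashAlgorithm = "HS256",
                    AuthKeyBase64 = AuthSettings.JwtAuthKeyBase64
                },
            }) {
            // Unregisters the Assign/Unassign Roles services.
            IncludeAssignRoleServices = false
        });
    }
}
```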
