TLDR I need a working example of a dotnet webapi handling the scope checking of a client-credentials token. All examples seem to use the context.User, but in my test app, that is null. I can see the scopes from the jwt token in the authorization header if I check it manually, but how can I do it in the middleware of a dotnet webapi?
We have a monolithic webforms app that has been built up over about 15 years. We have many customers that log in to our site and create jobs, which then progress through various states, from pending to complete, as their job is manufactured. The customer can log in and check their jobs on our site.
Our task is to extend our site via an API to these customers, so they can create/view jobs via their own in-house bespoke apps. So for example they will have a site that their users log in to, and they can view the status of their jobs in their own app.
So I am thinking I need to create a client-credentials login to our app for them (one each).
I have done that but when I try to access the api, it is always unauthorized. I can see the right data in the jwt token if I check the authorization header, but the middleware is trying to validate their claims via context.User.Claims, which is empty.
We need to validate the request and then work out which client it is, so we can filter the jobs they can read to only that customer. I assume we do this match through the azp value in the jwt token, matched to the customerid we use, in a table we hold locally. Is this the right way to architect this?
I would be fine to do it with a user token but it seems wrong here as we don’t want them to have to grant consent to anything. But it would be so much easier if we could set up a user with a customer id that they access the api through.
If it is the right way to architect this, is there a working example of a dotnet web api validating client credentials requests and checking their permissions/scope? I cannot find that.
Failing that, is there someone who is an expert in this stuff that is willing to talk to me online for 30 minutes?
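Below is an added example (not code from the original post) of an ASP.NET Core minimal API that validates an Azure AD / Entra ID client-credentials token with the Microsoft.AspNetCore.Authentication.JwtBearer package and then maps the calling application to a local customer record. It assumes a hypothetical tenant id, API app id, an app role named `Jobs.Read` assigned to each customer's application, and a constructed in-memory mapping from the caller's application id (the `azp` claim in v2 tokens, `appid` in v1 tokens) to a customer id; a real deployment would read that mapping from the local table the post describes. Two details matter for the symptom in the question: `HttpContext.User` is only populated after `UseAuthentication()` has run, so any custom middleware that reads claims must be registered after it, and with `MapInboundClaims = false` the claim names stay exactly as they appear in the token (`roles`, `azp`, `scp`) instead of being renamed to the long WS-* claim URIs.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumed identifiers for the example; replace with your tenant and the app
// registration that represents this API (the token's "aud" must match it).
const string TenantId = "00000000-0000-0000-0000-000000000000";
const string ApiClientId = "11111111-1111-1111-1111-111111111111";
string authority = $"https://login.microsoftonline.com/{TenantId}/v2.0";

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Signing keys and issuer metadata are fetched from the authority's
        // OpenID Connect discovery document; nothing is trusted from the header alone.
        options.Authority = authority;
        // Keep raw claim names ("roles", "azp", "scp") instead of the mapped URIs.
        options.MapInboundClaims = false;
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = authority,
            ValidateAudience = true,
            ValidAudiences = new[] { ApiClientId, $"api://{ApiClientId}" },
            ValidateLifetime = true,
            ValidateIssuerSigningKey = true,
            // Tolerance for clock skew between this server and the token issuer.
            ClockSkew = TimeSpan.FromMinutes(2),
        };
    });

builder.Services.AddAuthorization(options =>
{
    // App-only (client-credentials) tokens carry application permissions in the
    // "roles" claim, not in "scp"; require the app role assigned to the customer app.
    options.AddPolicy("Jobs.Read", policy =>
        policy.RequireAuthenticatedUser()
              .RequireClaim("roles", "Jobs.Read"));
});

var app = builder.Build();

// Constructed mapping for the example: calling application id -> local customer id.
// In production this comes from the customer table the API already holds.
var customerByClientId = new Dictionary<string, int>(StringComparer.OrdinalIgnoreCase)
{
    ["aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"] = 1001,
    ["bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"] = 1002,
};

// Resolve the caller's application id: "azp" in v2 tokens, "appid" in v1 tokens.
static string? CallingAppId(ClaimsPrincipal user) =>
    user.FindFirstValue("azp") ?? user.FindFirstValue("appid");

// Order matters: authentication populates HttpContext.User, authorization
// evaluates policies, and only then can custom middleware or endpoints read claims.
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/jobs", (ClaimsPrincipal user) =>
{
    var appId = CallingAppId(user);
    // A token that validated and has the role but belongs to an unknown
    // application gets 403, not 401: it is authenticated but not one of ours.
    if (appId is null || !customerByClientId.TryGetValue(appId, out var customerId))
        return Results.Forbid();

    // Filter the job query by the resolved customer, never by anything the caller sent.
    var jobs = new[] { new { CustomerId = customerId, JobId = 42, Status = "pending" } };
    return Results.Ok(jobs);
}).RequireAuthorization("Jobs.Read");

app.Run();
```

The `azp`-to-customer lookup is the trust boundary: the token proves which registered application called, and the local table decides which customer's data that application may see, so a client cannot widen its view by changing a query parameter or a header it controls. If the API is later also called with delegated (user) tokens, the same lookup still identifies the client application, while `scp` rather than `roles` carries the granted permissions.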