Building and Securing Web APIs with ASP.NET Core 3.0

Happy to hear this! :slight_smile:

Thanks to you for this great feedback! :smiley:

1 Like

All the praise belongs to @andrea.chiarelli! Happy to hear that @jsauve!

1 Like

Hi @jsauve, do you happen to have any code snippets or advice for how you got the scoped permissions to work? I tried combining the article/quickstart as well, but couldn’t get it to work using the HasScopeHandler and HasScopeRequirements via the authorization service from the quick start example. Any advice or direction you have would be greatly appreciated!

1 Like

Hi @vince.rogers. I did this in my Startup.cs:

// One named policy per scope: the policy name is the scope string itself,
// so a controller can demand it with [Authorize(Policy = "venue:create")].
services.AddAuthorization(options =>
{
    foreach (var scope in GetScopes())
        options.AddPolicy(scope, policy => policy.Requirements.Add(new HasScopeRequirement(scope, auth0AudienceBaseAddress)));
});

…where auth0AudienceBaseAddress = https://{your auth0 subdomain}.auth0.com/api/v2/.
(I load mine from appsettings.json)

And GetScopes() looks like this:

using System.Collections.Generic;
using System.IO;
using System.Reflection;
using Newtonsoft.Json;

// Reads the list of scope names from scopes.json, which is compiled into the
// assembly as an embedded resource (see the note on the resource name below).
List<string> GetScopes()
{
    var result = new List<string>();
    var scopesJson = string.Empty;

    // Resource name = <default namespace>.<folder>.<file name>
    using (var stream = Assembly.GetExecutingAssembly().GetManifestResourceStream("TwinPortsPulse.WebApi.Resources.scopes.json"))
        using (var reader = new StreamReader(stream))
            scopesJson = reader.ReadToEnd();

    if (!string.IsNullOrWhiteSpace(scopesJson))
        result.AddRange(JsonConvert.DeserializeObject<List<string>>(scopesJson));

    return result;
}

…where TwinPortsPulse.WebApi is my namespace and Resources is a folder under my project and scopes.json has its properties set to be an embedded resource.

JSON file looks like this:

[
    "venue:read:published",
    "venue:read:mine",
    "venue:read:all",
    "venue:create",
    "venue:update:mine",
    "venue:update:all",
    "venue:delete",
    ...more permission scopes...
    "event:read:published",
    "event:read:mine",
    "event:read:all",
    "event:create",
    "event:update:mine",
    "event:update:all",
    "event:delete"
]

(Ignore the strange markdown formatting. The bold means nothing.)

Set up all those scopes in the Auth0 portal for your app, and then assign those permissions to your various roles. I find it VERY helpful to first create a spreadsheet of all my permission scopes and roles and put a checkmark for each role that should have each permission. This helps me organize the complexity before translating it into the roles and permissions in the Auth0 portal.

4 Likes
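As an added example, not code from the post above or from Auth0's own quickstart, here is the requirement/handler pair that the per-scope policies rely on, written against the ASP.NET Core authorization API, together with the DI registration that is easy to miss. It assumes the access token carries the granted scopes in a space-separated `scope` claim and that the issuer string passed to the requirement is the value the token's `iss` claim actually contains; the `AddScopePolicies` extension method is a name chosen for this example.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
// Requirement: "the caller's token must carry this scope, issued by this issuer".
public class HasScopeRequirement : IAuthorizationRequirement
{
    public string Issuer { get; }
    public string Scope { get; }
    public HasScopeRequirement(string scope, string issuer)
    {
        Scope = scope ?? throw new ArgumentNullException(nameof(scope));
        Issuer = issuer ?? throw new ArgumentNullException(nameof(issuer));
    }
}
// Handler: succeeds only when a "scope" claim from the expected issuer contains the required scope.
public class HasScopeHandler : AuthorizationHandler<HasScopeRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HasScopeRequirement requirement)
    {
        // Only trust a scope claim that came from the configured issuer (the token's iss), not any token carrying one.
        var scopeClaim = context.User.FindFirst(c => c.Type == "scope" && c.Issuer == requirement.Issuer);
        if (scopeClaim == null)
            return Task.CompletedTask; // no usable scope claim: requirement stays unmet
        // Assumption: the OAuth 2.0 scope claim is one space-separated string, e.g. "venue:read:mine venue:create".
        var scopes = scopeClaim.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries);
        if (scopes.Contains(requirement.Scope, StringComparer.Ordinal))
            context.Succeed(requirement);
        return Task.CompletedTask; // never calling Succeed leaves the policy failed, so the request gets 403
    }
}
// Startup.ConfigureServices wiring (hypothetical helper). Registering the handler is the step
// that is easy to forget; without it every scope policy fails, even for tokens that carry the scope.
public static class ScopePolicyRegistration
{
    public static void AddScopePolicies(this IServiceCollection services, string issuer, params string[] scopes)
    {
        services.AddSingleton<IAuthorizationHandler, HasScopeHandler>();
        services.AddAuthorization(options =>
        {
            foreach (var scope in scopes)
                options.AddPolicy(scope, policy => policy.Requirements.Add(new HasScopeRequirement(scope, issuer)));
        });
    }
}
// Usage on a controller action: [Authorize(Policy = "venue:create")]
```

A quick check that the wiring is right: a token without the scope should get 403 rather than 401, since authentication succeeded but the policy did not.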

Thanks a lot @jsauve for sharing that!

2 Likes

Thank you for the amazingly detailed response. I’ll work through your example and report back!

2 Likes

I’m missing something here. I’ve secured the api and can get the token from my dashboard and it works with curl and postman but if I have a frontend in REACT and the user authenticates how does the user get authorized? How do they get the JWT token? How do I connect the front end to the back end?


Hi @joshisplutar,
you have to integrate your React app with Auth0 as well so that the user authenticates and gets the access token to use the API.
You can take a look at this article to understand how to integrate your React app with Auth0.
I hope this helps.