Good day everyone.
Today I decided to setup Auth0 to be able to generate JWT used to authorize access to an API written in ASP.NET Core 2.2, I did so following this wonderful tutorial.
However, when the time came to Authorize access to my API in each endpoint based off the permissions I encountered something interesting, the class HasScopeHandler
was using scope
instead of permissions
.
For context, this is the original class:
public class HasScopeHandler : AuthorizationHandler<HasScopeRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HasScopeRequirement requirement)
{
// If user does not have the scope claim, get out of here
if (!context.User.HasClaim(c => c.Type == "scope" && c.Issuer == requirement.Issuer))
return Task.CompletedTask;
// Split the scopes string into an array
var scopes = context.User.FindFirst(c => c.Type == "scope" && c.Issuer == requirement.Issuer).Value.Split(' ');
// Succeed if the scope array contains the required scope
if (scopes.Any(s => s == requirement.Scope))
context.Succeed(requirement);
return Task.CompletedTask;
}
}
However, when I downloaded one of the SPA examples provided to be able to get a JWT token for a given user (if it’s possible to generate one from the dashboard please let me know), I realized the JWT structure was a little different, its scope
property doesn’t contain the permissions, these are listed in their own property permissions
.
{
"iss": "https://my-application.auth0.com/",
"sub": "auth0|5d2921e518fa750db74f7559",
"aud": [
"https://someendpoint.azurewebsites.net",
"https://my-application.auth0.com/userinfo"
],
"iat": 1562986382,
"exp": 1563072782,
"azp": "WXnuME1d5o84FNqTuUKc5Ms16tjm1MTs",
"scope": "openid profile email",
"permissions": [
"view:itemcategories"
]
}
So of course no request will ever work because it will look for the permission inside of the scope
property. Changing the class mentioned previously to look inside the permissions
property works just fine.
public class HasScopeHandler : AuthorizationHandler<HasScopeRequirement>
{
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, HasScopeRequirement requirement)
{
// If user does not have the scope claim, get out of here
if (!context.User.HasClaim(c => c.Type == "permissions" && c.Issuer == requirement.Issuer))
return Task.CompletedTask;
// Split the scopes string into an array
var scopes = context.User.FindFirst(c => c.Type == "permissions" && c.Issuer == requirement.Issuer).Value.Split(' ');
// Succeed if the scope array contains the required scope
if (scopes.Any(s => s == requirement.Scope))
context.Succeed(requirement);
return Task.CompletedTask;
}
}
So I guess at this point my question is, was there a change in how the permissions are set in the JWT since the tutorial was published? And, is it fine to just leave my class as it is so it looks inside the permissions
property?
Thanks a lot for your time!