
Comments (7)

brockallen commented on May 28, 2024

You still need to have an [Authorize] attribute on your Web APIs (or as a global filter).

from identityserver3.accesstokenvalidation.

stevenfirstrowinc commented on May 28, 2024

Yep, I have that in all cases, but honestly I'm not 100% sure I understand why I would need that. Is it the case that UseIdentityServerBearerTokenAuthentication is saying "when authentication is required, make sure the token contains this scope", and that is why the request continues so that the [Authorize] attribute can be evaluated?

brockallen commented on May 28, 2024

Authentication happens first. Authorization is the job of the application layer (typically).

stevenfirstrowinc commented on May 28, 2024

Oh, duh! So if I want to force authentication for all requests, I'd need to use an authentication filter in addition to UseIdentityServerBearerTokenAuthentication (which is part of authorization)?

brockallen commented on May 28, 2024

You mean authorization, right? The bearer token is authentication. If that works, then great, but if not then the request is anonymous. Authorization ensures that the current request is allowed. If anonymous is not allowed, then that authorization is required.

leastprivilege commented on May 28, 2024

The scope is only enforced when a valid token has been found. Otherwise the request is anonymous.

You need additional authZ rules - in any case.

stevenfirstrowinc commented on May 28, 2024

@brockallen that isn't what I meant, but it's clear now. This all comes down to one of my injected services that depends on an authenticated user. Now that I understand this process better I can handle the unauthenticated use case. I was thinking the UseIdentityServerBearerTokenAuthentication method would prevent the request from getting all the way down the pipeline, but I get it now.

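Putting the thread's answers together, as an added example (not code from the IdentityServer3.AccessTokenValidation project or from any commenter): an OWIN Startup that registers the bearer-token middleware for authentication and a global [Authorize] filter for authorization, with a hypothetical authority URL, scope name and controller. Without the global filter an anonymous request still reaches the controller, which is why an injected service that needs a user has to handle the unauthenticated case itself.

```csharp
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Owin;

namespace ExampleApi
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Step 1: authentication. The middleware validates a bearer token only
            // if one is present and then checks RequiredScopes against it. A request
            // with no token (or an invalid one) is not rejected here; it continues as anonymous.
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://idsrv.example.test/identity", // hypothetical IdentityServer3 base URL
                RequiredScopes = new[] { "api1" }                  // hypothetical scope name
            });

            // Step 2: authorization. A global AuthorizeAttribute turns "anonymous is not
            // allowed" into a 401 for every action that does not explicitly opt out.
            var config = new HttpConfiguration();
            config.Filters.Add(new AuthorizeAttribute());
            config.MapHttpAttributeRoutes();
            app.UseWebApi(config);
        }
    }

    [RoutePrefix("api/orders")]
    public class OrdersController : ApiController
    {
        // Covered by the global filter: anonymous callers get 401 before this runs.
        [Route("")]
        public IHttpActionResult Get()
        {
            return Ok(new { user = User.Identity.Name });
        }

        // Explicit opt-out: this action still runs for anonymous requests, so anything
        // it calls that needs a user must cope with IsAuthenticated == false.
        [AllowAnonymous]
        [Route("status")]
        public IHttpActionResult Status()
        {
            var authenticated = User.Identity != null && User.Identity.IsAuthenticated;
            return Ok(new { authenticated });
        }
    }
}
```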
