invio / invio.extensions.authentication.jwtbearer Goto Github PK

Background

Right now I have one "Options" class, the JwtBearerQueryStringOptions. This is great for configuring the extension, but when it is provided to the behavior, it gives a little bit too much power.

Specifically, it lets the behavior see its own specification on the options object, which is something that should be abstracted away. It also is mutable, so the behavior can adjust the configuration while it is running. Neither of these should be allowed.

Task

Make a new JwtBearerQueryStringBehaviorOptions class that is (1) immutable, and (2) provides a subset of settings from JwtBearerQueryStringOptions that are appropriate for a IJwtBearerQueryStringBehavior to know about. It should get hydrated within the JwtBearerQueryStringMiddleware here

Background

As an alternative to "redacting" tokens from query strings, we can also remove them entirely. This will hide from the logs that a token was included at all, which may be more helpful than saying that it was included but we are redacting it from view.

Task

• Add a RemoveJwtBearerQueryStringBehavior implementation of IJwtBearerQueryStringBehavior that removes the token from the query string if it is found.
• Update QueryStringBehaviors to have a new immutable Remove property that returns this behavior.

I'm trying to use your library.
I think I followed the instructions properly.

My problem is that my HTTP GET seems to be rejected by the authentication mechanism before the token on the URL gets processed.

I took option 2 from your SO answer to confirm that the OnMessageReceived code is never called.

Does that behavior rings a bell on what could be wrong ?

Background

As an alternative to "redacting" tokens from query strings, we can also move tokens to the Authorization HTTP header. This enables code downstream to assume the token is always present in the authorization header.

An interesting use case this enables is putting the middleware in front of any authentication code rather than mutating the authentication code to allow for query strings.

Task

• Add a MoveToHeaderJwtBearerQueryStringBehavior implementation of IJwtBearerQueryStringBehavior that removes the token from the query string and puts it into the Authorization header using the Bearer authentication scheme.
• Update QueryStringBehaviors to have a new immutable MoveToHeader property that returns this behavior.
• Update README to reference the fact that this behavior can be put in front of the authentication middleware.