I need only a few endpoints in my API to use a different token, because they will be called by a less secure application and I don’t want that other token to have access to every application equal to the default token Identity generates to use in endpoints with the [Authorize].
So far what I’ve done is:
- Manually generate a token with an algorithm I created
- Return this token through a secure endpoint for users only [Authorize]
Now to authorize the endpoints I have to do the validation also manually, rescuing from the bank and comparing the token I received, but I wish that part could at least use one [decorator] also.
- I tried to overwrite the AuthorizeAttribute, but this is no longer possible in .NET Core
- I tried to create a policy and call [Authorize(Policy = "NovoToken")], but before calling the policy validation it already returned Unauthorized because it didn’t have the Identity token.
- And lastly I tried to implement an IAuthorizationFilter. It even worked, but for it to work I need to use the [AllowAnonymous] together and it gets ugly to have to put these two.
Finally my questions are:
1. Is there a better way to create a designer that will not fall into the default validation of Identity and let me just do my validation?
2. Or could I use Identity itself to create and validate an alternate token, but leaving it with permission for specific API endpoints?
I understand that it is strange to use the [AllowAnonymous] since it is using the [Authorize(Policy = "NovoToken")], but as long as it is well documented the solution is very simple. The Policy name itself can already be something that indicates customization. Did you find some other way to do it?
– George Wurthmann
I found no other solution, but after that I did not research further. I saw that you have the authorization for Authorization Code Grant, maybe using it I can solve my problem. – Daniel Dutra
Hello, I had a similar problem. I solved it this way. https://github.com/renatogroffe/ASPNETCore2_CRUD-API-JWT-EFInMemory
– Jersonb
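One way to get what the question asks for, as an added example that is not part of the original question or comments: register the alternate token as a second authentication scheme and bind the "NovoToken" policy to that scheme, so the policy no longer falls through the default Identity validation and no [AllowAnonymous] is needed. The header name `X-Limited-Token`, the `ILimitedTokenStore` interface and the `scope` claim are hypothetical names chosen for illustration.

```csharp
// Added example; header name, store interface and claim values are hypothetical.
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public interface ILimitedTokenStore
{
    // Returns the owning user id, or null when the token is unknown, expired or revoked.
    Task<string> FindOwnerAsync(string token);
}

public class LimitedTokenHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "NovoToken";
    private const string HeaderName = "X-Limited-Token";
    private readonly ILimitedTokenStore _store;

    // ASP.NET Core 2.x-7 constructor shape; .NET 8 adds an overload without ISystemClock.
    public LimitedTokenHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, ILimitedTokenStore store)
        : base(options, logger, encoder, clock) => _store = store;

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue(HeaderName, out var values))
            return AuthenticateResult.NoResult();   // no token sent: policy challenges with 401

        var owner = await _store.FindOwnerAsync(values.ToString());
        if (owner == null)
            return AuthenticateResult.Fail("Unknown or expired limited token.");

        // The principal carries only what these endpoints need, not the Identity user's roles.
        var identity = new ClaimsIdentity(
            new[] { new Claim(ClaimTypes.NameIdentifier, owner), new Claim("scope", "limited") },
            SchemeName);
        return AuthenticateResult.Success(
            new AuthenticationTicket(new ClaimsPrincipal(identity), SchemeName));
    }
}
// Startup.ConfigureServices (also register an ILimitedTokenStore implementation):
//   services.AddAuthentication()
//       .AddScheme<AuthenticationSchemeOptions, LimitedTokenHandler>(LimitedTokenHandler.SchemeName, _ => { });
//   services.AddAuthorization(o => o.AddPolicy("NovoToken", p => p
//       .AddAuthenticationSchemes(LimitedTokenHandler.SchemeName)
//       .RequireClaim("scope", "limited")));
// Controller action: [Authorize(Policy = "NovoToken")]
```

Endpoints decorated with a plain [Authorize] keep using the default scheme, so the limited token is never evaluated there and grants nothing outside the actions that name this policy.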