ASP.NET Core Web API - authorize enduser applications and daemon app

Time:10-25

We have a client application (with logged in user) and daemon services (just API no users) accessing a Web API.

The Web API methods need to check the user's role claims and scopes before executing the operation.

services.AddAuthorization(options =>
            {
                options.AddPolicy("AssetPolicy", policy =>
                {
                    // checks the scope (ApiScopeRequirement is a custom IAuthorizationRequirement
                    // with its own handler, defined elsewhere in the project)
                    policy.Requirements.Add(new ApiScopeRequirement("AssetServicFullScope"));

                    // checks the user's claim; RequireClaim compares string values, and the call
                    // has to sit inside the policy builder where `policy` is in scope
                    policy.RequireClaim("AssetAdmin", "true");
                });
            });

However, using this policy in the Web API would only allow access to the client app. The daemon app would fail because its access token does not have user claims.

We use OpenIddict to implement the authentication server.

The question is what is the best way to allow authentication of both client apps and daemon apps using ASP.NET Core policies?

CodePudding user response:

It's just a question of what unique scope or claim the daemon's tokens have. You need some data from the token to make that authorization decision, so that the API can be sure it is dealing with a daemon and can authorize the request. Once you know which claim or scope that is, you can use a function to fulfill a policy or implement a handler.

I think something like this should work:

services.AddAuthorization(options =>
{
    options.AddPolicy("AssetPolicy", policy =>
        // a Claim exposes Type and Value; succeed for an admin user OR a daemon token
        policy.RequireAssertion(context => context.User.HasClaim(c =>
            (c.Type == "AssetAdmin" && c.Value == "true") ||
            (c.Type == "IsDaemon" && c.Value == "true"))));
});
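The handler variant of the approach described in this answer, as an added example that is not part of the original answer: one requirement that demands the API scope from every caller and then accepts either an end user carrying the admin claim or a token carrying a daemon marker claim. The scope name, the claim types (`AssetAdmin`, `is_daemon`) and the `scope` claim type are assumptions; which claim type the scopes appear under depends on the middleware that validated the token (OpenIddict's own validation handler, for instance, exposes them through its `GetScopes()`/`HasScope()` extension methods rather than a raw `scope` claim). The marker claim is only trustworthy because it comes from a signed token issued by your authorization server, so it must be added there for client-credentials tokens and never be something a user can self-assert.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;

// Requirement: caller must hold the scope AND be either an end user with the
// admin claim or a daemon token. All names here are assumptions for this example.
public sealed class AssetAccessRequirement : IAuthorizationRequirement
{
    public string Scope { get; }
    public string AdminClaimType { get; }
    public string DaemonClaimType { get; }

    public AssetAccessRequirement(string scope, string adminClaimType, string daemonClaimType)
    {
        Scope = scope;
        AdminClaimType = adminClaimType;
        DaemonClaimType = daemonClaimType;
    }
}

public sealed class AssetAccessHandler : AuthorizationHandler<AssetAccessRequirement>
{
    protected override Task HandleRequirementAsync(AuthorizationHandlerContext context,
                                                   AssetAccessRequirement requirement)
    {
        var user = context.User;

        // Scopes may arrive as several "scope" claims or as one space-separated
        // value depending on the token format, so normalise to a set first.
        var scopes = user.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .ToHashSet(StringComparer.Ordinal);

        // The scope is mandatory for both kinds of caller: fail closed without it.
        if (!scopes.Contains(requirement.Scope))
            return Task.CompletedTask;

        bool isDaemon = user.HasClaim(c => c.Type == requirement.DaemonClaimType && c.Value == "true");
        bool isAdmin  = user.HasClaim(c => c.Type == requirement.AdminClaimType && c.Value == "true");

        if (isDaemon || isAdmin)
            context.Succeed(requirement);

        return Task.CompletedTask;
    }
}

public static class AssetAuthorization
{
    public static readonly AssetAccessRequirement Requirement =
        new("AssetServiceFullScope", "AssetAdmin", "is_daemon");

    // Wiring for Startup/Program: one policy, one handler.
    public static void Configure(IServiceCollection services)
    {
        services.AddSingleton<IAuthorizationHandler, AssetAccessHandler>();
        services.AddAuthorization(options =>
            options.AddPolicy("AssetPolicy", policy => policy.AddRequirements(Requirement)));
    }

    // Runs the handler directly, without an HTTP pipeline, so the policy logic
    // can be exercised against hand-built principals.
    public static async Task<bool> IsAllowedAsync(ClaimsPrincipal principal)
    {
        var context = new AuthorizationHandlerContext(new[] { Requirement }, principal, resource: null);
        await new AssetAccessHandler().HandleAsync(context);
        return context.HasSucceeded;
    }

    private static ClaimsPrincipal Principal(params (string Type, string Value)[] claims) =>
        new(new ClaimsIdentity(claims.Select(c => new Claim(c.Type, c.Value)), "Bearer"));

    public static async Task Main()
    {
        // Constructed sample principals: what each caller's validated access token yields.
        var admin         = Principal(("sub", "alice"), ("scope", "AssetServiceFullScope"), ("AssetAdmin", "true"));
        var daemon        = Principal(("sub", "asset-daemon"), ("scope", "AssetServiceFullScope"), ("is_daemon", "true"));
        var plainUser     = Principal(("sub", "bob"), ("scope", "AssetServiceFullScope"));
        var daemonNoScope = Principal(("sub", "asset-daemon"), ("is_daemon", "true"));

        Console.WriteLine($"admin user:           {await IsAllowedAsync(admin)}");
        Console.WriteLine($"daemon:               {await IsAllowedAsync(daemon)}");
        Console.WriteLine($"user without claim:   {await IsAllowedAsync(plainUser)}");
        Console.WriteLine($"daemon without scope: {await IsAllowedAsync(daemonNoScope)}");
    }
}
```

The first two principals are authorized and the last two are rejected: the user lacks the admin claim, and the daemon lacks the scope. Checking the scope before the caller-type branch matters because a daemon token whose client was never granted the scope should not get in on the strength of the marker claim alone.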

CodePudding user response:

You must implement the Client Credentials OAuth2 flow for authentication of daemons (machine to machine). This is available out of the box in most identity servers, including OpenIddict.
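What that looks like end to end with OpenIddict, as an added example that is not part of the original answer: the server enables the `client_credentials` grant and registers the daemon as a confidential client limited to the token endpoint, that grant type and one scope; the token endpoint action issues a principal whose subject is the client id and which carries a daemon marker claim; and the daemon exchanges its credentials for an access token and presents it as a Bearer token. The client id, secret, scope name and `is_daemon` claim are assumptions, the OpenIddict core/store registration (`AddCore(...)`) and the resource API's token validation are assumed to be configured elsewhere, and the API calls are those of OpenIddict 3.x/4.x.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using OpenIddict.Abstractions;
using OpenIddict.Server.AspNetCore;
using static OpenIddict.Abstractions.OpenIddictConstants;

// ---- Authorization server side (OpenIddict) ----
public static class AuthServerSetup
{
    // Turns on the client_credentials grant; AddCore(...) with the application
    // store is assumed to be registered elsewhere in Startup.
    public static void ConfigureServer(IServiceCollection services)
    {
        services.AddOpenIddict().AddServer(options =>
        {
            options.SetTokenEndpointUris("connect/token");
            options.AllowClientCredentialsFlow();
            options.RegisterScopes("AssetServiceFullScope");
            options.AddDevelopmentEncryptionCertificate()
                   .AddDevelopmentSigningCertificate();   // dev only: use real keys in production
            options.UseAspNetCore().EnableTokenEndpointPassthrough();
        });
    }

    // Registers the daemon as a confidential client allowed to use exactly the
    // endpoint, grant type and scope it needs (least privilege).
    public static async Task RegisterDaemonAsync(IOpenIddictApplicationManager manager)
    {
        if (await manager.FindByClientIdAsync("asset-daemon") is not null) return;
        await manager.CreateAsync(new OpenIddictApplicationDescriptor
        {
            ClientId = "asset-daemon",
            ClientSecret = "replace-with-a-long-random-secret",   // stored hashed by OpenIddict
            Permissions =
            {
                Permissions.Endpoints.Token,
                Permissions.GrantTypes.ClientCredentials,
                Permissions.Prefixes.Scope + "AssetServiceFullScope"
            }
        });
    }
}

// Token endpoint: OpenIddict has already authenticated client_id/client_secret
// and enforced the permissions above before this action runs.
public class TokenController : ControllerBase
{
    [HttpPost("~/connect/token"), Produces("application/json")]
    public IActionResult Exchange()
    {
        var request = HttpContext.GetOpenIddictServerRequest()
            ?? throw new InvalidOperationException("The request is not an OpenIddict request.");

        if (!request.IsClientCredentialsGrantType())
            return Forbid(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);

        var identity = new ClaimsIdentity(OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
        // sub = client_id: there is no user behind this token, only the daemon.
        identity.AddClaim(new Claim(Claims.Subject, request.ClientId!)
            .SetDestinations(Destinations.AccessToken));
        // Marker the resource API's policy can key on (claim name is an assumption).
        identity.AddClaim(new Claim("is_daemon", "true")
            .SetDestinations(Destinations.AccessToken));

        var principal = new ClaimsPrincipal(identity);
        principal.SetScopes(request.GetScopes());   // only scopes the client may request reach here
        return SignIn(principal, OpenIddictServerAspNetCoreDefaults.AuthenticationScheme);
    }
}

// ---- Daemon side: plain OAuth2 client_credentials token request ----
public static class DaemonClient
{
    public static async Task<string> GetAccessTokenAsync(HttpClient http, Uri tokenEndpoint,
        string clientId, string clientSecret, string scope)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"]    = "client_credentials",
            ["client_id"]     = clientId,
            ["client_secret"] = clientSecret,
            ["scope"]         = scope,
        });
        using var response = await http.PostAsync(tokenEndpoint, form);
        response.EnsureSuccessStatusCode();
        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        return json.RootElement.GetProperty("access_token").GetString()!;
    }

    public static async Task<HttpResponseMessage> CallApiAsync(HttpClient http, Uri apiUri, string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, apiUri);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return await http.SendAsync(request);
    }
}
```

The daemon never sees a user; its token is authorized purely by what the client was registered to do, so keep the registered permissions to the single scope the API requires and rotate the secret like any other credential. Because the marker claim is minted by the token endpoint and signed into the access token, the resource API can rely on it to tell machine callers from end users without ever trusting anything the caller supplies itself.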
