
My setup consists of 3 components:

Auth0, where I add users and manage their permissions.
My front-end SPA web page, which serves as a shell for my API.
My API, made with ServiceStack.

Here's the authentication flow, as I imagine it:

The user clicks "log in with Auth0" in the client application.
The user is then redirected to Auth0, where he logs in and receives a JWT.
This JWT is stored on the client, and added to each request to my API.
My API (ServiceStack) verifies the JWT by checking that it matches the certificate given to me by Auth0.
My API (ServiceStack) checks if the user has the required permissions, as managed by Auth0 and included in the JWT.

Ideally this should be as simple as adding [Authorize] and [RequiredPermission] tags to the services to configure what permissions are required to access which services.

I have tried to achieve this in many different ways, but I'm starting to think my entire approach is flawed, so it's hard to add any code snippets to illustrate the problem. Am I misunderstanding something fundamentally, or is this something that should be possible to set up in ServiceStack? I'm able to get and verify the JWTs from Auth0 as being correct by using http://jwt.io/, the problem is just integrating this verification in ServiceStack.

Dan

1 Answer


Auth0 has published a number of docs and articles on integration with ServiceStack:

For JWT integration I've found a Custom OAuth0 Provider at:

Or see this answer on integrating with an Auth0 OAuth Provider

mythz
  • I'm still quite confused. Most of those articles seem to suggest the canonical way of doing authentication with ServiceStack is that the client has to log in through /auth/, which will in turn save the log-in info onto the user's session. What I was hoping for was to have stateless authentication, so that it works across various microservices. Your JWT gist seems more along the lines I was thinking. But the code seems quite dated, and I'm having a hard time getting it to work. "JWT" and "HttpContext" are unknown names. Do you know of a more up to date version? – Dan Jun 09 '18 at 21:23
  • @Dan They're just different ways I've found to authenticate ServiceStack with Auth0. I didn't write any of the linked articles; you can try leaving a comment on the gist asking if they have a version that works with .NET Core. `HttpContext` is only available from classic ASP.NET on the .NET Framework; ASP.NET Core uses its own HttpRequest abstractions. – mythz Jun 09 '18 at 22:47
  • 1
    I went ahead and used the built-in JwtAuthProviderReader, which seems to have everything I need for now. – Dan Jun 11 '18 at 07:11
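The flow described in the question (Auth0 issues an RS256 JWT, the API verifies it against the certificate Auth0 gives you, then checks permissions carried in the token) and the built-in `JwtAuthProviderReader` the last comment settles on can be combined in one stateless AppHost. The following is an added example, not code from the question, the answer, or ServiceStack's own docs. Note that ServiceStack's attribute is `[Authenticate]`, not `[Authorize]`. The tenant domain, API audience, certificate file name, DTO names and the `read:orders` permission are placeholders; that Auth0 puts granted RBAC permissions in a `permissions` array claim is assumed here and should be confirmed against the tokens your tenant actually issues.

```csharp
// Added example: ServiceStack AppHost validating Auth0 RS256 JWTs statelessly.
// Placeholders: YOUR_TENANT, the audience, the certificate path and "read:orders".
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Funq;
using ServiceStack;
using ServiceStack.Auth;

public class AppHost : AppHostBase
{
    public AppHost() : base("Auth0 JWT API", typeof(OrdersService).Assembly) { }

    public override void Configure(Container container)
    {
        // Placeholders: the tenant domain and the API identifier registered in Auth0.
        var issuer = "https://YOUR_TENANT.auth0.com/";
        var audience = "https://api.example.com/";

        // The signing certificate downloaded from the Auth0 tenant. Only the public
        // key is extracted; the reader verifies signatures and never mints tokens.
        var cert = new X509Certificate2("auth0-signing-cert.cer");
        var publicKey = cert.GetRSAPublicKey().ExportParameters(includePrivateParameters: false);

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                new JwtAuthProviderReader {
                    HashAlgorithm = "RS256",        // Auth0 access tokens are RSA-SHA256 signed
                    PublicKey = publicKey,          // signature mismatch => request rejected
                    Issuer = issuer,                // tokens from any other issuer are rejected
                    Audience = audience,            // tokens minted for another API are rejected
                    RequireSecureConnection = true, // bearer tokens only over HTTPS
                    // Assumption: Auth0 RBAC places granted permissions in a "permissions"
                    // array claim. Copy it into the session so [RequiredPermission] can use it.
                    PopulateSessionFilter = (session, payload, req) =>
                    {
                        var perms = payload.GetArray<string>("permissions") ?? new string[0];
                        session.Permissions = perms.ToList();
                    },
                }
            }));
    }
}

// Stateless: each request carries "Authorization: Bearer <jwt>"; there is no /auth login
// and nothing is stored server-side between requests.
[Authenticate]                        // a valid, unexpired, correctly signed JWT is required
[RequiredPermission("read:orders")]   // and the token must grant this permission
public class GetOrders : IReturn<GetOrdersResponse> { }

public class GetOrdersResponse
{
    public string[] Orders { get; set; }
}

public class OrdersService : Service
{
    public object Get(GetOrders request)
    {
        // The session is rebuilt from the JWT claims on every request.
        var session = SessionAs<AuthUserSession>();
        return new GetOrdersResponse
        {
            Orders = new[] { $"orders visible to subject {session.UserAuthId}" }
        };
    }
}
```

With this in place a request without a token, with an expired token, or with a token signed by a different key fails at `[Authenticate]` with 401, while a correctly signed token that lacks `read:orders` fails at `[RequiredPermission]` with 403. Pinning `Issuer` and `Audience` matters as much as the signature check: a token that Auth0 legitimately issued for a different API in the same tenant would otherwise verify, because it is signed by the same tenant key.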