
I have a working ASP.NET Core 3.1 Web API, and I would like to restrict access to specific actions in some of the controllers.

There are no valid human or web browser consumers of this API, so no cookies, and no need for a standard challenge/response authentication model. I just want to make sure that anyone invoking certain actions is allowed to do so.

Since the controller actions are so atomic, I was hoping I could implement something simple, or at least simpler than a complex, external, role-based identity service. That's what led me to reading about bearer tokens, where I read very helpful guides such as this stack overflow answer, and this JWT overview.

However, these models seem to treat the token as a temporary replacement credential to a permanent, conventional username/password credential.

Would it be difficult to model this with permanent bearer tokens instead? This would greatly simplify most authorization flows and management, as consuming apps would only need to request a new token if the Web API revoked them. And since the authentication is at the action level, a simple "yes/no" answer to access seems perfect for a permanent token that doesn't care about long term claim or role management.

I don't know if I'm thinking about this incorrectly or naively, but that's my question. Is it reasonable to use permanent bearer tokens, and if so, how do I implement that in ASP.NET Core 3.1?

Thanks!

Jason
  • A large part of why you would want to use bearer authentication with a JWT is that it _expires_. While that may seem inconvenient to you, it does improve the security since one cannot simply copy that single token and retrieve full access to your application. Instead, one needs to properly authenticate with the external identity provider which can have better security mechanisms in place, which will ultimately protect your app better. OAuth is then often used as a protocol because it is already supported by a lot of frameworks and libraries. – poke Aug 10 '20 at 18:22
  • That being said, yes, you could roll your own authentication scheme to do whatever you want to authenticate your clients. Or you could use basic authentication because a permanent token is basically the same as a made-up username & password combination. See [this question](https://stackoverflow.com/q/35296648/216074) for details on basic authentication; and check out blowdart's implementation if you want to see how you could roll your own authentication scheme. – poke Aug 10 '20 at 18:25
  • I appreciate the caveat and the post! Both are very helpful. – Jason Aug 10 '20 at 19:03
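One way to implement what the question asks for and what poke's second comment suggests, a custom ASP.NET Core 3.1 authentication scheme that accepts a permanent bearer token, as an added example that is not code from the question, the comments or any linked post. The handler name, the client id, the token value and the in-memory store are made-up placeholders; the store stands in for wherever the hashes would really live.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical handler; registered in Startup.ConfigureServices with
//   services.AddAuthentication("StaticToken")
//       .AddScheme<AuthenticationSchemeOptions, StaticTokenHandler>("StaticToken", null);
// and actions are then protected with the usual [Authorize] attribute.
public class StaticTokenHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    // Constructed sample store: SHA-256 of each issued token, mapped to the client it identifies.
    // Only hashes are kept; the clear-text token is handed to the client once. Revoking = deleting the entry.
    private static readonly (string ClientId, byte[] TokenHash)[] Issued =
        { ("reporting-job", Sha256("example-token-change-me")) };

    public StaticTokenHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock)
        : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Expect "Authorization: Bearer <token>"; anything else means "no credentials", not a failure.
        string header = Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) || !header.StartsWith("Bearer ", StringComparison.Ordinal))
            return Task.FromResult(AuthenticateResult.NoResult());

        byte[] presented = Sha256(header.Substring("Bearer ".Length).Trim());
        foreach (var (clientId, hash) in Issued)
        {
            // Fixed-time comparison: a wrong token must not be distinguishable by how fast it is rejected.
            if (CryptographicOperations.FixedTimeEquals(presented, hash))
            {
                var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, clientId) }, Scheme.Name);
                var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
                return Task.FromResult(AuthenticateResult.Success(ticket));
            }
        }
        return Task.FromResult(AuthenticateResult.Fail("Unknown or revoked token"));
    }

    private static byte[] Sha256(string s)
    {
        using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s));
    }
}
```

Because the token never expires, the hash store is the only control you have: keep it out of source control, log each client id on successful use, and rotate a token by adding the new hash before removing the old one.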
