API supporting JWT Tokens and Cookies

Good morning all,

I would like some thoughts and advice on the following:

We have several older ServiceStack (over ASP.NET) APIs that are cookie based. However, in our newer APIs we have been supporting JWT Tokens.

We have a new API method that is currently sitting in the new ServiceStack project. This method supports switching of user context and as a result generates a new JWT Token. However, we would now like this method to be in the old project to be able to support both token based and cookie based API calls.

Is it possible for the old API project to generate tokens and still be able to work with cookie based clients? Or is it that if we set up a JWT Provider, then ss-pid cookies stop functioning?
Or would you advise separate API methods to support cookie based and token based clients separately?

Thanks,
Leeny

Yes, ServiceStack can support multiple Auth Providers. It should be easy to enable after registering the JwtAuthProvider Auth Provider, which will populate the BearerToken and RefreshToken when you authenticate with any of the other Auth Providers, e.g:

var authClient = new JsonServiceClient(centralAuthBaseUrl);

var authResponse = authClient.Post(new Authenticate {
    provider = "credentials",
    UserName = "user",
    Password = "pass",
    RememberMe = true,
});

var client = new JsonServiceClient(BaseUrl) {
    BearerToken = authResponse.BearerToken //Send JWT in HTTP Authorization Request Header
};
var response = client.Get(new Secured { ... });

Likewise you can use UseTokenCookie if you want the JWT BearerToken returned in an HTTP Only cookie, so if you’re using the same Service Client you don’t have to copy the BearerToken over, e.g:

var authResponse = client.Send(new Authenticate {
    provider = "credentials",
    UserName = username,
    Password = password,
    UseTokenCookie = true
});

//Uses stateless ss-tok Cookie with our Session encapsulated in JWT Token
var response = client.Get(new Secured { ... }); 
var jwtToken = client.GetTokenCookie(); //From ss-tok Cookie
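
For the server side of the setup discussed in this thread, the following added example (not code from the thread or from the poster's project) registers CredentialsAuthProvider and JwtAuthProvider in the same AuthFeature, so one service accepts both session-cookie and JWT callers. The AppHost, Secured, SecuredResponse and SecuredService types, the in-memory user repository and the "jwt.AuthKeyBase64" setting name are assumptions for illustration.

```csharp
// Added example: names below are hypothetical, not taken from the thread.
using Funq;
using ServiceStack;
using ServiceStack.Auth;

[Authenticate] // satisfied by a server session cookie (ss-id/ss-pid) or by a JWT
public class Secured : IReturn<SecuredResponse> { }

public class SecuredResponse
{
    public string UserAuthId { get; set; }
    public bool FromToken { get; set; }
}

public class SecuredService : Service
{
    public object Any(Secured request)
    {
        var session = SessionAs<AuthUserSession>();
        return new SecuredResponse {
            UserAuthId = session.UserAuthId,
            // true when the session was rebuilt from a JWT (Bearer header or ss-tok cookie)
            FromToken = session.FromToken,
        };
    }
}

public class AppHost : AppHostBase
{
    public AppHost() : base("Legacy API", typeof(SecuredService).Assembly) { }

    public override void Configure(Container container)
    {
        // Assumption: in-memory users; a real host would register its own IAuthRepository
        container.Register<IAuthRepository>(new InMemoryAuthRepository());

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[] {
                // Existing cookie-based clients keep authenticating here
                new CredentialsAuthProvider(AppSettings),
                // Adds BearerToken/RefreshToken to the Authenticate response
                new JwtAuthProvider(AppSettings) {
                    // Signing key is read from configuration, never hard-coded
                    AuthKeyBase64 = AppSettings.GetString("jwt.AuthKeyBase64"),
                    RequireSecureConnection = true, // only accept tokens over HTTPS
                },
            }));
    }
}
```

The FromToken flag lets a handler such as the user-context switch tell which kind of caller it is serving and decide whether a replacement JWT needs to be issued.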