As per the recent servicestack release notes and the updated docs Asp.Net Core Identity Auth will be recommended apprach to implement security in ServiceStack.
In my API project I am currently using ServiceStatck’s Authentication And Authorization mechanism to secure my APIs.
I am new to Asp.Net Core Identity Auth, never used it, never learned it. Considering this I have couple of questions appreciate your kind response.
Q1: Shall I consider that in future versions (slowly and gradually) you will fully decommission ServiceStack’s Authentication and Authorization feature and will only and only use Asp.Net Core Identity Auth or can I use the same in .NET 8 based projects.
Q2: Actually, in my .NET 8 based API only project I want to use Asp.Net Core Identity Auth and want to achieve the same functionality and ease which is provided by ServiceStatck’s built in Authentication and Authorization such as in my .NET 6 based API only project I am using these security settings.
appHost.Plugins.Add(new AuthFeature(() => new CustomUserSession(),
new IAuthProvider[] {
new BasicAuthProvider(appSettings),
new JwtAuthProvider(appSettings)
{
AuthKeyBase64=appSettings.GetString("jwt.AuthKeyBase64"),
UseTokenCookie=false,
RequireSecureConnection=false,
ExpireTokensIn=TimeSpan.FromDays(365),
ExpireRefreshTokensIn=TimeSpan.FromDays(400),
}
}));
With the above settings I am able to do the following
Register the user using Register API
Assign Roles/UnAssignRole
Secure the Services
Is there any good example or sample project where I can see how you are using Asp.Net Core Identity Auth in servicestack?
ServiceStack Auth will continue to be supported, but new projects will be configured to use ASP .NET Identity Auth by default.
But they’re different Auth Models, so you would have to choose one or the other. So if you want to use Identity Auth you’re no longer using ServiceStack Auth, but a lot of the integration endpoints are still available but re-implemented with Identity Auth, e.g. Enable Optional ServiceStack Auth Services lets you enable both ServiceStack’s Register API and Assign/UnAssignRoles APIs:
Plugins.Add(new AuthFeature(IdentityAuth.For<ApplicationUser>(options => {
// Include ServiceStack's Register API
options.IncludeRegisterService = true;
// Include ServiceStack's AssignRoles and UnAssignRoles APIs
options.IncludeAssignRoleServices = true;
));
One thing you to re-evaluate is whether to use JWT as Microsoft’s default templates use Application Cookies which I’d also recommend using since it’s the default and functions similar to JWT Cookies (since both are stored in cookies). E.g. Your clients can continue to Authenticate with ServiceStack’s Authenticate API which returns an auth cookie that is reused for subsequent requests so a lot of the time clients wont need updating.
To migrate I’d recommend starting with a new project configured with Identity Auth then copying your existing App onto it. If you need to migrate existing users checkout the approach we used in Migrating to ASP .NET Core Identity Auth docs. Basically you’d just need to create a new Identity Auth User for every App User then copy over the password hashes.
I have tried my best to get my hands dirty and to use the asp net core identity with new SS project and application cookies as recommended by @mythz. However it seems still I am missing some pieces of the puzzle. Let me try to explain what I have done so far and you are kindly requested to respond (in easy way so that I can understand things) as per your convenience.
Removed Sqlite database references and libraries and added Npgsql.EntityFrameworkCore.PostgreSQL -Version 8.0.0 as I am using Postgres database
Adjusted the connection string to use Postgres.
Executed migrations and created the identity schema successfully.
Launched the app in VS 2022 and successfully registered a new user admin@gmail.com
In the project there is sample service Hello. When I tried to access this service prior registering the user it was accessible. Later I decorated the Hello service with [Authenticate] attribute and now it is not accessible and throwing 401 Unauthorized . Which is clear and understood.
Some screenshots FYR.
Successfully Registered the user from the application.
If you see the screenshot there is ss-pid highlighted in yellow color. Is this the cookie you want me to send from postman or while executing the Hello service and to get authenticated successfully.
I am working on a pure API based project no UI is required. I understand that I have to create identity related API endpoints to allow register/login/assign/unassign roles separately.
This is how I am trying to send the cookie from the postman but getting 401 Unauthorized code.
ss-* cookies are only used by ServiceStack Auth, ASP .NET Identity uses the .AspNetCore.Identity.Application Cookie which you would use instead.
Also note that you can still use the same ServiceStack Authenticate Request DTO or /auth/credentials route to Authenticate, which is implemented using ASP .NET Identity classes instead.
) as per your convenience.
