Availability of Auth Services

I have managed to set up a Microservice for authenticating users and providing JWT tokens. I now have a separate SS implementation for validating JWT tokens that were issued by the Microservice.

I do wonder why:

My service has only the following code in the AppHost:

        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[]
            {
                new JwtAuthProviderReader
                {
                    HashAlgorithm = "RS256",
                    PublicKeyXml = publicKeyXml
                },
            }));

But when I get the metadata page of this Service, I see the following available services:

  • AssignRoles
  • Authenticate
  • UnAssignRoles

I am a bit confused why these services are there, and they aren’t secured.

In the Microservice I added the RegistrationFeature plugin so I see:

  • AssignRoles
  • Authenticate
  • UnAssignRoles
  • Register
  • ConvertSessionToToken [secured]

Also here, why aren’t AssignRoles, UnAssignRoles, and (maybe) Register secured?

Thanks for the great support in advance!

The Authenticate / AssignRoles / UnAssignRoles Services are available by default.

The AssignRoles / UnAssignRoles Services are protected, but they don’t use an attribute, as the Admin role that they’re protected with can be changed with RoleNames.Admin, so it’s a runtime validation check instead of being statically identified with the [Authenticate] attribute, which is the only way ServiceStack metadata can tell which Services require authentication. They can be removed with:

        Plugins.Add(new AuthFeature(...) {
            IncludeAssignRoleServices = false
        });

The Authenticate Service handles the entire /auth/* route and is always available, e.g. you can use it to call /auth to find out whether the user is authenticated or not.

The RegistrationFeature adds the Register Service which allows new users to register, so it can’t require authentication.

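An added example, not code from this thread or from ServiceStack itself: a token-validating AppHost with the role-assignment Services removed, followed by two Services that contrast the static [Authenticate] attribute with a runtime role check of the kind the answer describes. ValidatorAppHost, GetOrders, GetAuditLog, OrderService, AuditService and the jwt.PublicKeyXml setting key are hypothetical names.

```csharp
using Funq;
using ServiceStack;
using ServiceStack.Auth;

// Hypothetical AppHost for the service that only validates JWTs.
public class ValidatorAppHost : AppHostBase
{
    public ValidatorAppHost() : base("Validator", typeof(ValidatorAppHost).Assembly) { }

    public override void Configure(Container container)
    {
        // Assumed setting key holding the issuing Microservice's public key.
        var publicKeyXml = AppSettings.GetString("jwt.PublicKeyXml");
        Plugins.Add(new AuthFeature(() => new AuthUserSession(),
            new IAuthProvider[]
            {
                new JwtAuthProviderReader
                {
                    HashAlgorithm = "RS256",
                    PublicKeyXml = publicKeyXml
                },
            })
        {
            // Drops AssignRoles / UnAssignRoles from this host.
            IncludeAssignRoleServices = false
        });
    }
}

public class GetOrders : IReturn<string> { }    // hypothetical request DTOs
public class GetAuditLog : IReturn<string> { }

// Static attribute: the form the metadata page can identify as requiring authentication.
[Authenticate]
public class OrderService : Service
{
    public object Get(GetOrders request) => "orders";
}

// Runtime check: enforced on every call, but the metadata page cannot see it.
public class AuditService : Service
{
    public object Get(GetAuditLog request)
    {
        var session = GetSession();
        if (!session.IsAuthenticated) throw HttpError.Unauthorized("Not authenticated");
        if (session.Roles == null || !session.Roles.Contains(RoleNames.Admin))
            throw HttpError.Forbidden("Admin role required");
        return "audit";
    }
}
```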