Hi, sorry. I need to clarify my understanding of ServiceStack Auth again. Got myself in a twist the last few days.
I am retrofitting ServiceStack to an existing app, that we are hollowing out, and I just need some concrete pointers to straighten out my way forward.
I have a front end web server serving server-side razor and client JSApp code (reactjs), and a bunch of backend APIS services, also SS services. I want the frontend server to be the AutnN server and generate JWT tokens given username+password creds, and then return me the JWT so that the JSApp can access the backend API with the JWT. Backends just use the JwtAuthProviderReader to verify the token, and use the claims within it.
I already have my own username+password tables and user profiles tables in a production database, that I need to maintain. I don’t want sessions. Just JWT. Ideally, I could do without any CustomAuthUserSession as well if possible, and just leave everything I need in the JWT, or look it up from existing tables if I do need it.
So, I am struggling to find the right combo of custom pieces that I need on the frontend server.
I think that all I need is this:
AuthFeature + JwtAuthProvider + CustomCredentalsAuthProvider
Where my CustomCredentialsAuthProvider does my username+password lookup.
Is that all I should need?
Do I actually need a CustomAuthUserSession as well? If, so to do what?
Do I actually need a CustomAuthRepository at all? given that I already have user profile info in existing production tables?
Do I need to store sessions or AuthUser stuff at all in our repository?
I know that there must be a handy SS sample that demonstrates this, but not sure which one it is these days.
I implemented IUserSessionSourceAsync (v.5.10.0 does not have IUserSessionSource) on my CustomCredentialAuthProvider and also implemented it on a standalone class that I registered in the container explicitly.
Neither approach worked, perhaps there is a property on the AuthFeature or on the JwtAuthProvider that is getting in the way?
I presumed that my custom IUserSessionSourceAsync implementation would have been called during an authentication flow to produce a refresh token in the Autheticate response, but it is not called at all? and there is no refreshToken in that response.
If it’s configured correctly it should only generate the tokens on authentication, does your Custom AuthProvider call base.OnAuthenticatedAsync() or the alternative to save your session and mark the authentication request?
OK, so I implemented both IUserSessionSource and IUserSessionSourceAsync in my CustomCredentialsAuthprovider and, I now get a called at IUserSessionSource.GetUserSession() AND there is now a value in the refreshToken in the response to Authenticate.
OK, thank you very much for that sleuthing.
I’ll upgrade on next version of ServiceStack to remove IUserSessionSource implementation.