I decided to at least look at what the long term solution looks like. My thought process is that if we can drop-in replace the old API and start handing out Jwt tokens from SS, any old mobile clients that try to hit the API with an old token would essentially require “re-authenticating”, and then get a new SS JWT token. Somewhat transparently.
But this project uses string ids for the Users table. To make matters worse, the string is populated with a guid in the database lol.
When I went to inherit our User object from IUserAuth, I discovered this.
I’m trying to discern if I’m in for a world of hurt trying to make this work? Should I just convert to a real Guid or integer id? Or if there is a better way?
My last SS project fully replaced the IUserAuth, AuthRepository, and AuthProvider (it already had int ids for the Users). But this might be overkill.
Maybe I don’t need to inherit from IUserAuth to implement a custom AuthProvider?
Is the only time IUserAuth inheritance is needed when implementing a custom AuthRepository?
Is it even a typical scenario to inherit my Project.ServiceModel.Types.User class from UserAuth / IUserAuth?
If you want to make use of ServiceStack’s UserAuth Repository then your User table would need to inherit from IUserAuth which has an integer primary key.
You only need to implement IUserAuth if you want to use the Auth Repository, otherwise you can implement a Custom Credentials AuthProvider which validates the user and populates the Session looking at your own existing table.
You should still be able to use ServiceStack’s JWT support with a Custom Auth Provider; only if you’re not using a User Auth Repository, you’ll need either your Custom Auth Provider or a registered IOC dependency to implement IUserSessionSource in order to be able to use RefreshTokens.
Nice, so I can just bypass all of the Auth Repo stuff, and only use custom Auth providers and password hashers.
The only problem I’ve found during the IUserSessionSource implementation is that in the /access-token?refreshToken=TOKEN request to get a refresh token, the sub was never populated in the refresh token (only iat and exp). So GetAccessTokenService line 406 gives my IUserSessionSource a null authUserId when called with a refreshToken:
var userId = jwtPayload["sub"];
Do I need to populate the refresh manually somehow?
The sub is populated from the Session’s UserAuthId string property. The docs specify what’s included in JWT Tokens and how to customize the JWT body to add additional info.
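Putting both answers together, here is an added example (not code from this thread or from ServiceStack itself) of a Custom Credentials AuthProvider that validates against a string/GUID-keyed Users table, sets the Session's UserAuthId so the JWT "sub" is populated, and implements IUserSessionSource so RefreshTokens work without an Auth Repository. It assumes the synchronous TryAuthenticate/OnAuthenticated signatures of the v5-era ServiceStack API; AppUser and IAppUserRepo are hypothetical stand-ins for the project's own table and password hasher.

```csharp
// Added example, not the thread's or ServiceStack's own code.
// Assumes ServiceStack v5-era sync CredentialsAuthProvider signatures.
// AppUser / IAppUserRepo are hypothetical stand-ins for the project's
// string-keyed Users table and its password hasher.
using System;
using System.Collections.Generic;
using ServiceStack;
using ServiceStack.Auth;

public class AppUser
{
    public string Id;          // GUID stored as a string, as in the thread
    public string UserName;
    public string Email;
}

public interface IAppUserRepo
{
    AppUser GetByUserName(string userName);
    AppUser GetById(string id);
    bool VerifyPassword(AppUser user, string password); // hasher does constant-time compare
}

public class GuidUserAuthProvider : CredentialsAuthProvider, IUserSessionSource
{
    private readonly IAppUserRepo users;
    public GuidUserAuthProvider(IAppUserRepo users) { this.users = users; }

    // Validate credentials against our own table, no IUserAuth / Auth Repository involved
    public override bool TryAuthenticate(IServiceBase authService, string userName, string password)
    {
        var user = users.GetByUserName(userName);
        return user != null && users.VerifyPassword(user, password);
    }

    // Populate the Session; UserAuthId is what becomes the JWT "sub" claim
    public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session,
        IAuthTokens tokens, Dictionary<string, string> authInfo)
    {
        var user = users.GetByUserName(session.UserAuthName); // assumed set by TryAuthenticate's caller
        session.UserAuthId = user.Id;
        session.UserName = user.UserName;
        session.Email = user.Email;
        return base.OnAuthenticated(authService, session, tokens, authInfo);
    }

    // Called by GetAccessTokenService with the "sub" of a valid RefreshToken
    public IAuthSession GetSessionFromSource(string userAuthId, Action<IAuthRepository, IUserAuth> validator)
    {
        var user = users.GetById(userAuthId);
        if (user == null) throw HttpError.NotFound("User not found"); // deleted user: refuse new access token
        return new AuthUserSession { UserAuthId = user.Id, UserName = user.UserName, Email = user.Email, IsAuthenticated = true };
    }
}
```

Register it alongside JwtAuthProvider in the AuthFeature; because the provider itself implements IUserSessionSource, no separate IOC registration is needed for RefreshToken support.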