Sessionless authentication


I’ve read the JWT Sessionless Authentication article and I am still not sure if its functionality can be used to achieve the following. If it is possible, I would appreciate a code example.

We have a microservices API where each request is expected to include a valid token which can be checked for claims against some 3rd party. It is up to the client to get the token and send it within the request.
We do not want to have an auth request requirement. We do want to check the token for specific claim(s), depending on the request, before we process the request.
The suggested solution is not good due to its complexity. Instead of adding and removing stuff it is simpler just to implement a pre-request filter that will do the whole authorization logic. However, if something like the above can be achieved by using JWT Auth it will be even better.

So, can we?

Thank you,

Well, you can use a custom JWT token for this but you won’t be able to use ServiceStack’s JWT Auth Provider, which is used for embedding a User’s Session in a JWT Token; however you may find some of the JwtAuthProvider.cs implementation useful, which shows how to create a JWT Token. The JWT Auth tests that call CreateJwtPayload show what code is used to create a JWT Token. After creating a custom JWT Token you’ll need to validate it, which the JwtAuthProvider does with VerifyPayload.

In short you’ll likely need a custom JWT implementation, but hopefully some of the existing implementation and tests will serve useful. Note: Creating, Signing and Verifying JWT Tokens using an AES Key is simpler than Signing/Verifying JWE Tokens with an RSA Key, which I’d recommend for a custom token.
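To show what the pre-request filter asked about in the question looks like when built on a custom JWT as the answer suggests, here is an added example that is not part of either post and not ServiceStack code. It is written in Python rather than C# so it runs stand-alone, uses a symmetric HMAC-SHA256 (HS256) signature, and assumes a constructed key, a constructed `REQUIRED_CLAIMS` route map and a hypothetical `authorize_request` filter entry point. The filter verifies the signature with a constant-time comparison, rejects tokens with an unexpected `alg` or a passed `exp`, and then checks the claim required for the specific method and path before the request is processed, denying by default for routes that have no mapping.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo key. A real service loads this from configuration or a secret store.
SECRET_KEY = b"constructed-demo-hmac-key-not-for-production"

# Constructed route -> required claim map: each request must carry the listed scope.
REQUIRED_CLAIMS = {
    "GET /orders": {"scope": "orders:read"},
    "POST /orders": {"scope": "orders:write"},
}


def _b64url_encode(data: bytes) -> str:
    # JWT uses unpadded base64url (RFC 7515 section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_jwt(payload: dict, key: bytes) -> str:
    """Build an HS256-signed compact JWT from a claims dict (the token issuer side)."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode("utf-8")
    signing_input = _b64url_encode(compact(header)) + "." + _b64url_encode(compact(payload))
    signature = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(signature)


def verify_jwt(token: str, key: bytes, now: Optional[float] = None) -> dict:
    """Return the verified claims, or raise ValueError for any malformed or untrusted token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never let the token choose how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def _claim_satisfied(payload: dict, claim: str, required_value: str) -> bool:
    # Accept either a single-valued claim or a list-valued claim containing the value.
    actual = payload.get(claim)
    if isinstance(actual, list):
        return required_value in actual
    return actual == required_value


def authorize_request(method: str, path: str, authorization: Optional[str],
                      key: bytes, now: Optional[float] = None) -> Tuple[int, Optional[dict]]:
    """Pre-request filter: returns (HTTP status, verified claims or None).

    200 means the request may proceed; 401 means no usable token; 403 means the
    token is valid but lacks the claim this route requires.
    """
    if not authorization or not authorization.startswith("Bearer "):
        return 401, None
    try:
        payload = verify_jwt(authorization[len("Bearer "):], key, now)
    except ValueError:
        return 401, None
    required = REQUIRED_CLAIMS.get(f"{method} {path}")
    if required is None:
        return 403, payload  # unmapped routes are denied by default
    for claim, value in required.items():
        if not _claim_satisfied(payload, claim, value):
            return 403, payload
    return 200, payload


if __name__ == "__main__":
    token = create_jwt({"sub": "service-a", "scope": ["orders:read"], "exp": int(time.time()) + 300}, SECRET_KEY)
    print(authorize_request("GET", "/orders", "Bearer " + token, SECRET_KEY))
    print(authorize_request("POST", "/orders", "Bearer " + token, SECRET_KEY))
```

The filter treats every failure of the token itself (missing, malformed, wrong key, wrong algorithm, expired) as 401 and only a missing claim as 403, so operators can tell from the status alone whether a client has a token problem or a permission problem. The claim check runs against the route before the handler is invoked, which is the "check the token for specific claims depending on the request" behaviour the question describes.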