Stateless API, Message Queue & JWT

Is it possible to pass a bearer token with a message queue request?

Our clients/applications communicate with our stateless API via JWT, and some events are deferred to the message queue to be handled in the background. We’d like those tasks to be executed as the invoking user via the passed JWT.

Right now, our custom authorization implementation ignores any request with the MessageQueue flag and that’s just too open for our requirements.

Any suggestions?

That’s not explicitly built into ServiceStack but we show how you can execute an MQ Request with a User Session in the docs.

I’ve just added a helper to make it easier to create a User’s Session from a JWT Token, so you should be able to do something like pass a JWT Token in your Request DTO and use it to populate the User’s Session for the request with something like:

```csharp
mqServer.RegisterHandler<AuthOnly>(m => {
    var req = new BasicRequest { Verb = HttpMethods.Post };
    // JWT carried in the Request DTO
    var jwt = m.GetBody().BearerToken;
    var jwtAuth = (JwtAuthProvider)AuthenticateService.GetAuthProvider(JwtAuthProvider.Name);
    // Build the user's session from the token and attach it to the MQ request
    var session = jwtAuth.ConvertJwtToSession(req, jwt);
    req.Items[Keywords.Session] = session;
    var response = ExecuteMessage(m, req);
    return response;
});
```

The ConvertJwtToSession() API is available from v4.5.9, which is now available on MyGet.
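
The publishing side that the handler above relies on, as an added example that is not part of the original post or ServiceStack's own code: a Request DTO with the BearerToken property and an HTTP service that copies the caller's token into the queued message. The QueueAuthOnly DTO, the Name property, the response type and reading the token from the Authorization header are assumptions.

```csharp
using System;
using ServiceStack;

// Queued Request DTO. BearerToken is the property the MQ handler reads;
// Name and the response type are hypothetical.
public class AuthOnly : IReturn<AuthOnlyResponse>
{
    public string Name { get; set; }
    public string BearerToken { get; set; }
}

public class AuthOnlyResponse
{
    public string Result { get; set; }
}

// Hypothetical HTTP-facing request that defers the work to the queue.
public class QueueAuthOnly : IReturnVoid
{
    public string Name { get; set; }
}

[Authenticate]
public class QueueServices : Service
{
    public void Any(QueueAuthOnly request)
    {
        // Assumption: the client sent its JWT as "Authorization: Bearer <token>".
        var header = Request.Headers[HttpHeaders.Authorization];
        const string prefix = "Bearer ";
        if (header == null || !header.StartsWith(prefix, StringComparison.OrdinalIgnoreCase))
            throw HttpError.Unauthorized("Bearer token required");

        // Forward the caller's own token so the background task runs as that
        // user instead of bypassing authorization for MQ requests.
        PublishMessage(new AuthOnly {
            Name = request.Name,
            BearerToken = header.Substring(prefix.Length).Trim(),
        });
    }

    // Reached through ExecuteMessage(m, req) with the session built from the JWT.
    public object Any(AuthOnly request)
    {
        var session = GetSession();
        return new AuthOnlyResponse { Result = $"{request.Name} ran as {session.UserAuthName}" };
    }
}
```

The token rests in the broker as part of the message body for as long as the message is queued, so the queue needs the same access controls as any other credential store.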