Convenience methods for authorizing daemon to daemon scopes #242
Description
Describe the feature request?
It would be great to have more convenience methods around verifying daemon to daemon communication has the required scopes. Currently, this has to all be created by hand if you want anything greater than a simple Authorize attribute for Okta.
Example of a simple policy checking for a scope today.
options.AddPolicy("require_scopes", builder => builder
.AddAuthenticationSchemes(OktaDefaults.ApiAuthenticationScheme)
.RequireAuthenticatedUser()
.RequireAssertion(context =>
{
if (context.Resource is HttpContext httpContext)
{
var header = httpContext.Request.Headers.Authorization.ToString();
if (header is null or "") return false;
var formattedToken = header.Replace("Bearer ", string.Empty);
var token = new JwtSecurityTokenHandler().ReadJwtToken(formattedToken);
return token.Claims.Any(c => c.Value == "my_scope");
}
}));
Instead, it would be great to have one or more ways of reading the JWT and doing this under the hood.
.NET Version
.NET Core
Provide a documentation link if applicable
Microsoft via Azure AD has similar convenience methods like HttpContext.VerifyUserHasAnyAcceptedScope(), RequireScope attributes, or is mapping scopes across to HttpContext claims. https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-verification-scope-app-roles?tabs=aspnetcore
Additional Information?
No response