Umbraco as authorization server
Hi,
I have an Umbraco site where my frontend users are created as members in Umbraco and are logged in with the membership provider, pretty straightforward.
Now I want to add an API, not an UmbracoApiController, but a normal web API in .NET Core, running in a different domain. The web API is called server to server.
What I would like to do is to assign different levels of access in the API based on the groups the member is in in Umbraco.
What I am currently thinking of doing is, when the member creates a new profile or logs in, I create a JWT token in Umbraco with the member's groups etc. This token is set either in session or as a cookie and attached as a bearer token when calling the API.
In the API I want to verify the token and signature using the secrets used to sign it in Umbraco, and then check the role claims for access.
Is it the wrong way to go about doing something like that?
Does functionality to do this already exist?
Any suggestions to achieve this?
Check out AuthU; it will get you at least part of the way there. We use it for mobile app authentication against our Umbraco, and now that it supports a newer JWT, it is more compatible with other things as well.
Thanks John, I will give it a look.
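The flow described in the question (sign a JWT carrying the member's groups on the Umbraco side, then verify signature, issuer, audience and lifetime in the API before checking roles), as an added example that is not code from this thread or from AuthU. It assumes the System.IdentityModel.Tokens.Jwt NuGet package; the issuer, audience, secret, member id and group names are constructed placeholders.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;

public static class MemberTokenDemo
{
    // Assumed placeholders: load the real secret from configuration, never from source.
    private const string Issuer = "https://umbraco.example", Audience = "https://api.example";
    private static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("REPLACE-WITH-32+-BYTE-RANDOM-SECRET!!"));

    // Umbraco side: call after login with the member's group names.
    public static string Issue(string memberId, string[] groups)
    {
        var claims = new[] { new Claim(JwtRegisteredClaimNames.Sub, memberId) }
            .Concat(groups.Select(g => new Claim(ClaimTypes.Role, g)));
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Issuer = Issuer, Audience = Audience,
            Expires = DateTime.UtcNow.AddMinutes(15), // short lifetime limits replay of a leaked token
            SigningCredentials = new SigningCredentials(Key, SecurityAlgorithms.HmacSha256)
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // API side: throws a SecurityTokenException subtype if any check fails.
    public static ClaimsPrincipal Validate(string token)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuerSigningKey = true, IssuerSigningKey = Key,
            ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin the algorithm
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = Audience,
            ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30)
        };
        return new JwtSecurityTokenHandler().ValidateToken(token, parameters, out _);
    }

    public static void Main()
    {
        var principal = Validate(Issue("member-1042", new[] { "Premium" }));
        Console.WriteLine("Premium: " + principal.IsInRole("Premium"));
        Console.WriteLine("Admin: " + principal.IsInRole("Admin"));
    }
}
```

With a shared HMAC secret the API can also mint tokens, so if the API should only be able to verify, sign with an asymmetric key (for example RS256) and give the API the public key only.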