0
votes

Background

I have an ASP.NET Core (v2.1) project that contains an API. This API is access-restricted by a JWT bearer token.

My server exposes an endpoint for login:

POST http://example.com/api/login

After attaching the token to the request, I can call one of the server methods (GET or DELETE):

GET http://example.com/api/1234

or

DELETE http://example.com/api/1234

Target

I want to implement "another type" of token that will allow access only to a specific scope. Let's say that we want to give access just for the GET method. So, if you have this token, you can GET the resource but not DELETE it.

Wondering if this is possible with a JWT bearer token? If yes, how?

Thanks!


2 Answers

1
votes

You shouldn't do this with the token itself. The token is used to authenticate that a user is who they claim to be. You should instead look at using the roles to authorise an action and assign different users roles to restrict access to delete verbs.

This article should be able to explain further

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-2.1

1
votes

A JWT bearer token should be used as the authentication mechanism, but what you are talking about is authorization, and thus your approach seems wrong. You should rather use the authorization pipeline and implement proper roles/policy-based authorization, which will restrict access to those API endpoints.
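As an added example illustrating what both answers describe (this is not code from the question or the answers), the following ASP.NET Core 2.1 configuration keeps the JWT purely as the authentication carrier and moves the GET-versus-DELETE decision into the authorization pipeline: the login endpoint puts one or more `scope` claims into the token, and two policies built with `RequireClaim` gate the GET and DELETE actions. The claim name `scope`, the values `api:read` and `api:delete`, the policy names, the issuer/audience strings, the placeholder signing key and the `ItemsController` are all assumptions chosen for the example.

```csharp
// Added example (not from the question or answers): scope claims in the token,
// policy-based authorization in the pipeline. All names below are illustrative.
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public static class TokenSettings
{
    public const string Issuer = "http://example.com";          // assumed
    public const string Audience = "http://example.com/api";    // assumed
    // Placeholder only: load the real secret from configuration or a secret store.
    public static readonly SymmetricSecurityKey Key =
        new SymmetricSecurityKey(Encoding.UTF8.GetBytes("REPLACE-WITH-A-32-BYTE-OR-LONGER-SECRET"));
}

// Called by the login endpoint: a read-only token gets scopes = { "api:read" },
// a full token gets { "api:read", "api:delete" }. One claim per scope.
public static class TokenFactory
{
    public static string Create(string subject, IEnumerable<string> scopes)
    {
        var claims = new List<Claim> { new Claim(JwtRegisteredClaimNames.Sub, subject) };
        claims.AddRange(scopes.Select(s => new Claim("scope", s)));

        var token = new JwtSecurityToken(
            issuer: TokenSettings.Issuer,
            audience: TokenSettings.Audience,
            claims: claims,
            expires: DateTime.UtcNow.AddMinutes(30),
            signingCredentials: new SigningCredentials(TokenSettings.Key, SecurityAlgorithms.HmacSha256));

        return new JwtSecurityTokenHandler().WriteToken(token);
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // Authentication: only establishes who the caller is (signature, issuer, audience, lifetime).
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = TokenSettings.Issuer,
                    ValidateAudience = true,
                    ValidAudience = TokenSettings.Audience,
                    ValidateLifetime = true,
                    ValidateIssuerSigningKey = true,
                    IssuerSigningKey = TokenSettings.Key
                };
            });

        // Authorization: one policy per scope. RequireClaim passes when any "scope" claim
        // on the principal has the listed value, so extra scopes on a token do no harm.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("ReadScope", p => p.RequireClaim("scope", "api:read"));
            options.AddPolicy("DeleteScope", p => p.RequireClaim("scope", "api:delete"));
        });

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseAuthentication(); // must precede MVC so HttpContext.User is populated
        app.UseMvc();
    }
}

[Route("api")]
[ApiController]
[Authorize] // any valid token reaches the controller; each action adds its scope policy
public class ItemsController : ControllerBase
{
    [HttpGet("{id}")]
    [Authorize(Policy = "ReadScope")]
    public IActionResult Get(int id) => Ok(new { id });

    [HttpDelete("{id}")]
    [Authorize(Policy = "DeleteScope")] // a token carrying only "api:read" gets 403 here
    public IActionResult Delete(int id) => NoContent();
}
```

With this wiring a token minted by `TokenFactory.Create("alice", new[] { "api:read" })` authenticates successfully on both routes but is rejected with 403 on DELETE, while a missing or invalid token is rejected with 401 before any policy runs. One caveat worth checking in your own issuer: OAuth2-style tokens often carry a single space-separated `scope` string ("api:read api:delete") rather than one claim per scope; `RequireClaim` does an exact match on the claim value, so that format needs a custom `IAuthorizationRequirement` and handler that splits the string instead.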