Firstly, authentication and validation of the token is pure ASP.NET Core - nothing to do with datasync on the server side. You can use the User ID in the token to do authorization using the IAccessControlProvider to limit the data transferred. Standard ASP.NET Core authentication and authorization for JWT bearers (which is what Auth0 uses) will cache results as necessary. You should set up your server to use Auth0 before adding Datasync to the mix (or at least treat it separately). On the client side, the GenericAuthenticationProvider caches authentication tokens and re-uses them while they are still valid; it then uses a refresh token (if provided) to refresh that token when needed. As a result, you shouldn't have to worry about reaching rate limits.
Hi @adrianhall,
I'm looking to add access control to my app service to only allow registered users to sync data.
Users are authorised/authenticated anyway on the client side but my app service is essentially identical to your sample with limited restrictions.
I use Auth0 as the authentication/authorisation provider and once the user is logged in, I have the authentication token stored locally and verify that without them logging in each time (valid for 30 days).
I'm passing that token to the App Service and am following your Access Control documentation to implement said controls...
This already runs client-side albeit I'm not handling the httpPipeLine with authProvider server-side yet...
Questions:
First, am I on the right track?
The app pushes and retrieves data from 7 tables/entities in the db.
I don't want to hit the authentication service on every push/pull on every table.
Do I really need a [myentity]AccessControlProvider for each entity I have, adding each as a parameter on the respective Controller?
I'm guessing I can use something like the sample - PersonalAccessControlProvider and apply that to each Entity Controller.
Wondering if that authenticates the user on every push/pull from each table?
How would you advise a single authorization check and allow the user to sync all tables multiple times in a given timeframe? i.e. keep server-side authentication alive/valid for a day or a number of days?
As mentioned above, the user is already logged in client-side and the token is valid for 30 days.
Actually I don't even need each individual user to be authenticated server-side if the app itself has a token/key of sorts that is verified against some check on the server, without it, the App Service does nothing.
All records are retrieved with userId param anyway per below...
Thoughts on this if you may...
Thanks
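The pattern described in the reply above (JWT validation done by plain ASP.NET Core, a single generic `IAccessControlProvider` that filters by the user ID from the token, and one controller per table reusing it) as an added example. This is not code from the discussion or from the Datasync project; the `AccessControlProvider<T>` base class, `TableOperation` enum, `EntityTableRepository<T>`, `AddDatasyncControllers()` and the `IUserOwned`, `TodoItem` and `AppDbContext` types are assumed names, and the Auth0 authority/audience values and the use of the `sub` claim for the user ID are placeholders and assumptions.

```csharp
// Program.cs (excerpt). Token validation is standard ASP.NET Core JWT bearer
// middleware, configured before and independently of Datasync. The middleware
// validates the bearer signature against the issuer's published signing keys,
// which it fetches once and caches; the identity provider is not contacted on
// every push/pull of every table.
using System;
using System.Linq.Expressions;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Datasync;        // assumed: TableController<T>, AccessControlProvider<T>, TableOperation
using Microsoft.AspNetCore.Datasync.EFCore; // assumed: EntityTableData, EntityTableRepository<T>
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHttpContextAccessor();
builder.Services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.Authority = "https://YOUR_TENANT.auth0.com/"; // placeholder
        options.Audience  = "https://YOUR_API_IDENTIFIER";    // placeholder
    });
builder.Services.AddDatasyncControllers();                    // assumed helper
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

// Hypothetical marker interface: every user-owned entity exposes its owner's ID.
public interface IUserOwned { string UserId { get; set; } }

// One generic provider serves all tables; no per-entity provider class is needed.
public class OwnerOnlyAccessControlProvider<TEntity> : AccessControlProvider<TEntity>
    where TEntity : ITableData, IUserOwned
{
    private readonly IHttpContextAccessor _accessor;
    public OwnerOnlyAccessControlProvider(IHttpContextAccessor accessor) => _accessor = accessor;

    // The user ID is read from the already-validated JWT (assumed to be the "sub" claim).
    private string? UserId =>
        _accessor.HttpContext?.User.FindFirst("sub")?.Value
        ?? _accessor.HttpContext?.User.Identity?.Name;

    // Applied to every query: a pull only ever returns the caller's own rows.
    public override Expression<Func<TEntity, bool>> GetDataView()
    {
        string? userId = UserId;
        return userId is null ? entity => false : entity => entity.UserId == userId;
    }

    // Create and Query are allowed for any authenticated caller (Query is already
    // narrowed by GetDataView); Read/Update/Delete only on rows the caller owns.
    public override Task<bool> IsAuthorizedAsync(TableOperation op, TEntity? entity, CancellationToken token = default)
    {
        string? userId = UserId;
        bool allowed = userId is not null
            && (op is TableOperation.Create or TableOperation.Query || entity?.UserId == userId);
        return Task.FromResult(allowed);
    }

    // Stamp the owner server-side so a client cannot create rows for another user.
    public override Task PreCommitHookAsync(TableOperation op, TEntity entity, CancellationToken token = default)
    {
        if (op == TableOperation.Create) entity.UserId = UserId!;
        return Task.CompletedTask;
    }
}

// Assumed entity; the other six tables follow the same shape.
public class TodoItem : EntityTableData, IUserOwned
{
    public string Title  { get; set; } = string.Empty;
    public string UserId { get; set; } = string.Empty;
}

// One controller per table, each reusing the same generic provider. [Authorize]
// rejects requests without a valid bearer before the provider is ever consulted.
[Authorize]
[Route("tables/[controller]")]
public class TodoItemController : TableController<TodoItem>
{
    public TodoItemController(AppDbContext context, IHttpContextAccessor accessor)
        : base(new EntityTableRepository<TodoItem>(context),
               new OwnerOnlyAccessControlProvider<TodoItem>(accessor)) { }
}
```

Because the filter lives in `GetDataView()`, the server never relies on the client's `userId` query parameter to scope results; a token presented for one user cannot pull another user's rows even if the client sends a different ID.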