
Service to Service Auth using JWT

Open samsp-msft opened this issue 3 years ago • 4 comments

samsp-msft avatar Aug 23 '22 23:08 samsp-msft

cc: @HaoK, can you glance through the auth flow in this sample to make sure it looks okay?

adityamandaleeka avatar Aug 24 '22 01:08 adityamandaleeka

@g7ed6e - in working with @mconnew, it turns out that AuthorizeRole is not hooked up to the ASP.NET claims and policies. Matt is now working on that. How are you doing authorization checks for your services?

And on the client side, what mechanism are you using to inject the header?

samsp-msft avatar Aug 24 '22 20:08 samsp-msft

Looks great, but I think more low-level libraries may be used in the sample. I'm actually running this scenario in production with https://www.nuget.org/packages/IdentityModel/6.0.0 client side and https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer/6.0.8 server side.

I needed somewhere to get a JWT from, and so AAD was an obvious choice. The packages I used are the AD wrappers that in-turn include https://www.nuget.org/packages/Microsoft.AspNetCore.Authentication.JwtBearer on the server side and Microsoft.Identity.Client on the client side.

If there are other providers that are easier to setup, then I think having additional samples for those would also be worthwhile.

samsp-msft avatar Aug 24 '22 20:08 samsp-msft

How are you doing authorization checks for your services?

And on the client side, what mechanism are you using to inject the header?

Client side, I'm using an IEndpointBehavior which is responsible for adding an IClientMessageInspector to the client runtime and using the BeforeSendRequest hook. There I'm fetching a token from a memory cache or requesting it from the authorization server. @mconnew pointed out to me that this is not ideal, as an inspector should not contain long-running code. I'm rewriting this to still use an IEndpointBehavior, but combined with a custom DelegatingHandler as described here: https://github.com/dotnet/wcf/issues/2400

Server side, all operation contracts require the same scope, thus I'm just checking the token issuer / expires_at / audience and scope, i.e. I do not have the [Authorize] feature.

g7ed6e avatar Aug 24 '22 21:08 g7ed6e
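The two halves of the setup described in the comments above, as an added example that is not code from the issue, the sample, or the CoreWCF/WCF projects: a client-side DelegatingHandler that caches the bearer token and refreshes it under a lock before expiry (so no long-running token fetch sits in a message inspector), and a server-side JwtBearer registration that validates issuer, audience, lifetime and signature, plus an authorization policy that checks a required scope. The token source is abstracted as a delegate, the scope name `svc.invoke`, the method names and the `issuer`/`audience` parameters are assumptions for illustration; the real fetch would call an OAuth client library such as IdentityModel.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Client side (added example, not the sample's code). The handler attaches
// "Authorization: Bearer <token>" to every outgoing request. The token fetch
// is injected as a delegate (assumed) returning the access token and its expiry.
public sealed class BearerTokenHandler : DelegatingHandler
{
    private readonly Func<CancellationToken, Task<(string AccessToken, DateTimeOffset ExpiresAt)>> _acquire;
    private readonly TimeSpan _refreshMargin = TimeSpan.FromSeconds(60); // refresh a minute early
    private readonly SemaphoreSlim _gate = new(1, 1);                   // one refresh at a time
    private string? _token;
    private DateTimeOffset _expiresAt = DateTimeOffset.MinValue;

    public BearerTokenHandler(
        Func<CancellationToken, Task<(string AccessToken, DateTimeOffset ExpiresAt)>> acquire)
        => _acquire = acquire;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken ct)
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetTokenAsync(ct));
        return await base.SendAsync(request, ct);
    }

    private async Task<string> GetTokenAsync(CancellationToken ct)
    {
        if (IsFresh()) return _token!;          // fast path: cached and not about to expire
        await _gate.WaitAsync(ct);
        try
        {
            if (IsFresh()) return _token!;      // another caller refreshed while we waited
            (_token, _expiresAt) = await _acquire(ct);
            return _token;
        }
        finally
        {
            _gate.Release();
        }
    }

    private bool IsFresh()
        => _token is not null && DateTimeOffset.UtcNow + _refreshMargin < _expiresAt;
}

// Server side (added example). Registers JWT bearer authentication with explicit
// issuer/audience/lifetime/signature checks and a policy requiring one scope.
public static class ServiceAuthSetup
{
    public const string ScopePolicy = "ServiceScope";   // assumed policy name
    private const string RequiredScope = "svc.invoke";  // assumed scope value

    public static void AddServiceAuth(IServiceCollection services, string authority, string issuer, string audience)
    {
        services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // Signing keys are discovered from the authority's metadata document.
                options.Authority = authority;
                options.Audience = audience;
                options.TokenValidationParameters = new TokenValidationParameters
                {
                    ValidateIssuer = true,
                    ValidIssuer = issuer,            // note: for AAD the "iss" value differs from the authority URL
                    ValidateAudience = true,
                    ValidAudience = audience,
                    ValidateLifetime = true,         // rejects expired / not-yet-valid tokens
                    ClockSkew = TimeSpan.FromSeconds(30),
                    ValidateIssuerSigningKey = true,
                };
            });

        services.AddAuthorization(options =>
        {
            // OAuth "scope" is space-delimited; AAD v2 tokens carry the same data in "scp".
            options.AddPolicy(ScopePolicy, policy => policy.RequireAssertion(ctx =>
                ctx.User.FindAll(c => c.Type == "scope" || c.Type == "scp")
                   .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
                   .Contains(RequiredScope)));
        });
    }
}
```

Wire the handler into the client with `new HttpClient(new BearerTokenHandler(fetch) { InnerHandler = new HttpClientHandler() })`, and on the server call `app.UseAuthentication(); app.UseAuthorization();` and apply the policy to the endpoint. The double-checked `IsFresh()` around the semaphore is what keeps concurrent calls from each hitting the authorization server when the cached token expires.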