C#•2y ago

✅ Authorization in ASP.NET Web Api

[Authorize("MyApiUserPolicy", AuthenticationSchemes = "Bearer")]
How exactly does it check provided token if it is valid or not?
Like does it generate similar token and based on provided token it just compares it or there is something else going on?

D.Mentia•4/7/24, 7:58 PM

Depends on how you registered it, but usually somewhere you're setting up something like:

DachiOP•4/7/24, 7:58 PM

sure

DachiOP•4/7/24, 7:58 PM

i have that

D.Mentia•4/7/24, 7:58 PM

so it's validating the token given the validation info you gave it - that it can decode the token with the given key, and it has a valid issuer and audience (if you specified that it should validate those things)

D.Mentia•4/7/24, 7:59 PM

the authorization policy is separate, after authentication, and you set that up yourself somewhere too and I assume you're not asking about that

DachiOP•4/7/24, 8:00 PM

so it decodes the user token

D.Mentia•4/7/24, 8:00 PM

I'm not 100% sure but, reasonably certain. It has to, in order to get the authorization info (claims from the token)

DachiOP•4/7/24, 8:00 PM

and checks ussuer and other stuff right?

DachiOP•4/7/24, 8:01 PM

like does it decode token, or generate one with the information that you give and compares them to each other?

D.Mentia•4/7/24, 8:02 PM

decodes, pretty sure. Comparing them doesn't work because it doesn't know what claims and stuff are in that token

DachiOP•4/7/24, 8:13 PM

if it checks parts where i say ture

DachiOP•4/7/24, 8:13 PM

whats the use of SymmetricSecurityKey(Encoding.UTF8.GetBytes("YOUR_SIGNING_KEY"))

DachiOP•4/7/24, 8:13 PM

those things are publicly available in token

DachiOP•4/7/24, 8:13 PM

@TeBeCo

DachiOP•4/7/24, 8:18 PM

you mean the part where it check literally every part?