Question: How to stay compliant with the specification using a custom AuthenticationHandler #950

Closed
VincentVrijburg opened this issue Feb 18, 2021 · 5 comments
@VincentVrijburg

DESCRIPTION

I'm implementing a custom AuthenticationHandler to support API Key based authentication. However, I cannot find how to stay compliant with the JSON:API specification since I don't have access to the services from JADNC at the authentication stage, within the middleware pipeline.

My question is how I should handle the authentication (error) responses through JADNC in order to stay compliant with the specification.

STEPS TO REPRODUCE

Startup.cs:

```csharp
public void ConfigureServices(IServiceCollection services)
{
    // Can be any implementation which inherits from AuthenticationHandler:
    services.AddAuthentication("ApiKey").AddApiKey();
    // ...
    services.AddJsonApi<DbContext>();
}

public void Configure(IApplicationBuilder app, IWebHostEnvironment env, ILoggerFactory loggerFactory)
{
    app.UseRouting();
    app.UseAuthentication();
    // ...
    app.UseJsonApi();
    app.UseEndpoints(endpoints => { endpoints.MapControllers(); });
}
```

I had a look at the source code and found two "problems" related to my issue:

  1. The serializer/deserializer is not separated and cannot be added to the pipeline before authentication (Separation of JsonApi serialization/deserialization and asp.net core #661). Meaning that I cannot return a compliant response in my custom AuthenticationHandler.
  2. The ExceptionHandler of JADNC is not added to the pipeline before authentication. Meaning, obviously, that exceptions in my custom AuthenticationHandler won't be handled by JADNC. Thus, the response won't be in proper JSON:API format.

EXPECTED BEHAVIOR

Being able to handle responses, outside of regular resource controllers, through JADNC.

ACTUAL BEHAVIOR

Responses (outside of regular resource controllers) being unhandled resulting in responses which aren't compliant with the JSON:API specification.

VERSIONS USED

  • JsonApiDotNetCore version: 4.0.3
  • ASP.NET Core version: 3.1
  • Entity Framework Core version: 3.1.12
  • Database provider: PostgreSQL
@bart-degreed
Contributor

Hi @VincentVrijburg,

I don't think we've had this question before. So to answer it, we'll need to prototype an auth handler and analyze in what order things execute. I assume you mean something along the lines of https://joonasw.net/view/creating-auth-scheme-in-aspnet-core-2, right?

It would help greatly if you can provide a minimal demo project that we can debug.

@VincentVrijburg
Author

Hi @bart-degreed,

I know that before aspnet core 2 you could create a middleware that returned the custom authentication handler. Meaning that, in theory, you could register it after a library like JADNC. However, they changed that approach to a single-middleware setup. The current approach is adding the custom authentication handler as a scheme (just like that article you shared) and registering it with the default .UseAuthentication().

Anyway, I think I'll be able to set up a quick demo project later today. I'll let you know once I have something ready!

@VincentVrijburg
Author

Hi @bart-degreed,

I've managed to set up a demo project using JADNC in combination with a custom authentication handler: https://github.com/VincentVrijburg/JsonApiDotNetCore.Demo.Auth

See the readme for more information about how to set it up and use it.

Note: I have used the same versions as described in the issue above.

I will do some minor debugging myself out of curiosity and I'll let you know if I have something interesting to share!

@bart-degreed
Contributor

Thanks for the helpful demo project! I've tried to answer your question at VincentVrijburg/JsonApiDotNetCore.Demo.Auth#1.

Hope this helps.

@VincentVrijburg
Author

Simple yet effective, love it!

I wasn't sure how to tap into existing JADNC serializers and handlers but the proposed solution works for me.

I've added some additional code to my demo project in order to use the same JSON serializer settings (IJsonApiOptions) as JADNC does: VincentVrijburg/JsonApiDotNetCore.Demo.Auth@2d6b210
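
An added example (not code from this thread, the demo project, or the linked pull request) of one way an API-key `AuthenticationHandler` can emit JSON:API error documents itself, by overriding the challenge and forbid hooks. The `X-Api-Key` header name, the `ApiKeyOptions.ExpectedKey` property, the `api-client` identity name and the error texts are assumptions; the body is serialized with System.Text.Json rather than JADNC's serializer settings.

```csharp
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Assumption: ExpectedKey is loaded from configuration or a secret store, never hard-coded.
public class ApiKeyOptions : AuthenticationSchemeOptions { public string ExpectedKey { get; set; } }

public class ApiKeyHandler : AuthenticationHandler<ApiKeyOptions>
{
    public ApiKeyHandler(IOptionsMonitor<ApiKeyOptions> options, ILoggerFactory logger,
        UrlEncoder encoder, ISystemClock clock) : base(options, logger, encoder, clock) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue("X-Api-Key", out var supplied)) // header name is an assumption
            return Task.FromResult(AuthenticateResult.NoResult());
        // Compare in constant time so response timing does not reveal how much of the key matched.
        byte[] given = Encoding.UTF8.GetBytes(supplied.ToString());
        byte[] expected = Encoding.UTF8.GetBytes(Options.ExpectedKey ?? string.Empty);
        if (expected.Length == 0 || !CryptographicOperations.FixedTimeEquals(given, expected))
            return Task.FromResult(AuthenticateResult.Fail("Invalid API key."));
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "api-client") }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }

    // These run inside the authentication/authorization middleware, before any controller or JADNC filter.
    protected override Task HandleChallengeAsync(AuthenticationProperties properties) =>
        WriteErrorAsync(StatusCodes.Status401Unauthorized, "Unauthorized", "A valid API key is required.");

    protected override Task HandleForbiddenAsync(AuthenticationProperties properties) =>
        WriteErrorAsync(StatusCodes.Status403Forbidden, "Forbidden", "This API key may not access the resource.");

    private Task WriteErrorAsync(int status, string title, string detail)
    {
        Response.StatusCode = status;
        Response.ContentType = "application/vnd.api+json"; // JSON:API media type
        var document = new { errors = new[] { new { status = status.ToString(), title, detail } } };
        return Response.WriteAsync(JsonSerializer.Serialize(document));
    }
}
```

The handler would be registered with `services.AddAuthentication("ApiKey").AddScheme<ApiKeyOptions, ApiKeyHandler>("ApiKey", o => { /* set ExpectedKey */ });`. The error detail is deliberately the same whether the key is missing or wrong, so the response does not help a caller probe for valid keys.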
