Authentication
Harmony Core supports the following authentication and authorization mechanisms:
- User authentication
- Role-based authorization on controllers & methods
- Role-based authorization on field / property visibility
To enable these features:
- Edit
regen.batand remove the comment from theENABLE_AUTHENTICATIONandENABLE_FIELD_SECURITYoptions - Regenerate code
- Change the Build Action property to Compile for PrimaryKeyGenerator.dbl and StartupCustom.dbl
- Build
- Start IdentityServer (it runs in IIS Express)
- Start Services.Host project
- Start PostMan
- Use Get Access Token (Jodah) and copy JWT
- Edit collection properties, variables, and paste the JWT into the CurrentValue field for AccessToken.
- Test any operation, all should fail with 401 (unauthorized)
- Change request authorization to Bearer Token and notice the value comes from the AccessToken variable.
Operations should now work.
Stop the server. Now we’ll restrict create, update and delete operations only to users in the Manager role (which Jodah is not)
- Edit UserDefinedTokens.tkn and uncomment the 5 ROLES_ values:
<ROLES_GET>Employee,Manager</ROLES_GET>
<ROLES_POST>Manager</ROLES_POST>
<ROLES_PUT>Manager</ROLES_PUT>
<ROLES_PATCH>Manager</ROLES_PATCH>
<ROLES_DELETE>Manager</ROLES_DELETE>
- Save the file
- Generate code
- Examine a controller
Endpoints now have Authorize attributes too.
- Build and start the server
- Have Jodah try to delete something – fails
- Get JWT for Manny and update the AccessToken variable
- Try delete again. Should work now
- Stop server