Security
- Built-in support for JWT bearer tokens
- Built-in support for permission-, claim- and role-based security
- Easy configuration for secure-by-default
Security is also integrated into the OpenApi support.
Jwt
Add the following lines of code. See complete example for context on where they go.
```csharp
builder.Services.AddWebApiEndpointAuthorization(typeof(AssemblyHook).Assembly);
builder.Services.AddAuthenticationJwtBearer(builder.Configuration["Jwt:Issuer"], builder.Configuration["Jwt:Audience"], builder.Configuration["Jwt:Key"]);
```
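The configuration indexer returns null for a missing setting, so it is worth validating the three values before they reach AddAuthenticationJwtBearer. The following is an added example, not code from the WebApiEndpoint project: `JwtSettingsGuard` and `JwtSettings` are hypothetical names, the sample values are constructed, and it assumes `Jwt:Key` is a symmetric HMAC secret used as UTF-8 bytes (HS256 requires a key of at least 256 bits).

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Extensions.Configuration;

// Constructed sample configuration; the values are placeholders, not from the page.
var configuration = new ConfigurationBuilder()
    .AddInMemoryCollection(new Dictionary<string, string?>
    {
        ["Jwt:Issuer"] = "https://issuer.example",
        ["Jwt:Audience"] = "webapi-samples",
        ["Jwt:Key"] = "too-short" // deliberately weak, so the guard rejects it
    })
    .Build();

try
{
    var jwt = JwtSettingsGuard.Load(configuration);
    // In Program.cs: builder.Services.AddAuthenticationJwtBearer(jwt.Issuer, jwt.Audience, jwt.Key);
}
catch (InvalidOperationException exception)
{
    // Never log the key itself, only which setting failed.
    Console.Error.WriteLine($"Refusing to start: {exception.Message}");
}

// Hypothetical helper (not part of the library): fail fast on missing or weak settings.
public sealed record JwtSettings(string Issuer, string Audience, string Key);
public static class JwtSettingsGuard
{
    // Assumption: the key is an HMAC secret taken as UTF-8 bytes; HS256 needs >= 256 bits.
    private const int MinimumKeyBytes = 32;

    public static JwtSettings Load(IConfiguration configuration)
    {
        var key = Required(configuration, "Jwt:Key");
        if (Encoding.UTF8.GetByteCount(key) < MinimumKeyBytes)
            throw new InvalidOperationException($"Jwt:Key must be at least {MinimumKeyBytes} bytes.");
        return new JwtSettings(Required(configuration, "Jwt:Issuer"), Required(configuration, "Jwt:Audience"), key);
    }

    private static string Required(IConfiguration configuration, string name)
    {
        var value = configuration[name];
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException($"Configuration value '{name}' is missing or empty.");
        return value;
    }
}
```

In a real deployment the value behind `Jwt:Key` belongs in a secret store or environment variable rather than in a committed appsettings.json.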
Setup Complete Example
```csharp
Log.Logger = new LoggerConfiguration()
    .Enrich.FromLogContext()
    .WriteTo.Console(outputTemplate: "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}")
    .CreateBootstrapLogger();

try
{
    Log.Information("Application starting up");

    var builder = WebApplication.CreateBuilder(args);

    builder.Host.UseSerilog((hostBuilderContext, loggerConfiguration) =>
        loggerConfiguration.WriteTo.Console(outputTemplate: "[{Timestamp:HH:mm:ss.fff} {Level:u3}] {Message:lj}{NewLine}{Exception}")
                           .ReadFrom.Configuration(hostBuilderContext.Configuration));

    builder.Host.ConfigureServices(serviceCollection =>
    {
        serviceCollection.RegisterModule(new WebApiEndpointModule(typeof(AssemblyHook).Assembly));
        serviceCollection.RegisterModule<ApplicationModule>();
    });

    builder.Services.AddEndpointsApiExplorer();
    builder.Services.AddSwaggerGen(options => options.EnableWebApiEndpointForOpenApi("WebApiEndpoint Samples", WebApiEndpointVersions.V1_0, WebApiEndpointVersions.V2_0)
                                                     .EnableWebApiEndpointJwtForOpenApi());

    builder.Services.AddWebApiEndpointAuthorization(typeof(AssemblyHook).Assembly);
    builder.Services.AddAuthenticationJwtBearer(builder.Configuration["Jwt:Issuer"], builder.Configuration["Jwt:Audience"], builder.Configuration["Jwt:Key"]);

    var application = builder.Build();

    application.UseAuthentication();
    application.UseAuthorization();

    if (application.Environment.IsDevelopment())
    {
        application.UseSwagger();
        application.UseSwaggerUI(options => options.UseWebApiEndpointOpenApiUI("WebApiEndpoint Samples", WebApiEndpointVersions.V1_0, WebApiEndpointVersions.V2_0));
    }

    application.UseHttpsRedirection();

    application.UseWebApiEndpoints();

    application.Run();
}
catch (Exception exception)
{
    Log.Fatal(exception, "Application start-up failed");
}
finally
{
    Log.Information("Application shut down complete");
    Log.CloseAndFlush();
}
```
Permission, Claim and Role based security
These are configured per route.
Easy configuration for secure-by-default
There is a global configuration that will, by default, make all WebApiEndpoints require authorization.
```csharp
var webApiEndpointConfiguration = WebApiEndpointConfiguration.Default with { SecureByDefault = true };
serviceCollection.RegisterModule(new WebApiEndpointModule(webApiEndpointConfiguration, typeof(AssemblyHook).Assembly));
```
NOTE: A route configuration will override this default if specified.