Passing a JWT into Headless APIs
Explore the process of securing headless web APIs by passing JSON Web Tokens as bearer tokens. Understand how to configure ASP.NET Core middleware to authenticate and authorize API requests using OAuth 2.0 and OpenID Connect. Learn how client applications handle token retrieval and transmission to API endpoints for secure access.
Because web API applications are headless (they serve no browser-facing pages), they cannot drive the interactive OIDC login flow themselves; a client application with a user interface does this. However, we still need to make sure that only authorized requests can reach our web API endpoints. To do so, the client passes the access token it obtained to the API as a bearer token.
A bearer token is a type of access token that is used to authorize and authenticate HTTP requests in token-based security protocols like OAuth 2.0. It's called a "bearer" token because whoever possesses or bears the token is granted access to certain resources or functionalities.
Bearer tokens are transmitted in the HTTP Authorization header (Authorization: Bearer <token>). The bearer scheme itself binds nothing to the sender: the API does not check who is presenting the token, only whether the token is valid. A JWT access token does carry claims (subject, audience, scopes, expiry), but the API may trust them only after validating the signature against the issuer's published signing keys and checking the issuer, audience and expiry. When a server receives a request with a bearer token, it performs that validation and then decides from the claims whether the requester has the necessary permissions for the requested action. Because possession alone grants access, a bearer token must only travel over TLS, should be short-lived, and must never be written to logs.
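As an added example (not code from the page's playground), here is how the headless API side is configured in ASP.NET Core: the JWT bearer handler validates every incoming token before any endpoint runs, and an authorization policy then checks the scope claim. The authority URL, the audience name and the orders.read scope are assumptions for illustration; the code assumes a .NET 6 or later minimal-API project with implicit usings and the Microsoft.AspNetCore.Authentication.JwtBearer package.

```csharp
// Program.cs of the headless web API (added example, not the page's playground code).
// Requires the Microsoft.AspNetCore.Authentication.JwtBearer package.
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        // Assumed values: the OIDC provider that issues the tokens and the
        // audience identifier registered for this API at that provider.
        options.Authority = "https://idp.example.test";
        options.Audience = "orders-api";

        // The handler fetches the issuer's discovery document and signing keys
        // from the Authority; never allow that over plain HTTP.
        options.RequireHttpsMetadata = true;

        options.TokenValidationParameters = new TokenValidationParameters
        {
            // Signature, issuer, audience and lifetime are all checked; a token
            // failing any of them is rejected with 401 before endpoint code runs.
            // ValidIssuer is filled from the discovery document when not set.
            ValidateIssuerSigningKey = true,
            ValidateIssuer = true,
            ValidateAudience = true,
            ValidateLifetime = true,
            // Keep clock tolerance small; the library default is five minutes.
            ClockSkew = TimeSpan.FromSeconds(30),
            NameClaimType = "name",
            RoleClaimType = "role",
        };
    });

builder.Services.AddAuthorization(options =>
{
    // Authenticated is not the same as authorized: also require the scope the
    // client asked for. The "scope" claim may arrive as one space-separated
    // string or as several claims, so split before matching.
    options.AddPolicy("OrdersRead", policy => policy
        .RequireAuthenticatedUser()
        .RequireAssertion(ctx => ctx.User.FindAll("scope")
            .SelectMany(c => c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries))
            .Contains("orders.read")));
});

var app = builder.Build();

// Authentication must run before authorization, and both before the endpoints.
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/api/orders", (ClaimsPrincipal user) =>
{
    // The subject claim is trusted only because the handler above validated the
    // token's signature, issuer, audience and expiry. Default inbound claim
    // mapping renames "sub" to ClaimTypes.NameIdentifier, so check both.
    var subject = user.FindFirst("sub")?.Value
                  ?? user.FindFirst(ClaimTypes.NameIdentifier)?.Value
                  ?? "unknown";
    return Results.Ok(new { owner = subject, orders = Array.Empty<object>() });
}).RequireAuthorization("OrdersRead");

app.Run();
```

A request with no Authorization header, an expired token, a token signed by another issuer, or a token minted for a different audience never reaches the endpoint body; a valid token without the orders.read scope is rejected with 403 by the policy.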
OIDC setup with bearer token pass-through
The following playground demonstrates how a JWT is passed as a bearer token from an application with a user interface to a headless web API application. The excerpt shown here is the project's appsettings.json:
{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*"
}
...
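As an added example of the client side of the pass-through described above (not code from the page's playground), this is a UI application that signs the user in with OpenID Connect, keeps the resulting access token in the authentication session, and attaches it as a bearer token to every call it makes to the API. The authority URL, client id, the Oidc:ClientSecret configuration key, the API base URL and the orders.read scope are assumptions for illustration; the code assumes .NET 6 or later with implicit usings and the Microsoft.AspNetCore.Authentication.OpenIdConnect package.

```csharp
// Program.cs of the UI client (added example, not the page's playground code).
// Requires the Microsoft.AspNetCore.Authentication.OpenIdConnect package.
using System.Net.Http.Headers;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.IdentityModel.Protocols.OpenIdConnect;

var builder = WebApplication.CreateBuilder(args);

builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        // Assumed values for illustration; the secret comes from configuration,
        // never from source code.
        options.Authority = "https://idp.example.test";
        options.ClientId = "orders-ui";
        options.ClientSecret = builder.Configuration["Oidc:ClientSecret"];
        options.ResponseType = OpenIdConnectResponseType.Code;
        options.UsePkce = true;
        options.Scope.Add("orders.read"); // the scope the API's policy checks
        options.SaveTokens = true;        // keep access_token in the auth session
    });

builder.Services.AddHttpContextAccessor();
builder.Services.AddTransient<BearerTokenHandler>();
builder.Services.AddHttpClient("OrdersApi", client =>
        client.BaseAddress = new Uri("https://api.example.test/")) // assumed API URL
    .AddHttpMessageHandler<BearerTokenHandler>();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

app.MapGet("/orders", async (IHttpClientFactory factory) =>
{
    // BearerTokenHandler attaches the token; the API validates it.
    var response = await factory.CreateClient("OrdersApi").GetAsync("api/orders");
    if (!response.IsSuccessStatusCode)
        return Results.StatusCode((int)response.StatusCode);
    return Results.Content(await response.Content.ReadAsStringAsync(), "application/json");
}).RequireAuthorization();

app.Run();

// Copies the access token saved by the OIDC handler into the Authorization
// header of each outgoing API request.
public sealed class BearerTokenHandler : DelegatingHandler
{
    private readonly IHttpContextAccessor _accessor;

    public BearerTokenHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var httpContext = _accessor.HttpContext
            ?? throw new InvalidOperationException("No HTTP context for this request.");

        var token = await httpContext.GetTokenAsync("access_token");
        if (string.IsNullOrEmpty(token))
            throw new InvalidOperationException("No access token in the session; sign in first.");

        // Anyone who sees a bearer token can use it: refuse to send it in clear.
        if (request.RequestUri?.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("Refusing to send a bearer token over plain HTTP.");

        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return await base.SendAsync(request, cancellationToken);
    }
}
```

SaveTokens = true is what makes the access token available to GetTokenAsync; without it the OIDC handler keeps only the user's claims. The access token has its own expiry, so a production client also has to refresh it (using the refresh_token saved in the same session) before it lapses; that step is outside this example.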