feature request: Provide a tutorial when protecting API resource

[kjbtech]

What problem did you meet?

In my case, I have a kind of SPA that calls a Proxy API that redirect calls on backends APIs.
SPA need to auhenticate itself on the Proxy API. That works fine.
Then, the proxy API forwards HTTP calls to APIs that he protects.
In that matters, Proxy API wants to use the token that authenticate SPA, and forward it to the backends API.

To do so, regarding the fact that the example use Cookies to store the issued token, when forwarding, I have to get the access token for resources.

You have a tutorial part about API protecting (see https://github.com/logto-io/csharp/blob/master/src/Logto.AspNetCore.Authentication/docs/tutorial.md#api-resources).
However, I do not understand how it could work (maybe because I'm not an expert at OIDC).

Describe what you'd like Logto to have

A working example or an explanation on what I had wrong.

[kjbtech]

I succeeded to make it worked thanks to the below code.

On the Proxy API that forward calls:

var accessTokenForResource = await context.GetTokenAsync(LogtoParameters.Tokens.AccessTokenForResource);

// Add JWT token in 'Authorization' header
context.Request.Headers["Authorization"] = $"Bearer {accessTokenForResource}";;

On a backend API:

builder.Services.AddAuthentication()
    .AddJwtBearer(options =>
    {
        options.Authority = "https://xxxx.logto.app/oidc";
        options.Audience = "https://localhost:YYYY";
    });
builder.Services.AddAuthorization();

I can provide a full working example if you want to.

[gitekDev]

Hey @kjbtech for the Backend API it would be cool to see how it works.

[gao-sun]

hi @kjbtech can you check the new Blazor WASM sample? the readme includes the sample for fetching JWT for API resources.

[kjbtech]

Hi @gao-sun ,
I can for sur, but where is it exactly?

[kjbtech]

Hi @gao-sun,
I checked your example, it is not what I achieved here.

Your samples shows more how to use LogTo in the front-end directly.
Whereas what I suggest here is to not inject LogTo configuration to the frontend application, to force developers to use a backend proxy.

[kjbtech]

Hey @gao-sun,
I added a pull request here https://github.com/logto-io/csharp/pull/28/files.

It covers a working example with the wasm sample that you provided.