Documentation
Authentication and authorization
Although not strictly a part of DDD, I implemented the whole authentication and authorization myself, partly because it's fun and partly because that's the best way to learn how things work.
Because I wanted to experiment with a stateless web application, I used a JSON Web Token (JWT) [1] for authentication and authorization. Note that JWTs are not meant to be long lived, so this is not a sound idea and I would do this differently next time.
[1] Visit jwt.io for more information on the JWT standard.
The JWT action filter
Before entering a controller, a request goes through the JwtActionFilter. There the token, if present, is parsed and validated.
The action that belongs to that request has either a Requires attribute or a GuestRoute attribute. If there's a Requires attribute, the permissions of the user are checked against the required permissions. For a guest route no check is necessary, of course.
The information from the JWT is stored in an AuthContext object containing the user's information. This is attached to the HttpContext. After the filter is done with its authorization, the AuthContextActionFilter is used to pass the AuthContext information on to the Controller and the View.
Using a cookie
The JWT is passed via a cookie. The reason is that our frontend doesn't rely on JavaScript or AJAX to communicate with the backend, but mostly uses simple HTML links and form posts. With a cookie it's much easier to attach the token to every request.
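As an added illustration (not the project's own code), this is what the JwtActionFilter described above could look like in ASP.NET Core using the Microsoft JWT libraries, reading the token from the cookie as the previous section explains. The attribute classes, the AuthContext record, the cookie name "jwt", the "perm" claim and the issuer/audience strings are assumptions; the point is that the signature, algorithm and lifetime are validated before permissions are compared, and that an action carrying neither attribute fails closed.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using System.IdentityModel.Tokens.Jwt;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.IdentityModel.Tokens;
// Hypothetical attributes and context object, modelled on the ones described above.
public sealed class RequiresAttribute : Attribute
{ public string[] Permissions { get; } public RequiresAttribute(params string[] p) => Permissions = p; }
public sealed class GuestRouteAttribute : Attribute { }
public sealed record AuthContext(string UserId, string[] Permissions);
public sealed class JwtActionFilter : IAsyncActionFilter
{
    private readonly TokenValidationParameters _validation;
    public JwtActionFilter(byte[] signingKey) => _validation = new TokenValidationParameters
    {
        IssuerSigningKey = new SymmetricSecurityKey(signingKey), ValidateLifetime = true, // exp/nbf enforced
        ValidIssuer = "issuer-placeholder", ValidAudience = "audience-placeholder",       // placeholders
        ValidAlgorithms = new[] { SecurityAlgorithms.HmacSha256 }, // pin alg: rejects "none" and RS/HS confusion
    };
    public async Task OnActionExecutionAsync(ActionExecutingContext ctx, ActionExecutionDelegate next)
    {
        var metadata = ctx.ActionDescriptor.EndpointMetadata;
        var requires = metadata.OfType<RequiresAttribute>().FirstOrDefault();
        var isGuest = metadata.OfType<GuestRouteAttribute>().Any();
        // Cookie-borne token: the browser sends it on every request, so the cookie should be
        // HttpOnly + SameSite and state-changing form posts still need CSRF protection.
        AuthContext? auth = null;
        if (ctx.HttpContext.Request.Cookies.TryGetValue("jwt", out var token))
        {
            try
            {
                var principal = new JwtSecurityTokenHandler().ValidateToken(token, _validation, out _);
                auth = new AuthContext(principal.FindFirst(ClaimTypes.NameIdentifier)?.Value ?? "", // "sub" maps here
                    principal.FindAll("perm").Select(c => c.Value).ToArray());
            }
            catch (Exception e) when (e is SecurityTokenException or ArgumentException)
            { auth = null; } // tampered, expired or malformed token: treated as anonymous
        }
        ctx.HttpContext.Items["AuthContext"] = auth; // read later by the AuthContextActionFilter
        if (isGuest) { await next(); return; }                               // guest route: no check
        if (auth is null) { ctx.Result = new UnauthorizedResult(); return; } // no valid token
        if (requires is null || requires.Permissions.Except(auth.Permissions).Any())
        { ctx.Result = new StatusCodeResult(403); return; }                  // fail closed
        await next();
    }
}
```

Register the filter globally (for example via MvcOptions.Filters) so that no action can be reached without passing through it.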
Final note
Even if you want to use this idea, all of this is handcrafted and should not be used in production code. Please use properly audited libraries for security related matters :).