I'd like to start by thanking you for creating FusionAuth! We were looking for a solution we can keep on the same AWS subnet for faster and more reliable authentication calls, in addition to maintaining ownership of the user data on our own Postgres database. While the concepts are complex, I was able to grasp the general idea and implement JWT auth in ASP.NET Core, but I still have a few things I need to clarify. As an aside, I would be happy to share this code so you can have an example of how to do API security in ASP.NET Core!
Below are some thing I would deeply appreciate some clarification on. I think other .NET Core developers would also be sharing some similar questions, so I hope your answers will help them as well!
1. Is FusionAuth using OpenID Connect?
From my research & reading (this page helped a lot), it appears that OpenID is a standardized set of claims that should be included in OAuth2 tokens. With that in mind, is the token sent by FusionAuth is therefore outside of the scope of OpenID since it contains a few extra claims, as listed here. So, am I correct in saying that FusionAuth is not using OpenID connect?
2. How long does it take for role changes to come into effect?
Recently I was testing access levels. I assigned myself "Admin" and performed some endpoint tests in Swagger. Then I changed my role to one of lesser permissions, but I was still able to use the admin-only endpoints. It was only after I logged out & logged back in that the new permissions took effect. I'm not sure if this is an oversight of my understanding of OAuth2, or a configuration setting I haven't changed, or something with how ASP.NET Core JWT middleware handles token validation.
3. Should the frontends be talking to FusionAuth directly?
The confusion here stems from the documentation in the React demo page, specifically here. It states that our frontends shouldn't be talking to the FusionAuth directly, but rather pipe through a backend. To give some background on our project, we have a monolithic backend API that's going to serve data to serve a frontend written in React. The backend endpoints are secured with JWT. We want users to be able to sign-in with username & password, but also CarbonCure company employees to sign in with their Google account. We also have tinier smaller AWS lambdas that will also be periodically running and talking to this endpoint. I'm just not sure what role our monolithic backend server plays into all this. How do we get the nifty sign-in page on the frontend when we need to hide all the secrets and the like in the backend? Is this something we even have to do?
Once again, thank you for this product. We look forward to using the premium features as we grow!