Hello!
I'd like to start by thanking you for creating FusionAuth! We were looking for a solution we can keep on the same AWS subnet for faster and more reliable authentication calls, in addition to maintaining ownership of the user data on our own Postgres database. While the concepts are complex, I was able to grasp the general idea and implement JWT auth in ASP.NET Core, but I still have a few things I need to clarify. As an aside, I would be happy to share this code so you can have an example of how to do API security in ASP.NET Core!
Below are some things I would deeply appreciate some clarification on. I think other .NET Core developers would also be sharing some similar questions, so I hope your answers will help them as well!
1. Is FusionAuth using OpenID Connect?
From my research & reading (this page helped a lot), it appears that OpenID is a standardized set of claims that should be included in OAuth2 tokens. With that in mind, is the token sent by FusionAuth therefore outside of the scope of OpenID, since it contains a few extra claims, as listed here? So, am I correct in saying that FusionAuth is not using OpenID Connect?
2. How long does it take for role changes to come into effect?
Recently I was testing access levels. I assigned myself "Admin" and performed some endpoint tests in Swagger. Then I changed my role to one of lesser permissions, but I was still able to use the admin-only endpoints. It was only after I logged out & logged back in that the new permissions took effect. I'm not sure if this is an oversight of my understanding of OAuth2, or a configuration setting I haven't changed, or something with how ASP.NET Core JWT middleware handles token validation.
3. Should the frontends be talking to FusionAuth directly?
The confusion here stems from the documentation in the React demo page, specifically here. It states that our frontends shouldn't be talking to FusionAuth directly, but rather pipe through a backend. To give some background on our project, we have a monolithic backend API that's going to serve data to a frontend written in React. The backend endpoints are secured with JWT. We want users to be able to sign in with username & password, but also allow CarbonCure company employees to sign in with their Google account. We also have smaller AWS Lambdas that will be periodically running and talking to this endpoint. I'm just not sure what role our monolithic backend server plays in all this. How do we get the nifty sign-in page on the frontend when we need to hide all the secrets and the like in the backend? Is this something we even have to do?
Once again, thank you for this product. We look forward to using the premium features as we grow!
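Editor's added example, not part of the original post and not FusionAuth's or the poster's code, illustrating the behaviour described in question 2. ASP.NET Core's JWT bearer middleware verifies a bearer token's signature, issuer, audience and lifetime and then builds the request's claims from the token payload; it does not call back to the identity server or the database on each request, so roles are a snapshot taken when the token was issued and a role change is only visible once a new token is minted (for example after logging out and back in). The snippet below shows the validation that is actually enforced per request, and one way to make a role change bite sooner: an `OnTokenValidated` hook that reloads the user's current roles from the application's own store and replaces the role claims carried by the token. The claim name `roles`, the `IUserRoleStore` service and the `Jwt:Authority` / `Jwt:Audience` configuration keys are assumptions for the example, not names taken from FusionAuth or the poster's project.

```csharp
using System;
using System.Linq;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

// Hypothetical application service (assumption for this example): returns the
// roles currently stored for a user in the application's own database.
public interface IUserRoleStore
{
    Task<string[]> GetRolesAsync(string userId);
}

public static class JwtAuthSetup
{
    public static void AddJwtAuth(this IServiceCollection services, IConfiguration config)
    {
        services
            .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
            .AddJwtBearer(options =>
            {
                // The middleware downloads and caches the issuer's signing keys from
                // <Authority>/.well-known/openid-configuration; no per-request call.
                options.Authority = config["Jwt:Authority"]; // assumed config key
                options.Audience  = config["Jwt:Audience"];  // assumed config key

                options.TokenValidationParameters = new TokenValidationParameters
                {
                    // This is everything that is checked on each request: the token is
                    // trusted on the strength of its signature and its timestamps,
                    // and whatever roles it carries are taken at face value.
                    ValidateIssuerSigningKey = true,
                    ValidateIssuer           = true,
                    ValidateAudience         = true,
                    ValidateLifetime         = true,
                    ClockSkew                = TimeSpan.FromSeconds(30),

                    // Which payload claim [Authorize(Roles = "Admin")] should read.
                    // "roles" is an assumption; use the claim name your issuer emits.
                    RoleClaimType = "roles",
                    NameClaimType = "sub",
                };

                options.Events = new JwtBearerEvents
                {
                    // Runs only after signature and lifetime checks have passed.
                    // Re-reading roles here makes a demotion effective on the next
                    // request instead of at the next login, at the cost of one
                    // database lookup per authenticated request.
                    OnTokenValidated = async ctx =>
                    {
                        var identity = ctx.Principal?.Identity as ClaimsIdentity;
                        var userId   = identity?.FindFirst("sub")?.Value;
                        if (identity is null || userId is null)
                        {
                            ctx.Fail("token has no subject claim");
                            return;
                        }

                        var store = ctx.HttpContext.RequestServices
                                       .GetRequiredService<IUserRoleStore>();
                        var currentRoles = await store.GetRolesAsync(userId);

                        // Drop the roles frozen into the token at issuance and
                        // replace them with what the database says right now.
                        foreach (var stale in identity.FindAll("roles").ToList())
                            identity.RemoveClaim(stale);
                        foreach (var role in currentRoles)
                            identity.AddClaim(new Claim("roles", role));
                    }
                };
            });
    }
}
```

Wire it up with `builder.Services.AddJwtAuth(builder.Configuration);` and register an `IUserRoleStore` implementation. The hook trades away the statelessness that makes JWTs attractive, so the usual alternative is to keep the token's roles as-is and shorten the access token lifetime so that a stale role expires within minutes; which trade-off is right depends on how quickly a revocation has to take effect.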