
Comments (3)

glime-ai commented on June 2, 2024

To integrate your company's identity provider with Elsa endpoints and ensure that your custom authorization and authentication schemes work correctly with Elsa, you need to configure the authentication and authorization middleware in your Program.cs or Startup.cs file, depending on which version of ASP.NET Core you are using.

Since you are using Elsa v3, which is compatible with .NET 6 and above, you should be configuring your services in the Program.cs file. Here's a general approach to how you can integrate your custom authentication and authorization with Elsa:

  1. Configure your JWT Bearer authentication as you have described.
  2. Configure your authorization policies as needed.
  3. Ensure that the Elsa services are registered after your authentication and authorization services.
  4. Configure NSwag to use your custom JWT Bearer authentication.
  5. Apply the [Authorize] attribute to your custom controllers as needed.

Here's an example of how you might configure your Program.cs:

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.
builder.Services.AddAuthorization(options =>
{
    // Your custom authorization policies
    options.AddMarlinAuthorizationPolicies();
});

builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = "Asymmetric";
    options.DefaultChallengeScheme = "Asymmetric";
})
.AddJwtBearer("Asymmetric", options =>
{
    // Your JWT Bearer options
});

// Add Elsa services.
builder.Services.AddElsa(elsa =>
{
    // Elsa configurations
});

// Configure NSwag to use your custom JWT Bearer authentication.
builder.Services.SwaggerDocument(options =>
{
    // Your NSwag configuration
});

var app = builder.Build();

// Configure the HTTP request pipeline.
app.UseAuthentication();
app.UseAuthorization();

// Use Elsa's API endpoints.
app.UseElsaApiEndpoints();

app.Run();

Make sure that the UseAuthentication() and UseAuthorization() middleware are called before UseElsaApiEndpoints() in the pipeline.

If you are still encountering a 403 Forbidden status when accessing Elsa endpoints, it could be due to a number of reasons, such as:

  • The token you are using does not have the correct claims or scopes required by the Elsa API.
  • The authorization policies defined in your application do not match the requirements of the Elsa API.
  • There may be a misconfiguration in the way the JWT Bearer authentication is set up.

To further diagnose the issue, you can enable logging to see more details about the failure. Additionally, you can check the Elsa documentation and source code to understand how Elsa handles authentication and authorization internally.

If you need more specific guidance, please provide additional details about your configuration and any error messages you are seeing.

from elsa-core.

gerrewsb commented on June 2, 2024

That's exactly what we're doing, except I think it's now app.UseWorkflowsApi() instead of UseElsaApiEndpoints()? Can you elaborate on the claims/scopes we need for the Elsa API?

from elsa-core.

gerrewsb commented on June 2, 2024

I got it to work by digging deep into the source code and adding "Permissions": "*" as a Claim in our IdentityProvider.

The docs on this could use some work, or exist for that matter :D

from elsa-core.
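
A diagnostic for the 403 discussed in this thread, as an added example that is not part of any comment above or of the Elsa project: it hooks the JWT bearer events on the "Asymmetric" scheme to log which claim types a validated token carries and whether the "Permissions" claim is missing or set to the wildcard. Assumptions: a .NET 6+ web project with implicit usings and the Microsoft.AspNetCore.Authentication.JwtBearer package; the Authority and Audience values are placeholders; the "NeedsPermissions" policy, the /probe endpoint and the "AuthDiag" logger name are hypothetical stand-ins; "*" is taken to mean every permission.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication.JwtBearer;

const string PermissionsClaim = "Permissions"; // claim name as given in the thread

// Logs claim types and permission values only; other claim values may be personal data.
void Report(HttpContext http, ClaimsPrincipal? user, string stage)
{
    var log = http.RequestServices.GetRequiredService<ILoggerFactory>().CreateLogger("AuthDiag");
    // FindAll compares claim types case-insensitively.
    var perms = user?.FindAll(PermissionsClaim).Select(c => c.Value).ToArray()
                ?? Array.Empty<string>();
    var types = user?.Claims.Select(c => c.Type).Distinct() ?? Enumerable.Empty<string>();
    log.LogInformation("{Stage} {Path}: claim types [{Types}], permissions [{Perms}]",
        stage, http.Request.Path, string.Join(", ", types), string.Join(", ", perms));
    if (perms.Length == 0)
        log.LogWarning("No {Claim} claim in the token; expect 403 where it is required", PermissionsClaim);
    else if (perms.Contains("*"))
        log.LogWarning("Wildcard {Claim} claim: principal is not limited to specific permissions", PermissionsClaim);
}

var builder = WebApplication.CreateBuilder(args);

// Hypothetical stand-in for an endpoint that demands a permissions claim.
builder.Services.AddAuthorization(o =>
    o.AddPolicy("NeedsPermissions", p => p.RequireClaim(PermissionsClaim)));

builder.Services.AddAuthentication("Asymmetric")
    .AddJwtBearer("Asymmetric", options =>
    {
        // Placeholders: substitute your identity provider's real settings.
        options.Authority = "https://idp.example.invalid";
        options.Audience = "example-audience";
        options.Events = new JwtBearerEvents
        {
            // Signature and lifetime checks passed: record what the token carries.
            OnTokenValidated = ctx =>
            { Report(ctx.HttpContext, ctx.Principal, "validated"); return Task.CompletedTask; },
            // Authenticated but rejected by authorization: this is the 403 path.
            OnForbidden = ctx =>
            { Report(ctx.HttpContext, ctx.HttpContext.User, "forbidden"); return Task.CompletedTask; }
        };
    });

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
app.MapGet("/probe", () => "ok").RequireAuthorization("NeedsPermissions");
app.Run();
```

A "forbidden" entry with an empty permissions list points at the token's claims rather than at signature or key configuration, which would fail earlier with a 401.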
