I have some .NET Core APIs that will be accessed by a web client and also will be invoked using a browser or Postman.
To access the API from the client we send a Bearer token in the HTTP header, and using AddJwtBearer we can validate the token and authorize the user.
But how can we secure the API if someone tries to invoke it from outside the app? In that case I want to use the OpenIdConnect default scheme. How can I use both: the Bearer token when a token is provided, and an authentication scheme when no Bearer token is provided?
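One way to do what the question asks in ASP.NET Core is a policy scheme whose `ForwardDefaultSelector` picks JwtBearer when the request carries an `Authorization: Bearer` header and OpenIdConnect (with its cookie sign-in scheme) otherwise. This is an added example, not code from the original post or from Okta; the scheme name `JwtOrOidc`, the authority, audience, client id and secret values are placeholders, and the endpoint path is hypothetical. It assumes the `Microsoft.AspNetCore.Authentication.JwtBearer` and `Microsoft.AspNetCore.Authentication.OpenIdConnect` packages are referenced.

```csharp
// Added example (not from the original post): route each request to JwtBearer
// or to OpenIdConnect depending on whether a Bearer header is present.
// Both branches still perform full validation; the selector only chooses which
// handler runs, so an unauthenticated caller is rejected on either path.
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

const string SelectorScheme = "JwtOrOidc"; // hypothetical name for the policy scheme
const string Authority = "https://{yourOktaDomain}/oauth2/default"; // placeholder

builder.Services
    .AddAuthentication(options =>
    {
        // Every authenticate/challenge goes through the selector first.
        options.DefaultScheme = SelectorScheme;
        options.DefaultChallengeScheme = SelectorScheme;
    })
    .AddPolicyScheme(SelectorScheme, "Bearer token or OIDC login", options =>
    {
        options.ForwardDefaultSelector = context =>
        {
            // Only a "Bearer <token>" header selects JwtBearer. Anything else
            // (browser with no header, or a non-Bearer header) goes to OIDC, whose
            // authenticate step reads the sign-in cookie and whose challenge
            // redirects the user to the identity provider.
            string authHeader = context.Request.Headers["Authorization"].ToString();
            return authHeader.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
                ? JwtBearerDefaults.AuthenticationScheme
                : OpenIdConnectDefaults.AuthenticationScheme;
        };
    })
    .AddJwtBearer(options =>
    {
        options.Authority = Authority;
        options.Audience = "api://default"; // placeholder audience of the API
        // Issuer, audience, signature and lifetime are validated against
        // the authority's discovery document and JWKS by default.
    })
    .AddCookie()
    .AddOpenIdConnect(options =>
    {
        options.SignInScheme = CookieAuthenticationDefaults.AuthenticationScheme;
        options.Authority = Authority;
        options.ClientId = "{clientId}";         // placeholder
        options.ClientSecret = "{clientSecret}"; // placeholder: load from configuration, not source
        options.ResponseType = "code";           // authorization code flow
        options.UsePkce = true;                  // PKCE protects the code exchange
        options.SaveTokens = false;              // do not keep IdP tokens in the cookie
    });

builder.Services.AddAuthorization();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Hypothetical endpoint: RequireAuthorization() means an anonymous caller gets
// 401 (Bearer path) or a redirect to the IdP (OIDC path), never the data.
app.MapGet("/api/values", () => new[] { "value1", "value2" }).RequireAuthorization();

app.Run();
```

A useful check after wiring this up: call the endpoint with no header and confirm a 302 to the authority's authorize endpoint; call it with a garbage `Authorization: Bearer x` header and confirm a 401 with a `WWW-Authenticate: Bearer` header rather than a redirect. If the second case redirects, the selector is not matching the header.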
It’s a broad question to discuss here, but some possible ways are:
- If you don’t have many users who will be using Postman for testing, then you can just create an OAuth service app for each of them, which will use the client_credentials flow to get a token from the same authZ server which your API service uses.
- Another way can be creating an app using the implicit flow, which will return you an access token right away after calling /authorize on your authZ server.
Everything else is more a question for the .NET community, I think, as it’s not specific to the Okta service.
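The first option above, the client_credentials grant, is the standard machine-to-machine way for a tester or script to obtain a Bearer token for an API (the OAuth 2.0 Security Best Current Practice recommends against the implicit grant, since it exposes access tokens in the browser). This added example, not code from the thread or from Okta, shows a small console client that requests a token from the authorization server's token endpoint using HTTP Basic client authentication and then calls the API with it. The token endpoint URL, scope name, API URL and the `API_CLIENT_ID` / `API_CLIENT_SECRET` environment variable names are assumptions.

```csharp
// Added example (not from the original thread): obtain an access token with the
// client_credentials grant and present it to the API as a Bearer token.
// Endpoint, scope and API URL are placeholders; credentials come from the
// environment so they never sit in source or in a shared Postman collection.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

class Program
{
    // Placeholders: replace with the authZ server and API of your deployment.
    const string TokenEndpoint = "https://{yourOktaDomain}/oauth2/default/v1/token";
    const string ApiUrl = "https://localhost:5001/api/values";
    const string Scope = "api.read"; // placeholder custom scope granted to the service app

    static async Task<int> Main()
    {
        string clientId = Environment.GetEnvironmentVariable("API_CLIENT_ID")
            ?? throw new InvalidOperationException("API_CLIENT_ID is not set");
        string clientSecret = Environment.GetEnvironmentVariable("API_CLIENT_SECRET")
            ?? throw new InvalidOperationException("API_CLIENT_SECRET is not set");

        using var http = new HttpClient();

        // Client authentication via HTTP Basic (RFC 6749 section 2.3.1).
        string basic = Convert.ToBase64String(
            Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));

        var tokenRequest = new HttpRequestMessage(HttpMethod.Post, TokenEndpoint);
        tokenRequest.Headers.Authorization = new AuthenticationHeaderValue("Basic", basic);
        tokenRequest.Content = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "client_credentials",
            ["scope"] = Scope,
        });

        using HttpResponseMessage tokenResponse = await http.SendAsync(tokenRequest);
        string body = await tokenResponse.Content.ReadAsStringAsync();
        if (!tokenResponse.IsSuccessStatusCode)
        {
            // The error body names the problem (invalid_client, invalid_scope, ...).
            Console.Error.WriteLine($"Token request failed: {(int)tokenResponse.StatusCode} {body}");
            return 1;
        }

        using JsonDocument doc = JsonDocument.Parse(body);
        string accessToken = doc.RootElement.GetProperty("access_token").GetString()
            ?? throw new InvalidOperationException("token response has no access_token");

        // Call the protected API exactly as the web client does: Bearer header only.
        var apiRequest = new HttpRequestMessage(HttpMethod.Get, ApiUrl);
        apiRequest.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using HttpResponseMessage apiResponse = await http.SendAsync(apiRequest);
        Console.WriteLine($"API responded {(int)apiResponse.StatusCode} {apiResponse.StatusCode}");
        Console.WriteLine(await apiResponse.Content.ReadAsStringAsync());
        return apiResponse.IsSuccessStatusCode ? 0 : 1;
    }
}
```

Because the token is issued to a service app rather than a user, the API sees the client id as the subject and whatever scopes that app was granted; keep those scopes minimal and per-tester so that a leaked Postman credential can be revoked without affecting anyone else.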