TaskHub.Shared

TaskHub.Shared.Authorization.Identity - Technical Manual

The TaskHub.Shared.Authorization.Identity module provides a comprehensive, production-ready identity and access management (IAM) implementation. It bridges standard JWT-based authentication with TaskHub’s specific business requirements, such as real-time user status tracking and granular claim resolution.

🏛 Deep Architecture

1. UserStatusMiddleware: The Gatekeeper

Unlike standard JWT middleware that only validates the signature, the UserStatusMiddleware performs real-time checks on the user’s current status:

1. Token Extraction: It extracts the Bearer token from the Authorization header.
2. Identity Resolution: It uses ITokenService to parse and validate the token, populating the ClaimsPrincipal.
3. Real-Time Status Check: It queries the distributed cache (Redis) or memory cache to verify if the user account has been Blocked, Deleted, or Disabled since the token was issued.
4. Short-Circuit: If the user’s status is invalid, it immediately returns a 401 Unauthorized or 403 Forbidden with a structured Result body, preventing the request from reaching the application layer.

2. Scoped IUserService Resolution

The UserService is registered with a Scoped lifetime, ensuring it is fresh for every HTTP request:

• Claim Mapping: It maps standard OIDC claims to TaskHub primitives (e.g., UserId).
• Security Context: It provides a thread-safe way to access the current user’s ID, roles, and custom claims without manually parsing HttpContext.User in every service.

---

🛠 API Reference

IUserService

| Property / Method | Type | Description | | :— | :— | :— | | UserId | Guid | The unique identifier of the currently authenticated user. | | Roles | IEnumerable<string> | List of roles assigned to the user. | | IsInRole(string role) | bool | Helper to check role membership. | | GetClaim(string type) | string? | Retrieves a specific claim value by its type. |

ITokenService

| Method | Description | | :— | :— | | string CreateToken(User user) | Generates a new JWT token for the given user. | | ClaimsPrincipal GetPrincipal(string token) | Validates a token and returns its principal. |

---

🚀 Real-World Implementation Examples

1. Advanced Policy-Based Authorization

[Authorize(Roles = "Admin, Manager")]
[HttpPost("secure-action")]
public async Task<Result> ExecuteSecureAction()
{
    var userId = _userService.UserId;
    // ...
}

2. Manual Token Generation (Identity Service)

public async Task<ValueResult<string>> LoginAsync(LoginRequest req)
{
    var user = await _repo.GetByEmailAsync(req.Email);
    if (!PasswordHasher.Verify(user.Password, req.Password))
        return ResultFactory.OnFailed(401, "Invalid credentials");

    var token = _tokenService.CreateToken(user);
    return ResultFactory.OnSuccess(token);
}

---

⚙️ Configuration Schema (appsettings.json)

"Jwt": {
  "Issuer": "TaskHub.Identity",
  "Audience": "TaskHub.Services",
  "Key": "at-least-32-character-long-secret-key",
  "ExpiryInMinutes": 1440,
  "ValidateLifetime": true,
  "ValidateIssuer": true,
  "ValidateAudience": true
}

---

👁 Telemetry & Diagnostics

Standard Tags

Every authenticated request is tagged with:

• user.id: The ID of the authenticated user.
• user.roles: Comma-separated list of roles.

Metrics

• auth_success_total: Counter for successful authentications.
• auth_failure_total: Counter for failed attempts (tagged by reason: invalid_token, blocked_user).

---

✅ Best Practices & Anti-Patterns

🟢 Best Practices

• Long Keys: Use at least 256-bit keys for HS256 (32 characters).
• Short Expiry: Use short-lived access tokens (15-60 mins) and implement refresh tokens if needed.
• Use IUserService: Always inject IUserService instead of accessing HttpContext.User directly to ensure consistent behavior.

🔴 Anti-Patterns

• Storing Sensitive Data in JWT: Do not put passwords or PII in JWT claims; the payload is only Base64 encoded, not encrypted.
• Disabling Real-Time Checks: Do not disable the UserStatusMiddleware in production, as it is the only way to immediately revoke access for blocked users.

This site is open source. Improve this page.