This REST API demonstrates authentication and authorization with JWT tokens. It also shows how to use different authorization policies in minimal API endpoints and how to add custom claims using middleware, all implemented using Clean Architecture and various design patterns.
The example API allows you to:
- register a user
- log in a user
- change a user's role
- get user and service info
Endpoints use different types of authorization policies.
Simply run Auth.API and try it:
- Go to the Tests/HttpDebugTests folder and open the debug-tests.http file (in VS2022)
- Send the Login request
- Obtain the jwtToken from the response and use it in the other requests in the Authorization header
The main motivation is to provide a practical example of authorization and authentication with minimal API and Clean Architecture.
The project follows Clean Architecture, but the application layer is split into Core and Domain projects. The Core project holds the business rules, while the Domain project contains the business entities.
Because Minimal API allows handlers to be injected into endpoint map methods, I decided not to use MediatR. Nonetheless, every endpoint still has its own request and handler. The solution follows the CQRS pattern, meaning that handlers are separated into commands and queries: command handlers handle command requests, and query handlers handle query requests. Likewise, the repositories (Repository pattern) are separated into command and query repositories.
Instead of throwing exceptions, the project uses the Result pattern (via the FluentResults package). For returning precise HTTP responses, every handler returns data wrapped in an HttpDataResponse object, which also contains a collection of error messages and the HTTP response code.
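The following is an added illustration of the handler shape described above, not code from this repository: a CQRS command handler that returns a FluentResults `Result` wrapping an `HttpDataResponse`, and the minimal API endpoint that receives the handler through parameter injection instead of a mediator. Only `HttpDataResponse` and FluentResults come from the README; `LoginCommand`, `LoginResponse`, `User`, `IUserQueryRepository`, `IPasswordHasher`, `ITokenService` and the exact members of `HttpDataResponse` are assumptions made for this example.

```csharp
// Added illustration, not the repository's own code. HttpDataResponse and
// FluentResults are named in the README; every other type here is assumed.
using System;
using System.Collections.Generic;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using FluentResults;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Routing;

// Assumed shape: payload, HTTP status code and a collection of error messages.
public sealed class HttpDataResponse<T>
{
    public T? Data { get; init; }
    public HttpStatusCode StatusCode { get; init; }
    public IReadOnlyCollection<string> Errors { get; init; } = Array.Empty<string>();

    public static HttpDataResponse<T> Ok(T data) =>
        new() { Data = data, StatusCode = HttpStatusCode.OK };

    public static HttpDataResponse<T> Fail(HttpStatusCode code, params string[] errors) =>
        new() { StatusCode = code, Errors = errors };
}

// Assumed domain type, request/response records and Core-layer abstractions
// (their implementations would live in the Infrastructure layer).
public sealed record User(Guid Id, string Email, string PasswordHash, string Role);
public sealed record LoginCommand(string Email, string Password);
public sealed record LoginResponse(string JwtToken);
public interface IUserQueryRepository { Task<User?> GetByEmailAsync(string email, CancellationToken ct); }
public interface IPasswordHasher { bool Verify(string password, string passwordHash); }
public interface ITokenService { string CreateToken(User user); }

// Command handler: expected outcomes are never thrown. The HTTP verdict travels
// inside HttpDataResponse; the outer Result only says whether the handler ran.
public sealed class LoginCommandHandler
{
    private readonly IUserQueryRepository _users;
    private readonly IPasswordHasher _hasher;
    private readonly ITokenService _tokens;

    public LoginCommandHandler(IUserQueryRepository users, IPasswordHasher hasher, ITokenService tokens)
    {
        _users = users;
        _hasher = hasher;
        _tokens = tokens;
    }

    public async Task<Result<HttpDataResponse<LoginResponse>>> HandleAsync(LoginCommand command, CancellationToken ct)
    {
        if (string.IsNullOrWhiteSpace(command.Email) || string.IsNullOrEmpty(command.Password))
            return Result.Ok(HttpDataResponse<LoginResponse>.Fail(HttpStatusCode.BadRequest, "Email and password are required."));

        var user = await _users.GetByEmailAsync(command.Email, ct);

        // One generic message for both "unknown user" and "wrong password",
        // so the endpoint does not reveal which accounts exist.
        if (user is null || !_hasher.Verify(command.Password, user.PasswordHash))
            return Result.Ok(HttpDataResponse<LoginResponse>.Fail(HttpStatusCode.Unauthorized, "Invalid credentials."));

        var jwt = _tokens.CreateToken(user);
        return Result.Ok(HttpDataResponse<LoginResponse>.Ok(new LoginResponse(jwt)));
    }
}

// Endpoint mapping: the handler is resolved from DI as a lambda parameter, so
// no mediator is needed. The HttpDataResponse is turned into an IResult that
// carries the status code the handler chose.
public static class LoginEndpoint
{
    public static IEndpointRouteBuilder MapLogin(this IEndpointRouteBuilder app)
    {
        app.MapPost("/auth/login", async (LoginCommand command, LoginCommandHandler handler, CancellationToken ct) =>
        {
            var result = await handler.HandleAsync(command, ct);
            if (result.IsFailed)
                return Results.Problem(statusCode: StatusCodes.Status500InternalServerError); // details stay in the logs

            var response = result.Value;
            return response.Errors.Count == 0
                ? Results.Json(response.Data, statusCode: (int)response.StatusCode)
                : Results.Json(new { response.Errors }, statusCode: (int)response.StatusCode);
        })
        .AllowAnonymous();

        return app;
    }
}
```

`LoginCommandHandler` must be registered in the service container (for example `builder.Services.AddScoped<LoginCommandHandler>()`) for the parameter injection in `MapPost` to work; the same pattern applies to every query and command handler in the Core project.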
The solution contains four layers:
- Auth.Api - entry point of the application, top layer
  - Endpoints
  - Middlewares (or Filters)
  - API Configuration
- Auth.Infrastructure - layer for communication with external resources like databases, caches, web services, etc.
  - Repositories implementation - access to the database
  - External service proxies - proxy class implementations used to obtain data from external web services
  - Infrastructure-specific services - services needed to interact with external libraries and frameworks
- Auth.Core - business logic of the application
  - Request handlers/managers/... - business implementation
  - Abstractions - besides the abstractions for the business logic, this layer also defines the abstractions for the Infrastructure layer (services, repositories, ...) so that they can be used from Core without depending on Infrastructure
- Auth.Domain - everything that should be shared across all projects
  - DTOs
  - General extensions
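The Auth.Api layer is where the README's JWT authentication, custom-claims middleware and per-endpoint authorization policies are wired together. The following is an added illustration of that wiring, not code from this repository: policy and claim names, the `ICustomClaimsProvider` abstraction, its in-memory stand-in and the `Jwt:*` configuration keys are all assumptions made for this example.

```csharp
// Added illustration of the API-layer wiring, not the repository's own code.
// Policy names, claim names, ICustomClaimsProvider and the configuration keys
// are assumptions for this example.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Signing key and issuer/audience come from configuration (user-secrets or
// environment variables in real deployments). Every validation switch is on,
// so a token with a wrong issuer, audience, signature or lifetime is rejected.
var jwtSection = builder.Configuration.GetSection("Jwt");
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(jwtSection["Key"]!));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true,
            ValidIssuer = jwtSection["Issuer"],
            ValidateAudience = true,
            ValidAudience = jwtSection["Audience"],
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = signingKey,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromSeconds(30),
        };
    });

// Two different policy types: one role-based, one based on a custom claim
// that only the middleware below adds to the principal.
builder.Services.AddAuthorization(options =>
{
    options.AddPolicy("AdminOnly", policy => policy.RequireRole("Admin"));
    options.AddPolicy("EmailVerified", policy => policy.RequireClaim("email_verified", "true"));
});
builder.Services.AddScoped<ICustomClaimsProvider, InMemoryClaimsProvider>();

var app = builder.Build();

app.UseAuthentication();

// Custom-claims middleware. It must run after UseAuthentication (so the
// principal has already been built from the validated JWT) and before
// UseAuthorization (so the policies evaluate the enriched principal). It only
// adds claims to an already-authenticated identity; it never creates one.
app.Use(async (context, next) =>
{
    if (context.User.Identity is ClaimsIdentity { IsAuthenticated: true } identity)
    {
        var provider = context.RequestServices.GetRequiredService<ICustomClaimsProvider>();
        identity.AddClaims(provider.GetClaims(context.User));
    }
    await next(context);
});

app.UseAuthorization();

// Service info is public; the other endpoints each use a different policy.
app.MapGet("/service/info", () => Results.Ok(new { Service = "Auth.API", Status = "ok" }))
   .AllowAnonymous();

app.MapGet("/users/me", (ClaimsPrincipal user) => Results.Ok(new
    {
        Name = user.Identity?.Name,
        Roles = user.FindAll(ClaimTypes.Role).Select(c => c.Value),
    }))
   .RequireAuthorization("EmailVerified");

// Stand-in for the real change-role command handler; only admins reach it.
app.MapPut("/users/{id:guid}/role", (Guid id, string role) => Results.Ok(new { id, role }))
   .RequireAuthorization("AdminOnly");

app.Run();

// Core-layer abstraction (assumed) that supplies extra claims for an
// authenticated subject; the Infrastructure layer would implement it.
public interface ICustomClaimsProvider
{
    IEnumerable<Claim> GetClaims(ClaimsPrincipal principal);
}

// Constructed stand-in for the Infrastructure implementation: a fixed set of
// verified e-mail addresses instead of a database lookup.
public sealed class InMemoryClaimsProvider : ICustomClaimsProvider
{
    private static readonly HashSet<string> Verified =
        new(StringComparer.OrdinalIgnoreCase) { "alice@example.com" };

    public IEnumerable<Claim> GetClaims(ClaimsPrincipal principal)
    {
        var email = principal.FindFirst(ClaimTypes.Email)?.Value;
        if (email is not null && Verified.Contains(email))
            yield return new Claim("email_verified", "true");
    }
}
```

The order of `UseAuthentication`, the claims middleware and `UseAuthorization` is the part worth checking in a review: if the middleware is placed before `UseAuthentication`, `context.User` is still anonymous and no claim is added; if it is placed after `UseAuthorization`, the `EmailVerified` policy has already been evaluated without the claim and every request to `/users/me` fails with 403.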