NowAround.SharedKernel.Api.Authentication 0.3.0

NowAround.SharedKernel.Api.Authentication

Shared authentication primitives for internal NowAround HTTP service calls.

The package supports two cases:

  • User-initiated service-to-service calls with a short-lived NowAround access token.
  • Autonomous service-to-service calls with a service API key.

Configuration

{
  "InternalJwt": {
    "Issuer": "nowaround",
    "Audience": "nowaround-internal-services",
    "SigningKey": "replace-with-a-long-secret",
    "LogEvents": false,
    "AccessTokenLifetimeMinutes": 60
  },
  "InternalServiceApiKey": {
    "HeaderName": "X-NowAround-Service-Key",
    "LogEvents": false,
    "ApiKeys": {
      "area-service": "replace-with-area-service-key",
      "venue-service": "replace-with-venue-service-key"
    }
  }
}
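
The sample values above are placeholders, so a deployment that copies them unchanged runs on guessable secrets. The following startup check is an added example, not part of the package: it reads the same configuration keys and reports placeholder, short, or reused secrets. The `InternalAuthConfigCheck` class, the 32-byte minimum, and the sample keys are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.Extensions.Configuration;

// Constructed sample input: the README placeholder plus one key reused by two services.
var config = new ConfigurationBuilder()
    .AddInMemoryCollection(new Dictionary<string, string?>
    {
        ["InternalJwt:SigningKey"] = "replace-with-a-long-secret",
        ["InternalServiceApiKey:ApiKeys:area-service"] = "constructed-sample-key-0123456789abcdef",
        ["InternalServiceApiKey:ApiKeys:venue-service"] = "constructed-sample-key-0123456789abcdef",
    })
    .Build();

foreach (var problem in InternalAuthConfigCheck.FindProblems(config))
    Console.WriteLine(problem); // reports the setting path only, never the secret itself

public static class InternalAuthConfigCheck
{
    private const int MinSecretBytes = 32; // assumed minimum, not a value from the package

    public static List<string> FindProblems(IConfiguration config)
    {
        var problems = new List<string>();
        CheckSecret("InternalJwt:SigningKey", config["InternalJwt:SigningKey"], problems);

        var ownerByKey = new Dictionary<string, string>(StringComparer.Ordinal);
        foreach (var entry in config.GetSection("InternalServiceApiKey:ApiKeys").GetChildren())
        {
            CheckSecret(entry.Path, entry.Value, problems);
            if (string.IsNullOrEmpty(entry.Value)) continue;
            // A key shared by two services no longer identifies which service is calling.
            if (!ownerByKey.TryAdd(entry.Value, entry.Key))
                problems.Add($"{entry.Path}: same key as service '{ownerByKey[entry.Value]}'");
        }
        return problems;
    }

    private static void CheckSecret(string path, string? value, List<string> problems)
    {
        if (string.IsNullOrWhiteSpace(value)) { problems.Add($"{path}: missing"); return; }
        if (value.StartsWith("replace-with-", StringComparison.Ordinal))
            problems.Add($"{path}: still the placeholder from the sample configuration");
        if (Encoding.UTF8.GetByteCount(value) < MinSecretBytes)
            problems.Add($"{path}: shorter than {MinSecretBytes} bytes");
    }
}
```

In a service, call `FindProblems(builder.Configuration)` before registering authentication and fail startup when the list is not empty.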

Register Token Issuing and Authentication

Token issuing only. Use this in an upstream service that only needs to create user access tokens for outgoing HTTP calls:

builder.Services.AddNowAroundAccessTokenIssuer();

Downstream API accepts user-initiated bearer access tokens:

builder.Services.AddNowAroundUserAccessTokenAuthentication();

Downstream API accepts autonomous service API keys:

builder.Services.AddNowAroundAutonomousServiceApiKeyAuthentication();

Downstream API accepts both user access tokens and autonomous service API keys:

builder.Services.AddNowAroundUserOrAutonomousServiceAuthentication();

When both are registered, the default scheme chooses API key authentication if the configured API key header exists; otherwise it uses bearer token authentication.

app.UseAuthentication();
app.UseAuthorization();

Create a User Access Token

using NowAround.SharedKernel.Api.Authentication.AccessToken;
using NowAround.SharedKernel.Api.Authentication.AccessToken.Extensions;
using NowAround.SharedKernel.Api.Authentication.AccessToken.Models;

var context = new NowAroundAccessTokenContext
{
    InternalUserId = userId,
    Email = email,
    Subject = subject,
    AccountState = NowAroundAccountState.Active,
    AdminAccountId = adminAccountId,
    CorporateAccountId = corporateAccountId
};

context
    .SetExtension("tenant_code", tenantCode)
    .SetExtension("is_impersonated", false)
    .SetJsonExtension("source", new { app = "bff", sessionId });

var token = accessTokenService.CreateAccessToken(context);

Extensions are optional. Services should read and write them through the helper methods instead of manually editing the dictionary.

Roles

Access token authentication creates normal ASP.NET Core role claims, so [Authorize], policies, and FastEndpoints Roles() checks work with these values:

  • na.user
  • na.admin
  • na.corp
  • na.service

User access tokens receive na.admin when AdminAccountId exists, na.corp when CorporateAccountId exists, otherwise na.user. Service API key authentication receives na.service.

Read the Caller

The bearer handler stores the parsed access token context in HttpContext.Items. The API key handler stores the service actor in HttpContext.Items.

using NowAround.SharedKernel.Api.Authentication;
using NowAround.SharedKernel.Api.Authentication.AccessToken.Extensions;

if (HttpContext.TryGetNowAroundAccessTokenContext(out var tokenContext))
{
    var internalUserId = tokenContext.InternalUserId;

    if (tokenContext.TryGetJsonExtension<SourceInfo>("source", out var source))
    {
        // use source
    }
}

if (HttpContext.TryGetNowAroundServiceActor(out var service))
{
    var serviceName = service.ServiceName;
}

You can also parse HttpContext.User directly:

if (User.TryGetNowAroundUser(out var user))
{
    var roles = user.Roles;
}

if (User.TryGetNowAroundService(out var service))
{
    var serviceName = service.ServiceName;
}

Endpoint Schemes

With AddNowAroundUserOrAutonomousServiceAuthentication(), a default [Authorize] accepts either a bearer token or a service API key.

To force one mechanism:

[Authorize(AuthenticationSchemes = NowAroundAuthenticationSchemes.AccessToken)]
public sealed class UserOnlyController : ControllerBase
{
}

[Authorize(AuthenticationSchemes = NowAroundAuthenticationSchemes.ServiceApiKey)]
public sealed class ServiceOnlyController : ControllerBase
{
}
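
Because a default [Authorize] admits any authenticated caller, an endpoint meant for one caller type should pin both the scheme and the role. The following minimal API wiring is an added example, not code from the package: the policy names and routes are hypothetical, and it assumes the registration and HttpContext extension methods live in the root `NowAround.SharedKernel.Api.Authentication` namespace.

```csharp
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using NowAround.SharedKernel.Api.Authentication; // assumed namespace of the extensions used below

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddNowAroundUserOrAutonomousServiceAuthentication();

builder.Services.AddAuthorization(options =>
{
    // Admin users only: only the bearer scheme is evaluated, so an API key cannot satisfy it.
    options.AddPolicy("AdminUser", p => p
        .AddAuthenticationSchemes(NowAroundAuthenticationSchemes.AccessToken)
        .RequireRole("na.admin"));

    // Autonomous services only: only the API key scheme is evaluated.
    options.AddPolicy("ServiceOnly", p => p
        .AddAuthenticationSchemes(NowAroundAuthenticationSchemes.ServiceApiKey)
        .RequireRole("na.service"));
});

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Default policy: either mechanism authenticates, and every role passes.
app.MapGet("/venues", () => Results.Ok()).RequireAuthorization();

// Hypothetical admin route: a user token without na.admin is rejected.
app.MapDelete("/venues/{id}", (string id) => Results.NoContent())
   .RequireAuthorization("AdminUser");

// Hypothetical internal route: the service actor names the calling service for audit.
app.MapPost("/internal/reindex", (HttpContext http) =>
        http.TryGetNowAroundServiceActor(out var service)
            ? Results.Ok(new { requestedBy = service.ServiceName })
            : Results.Forbid())
   .RequireAuthorization("ServiceOnly");

app.Run();
```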


Version Downloads Last updated
0.3.0 30 06/03/2026
0.2.1-ci.254 3 06/01/2026
0.2.0 11 06/01/2026
0.2.0-ci.235 5 05/30/2026
0.2.0-ci.218 11 05/26/2026
0.1.1-ci.214 2 05/23/2026
0.1.0 15 05/19/2026
0.0.1 21 05/15/2026