Service Authentication Integration (AUTH-002)
Overall Status: 100% COMPLETE ✅ Completed: 2025-12-12 Effort: 24 hours
Summary
| Component | Status | Files Modified | Lines Added |
|---|---|---|---|
| Blueprint Service | ✅ 100% | 2 files | ~140 lines |
| Wallet Service | ✅ 100% | 3 files | ~140 lines |
| Register Service | ✅ 100% | 2 files | ~140 lines |
| API Gateway | ✅ 100% | 2 files | ~15 lines |
| Configuration | ✅ 100% | 2 files | ~25 lines |
| Documentation | ✅ 100% | 2 files | ~384 lines |
| TOTAL | ✅ 100% | 13 files | ~844 lines |
JWT Bearer Authentication - COMPLETE ✅
All three core services now have JWT Bearer authentication integrated with the Tenant Service.
Blueprint Service Authentication ✅
Implementation: src/Services/Sorcha.Blueprint.Service/Extensions/AuthenticationExtensions.cs
- ✅ JWT Bearer token validation
- ✅ Token issuer:
https://tenant.sorcha.io - ✅ Token audience:
https://api.sorcha.io - ✅ Symmetric key signing (HS256)
- ✅ 5-minute clock skew tolerance
- ✅ Authentication logging
Authorization Policies:
| Policy | Description | Requirements |
|---|---|---|
| CanManageBlueprints | Create, update, delete blueprints | org_id OR service token |
| CanExecuteBlueprints | Execute blueprint actions | Authenticated user |
| CanPublishBlueprints | Publish blueprints | can_publish_blueprint OR Administrator |
| RequireService | Service-to-service operations | token_type=service |
Protected Endpoints:
/api/blueprints- Blueprint management/api/blueprints/{id}/execute- Action execution
Wallet Service Authentication ✅
Implementation: src/Services/Sorcha.Wallet.Service/Extensions/AuthenticationExtensions.cs
- ✅ JWT Bearer token validation
- ✅ Shared JWT configuration
- ✅ Authentication logging
Authorization Policies:
| Policy | Description | Requirements |
|---|---|---|
| CanManageWallets | Create, list wallets | org_id OR service token |
| CanUseWallet | Sign, encrypt, decrypt | Authenticated user |
| RequireService | Service-to-service ops | token_type=service |
Protected Endpoints:
/api/v1/wallets- Wallet management/api/v1/wallets/{id}/sign- Signing operations/api/v1/wallets/{id}/encrypt- Encryption operations
Register Service Authentication ✅
Implementation: src/Services/Sorcha.Register.Service/Extensions/AuthenticationExtensions.cs
- ✅ JWT Bearer token validation
- ✅ Shared JWT configuration
- ✅ Authentication logging
Authorization Policies:
| Policy | Description | Requirements |
|---|---|---|
| CanManageRegisters | Create/configure registers | org_id OR service token |
| CanSubmitTransactions | Submit transactions | Authenticated user |
| CanReadTransactions | Query transactions | Authenticated user |
| RequireService | Service-to-service notifications | token_type=service |
| RequireOrganizationMember | Organization member ops | org_id claim |
Protected Endpoints:
/api/registers- Register management/api/registers/{registerId}/transactions- Transaction submission/api/query/*- Query APIs/api/registers/{registerId}/dockets- Docket queries
Configuration
Shared Configuration: appsettings.jwt.json
json
{
"JwtSettings": {
"Issuer": "https://tenant.sorcha.io",
"Audience": "https://api.sorcha.io",
"SigningKey": "your-secret-key-min-32-characters",
"AccessTokenLifetimeMinutes": 60,
"RefreshTokenLifetimeHours": 24,
"ServiceTokenLifetimeHours": 8,
"ClockSkewMinutes": 5,
"ValidateIssuer": true,
"ValidateAudience": true,
"ValidateIssuerSigningKey": true,
"ValidateLifetime": true
}
}Documentation
File: docs/guides/AUTHENTICATION-SETUP.md (364 lines)
- ✅ Architecture overview with service diagram
- ✅ Configuration guide for all services
- ✅ Authentication flows (user login, service-to-service OAuth2)
- ✅ Token claims structure (user tokens, service tokens)
- ✅ Testing procedures with curl examples
- ✅ Authorization policy reference tables
- ✅ Troubleshooting guide (401/403 errors, token validation)
- ✅ Security best practices (development and production)
- ✅ Azure Key Vault integration guide
Packages Added
- ✅
Microsoft.AspNetCore.Authentication.JwtBearerv10.0.0 to all three services
API Gateway JWT Validation - COMPLETE ✅
Implementation: src/Services/Sorcha.ApiGateway/Program.csCompleted: 2026-01-31
- ✅ JWT Bearer token validation at gateway level
- ✅ Shared JWT settings via ServiceDefaults
- ✅ Authentication middleware in request pipeline
- ✅ Protected endpoints return 401 without valid tokens
- ✅ Public endpoints (health, stats) remain accessible
- ✅ Automatic token forwarding to backend services via YARP
Configuration:
- JWT settings configured via docker-compose environment variables
- Uses shared JWT signing key across all services (
x-jwt-env) - Issuer:
http://localhost(viaJwtSettings__InstallationName) - Authentication integrated without breaking existing functionality
Pending Work
- 📋 Peer Service authentication (service not yet implemented)
Back to: Development Status