Hi, I have an ASP.NET Core 8 WebAssembly solution with two clients and an API server. One of the clients (noAuthJWT) is public and must have no authentication for users; the other is back-office and protected with JWT authentication. Wanting to use a hidden account on the client (noAuthJWT) with minimal privileges that would be the same for everyone, I wonder what possible problems this setting can generate. I specify that the transactions generated by the client (noAuthJWT) are discriminated based on the user name, which is requested outside the solution's Identity platform. Furthermore, the reason why I would like to do this fictitious authentication is to further limit access to the server APIs, among which there are also two SignalR hubs.

What I have tried:

I tried opening multiple simultaneous sessions with the same account on the second client, and it seems to work correctly, but I would like to have the opinion of someone with more experience:
Have you ever done something like this?
Do you think there could be any problems?
Sorry if perhaps I'm asking something trivial, but I really would like to make sure I don't make any gross mistakes.
Thanks to anyone who can tell me anything about this topic.
Posted
Updated 23-Feb-24 8:50am
v2
Comments
[no name] 23-Feb-24 15:00pm    
Sounds like the definition of a "guest" account.
MaMon2010 23-Feb-24 15:25pm    
Yes, a sort of Guest, but with a bearer token shared with other Guest users.
MaMon2010 23-Feb-24 15:51pm    
I can also add that the expiration time of the token is different between the various "Guest" users, as I have verified that each one is given its expiration time based on the moment in which they log in.
[no name] 24-Feb-24 3:31am    
How can a "shared token" have "different" expiry times? And a guest is not anonymous in that sense; it's a session. Which is different from other sessions.
MaMon2010 24-Feb-24 9:43am    
As mentioned, it is a WebAssembly solution and, as my code is set up, each "Guest" client logs in in a hidden way with the same account (a single one for everyone). Upon login the token is the same, but the expiration time is regenerated. Therefore the duration of the token becomes individual for each client. I checked this in Debug. However, I agree that at the session level things are also distinct for the server, and this is precisely the objective I am trying to verify with you.
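For the design discussed in the question and in the comments above, the point that matters on the server side is that the shared "Guest" login must be treated as a role with the least privilege it needs, not as a user, and that the back-office APIs and hubs must be gated by a policy the guest role cannot satisfy. Anything shipped to a browser WebAssembly client can be read by whoever loads it, so the hidden credential does not protect the API by itself; the server-side policy does. The following is an added example, not code from the original question or from the poster's project, showing how that looks in a minimal ASP.NET Core 8 host. The issuer, audience, route names, role names and the configuration key `Jwt:Key` are assumptions. It also illustrates the expiry discussion: because `exp` (and here a `jti`) is part of the signed payload, two guest logins produce two distinct tokens that the server validates independently, even though both carry the same role.

```csharp
// Added example (not from the original question): a minimal ASP.NET Core 8 host that issues a
// short-lived, least-privilege "Guest" JWT to the public client and keeps back-office APIs and
// hubs behind a separate role. Issuer, audience, routes, role names and key source are assumptions.
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.SignalR;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);

// Assumption: the signing key lives in server configuration or a secret store.
// It is never shipped to the WebAssembly client; only the issued token is.
var signingKey = new SymmetricSecurityKey(
    Encoding.UTF8.GetBytes(builder.Configuration["Jwt:Key"] ?? "REPLACE-WITH-32+-BYTE-SECRET-FROM-CONFIG"));

builder.Services
    .AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddJwtBearer(o =>
    {
        o.TokenValidationParameters = new TokenValidationParameters
        {
            ValidIssuer = "example-issuer",
            ValidAudience = "example-api",
            IssuerSigningKey = signingKey,
            ValidateLifetime = true,          // each guest token expires on its own exp claim
            ClockSkew = TimeSpan.FromSeconds(30)
        };
        // SignalR's WebSocket transport cannot send an Authorization header, so accept the
        // token from the access_token query parameter, but only on hub routes.
        o.Events = new JwtBearerEvents
        {
            OnMessageReceived = ctx =>
            {
                if (ctx.HttpContext.Request.Path.StartsWithSegments("/hubs") &&
                    ctx.Request.Query.TryGetValue("access_token", out var t))
                    ctx.Token = t;
                return Task.CompletedTask;
            }
        };
    });

builder.Services.AddAuthorizationBuilder()
    // The shared hidden account only ever receives the Guest role ...
    .AddPolicy("PublicClient", p => p.RequireRole("Guest", "BackOffice"))
    // ... and the back-office policy cannot be satisfied by it.
    .AddPolicy("BackOffice", p => p.RequireRole("BackOffice"));

builder.Services.AddSignalR();

var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();

// Endpoint the public client calls silently at start-up. The token carries no user identity;
// the per-transaction user name the question mentions is sent separately by the client and
// must never be used for authorization decisions, only for labelling the transaction.
app.MapPost("/token/guest", () => Results.Ok(new { token = IssueGuestToken(signingKey) }));

app.MapGet("/api/catalog", () => "data visible to the guest client")
   .RequireAuthorization("PublicClient");
app.MapGet("/api/backoffice/report", () => "back-office only")
   .RequireAuthorization("BackOffice");

app.MapHub<PublicHub>("/hubs/public").RequireAuthorization("PublicClient");
app.MapHub<BackOfficeHub>("/hubs/backoffice").RequireAuthorization("BackOffice");

app.Run();

static string IssueGuestToken(SecurityKey key)
{
    var now = DateTime.UtcNow;
    var jwt = new JwtSecurityToken(
        issuer: "example-issuer",
        audience: "example-api",
        claims: new[]
        {
            new Claim(ClaimTypes.Role, "Guest"),
            // A fresh jti per issuance: no two guest clients hold a byte-identical token,
            // and exp below differs per login, which is what the comments observed in Debug.
            new Claim(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
        },
        notBefore: now,
        expires: now.AddMinutes(15),   // short lifetime bounds how long a leaked token is usable
        signingCredentials: new SigningCredentials(key, SecurityAlgorithms.HmacSha256));
    return new JwtSecurityTokenHandler().WriteToken(jwt);
}

[Authorize(Policy = "PublicClient")]
public class PublicHub : Hub { }

[Authorize(Policy = "BackOffice")]
public class BackOfficeHub : Hub { }
```

Two design choices are worth noting. First, the guest token deliberately contains no subject or name claim, so nothing in it can be mistaken for a real user on the server; the back-office client obtains its token through the normal Identity login and receives the `BackOffice` role instead. Second, the hub and API endpoints are protected by the same policies, so a guest token that is valid for `/api/catalog` is rejected by `/hubs/backoffice` for the same reason it is rejected by `/api/backoffice/report`, which is the "further limiting" the question asks about.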

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)
