Auth
Authentication—the process of verifying who a user is—is the front door to your application. Getting it right is absolutely critical for security. Building a secure authentication system from scratch is notoriously difficult and fraught with potential pitfalls, from insecure password storage to complex credential management.
That’s why SliceFlow takes a modern, security-first approach: it doesn’t handle authentication itself.
Instead of reinventing the wheel, SliceFlow is designed to integrate seamlessly with specialized, external identity providers. Think of services like Auth0, Azure Active Directory, Zitadel, or IdentityServer. These services are built by security experts, are battle-tested across thousands of applications, and take on the heavy lifting of user authentication for you. This approach means:
- You never store passwords: This eliminates a massive security risk.
- You don’t manage credentials: No need to worry about password policies or reset flows.
- You leverage proven security: Your application’s security is backed by teams of experts.
SliceFlow’s role is to securely validate the information (in the form of a JWT, or JSON Web Token) that these providers give you, and then use that information to manage user sessions and permissions within your application.
Setting Up Your Front Door
Configuring authentication in SliceFlow is a simple, two-step process.
Step 1: Configure Authentication Services
First, you tell your application to use SliceFlow’s authentication services by adding one line to your Program.cs file:
builder ... .ConfigureAuth() ...Step 2: Connect to Your Identity Provider
Next, you need to tell SliceFlow where to find your chosen identity provider. You do this in your appsettings.json file:
{ "Auth": { "Jwt": { "Authority": "https://your-identity-provider.com", "Audience": "your-client-id" } }}Authority: This is the URL of your identity provider. It’s how SliceFlow knows who to trust.Audience: This is an identifier for your application, ensuring that the tokens it receives are intended for it and not for some other application.
Automatic User Management: The Magic Inside
Here’s where SliceFlow’s integration really shines. When a user logs in through your identity provider and their browser sends a request to your API, a carefully orchestrated process happens automatically:
- Token Validation: SliceFlow intercepts the incoming JWT and performs a series of rigorous security checks. It verifies that the token was issued by your trusted
Authority, is intended for yourAudience, hasn’t expired, and is, in all ways, a legitimate token. - User Sync: The system then looks at the unique identifier for the user within the token.
- If it’s a user SliceFlow has seen before, it retrieves their profile from the database.
- If it’s a brand-new user, it automatically creates a new user account for them in your database, ready to go.
- Permission Injection: Once the user is identified, SliceFlow fetches all of their assigned permissions and dynamically injects them into the user’s session.
This means that from the very first request, you have a fully-formed user profile, complete with all their permissions, ready to use.
A Richer, More Secure Session
This process of enhancing the user’s session with your internal data is incredibly powerful. It means that for any subsequent request, you can instantly:
- Get the user’s internal database ID.
- Check if they have a specific permission.
You can do this directly from the user’s context in your code, without needing to make extra database calls on every request. This is not only more efficient but also simplifies your application logic.
For example, checking if a user has permission to list all other users is as simple as:
if (User.HasClaim("Permissions", "User.ListAll")){ // The user is authorized, proceed with the logic.}By delegating the complexities of authentication to the experts and providing a seamless, automatic bridge to your application’s user and permission models, SliceFlow gives you a secure, scalable, and developer-friendly foundation for your application.