I'll try to describe my problem. It's a bit complicated to explain, but I'll try.
I have an XData server that has several Service Operations + CRUD access:
ILoginService - used to log in and get the JWT that will be used for the other services. Based on the login, the user gets two different scopes: "easy" (for the app) and "webshop" (for the IWebShopService).
IWebShopService - for webshop access - only a few functions. User must have the "webshop" scope
IEasyService - for operations access - only for scope "easy".
I also want to have direct CRUD access (only List and Get) for my own applications (scope must be "easy"). I've set the XDataServer.DefaultEntitySetPermissions to [List,Get]. So CRUD must be visible only to logged-in users with the "easy" scope.
The login and JWT work OK. I marked the IWebShopService like this
I've set a breakpoint and it's hit, I think getting the scope "easy" is OK.
Yes, it works. Even more - it also works for an unlogged user - it seems like the EntityAuthorizeScopes is ignored.
I can send you the code and a dump of the MySQL database if it helps. It could be a problem because I create a "main" dataset module and then a dataset module for each DB... I don't know. All the security around CRUD and service operations is working weirdly... Probably my fault, but I can't find where.
I don't understand. First you said the service doesn't work (returns 403 forbidden). Now you say it works, it's even hit by a breakpoint. What is the real, detailed situation?
Aren't you getting "Unknown custom attribute" warning? Have you added XData.Security.Attributes unit to your uses clause?
I finally managed all the mess :) It was a combination of errors, so I just write them here, so anyone could get some help from my experience. I experimented so much with the attributes that I messed up claims, scopes and everything.
About CRUD: I forgot to add XData.Security.Attributes, I thought aurelius.Mapping.Attributes was enough.
About service operations: I mistakenly saved scopes in the wrong claim
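The two fixes the thread ends on (the entity attribute needs the XData.Security.Attributes unit in the uses clause, and the scopes must be issued in the claim the JWT middleware actually reads) can be shown together in one small setup. The following is an added example written for this thread, not code from the poster or from TMS; the entity, service contract, GUID, secret and credential check are all made up for illustration, and the server wiring is sketched in comments rather than copied from a real project.

```delphi
// --- Entities unit: CRUD (List/Get) restricted to the "easy" scope ---
unit Example.Entities;

interface

uses
  Aurelius.Mapping.Attributes,
  XData.Security.Attributes;   // without this unit EntityAuthorizeScopes is an "Unknown custom attribute"
                               // and is silently ignored, so unauthenticated callers still get List/Get

type
  [Entity, Automapping]
  [EntityAuthorizeScopes('easy')]   // only tokens carrying the "easy" scope may List/Get this entity set
  TProduct = class
  private
    FId: Integer;
    FName: string;
  public
    property Id: Integer read FId write FId;
    property Name: string read FName write FName;
  end;

implementation

end.

// --- Service contracts unit: per-operation scopes ---
unit Example.Services;

interface

uses
  XData.Service.Common,
  XData.Security.Attributes;

type
  [ServiceContract]
  IWebShopService = interface(IInvokable)
    ['{7C2B1F60-0000-4000-8000-000000000001}']   // placeholder GUID for the example
    [AuthorizeScopes('webshop')]    // caller needs the "webshop" scope
    function ListOffers: string;
  end;

  [ServiceContract]
  IEasyService = interface(IInvokable)
    ['{7C2B1F60-0000-4000-8000-000000000002}']   // placeholder GUID for the example
    [AuthorizeScopes('easy')]       // caller needs the "easy" scope
    function Ping: string;
  end;

implementation

end.

// --- Login: issue the JWT with the scopes in the "scope" claim ---
// XData's JWT middleware builds the user's scope set from the standard "scope" claim,
// a space-separated string. Putting scopes into some other claim name (the mistake in
// the thread) leaves the user with no scopes, so every [AuthorizeScopes]/[EntityAuthorizeScopes]
// check fails with 403 while the service method itself may still be hit in the debugger.
uses
  Bcl.Jose.Core.JWT, Bcl.Jose.Core.Builder;

const
  // constructed example secret; use a long random value loaded from configuration in practice
  JwtSecret = 'example-secret-at-least-32-bytes-long-xxxxxxx';

function IssueToken(const User: string; GrantWebShop: Boolean): string;
var
  JWT: TJWT;
  Scopes: string;
begin
  // credential check assumed to have succeeded before this point
  Scopes := 'easy';                    // every authenticated app user gets "easy"
  if GrantWebShop then
    Scopes := Scopes + ' webshop';     // webshop users additionally get "webshop"
  JWT := TJWT.Create;
  try
    JWT.Claims.SetClaimOfType<string>('sub', User);
    JWT.Claims.SetClaimOfType<string>('scope', Scopes);   // the claim the middleware reads
    Result := TJOSE.SHA256CompactToken(JwtSecret, JWT);
  finally
    JWT.Free;
  end;
end;

// --- Server wiring (sketch) ---
// XDataServer.AddMiddleware(TJwtMiddleware.Create(JwtSecret));   // Sparkle.Middleware.Jwt
// XDataServer.DefaultEntitySetPermissions := [List, Get];          // as in the thread
```

With this in place an anonymous request to the entity set is rejected, a token whose "scope" claim contains only "easy" can List/Get entities and call IEasyService but gets 403 on IWebShopService, and a token with "easy webshop" can use both. A quick way to confirm the claim name is to decode the issued token (it is base64url, not encrypted) and check that the payload contains `"scope":"easy webshop"` rather than a custom claim name.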