Currently building an API using .NET Core 3.1 and Identity to manage our authentication / authorization within it. We're looking to use generated API keys rather than short-lived tokens that need to be refreshed (it doesn't suit our use case scenario).
What we want to do is provide the option for users/third parties to generate API keys and allow them to assign Identity Roles to the API key rather than a user. That way we could still use the [Authorize] attribute to grant / restrict their access to particular endpoints.
We have a Users table that handles authentication / authorization within the core application itself and have a table that stores the generated API keys. One user can generate multiple API keys (one with read-only permission to endpoints and one with write, for example). We just need to link the API keys to Identity Roles and utilise the [Authorize] attribute when said API key is passed in via the Request Header.
Does anybody have any ideas / advice about how to make this work? Or any advice as to whether this is a bad idea and how it could be done better? Any advice appreciated.
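
One way the setup described in the question can be wired up, as an added example that is not part of the original post: a custom ASP.NET Core authentication handler that turns the API key's assigned roles into role claims so that [Authorize] works unchanged. The `IApiKeyStore` interface, the `ApiKey` scheme name, the `X-Api-Key` header name and the choice to store SHA-256 hashes of keys are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Hypothetical abstraction over the API key table: returns the owning user id
// and the Identity role names assigned to the key, or null if unknown/revoked.
public interface IApiKeyStore
{
    Task<(string OwnerId, IReadOnlyList<string> Roles)?> FindByHashAsync(string keyHash);
}

public class ApiKeyAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public const string SchemeName = "ApiKey";      // assumed scheme name
    public const string HeaderName = "X-Api-Key";   // assumed header name
    private readonly IApiKeyStore _store;

    public ApiKeyAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IApiKeyStore store)
        : base(options, logger, encoder, clock) => _store = store;

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        if (!Request.Headers.TryGetValue(HeaderName, out var values) || values.Count != 1)
            return AuthenticateResult.NoResult();   // let other schemes (e.g. cookies) try

        // Look the key up by SHA-256 hash so the table never holds usable keys.
        using var sha = SHA256.Create();
        var hash = Convert.ToBase64String(sha.ComputeHash(Encoding.UTF8.GetBytes(values[0])));
        var record = await _store.FindByHashAsync(hash);
        if (record == null)
            return AuthenticateResult.Fail("Invalid API key.");

        // Role claims come from the key, not from the user who generated it.
        var claims = new List<Claim> { new Claim(ClaimTypes.NameIdentifier, record.Value.OwnerId) };
        foreach (var role in record.Value.Roles)
            claims.Add(new Claim(ClaimTypes.Role, role));

        var identity = new ClaimsIdentity(claims, SchemeName);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(identity), SchemeName);
        return AuthenticateResult.Success(ticket);
    }
}
```

The handler is registered with `services.AddAuthentication().AddScheme<AuthenticationSchemeOptions, ApiKeyAuthenticationHandler>(ApiKeyAuthenticationHandler.SchemeName, null)`, and an endpoint opts in with `[Authorize(AuthenticationSchemes = "ApiKey", Roles = "...")]`. Because the role claims are built from the key's own record, a read-only key stays read-only even when the user who generated it holds broader roles.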