Web API authentication and MVC 4 - C#

I have the following solution:
Web api project.
MVC 4 project.
I need to authenticate the user by sending their credentials using a JSON request (HTTPS is a must).
Is it a good approach? And how can I authenticate the user on both Web API and MVC?

Is it a good approach?
Yeah, why not.
And how can I authenticate the user on both Web API and MVC?
If the Web API requires authentication you could use the same Forms Authentication as the MVC application. So you could configure Forms Authentication in the web.config of the Web API application and then decorate the actions that require authentication with the [Authorize] attribute. Then clients that need to query those methods will need to include the Forms Authentication cookie along with the request.
It is important to note that in order for the Web API to be able to decrypt the forms authentication cookie that was emitted by the MVC application, both applications need to share the same machine keys.

You can use Basic Authentication. You need to create an authentication filter.
There is an open-source library (WebAPIDoodle):
https://github.com/WebAPIDoodle/WebAPIDoodle

Related

Web app (MVC 5), Web API 2, native Android and iOS to use one mode of authentication?

I need to develop an application in MVC 5, plus Xamarin Android and iOS applications; as these applications have the same features, I have Web API 2 for all common operations except one! Authentication!
I would want all the above applications to use ONE authentication framework/architecture either ASP.Net Identity 2.0, Web API token based authentication or any other you suggest.
Successfully implemented ASP.Net Identity 2.0 for my MVC 5 app, but couldn't authenticate the Web API with the [Authorize] attribute (tried both System.Web.Http and System.Web.Mvc). Hence did not even think of trying for mobile apps yet.
Successfully implemented Web API token based authentication for my Web API and MVC 5 as well, but with lots of JavaScript variable storage (which is obviously not right). Tried to authenticate the MVC 5 app with the [Authorize] attribute (tried both System.Web.Http and System.Web.Mvc); the page either shows 401 Unauthorized if the token is not yet granted and once the token is granted the view opens, and doesn't get authenticated even after the token's validity is expired, this works on when I use [System.Web.Mvc.Authorize] attribute. I have a sample to implement on mobile but did not try yet.
I feel that I am not implementing this part perfectly, if I get a proper tutorial to use token based authentication for all Web API, MVC and mobile applications then nothing like that.
I do not wish to use either Angular or knockOut JS. If this would be the only solution then I would opt it for sure.
Thanks :)

How to persist and authenticate users from an MVC application to a Web API

So we are currently looking to build out a site that utilizes a Web API for all of our authentication and communication with the database. What we are unsure of at the moment is how to persist users in our MVC application by authenticating through the Web API.
Where does this happen on the MVC side of things and how should we be authenticating with the Web API?
EDIT: Another thing I am wondering is if we can make a call to the API to get an Identity user after they are authenticated and instantiate the identity user on the MVC side of things and just store them in a session variable to persist on our application. Would this be doable and any idea what it would look like?
MVC utilizes the session for authentication. A cookie is sent to the user, and the web browser sends that cookie back with each request to enable the server to restore the session and recognize the user as authenticated.
Web Api is REST-based and stateless. There's no concept of a session, cookies, etc. Each Web Api request must be authenticated in the request, usually by passing an Authorization header with a bearer token or similar.
If the MVC application utilizes the Web Api to authenticate, then the Web Api should return an authentication token to the MVC application. The MVC application then, should "log in" the user by setting that normal authentication cookie and save the token so that it can authenticate future Web Api requests with that. In other words, the MVC application still handles authorization as it normally does. The only difference is that the response of the Web Api determines whether or not it considers the username/password combo to be correct, rather than a database query made directly.
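One way the flow described in this answer can look in an MVC login action, as an added example that is not part of the original answer. Assumptions: the Web API exposes an OAuth2 password-grant endpoint at the placeholder URL `https://api.example.com/token` that returns `access_token` and `expires_in`, Json.NET is referenced, and the token is kept in the encrypted forms ticket's `UserData`.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Web.Security;
using Newtonsoft.Json.Linq;

public class AccountController : Controller
{
    // Assumption: placeholder URL of the Web API's token endpoint.
    private const string TokenUrl = "https://api.example.com/token";
    private static readonly HttpClient Api = new HttpClient();

    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string username, string password, string returnUrl)
    {
        // The Web API, not a local database query, decides whether the credentials are valid.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "password" }, { "username", username }, { "password", password }
        });
        HttpResponseMessage resp = await Api.PostAsync(TokenUrl, form);
        if (!resp.IsSuccessStatusCode)
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        JObject body = JObject.Parse(await resp.Content.ReadAsStringAsync());
        string token = (string)body["access_token"];
        int lifetimeSeconds = (int)body["expires_in"];

        // "Log in" to MVC with the normal auth cookie; the API token travels inside the
        // encrypted ticket and the cookie expires together with the token.
        var ticket = new FormsAuthenticationTicket(1, username, DateTime.Now,
            DateTime.Now.AddSeconds(lifetimeSeconds), false, token);
        var cookie = new HttpCookie(FormsAuthentication.FormsCookieName,
            FormsAuthentication.Encrypt(ticket)) { HttpOnly = true, Secure = true };
        Response.Cookies.Add(cookie);

        // Only follow local return URLs, so the login page is not an open redirect.
        return Url.IsLocalUrl(returnUrl) ? (ActionResult)Redirect(returnUrl)
                                         : RedirectToAction("Index", "Home");
    }
}
```

Later requests can read the token back from `((FormsIdentity)User.Identity).Ticket.UserData` and send it to the API as a bearer token. Browsers cap a cookie at roughly 4 KB, so a large token is better kept in server-side storage keyed by the user.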

Is it possible to use cookie based authentication with ASP.NET Web API and SPA?

I want to create a web application which will be based on an AngularJS frontend and ASP.NET Web API. I need to create a secure API, but I can't use token based authentication on the company's server where this web application will be deployed.
Is it possible to use cookie based authentication for SPA and ASP.NET Web API?
How can I configure cookie based authentication on the ASP.NET project for this scenario where I have the SPA and Web API?
Token-based authentication is currently used in SPAs built on back-end API applications to overcome the limitations of cookie-based authentication. But since you have decided to go with it, you can use the OWIN cookie authentication middleware, which will do the needful. Here's an article showing how to configure the OWIN cookie authentication middleware in an ASP.NET project (no matter if it's a Web API or MVC application).

How to create an MVC 5 app with login on a different domain (OWIN OAuth2)

I would like to create a Client application in MVC 5 with a log in page on a different domain.
What I want to achieve is a centralized authentication domain for all of my applications (MVC 5 web applications, Web Api's and Desktop applications as well).
I tried to use the example below:
http://www.asp.net/aspnet/overview/owin-and-katana/owin-oauth-20-authorization-server
I can use the token to get resources from Web Api with both client types (website and desktop application), but I would like to use the claims and properties in the website as well and reach the web api with the token provided by the authorization server.
The only problem I have is that I can't set up an MVC 5 project to redirect to the authorization server domain when the user is not authorized and, after a successful authorization, redirect back to the original domain and use the claims and properties which are encrypted into the token provided by the authorization server.
Can you provide me a sample or some articles with which I can start implementing the above using OWIN OAuth2? Thanks in advance!

Authentication and Authorization through a Web API Service Layer accessed by an ASP.NET web application and an iOS mobile app

I am about to start working on a new ASP.NET MVC web application that I intend to build an iOS mobile version of as well.
I am planning on using MVC 4 Web API as a service layer that will sit in front of the business layer and be accessed by both the web application and the mobile application.
I am a little confused however about how I will implement authentication and authorization in this architecture.
Normally in an MVC application, once a user submits proper credentials, I would make a call to
FormsAuthentication.SetAuthCookie(username, false);
Which will create a cookie that will then be passed back and forth from one request to another to maintain a user's session in the application.
I'm confused as to how this will function through a service layer when accessed from the web application. Or how it will function when the service is called from the mobile application.
You could design your Web API in such a manner that it would require that the forms authentication cookie be sent on each request. You would then use this cookie to extract the username of the currently authenticated user from it.
But when designing an API it is usually better to use some other means of authentication than cookies. For example you could use the Authorization HTTP header where the client will be required to send the encrypted value of a forms authentication ticket.
You might also take a look at the following article about token based security.
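The header-based variant from this answer, as an added example that is not part of the original answer: a Web API message handler that accepts an encrypted forms authentication ticket in the Authorization header. The scheme name `FormsTicket` and the class name are assumptions made for this sketch; the handler requires web hosting (System.Web) and, when the ticket was issued by a separate MVC application, the same machine keys in both applications.

```csharp
using System;
using System.Net.Http;
using System.Security.Principal;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Security;

// Accepts "Authorization: FormsTicket <encrypted ticket>" (hypothetical scheme name).
public class FormsTicketHandler : DelegatingHandler
{
    private const string Scheme = "FormsTicket";

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var header = request.Headers.Authorization;
        if (header != null
            && string.Equals(header.Scheme, Scheme, StringComparison.OrdinalIgnoreCase)
            && !string.IsNullOrEmpty(header.Parameter))
        {
            FormsAuthenticationTicket ticket = null;
            try
            {
                // Fails for tampered tickets and for tickets protected with other machine keys.
                ticket = FormsAuthentication.Decrypt(header.Parameter);
            }
            catch (Exception)
            {
                // Leave the request anonymous; [Authorize] will answer with 401.
            }

            // Decrypt does not reject expired tickets, so check explicitly.
            if (ticket != null && !ticket.Expired)
            {
                var principal = new GenericPrincipal(new FormsIdentity(ticket), new string[0]);
                Thread.CurrentPrincipal = principal;
                if (HttpContext.Current != null)
                {
                    HttpContext.Current.User = principal;
                }
            }
        }
        return base.SendAsync(request, cancellationToken);
    }
}
// Registration, e.g. in WebApiConfig.Register:
//   config.MessageHandlers.Add(new FormsTicketHandler());
```

Actions decorated with [Authorize] then read the caller's name from `User.Identity.Name`, the same way they would with the cookie.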
