I have an existing MVC app with a custom authorize attribute overriding System.Web.Mvc.AuthorizeAttribute.
I now need to add Web API to the project, but only allow access to authorized users.
If I add my custom authorize attribute to the API controller, it seems to be getting ignored and allows anyone unrestricted access.
After a bit of reading, I have found that to authorize users for Web API, you have to use System.Web.Http.AuthorizeAttribute version of the authorise attribute.
However, after adding the Http version of the authorize attribute to my API controller, and keeping the Mvc version of the authorise attribute to my Mvc controllers, my requests to the API are now always returning 401 - Unauthorised, even when logged in.
I then tried removing my custom [Mvc] authorise attribute and use the standard version instead and got the same issue.
This question describes a similar problem, and tries to resolve it by merging the classes from both namespaces. This doesn't sound like a great solution to me, as I don't really need to customise the API authorize attribute.
What am I doing wrong here?
You can only share authorization with MVC basic authentification if MVC application is in the same project as Web API.
If not then you must create CustomAuthorize Attribute in Web API (inheriting http.AuthorizeAttribute) and implement basic authentification on WebAPI.
This way every request to WebAPI should pass userName and pass in AuthHeader of HTTP Request
I think the problem was that I was trying to call the API in server side code. (Don't ask, I know it doesn't sound logical).
Obviously, the server side request would not be impersonating the users credentials.
I tried setting <Identity Impersonate="true"/> in web.config but this had no effect.
To work abound this issue, I have moved the request to a JQuery ajax call on document ready which I should have just done in the first place.
Related
I have got a simple application using Identity server, Web API and Angular. The issue is with the Identity Server redirection. The goal is to exclude some paths for instance: https://localhost:5000/test from auto redirection to login page without authorization and directly open the Angular component on this url. Is there any way to achieve this?
Your request must be more detailed with a code sample of your controller to reproduce and understand. Maybe you should also specify .NET and IDS4 version, if it is IdentityServer4 ?
Because for an IDS4 and according to the documentation, you have to choose between different workflow to authenticate. The most common way and the safer one is to use authorization code
To find which workflow are supported on your IDS4 call this URL :
http://YOUR_SEVER/.well-known/openid-configuration
The login redirection depend on IDS4 setting for a UI behavior, so if you try to call directly your [AllowAnonymous] route with a browser, you will not be redirected normally and get your response directly.
I'm having an issue with a website plus API I'm writing. These are in the same project, if that matters.
Reduced to its simplest form, it's a catalogue website and API. You have products in a database and pages which display product information. You also have other pages which allow editing this information and adding new products, etc.
There are three ways you can do this:
Anonymous users can list products and view public information about them on the website.
Signed-in users can list, view (including private info), edit, create and delete products on the website.
Users with a valid API key can list, view (including private info), edit, create and delete products using the API.
The problem I'm having is that the website uses AJAX calls to the API, and these only work if the user of the website is authenticated. Calling the API without an authentication cookie or an API key fails by design.
What would be the recommended way of identifying the unauthenticated website to the back-end API in a secure way that allows it to work?
The ideas I've had include:
A special API key for the website, but it would by necessity be visible to the world at large somewhere in the Javascript code and therefore something someone could use to access the API themselves and bypass any rate limiting I wanted to implement.
I considered setting something in the session on the web controllers which could then be verified in the API controllers, but I encountered issues where unauthenticated calls to the API redirect to the login page on the Account controller, which then sets the relevant session variable, which means subsequent API calls succeed whether legitimately authenticated or not. This seems like the most promising option, but I'm not familiar enough with ASP.NET Core's workings to make it robust.
You should use Jason Web Token Authentication, to implement one in your API please check the following the link:
https://medium.com/#adegokesimi/implementing-jwt-and-refresh-token-in-net-core-2-2-web-api-b21ef6de2a19
By using JWT authentication in the pipe line of your WebApi your problem will be solved.
Also, you can use a ASP.NET Core identity system for things like roles that can be implemented on specific controller methods, for example, "EDIT" can be allowed only to role admin, etc.
Kind regards,
.js
I'm building a website that has an API service that dumb clients use to get and submit data. I'm building it using ASP.NET MVC6 and EF7.
The service is still in a prototyping stage, however I'm currently using the [Authorize] attribute on controller classes and methods and the default User Manager found in the MVC6 template (ASP.NET Identity?). It works pretty well for the website itself and for the purposes for the prototype and testing I've simply put [AllowAnonymous] attribute on the API methods that I need to access from the unauthorized machines.
However I think I need to basically pass a session token to these dumb clients that last only x hours that they can use to submit with GET and POST requests so they can be pre-authorized without having to pass around some master user/pass.
Note: I'm fairly new to MVC6 and do not have full knowledge of how ASP.NET / MVC security is handled.
I need to create a website in asp.net, where user registrations required and also need to create a WebApi code for mobile app users.
Currently user registration is created in asp.net Webform, and login works fine(used basic authenication), but when I tries to login using WebApi code
it shows error 400 bad request(token based authentication), all parameters passed are correct.
Is this happens because I used basic authentication in Webform ?
Do I need to use basic authentication in WebApi also? if yes then how does it work for login?
Please help.
I would use the same authentication model for both use cases. So to implement basic authentication in WebApi there is a good article from Mike Wasson. You can find the source code here. It's too much to copy it here.
Create your own [BasicAuthentication] Attribute and add it to your controller classes. I would not use cookies, instead send your credentials every time you call the Api within the Authentication-Header of your HTTP call. But make sure you use HTTPS!
And to answer your question about mobile apps: Yes of course, adding an authentication header is possible within any mobile application. Same advice here about using HTTPS...
You should be able to use the same basic auth for webapi that you use for webforms (both cookie based).
The current project my team is working on uses webforms asp.net and are unable to at this point in development move to MVC or WebAPI.
We have started to use a WebAPI style approach using javascript client side functionality for most the page work and using webmethods for CRUD style functionality.
The issue I am having is finding a simple clean method for checking authorisation of these webmethods being called. We currently use a custom made role based security that stores a list of pages that a role has access to and on page pre init checks if the users role has access to the page and if not redirects.
My ideal solution would be to use a custom attribute like WebAPI's authorize that I could create that checks the authorisation and if fails, throws an exception and never enters the webmethod.
Is this possible, and if so how is the best way to approach?
If not has anyone else come across a similar situation that they resolved cleanly. The last thing I would like is having to add extra parameters into a webmethod just to check the authorisation.