active directory authentication + authorization asp.net mvc + webapi - asp.net-mvc

Let us say we have an asp.net mvc application that uses active directory (AD) for authentication and authorization. The views use jquery to consume restful webapi endpoints secured via AD as well. The webapi's restful endpoints may be hosted separately (e.g. not necessarily within the asp.net mvc application). Would the token created during the asp.net mvc's authentication process automatically be issued to the restful endpoints or does this have to be arranged somehow?
PS:
I have noticed that asp.net mvc can now automatically include webapi controllers. I always thought that this bad practice (i.e. to host everything in the same application).

Related

How to have a single asp.net mvc project with cookie authentication for mvc controllers and token authentication for API controllers

We have an existing asp.net Mvc 5 application having external login with OAuth2 providers like google, and microsoft. We are using CookieAuthenticatoin for this.
Now we need to add ApiContoller to the same application.
Is there any way to use the same cookie to authenticate ApiControllers. Can I configure both cookie authentication and tokenauthentication in Startup file?

How to share authentication between ASP.NET MVC and ASP.NET WEB API applications?

I am building an AngularJS MVC application, I need some guidance in terms of authentication. I am thinking of building the Authentication using the MVC authentication pipeline. AngularJS code will reside in the MVC application and the root SPA view would be a Razor cshtml. Here is my scenario -
Login page will call a Authenticate API that would return a token
AngularJS has the logic to get the bearer and pass to each of the API requests
There will be multiple ASP.NET WebAPI projects that will be hosted as subdomains.
I also need to call complex dynamic razor templates, this would need the authentication for the MVC controller that will return the razor views. Since MVC follows cookie based authentication, the token gives a 401 status code. How would this work wherein the authentication is shared between MVC and WEB API apps.
I think you would need to get your token from the API project, not the MVC in order to be able to securely call the API.
If you want to share identities across both the API and MVC projects, have them use the same database.
When getting the token from the API, you can get the identity details of the current user from your MVC application. At least, that is how I have done it in the past.
I blogged something along these lines here: http://blogs.msdn.com/b/martinkearn/archive/2015/03/25/securing-and-working-securely-with-web-api.aspx however this does not cover the step of using the creds from your MVC login and passing that to the API to get the token.
Hope that helps.

MVC 5 and WebApi2 using OWIN OAuth

I am creating an application that will use MVC 5 to serve the initial layout, views, scripts, etc. and then I am using WebApi2 to serve data to the UI.
I want to use the OWIN OAuth bits for Authentication on the WebApi.
The WebApi lives in a DLL and the MVC 5 app is a Web Application.
I have referenced this article for the OAuth WebApi bits.
How do I setup the WebApi to run in the MVC 5 application and use the OWIN Startup class?
Or is this not possible?
I recommend you to check the VS 2013 Web API template (Web API and MVC core dependency) but with individual accounts checked as this image, I believe you are missing adding those both lines in class WebApiConfig.cs:
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
You need to suppress the default authentication (Forms Auth) then add the bearer authentication only for Web API.

Windows authentication in MVC app calling WebAPI

We're building a Windows-authenticated ASP.NET MVC app. This will then call into an ASP.NET WebAPI layer sat on a different server.
We don't have Kerberos enabled so assume authentication with this will be via some form of Basic auth. We're also looking to use ASP.NET Membership/Identity for role management. All communication with the Membership database will be via the WebAPI.
Can anyone give guidance on how best to handle issuing authentication tokens for communication between the MVC and WebAPI apps, and how Authorize attributes may be used across both layers?
I've blogged detailed series of posts about Token based authentication in Web API using ASP.NET Identity, it should answer part of your questions, check it here

How to design and develop common asp.net identity for both asp.net mvc and asp.net web.api

We are going to start a new solution for both "desktop/mobile responsive web site" and "mobile app". Both projects (web site and mobile app) need to access same business/data layer.
The tier structure for web site is going to be something like the following:
Browser -> ASP.NET MVC Web Site -> Business Layer -> Data Layer -> Database
The tier structure for mobile app is going to be as follows:
Smart Device -> ASP.NET Web Api Service layer -> Business Layer -> Data Layer -> Database
We don't want web site to consume web api.
We also don't need to integrate with any social identity in our scenario. I heard that ASP.NET MVC discourages token approach for security (authentication and authorization) and encourages the cookie approach. However, consuming Web Api will be lot easier, if we employe token approach and cookies are obviously discouraged in REST services.
While we are fine to start with new ASP.NET Identity system, we are not quite sure on how to deal with both scenarios without rewriting and supporting code for both scenarios.
Based on the above grounds, how can we design a common security pattern which works for both of our scenarios i.e., ASP.NET MVC Web site and ASP.NET Web API.
If you self-host using OWIN, you can look at creating an OWIN middleware. If you web-host using IIS, you can create an Http module to authenticate and establish the identity by handling authenticate event. Http module can be written in such a way to look for a token and if not present, fall back to cookie. By cookie approach with MVC, I believe you mean Forms Authentication. With that, FormsAuthenticationModule comes into play. So, your module just need to be aware of this and play along nicely. Ultimately, identity is established on Http context and you can use Authorize attribute in both MVC and API controllers. Here is an example of how to create an Http module for authentication. Basic authentication is implemented here but you can modify it for tokens.

Resources