MVC 5 and WebApi2 using OWIN OAuth - asp.net-mvc

I am creating an application that will use MVC 5 to serve the initial layout, views, scripts, etc. and then I am using WebApi2 to serve data to the UI.
I want to use the OWIN OAuth bits for Authentication on the WebApi.
The WebApi lives in a DLL and the MVC 5 app is a Web Application.
I have referenced this article for the OAuth WebApi bits.
How do I setup the WebApi to run in the MVC 5 application and use the OWIN Startup class?
Or is this not possible?

I recommend you to check the VS 2013 Web API template (Web API and MVC core dependency) but with individual accounts checked as this image, I believe you are missing adding those both lines in class WebApiConfig.cs:
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
You need to suppress the default authentication (Forms Auth) then add the bearer authentication only for Web API.

Related

Reuse ASP.NET MVC 5 session cookie in ASP.NET Core Web API

I have an existing ASP.NET MVC 5 application that uses a custom authentication scheme and sessions for storing state using ASP.NET_SessionId cookie.
Now there is a requirement to put a React front-end in front of an ASP.NET Core Web API. There is an opportunity to reuse some of the service code from the API. The showstopper is the authentication.
Is it possible to reuse/share the existing cookie and authentication scheme from a React web application? JWT and IdentityServer appear to be solid options but would require a significant rewrite to the existing system.
As far as I know, if you want to share authentication cookies between ASP.NET 4.x and ASP.NET Core apps, you need to rebuild the asp.net core cookie authentication.
Since the asp.net core and asp.net use different way to encrypt the authentication cookie, so you should let them use the same way to encrypt the cookie to get the token work for both asp.net and asp.net core application and make sure there are in the same domain.
More details about how to set the application to share cookie between ASP.NET 4.x and ASP.NET Core apps I suggest you could refer to this MSFT example.
Some part of the document:
ASP.NET 4.x apps that use Katana Cookie Authentication Middleware can be configured to generate authentication cookies that are compatible with the ASP.NET Core Cookie Authentication Middleware. This allows upgrading a large site's individual apps in several steps while providing a smooth SSO experience across the site.
When an app uses Katana Cookie Authentication Middleware, it calls UseCookieAuthentication in the project's Startup.Auth.cs file. ASP.NET 4.x web app projects created with Visual Studio 2013 and later use the Katana Cookie Authentication Middleware by default. Although UseCookieAuthentication is obsolete and unsupported for ASP.NET Core apps, calling UseCookieAuthentication in an ASP.NET 4.x app that uses Katana Cookie Authentication Middleware is valid.
Katana Cookie Authentication can be used to reuse cookie among app. For more detail please find the documentation for Share Authentication Cookie among app

How to have a single asp.net mvc project with cookie authentication for mvc controllers and token authentication for API controllers

We have an existing asp.net Mvc 5 application having external login with OAuth2 providers like google, and microsoft. We are using CookieAuthenticatoin for this.
Now we need to add ApiContoller to the same application.
Is there any way to use the same cookie to authenticate ApiControllers. Can I configure both cookie authentication and tokenauthentication in Startup file?

How to share authentication between ASP.NET MVC and ASP.NET WEB API applications?

I am building an AngularJS MVC application, I need some guidance in terms of authentication. I am thinking of building the Authentication using the MVC authentication pipeline. AngularJS code will reside in the MVC application and the root SPA view would be a Razor cshtml. Here is my scenario -
Login page will call a Authenticate API that would return a token
AngularJS has the logic to get the bearer and pass to each of the API requests
There will be multiple ASP.NET WebAPI projects that will be hosted as subdomains.
I also need to call complex dynamic razor templates, this would need the authentication for the MVC controller that will return the razor views. Since MVC follows cookie based authentication, the token gives a 401 status code. How would this work wherein the authentication is shared between MVC and WEB API apps.
I think you would need to get your token from the API project, not the MVC in order to be able to securely call the API.
If you want to share identities across both the API and MVC projects, have them use the same database.
When getting the token from the API, you can get the identity details of the current user from your MVC application. At least, that is how I have done it in the past.
I blogged something along these lines here: http://blogs.msdn.com/b/martinkearn/archive/2015/03/25/securing-and-working-securely-with-web-api.aspx however this does not cover the step of using the creds from your MVC login and passing that to the API to get the token.
Hope that helps.

active directory authentication + authorization asp.net mvc + webapi

Let us say we have an asp.net mvc application that uses active directory (AD) for authentication and authorization. The views use jquery to consume restful webapi endpoints secured via AD as well. The webapi's restful endpoints may be hosted separately (e.g. not necessarily within the asp.net mvc application). Would the token created during the asp.net mvc's authentication process automatically be issued to the restful endpoints or does this have to be arranged somehow?
PS:
I have noticed that asp.net mvc can now automatically include webapi controllers. I always thought that this bad practice (i.e. to host everything in the same application).

ASP.NET Web API - Authetication in Windows Forms Application

I developed a web system using ASP.NET MVC 4 and I must perform an integration using .NET Web API and Windows Forms Application.
So far everything has been fine, but now I need to authenticate the users using Windows Forms Application and this application will be open on the internet.
My application already contains users that are registered in the database and currently are authenticated using the component 'Authorize' of ASP.NET MVC.
For data consumption through the client (Windows Forms Application) currently I use the library Microsoft ASP.NET Web Client API.
How can I accomplish this task safely?
Does anyone have any suggestions?
You can extend the HttpClient to add authentication. One example can be found here. It shows how to add a HttpMessageHandler into your pipeline for authentication using OAuth.
Here is the complete List of ASP.NET Web API and HttpClient Samples
Take a look at this Q&A which describes creating a custom AuthorizeAttribute for Web API that also authenticates the user using http basic security and grabbing the credentials from the HTTP header. Note that there is a different AuthorizeAttribute for ASP.NET Web API (System.Web.Http.AuthorizeAttribute) as opposed to the one for an MVC controller (System.Web.Mvc.AuthroizeAttribute). They have different behaviors. You do not want a call to a Web API being redirected to a logon page.

Resources