ASP.NET Web API Forms Authentication Sub Application - asp.net-mvc

I have 2 ASP.NET MVC web applications set up under the same domain. One is just a standard MVC website. The other is a Web API project. For now I am just set up locally.
* http://localhost/myapp
* http://localhost/api
I am using forms authentication to log in to the web application and then accessing the api application via a jQuery $.get request. Is there a way to share the forms authentication from the web app with the API app? Again these are 2 separate applications but are sharing the same root domain.

I found the answer. I just needed to add a matching machineKey element to the web.config file for both of my applications.
    <machineKey validationKey="..."
                decryptionKey="..."
                validation="SHA1"
                decryption="AES" />

Related

active directory authentication + authorization asp.net mvc + webapi

Let us say we have an asp.net mvc application that uses active directory (AD) for authentication and authorization. The views use jquery to consume restful webapi endpoints secured via AD as well. The webapi's restful endpoints may be hosted separately (e.g. not necessarily within the asp.net mvc application). Would the token created during the asp.net mvc's authentication process automatically be issued to the restful endpoints or does this have to be arranged somehow?
PS:
I have noticed that asp.net mvc can now automatically include webapi controllers. I always thought that this was bad practice (i.e. to host everything in the same application).

Using .NET MVC/WebAPI, Is it possible to share an auth cookie between two projects of the same solution? If so, how?

My solution is structured like this:
Web Project (Default, ASP.NET MVC)
API Project (ASP.NET MVC using WebAPI controllers)
When deployed to a server, the web project will be the root and the api project will live in root\api.
I am authenticating users in the web app using FormsAuthentication.SetAuthCookie("foo",false); and so of course within a controller of the web project I have no problem reading the cookie back (HttpContext.User.Identity.Name).
I would like to be able to do the same in my API project when an ajax request is made from a page in the web project so that I can check that the user is authenticated before remitting a service.
Is this possible?
Update
I followed this MSDN article for creating authentication across applications, and I still cannot read my auth cookie in the API context. I am wondering if it is because I am running on localhost while the Forms node in the web configs expects a domain name:
    <forms loginUrl="login.aspx"
           name=".ASPXFORMSAUTH"
           protection="All"
           path="/"
           domain="contoso.com"
           timeout="30" />
I tried setting the domain to localhost:XXXX but that didn't work either. The machine keys in both applications match.
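
A consistency check for the settings discussed in the answer at the top of the page (matching machineKey) and in this question's update (the forms element and a domain with a port), as an added example that is not part of the original posts. The function names, sample configs and placeholder key values are assumptions; attributes are compared as written, without resolving ASP.NET defaults.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; key values are placeholders, not real keys.
MACHINE_KEY = '<machineKey validationKey="AAAA" decryptionKey="BBBB" validation="SHA1" decryption="AES" />'
WEB_APP = f"""<configuration><system.web>
  {MACHINE_KEY}
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" protection="All" path="/" domain="localhost:50123" />
  </authentication>
</system.web></configuration>"""
# The API app has no machineKey element, so ASP.NET auto-generates per-app keys.
API_APP = WEB_APP.replace(MACHINE_KEY, "")

def _attrs(config_xml, tag):
    """Attributes of the first <tag> element, or {} when it is absent."""
    node = next(ET.fromstring(config_xml).iter(tag), None)
    return dict(node.attrib) if node is not None else {}

def ticket_sharing_problems(config_a, config_b):
    """List reasons a forms ticket issued by one app is not usable in the other."""
    problems = []
    keys = [_attrs(c, "machineKey") for c in (config_a, config_b)]
    forms = [_attrs(c, "forms") for c in (config_a, config_b)]
    for attr in ("validationKey", "decryptionKey"):
        values = [k.get(attr, "AutoGenerate") for k in keys]
        if any("AutoGenerate" in v for v in values):
            problems.append(f"{attr} is auto-generated in at least one app")
        elif values[0] != values[1]:
            problems.append(f"{attr} differs")
    for attr in ("validation", "decryption"):
        if all(keys) and keys[0].get(attr) != keys[1].get(attr):
            problems.append(f"machineKey {attr} algorithm differs")
    for attr in ("name", "protection", "path"):
        if forms[0].get(attr) != forms[1].get(attr):
            problems.append(f"forms {attr} differs")
    # Cookies are not scoped by port, so a Domain value with a port never matches.
    for domain in sorted({f["domain"] for f in forms if ":" in f.get("domain", "")}):
        problems.append(f"forms domain '{domain}' contains a port")
    return problems

if __name__ == "__main__":
    for problem in ticket_sharing_problems(WEB_APP, API_APP):
        print(problem)
```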

MVC form application access from mobile device

I have this MVC web application that generates and returns an XML file as a result. I also have a mobile application that gets the XML file from the MVC web application.
I have SimpleMembership as authentication for the MVC web app and I want to use it with my mobile application without using a web browser. How do I approach implementing such a process?

One approach is to use basic authentication where you send the credentials in the header of the HTML request. You need to use SSL/HTTPS on the server to make this secure. Here is an article on how to use basic authentication with SimpleMembership.

ASP.NET Web API - Authentication in Windows Forms Application

I developed a web system using ASP.NET MVC 4 and I must perform an integration using .NET Web API and Windows Forms Application.
So far everything has been fine, but now I need to authenticate the users using Windows Forms Application and this application will be open on the internet.
My application already contains users that are registered in the database and currently are authenticated using the component 'Authorize' of ASP.NET MVC.
For data consumption through the client (Windows Forms Application) currently I use the library Microsoft ASP.NET Web Client API.
How can I accomplish this task safely?
Does anyone have any suggestions?

You can extend the HttpClient to add authentication. One example can be found here. It shows how to add an HttpMessageHandler into your pipeline for authentication using OAuth.
Here is the complete list of ASP.NET Web API and HttpClient Samples

Take a look at this Q&A which describes creating a custom AuthorizeAttribute for Web API that also authenticates the user using HTTP basic security and grabbing the credentials from the HTTP header. Note that there is a different AuthorizeAttribute for ASP.NET Web API (System.Web.Http.AuthorizeAttribute) as opposed to the one for an MVC controller (System.Web.Mvc.AuthorizeAttribute). They have different behaviors. You do not want a call to a Web API being redirected to a logon page.

Using Forms authentication cross domain

Here is our problem.
We have built an MVC Web-api that uses Forms authentication with cookies to handle sessions.
When we use our front-end webpage on the same domain (localhost or web-server) as the web-api, all works fine. (We use JQuery $.get and $.post to communicate with the web-api).
Though the front-end is in the future supposed to be a standalone html5 app, not located on the same domain as the web-api.
This isn't working unfortunately.
The web-api does return an authentication cookie to the client, BUT the cookie isn't brought back to the web-api when the front-end sends its requests.
When both web-api and front-end are on the same domain, the cookie is automatically sent with the request.
We've tried setting
"Access-Control-Allow-Origin: *" and "Access-Control-Allow-Authentication: true" in the web-api webconfig file.

What you need is a single-sign-on (SSO) feature.
The browser will only send cookies to the same domain; that is the reason why it was not working when the applications are located on different domains.
There is a nice article on CodeProject on implementing SSO in ASP.NET - http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic - it applies to ASP.NET MVC too.
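
The browser-side check for a cross-origin XHR that needs the authentication cookie, applied to the two headers quoted in the question; this is an added example, not part of the original posts. The function names and the page origin are assumptions, and SameSite or third-party cookie policy and preflight requests are not modelled.

```python
# CORS response headers defined by the Fetch standard (lower-cased).
CORS_RESPONSE_HEADERS = {
    "access-control-allow-origin", "access-control-allow-credentials",
    "access-control-allow-methods", "access-control-allow-headers",
    "access-control-expose-headers", "access-control-max-age",
}

# Headers as quoted in the question; the page origin is a constructed sample.
QUESTION_HEADERS = {"Access-Control-Allow-Origin": "*",
                    "Access-Control-Allow-Authentication": "true"}
PAGE_ORIGIN = "https://app.example"

def unknown_cors_headers(response_headers):
    """Access-Control-* response headers that are not defined by the Fetch standard."""
    return sorted(h for h in response_headers
                  if h.lower().startswith("access-control-")
                  and h.lower() not in CORS_RESPONSE_HEADERS)

def cookie_request_outcome(page_origin, with_credentials, response_headers):
    """(ok, reason) for a cross-origin XHR from page_origin that relies on a cookie."""
    if not with_credentials:
        return False, "XHR sends no cookies cross-origin unless withCredentials is set"
    headers = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_origin = headers.get("access-control-allow-origin")
    if allow_origin is None:
        return False, "response has no Access-Control-Allow-Origin"
    if allow_origin == "*":
        return False, "wildcard origin is rejected when credentials are included"
    if allow_origin != page_origin:
        return False, "Access-Control-Allow-Origin does not match the page origin"
    if headers.get("access-control-allow-credentials") != "true":
        return False, "Access-Control-Allow-Credentials is not 'true'"
    return True, "cookie is sent and the response is readable by the page"

if __name__ == "__main__":
    print(unknown_cors_headers(QUESTION_HEADERS))
    print(cookie_request_outcome(PAGE_ORIGIN, False, QUESTION_HEADERS))
    print(cookie_request_outcome(PAGE_ORIGIN, True, QUESTION_HEADERS))
```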
