A project on ASP.NET MVC 6 and a separate project on Web API. I need to do authentication; the only question is how. In the controller of the MVC application there is an [Authorize] attribute; it redirects to the application's authorization page, the controller with the authorization method is successfully invoked on the Web API, a successful confirmation arrives, and I save the cookie in the user's browser. But now when I request another page, for example the personal account, where the user must be authorized, in the ASP.NET MVC application the authorization already passes, but the Web API again has the [Authorize] filter. What to do in this case?
2 answers
Do I understand correctly that the business logic layer is on the Web API (Api) side, ASP.NET MVC 6 (Client) is just a client, and all of the authorization / retrieval of private data should go through the API?
In this case you can use the following scheme:

1) The authorization request is passed on to the Api. The Api response should be an access token (access_token), its lifetime, and possibly some user identification data.

2) Once you have the access_token there are several options for using it. For example, if you want to use the classic [Authorize] attribute on the Client side, you can sign the user in using the OwinContext:

```csharp
using System.Linq;
using System.Security.Claims;
using System.Security.Principal;
using System.Threading;
using System.Web;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;

private static void Authenticate(AuthenticationModel model)
{
    // Unprotect the token issued by the Api. Startup.OAuthBearerOptions is the Client's
    // OAuthBearerAuthenticationOptions; this only works when Client and Api share the
    // same data-protection key (machineKey), otherwise the token cannot be unprotected.
    var accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(model.AccessToken);

    // Build the cookie identity from the token's claims and remember the token itself.
    var cookiesIdentity = new ClaimsIdentity(accessToken.Identity.Claims,
        CookieAuthenticationDefaults.AuthenticationType);
    cookiesIdentity.AddClaim(new Claim(ClaimTypes.Expiration,
        accessToken.Properties.ExpiresUtc.Value.ToString("o")));
    cookiesIdentity.AddClaim(new Claim("AccessToken", model.AccessToken));

    // Issue the authentication cookie with the same lifetime as the token.
    HttpContext.Current.GetOwinContext().Authentication.SignIn(
        new AuthenticationProperties { ExpiresUtc = accessToken.Properties.ExpiresUtc.Value },
        cookiesIdentity);

    // Make the signed-in user visible for the rest of the current request.
    var roles = accessToken.Identity.Claims
        .Where(item => item.Type == ClaimTypes.Role)
        .Select(item => item.Value)
        .ToArray();
    Thread.CurrentPrincipal = HttpContext.Current.User = new GenericPrincipal(cookiesIdentity, roles);
}
```

Or write something custom, as you like.

3) And if you save the access_token on the Client side (for example, in cookies), you can call the Api's private methods.
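The three steps of this scheme end to end, as an added example that is not the answerer's code: an MVC 5 + OWIN client (the same System.Web/OWIN stack as the snippet above, not ASP.NET Core) that sends the credentials to the Api, keeps the returned access_token inside the data-protected authentication cookie, and forwards it as a Bearer token on every later Api call, so the Client's [Authorize] and the Api's [Authorize] are both satisfied. Everything not in the answer is assumed: the Api issues tokens at POST /token (OAuth2 password grant) with access_token, expires_in and userName in the response, the Api address is https://api.example.com/, and the controller, action and class names are made up.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Newtonsoft.Json;
using Owin;

// Shape of the Api's token response (assumed).
public class TokenResponse
{
    public string access_token { get; set; }
    public int expires_in { get; set; }
    public string userName { get; set; }
}

// Attaches the signed-in user's access_token to every request sent to the Api.
// Anonymous requests (the login call itself) simply carry no Authorization header.
public class BearerTokenHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        var identity = HttpContext.Current?.User?.Identity as ClaimsIdentity;
        var token = identity?.FindFirst("AccessToken")?.Value;
        if (!string.IsNullOrEmpty(token))
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return base.SendAsync(request, ct);
    }
}

// One shared HttpClient for the Api (assumed base address).
public static class ApiClient
{
    public static readonly HttpClient Instance =
        new HttpClient(new BearerTokenHandler { InnerHandler = new HttpClientHandler() })
        { BaseAddress = new Uri("https://api.example.com/") };
}

public class AccountController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Login(string userName, string password, string returnUrl)
    {
        // 1) Hand the credentials to the Api; the Client never validates passwords itself.
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password", ["username"] = userName, ["password"] = password
        });
        var response = await ApiClient.Instance.PostAsync("token", form);
        if (!response.IsSuccessStatusCode)
        {
            ModelState.AddModelError("", "Invalid user name or password.");
            return View();
        }
        var token = JsonConvert.DeserializeObject<TokenResponse>(await response.Content.ReadAsStringAsync());
        var expiresUtc = DateTimeOffset.UtcNow.AddSeconds(token.expires_in);

        // 2) Sign the user in on the Client. The cookie is encrypted and signed by OWIN
        //    data protection, so the raw token is not readable from the browser, and the
        //    cookie expires together with the token, so the Client never treats a user as
        //    logged in after the Api would already reject the token.
        var identity = new ClaimsIdentity(CookieAuthenticationDefaults.AuthenticationType);
        identity.AddClaim(new Claim(ClaimTypes.Name, token.userName));
        identity.AddClaim(new Claim("AccessToken", token.access_token));
        identity.AddClaim(new Claim(ClaimTypes.Expiration, expiresUtc.ToString("o")));
        HttpContext.GetOwinContext().Authentication.SignIn(
            new AuthenticationProperties { ExpiresUtc = expiresUtc, IsPersistent = false }, identity);

        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}

// 3) The "personal account" page: protected on the Client, and the Api call carries the token.
public class CabinetController : Controller
{
    [Authorize]
    public async Task<ActionResult> Index()
    {
        var response = await ApiClient.Instance.GetAsync("api/account/profile");
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // The Api rejected the token (revoked, or expired early): drop the Client session too.
            HttpContext.GetOwinContext().Authentication.SignOut(CookieAuthenticationDefaults.AuthenticationType);
            return RedirectToAction("Login", "Account");
        }
        response.EnsureSuccessStatusCode();
        ViewBag.Profile = await response.Content.ReadAsStringAsync();
        return View();
    }
}

// Cookie middleware in Startup: HttpOnly + Secure, and no sliding expiration,
// because the cookie must not outlive the access_token it carries.
public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Account/Login"),
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,
            SlidingExpiration = false
        });
    }
}
```

Two caveats worth knowing: storing the token as a claim makes the authentication cookie noticeably larger (a few hundred bytes for an OWIN token, far more for a JWT with many claims), and if the Api ever hands out long-lived or refresh tokens they are better kept server-side (session or a ticket store) than in the cookie at all. The 401 handling in CabinetController matters because the Api may revoke a token before the cookie's ExpiresUtc is reached; without it the user is stuck "logged in" on the Client while every Api call fails.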
I will offer a different approach.
You can create your own authorization attribute, which will largely duplicate the functionality of the standard [Authorize] attribute:
it takes data from the OwinContext and determines whether the user is authorized;
in case of failure it redirects to the login page.
Here is something similar from an old project, though without ASP.NET Identity; the authorization data is simply stored in the session.

```csharp
using System.Web.Http;
using System.Web.Http.Controllers;

public class MyAuthorize : AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        // MySession is the project's own session wrapper; here you would analyse
        // the authorization using Identity instead.
        return MySession.Current.Connection.IsConnected;
    }
}
```
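The same idea carried through for both projects, as an added example that is not the answerer's code: a Client-side attribute that reads the OWIN cookie identity, treats a missing or expired access_token as "not authorized" and redirects to the login page, and an Api-side attribute that answers 401 with a WWW-Authenticate header instead of redirecting, since an API must never bounce a caller to an HTML login form. The "AccessToken" and ClaimTypes.Expiration claim names follow the first answer's snippet; the login path and the attribute names are assumptions, and the two classes would normally live in their respective projects rather than one file.

```csharp
using System;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Principal;
using System.Web;
using System.Web.Http.Controllers;
using Microsoft.Owin.Security.Cookies;

public static class RoleCheck
{
    // Same semantics as the built-in attributes: Roles = "a,b" means "a or b".
    public static bool Passes(string roles, IPrincipal user) =>
        string.IsNullOrWhiteSpace(roles) ||
        roles.Split(',').Select(r => r.Trim()).Any(user.IsInRole);
}

// Client (MVC) side: the user has a cookie, but is the token behind it still usable?
public class TokenAuthorizeAttribute : System.Web.Mvc.AuthorizeAttribute
{
    public string LoginPath { get; set; } = "/Account/Login"; // assumed

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        var auth = httpContext.GetOwinContext().Authentication;
        var identity = auth.User?.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated) return false;
        if (string.IsNullOrEmpty(identity.FindFirst("AccessToken")?.Value)) return false;

        // The cookie alone is not proof of a live session: once the token it carries has
        // expired the Api will answer 401 on every call, so sign the user out right here.
        var exp = identity.FindFirst(ClaimTypes.Expiration)?.Value;
        if (exp == null ||
            !DateTimeOffset.TryParse(exp, CultureInfo.InvariantCulture, DateTimeStyles.None, out var expiresUtc) ||
            expiresUtc <= DateTimeOffset.UtcNow)
        {
            auth.SignOut(CookieAuthenticationDefaults.AuthenticationType);
            return false;
        }
        return RoleCheck.Passes(Roles, auth.User);
    }

    protected override void HandleUnauthorizedRequest(System.Web.Mvc.AuthorizationContext filterContext)
    {
        // RawUrl is always a server-relative path, so ReturnUrl cannot be turned into an open redirect.
        var returnUrl = HttpUtility.UrlEncode(filterContext.HttpContext.Request.RawUrl);
        filterContext.Result = new System.Web.Mvc.RedirectResult(LoginPath + "?ReturnUrl=" + returnUrl);
    }
}

// Api (Web API) side: the bearer middleware has already populated the principal; we only
// decide yes/no and, on no, return a proper 401 instead of a redirect.
public class ApiTokenAuthorizeAttribute : System.Web.Http.AuthorizeAttribute
{
    protected override bool IsAuthorized(HttpActionContext actionContext)
    {
        var user = actionContext.RequestContext.Principal;
        return user?.Identity != null && user.Identity.IsAuthenticated && RoleCheck.Passes(Roles, user);
    }

    protected override void HandleUnauthorizedRequest(HttpActionContext actionContext)
    {
        var response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
        response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        actionContext.Response = response;
    }
}
```

Usage is the same as the stock attributes: `[TokenAuthorize(Roles = "admin")]` on a Client controller, `[ApiTokenAuthorize]` on an Api controller. The expiry check on the Client side is what keeps the two projects in step: without it the Client's cookie says "logged in" while the Api's filter says 401, which is exactly the mismatch the question describes.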