I am working on locking down various sections of an internal application's web api controller actions. Currently, we are using Windows Authentication and a custom role provider. When making ajax calls to the API, I would like to prevent the credentials prompt from showing up when the current user is not authorized to access the given api method. We have a custom authorization filter for our MVC controller actions (NOT WEBAPI), but am not having much luck in preventing that prompt from showing up when making AJAX calls to a webapi action.
Is it possible to just deny/grant access via an authorize attribute and prevent that annoying login prompt from showing up?
Related
I'm trying to use Google Authentication in a VS2015 solution with 2 Asp.Net projects:
an MVC App and
an MVC WebApi.
Logging in with a local username and password works fine. I get back a token after logging in with api/Token from the API and can use this on subsequent httpclient calls to api/xxxxxx methods decorated with [Authorize].
Now I want to add the option to log in with a Google account. I have have managed to get the call to Google working on the front end and get back an Owin.ExternalLoginInfo object, but of course calls to the api/methods fail with
unauthorized.
Can someone tell if it's possible to push that ExternalLoginInfo back to the API and have it be used for authentication in the backend?
I work on an application where I have a separate MVC layer and Web API Layer, both have the same authentication mechanism, I have chosen the individual accounts authentication option while adding the projects. The web api service layer will be directly accessed by some other mobile clients also.
But when the user logs in through MVC he should be able to access Web Api seamlessly, but I don’t want to really pass the username and password from MVC to the Web Api layer, I am told it is a bad practice. but i need to authenticate and authorize my user, so the only option i have thought of is to have a default account at Web API level to issue tokens, and this will be called from MVC post the authentication and a token will be returned which is written to a cookie in the client. Now the Ajax calls from the UI can use this bearer token and get the job done.
The only glitch I have here is that, because I am using a default account I need user details again for authorization at service level, though I am doing authorization at my UI level, the user can spoof the system. I was lost here and came up with a solution like, when the user logs in to MVC will send across user details also along with the call to get the WebAPI token and issue another token to the user so that the user uses both of the tokens to make a call to web api from MVC.
I am not sure if this works or if it is even the best way. I just wanted to check, how I should go from here. Any help on this will be really great.
This is a really good example of integration - I know they use Angular as the client but you can learn from this:
http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/
Check this section to see how they decouple the API from the front end (Part of the same article).
http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api/
I'm planning on making a restful web service using ASP.NET Web Api. A number of ASP.NET MVC web applications and possibly native apps will consume the service. The service will use ASP.NET Identity to authorise requests/users. I can see how I would use the service with native apps by passing a token with each request.
My issue is with any ASP.NET MVC apps that consume the service, how will I mark a user as logged in after making a request to the service?
Here's what I'd like, is it possible?
User isn't logged in, redirected to log in page
User submits form which calls MVC controller in the app
The controller makes a call to the web service
The web service returns the id, name and roles of the user (JSON maybe?)
This is where I'm stuck: The ASP.NET MVC web application then marks the user as logged in for the whole MVC web app. The role will be used in any authorize attributes on any controllers/actions. The ASP.NET MVC web app will also be able to remember the user via a cookie and log them in automatically in the future.
To set the cookie you just need:
FormsAuthentication.SetAuthCookie(USERNAME, true /*rememberMe*/);
This solve your authentication issue. Authorization - determining what a user can and cannot do - is another story. You need to cache the roles a user is in somewhere and check them as needed.
I have built a SPA application with Hot Towel (durandal) and I have problems to understand the authentication.
When I am loading data from my database how can I filter this data to the current logged in userid ?
thanks for help,
Best Reguards
If your SPA is calling asp.net of any kind on the back end you can still use Forms Auth cookies to secure your ajax endpoints and identify the user making the request. Depending on how SPA like you need it you can just use a standard aspx or mvc login page, then from there redirect the user to your SPA start page that calls your main.js and starts your SPA. All ajax calls you make to that site will have the Forms Auth cookie set and you can use it to verify the user making the request. Here is a link to standard forms auth. If you want handle the login process in durandal as well that can still be done, you just need to make your ajax endpoints for logging in and out to allow anonymous and then handle setting the forms auth cookie in them.
On the server-side, referencing User.Identity in the controller will get you the properties of the currently authenticated user. The question is, what form of authentication does your application use (Windows, Forms, Basic, Anonymous, etc.)?
I've created my first mvc 4 project using the web api template. I've configured CORS to restrict other sites from accessing my api directly into other websites. I use ajax to retrieve the data supplied by the api into a web page and that works well.
The address to my web api is http://www.xyz.com/webapi/ one of the actions is http://www.xyz.com/webapi/api/sales How can I prevent anyone from accessing /webapi and /webapi/api/sales and using the data (screen scraping) for their own use. I do not want any other service browser accessing the web api, just the ajax query that is present on another website that I've set up.
Thanks in advance!
Approach 1 - Get a Bearer Token
You could implement this - Individual Accounts in ASP.NET Web API
Here in this tutorial, the controllers are marked with [Authorize] and the following steps are followed.
Register a User
Authenticate and Get a Bearer Token
Send an Authorized Request
Approach 2 - Use a private API Key
You could use an api key with each of your web api calls and check on server side if the api key is valid if not return 401, Unauthorized. This api key could be saved in your web.config file.