
I have several applications in my solution, and I want to share authentication between them. To simplify, let's say I have two WebAPI applications. I authenticate using the /Token endpoint and receive a Bearer token in return. Afterwards, I put this token in the Authentication: header.

Now, after logging in to WebAPI_1, I can get data from [Authorize]-decorated methods. But that doesn't work if I want to do the same in WebAPI_2.

Those WebAPIs are out-of-the-box VS2013 WebAPI 2.1 templates with ASP.NET Identity 2. Each one is set up individually, but they are connected to the same database.

How should I tackle this problem?

I plan to achieve a load-balanced architecture, where the client application (AngularJS) communicates with the WebAPI. I should then be able to duplicate the WebAPIs, and therefore the user should be authenticated across all of them.

wojciech_rak

3 Answers


The [Authorize] attribute does nothing more than check whether the current principal is authenticated.

How are the WebAPIs set up? Make sure your authentication middleware always runs before the WebAPI middleware. This is most likely your problem.

user3137652

If WebAPI_1, WebAPI_2, etc. all operate against the same database why are you hosting them on different web servers? If you just have one WebAPI web server it would be much easier to apply consistent authentication middleware.

If you have a load balanced architecture you should be able to add more instances of this single WebAPI server to handle request load demands.

Otherwise, if it's necessary to have WebAPI_1 and WebAPI_2 exist as separate web servers, you will need to implement your /Token endpoint such that all web servers can acquire tokens, probably on a separate web server, WebAPI_Token. Where is the /Token endpoint currently?

Trisk
  • Even if they are on the same web server, I thought OWIN middleware would just work, but it doesn't. Do you suggest creating another app just for authentication? – wojciech_rak Apr 14 '14 at 18:36
  • Yes, that's what I would recommend, but it seems like it works for WebAPI_1... right? If you answer the questions I asked I could give a better recommendation and understand why it doesn't work. – Trisk Apr 14 '14 at 18:50
  • Yes, it works for WebAPI_1. The `/Token` endpoint is in each API, as it is in the standard VS2013 template. Let's say that WebAPI_1 talks to the user, and WebAPI_2 communicates with services; in these services I want to be logged in as the user as well, to perform some actions on the user's behalf. – wojciech_rak Apr 14 '14 at 18:51
  • It sounds like the token needs to have some user information in it so you can track user actions against WebAPI_2, e.g. the client logs in and gets a token with user claims, creates a session, and can use that token to perform actions against WebAPI_2. – Trisk Apr 14 '14 at 19:33

You don't have to worry about the Authorize attribute; it simply makes sure there is an identity.

In your Startup.cs you should configure the API to use bearer tokens.

The client that generates the token and all the Web API servers must all use the same AccessTokenFormat (ISecureDataFormat<AuthenticationTicket>); otherwise they can't read the token you pass to them. Please keep in mind that decrypting a token doesn't always mean you can trust it; it's recommended that they are signed and verified, but that's a bit out of scope of Identity 2.0.

Startup.cs in the WebAPI project:

app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()
{
    // You can write your encryption however you want;
    // just implement ISecureDataFormat<AuthenticationTicket>.
    AccessTokenFormat = new SecureTokenFormatter("YourKeyIfThatsHowYouDesignIt")
});

Then, magic: your controllers will have an authenticated user.

**Edit:** I saw a few different examples of a formatter on Stack Overflow; google it.

William
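An added example (editor's code, not from any of the answers above) that puts the two points of the first and third answers into one Startup: the authentication middleware is registered before `UseWebApi`, and the token issuer (`/Token`) and the bearer middleware share one `AccessTokenFormat` built from the app-wide data protection provider, so a token minted by WebAPI_1 unprotects on WebAPI_2. It assumes the VS2013 template's `ApplicationOAuthProvider` and its `"self"` public client id are present; `SharedTicketFormat` and the purpose strings are introduced here and are not part of the template or of Katana.

```csharp
using System;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Added example: every Web API instance (the one answering /Token and every
// resource API behind the load balancer) runs this same Startup.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        var config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        // One TicketDataFormat, created once and handed to both middlewares.
        ISecureDataFormat<AuthenticationTicket> tokenFormat = SharedTicketFormat.Create(app);

        // Issuer side: /Token protects tickets with the shared format.
        // ApplicationOAuthProvider is the template's credential-validating provider (assumed present).
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            Provider = new ApplicationOAuthProvider("self"),
            AccessTokenFormat = tokenFormat
        });

        // Resource side: unprotect incoming Bearer tokens with the same format...
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AccessTokenFormat = tokenFormat
        });

        // ...and only then hand the request to Web API, so [Authorize] sees the
        // principal. Calling UseWebApi before the authentication middleware is the
        // ordering mistake the first answer describes: the token is never read.
        app.UseWebApi(config);
    }
}

public static class SharedTicketFormat
{
    // Constructed purpose strings. They are mixed into key derivation, so every
    // instance must use exactly these values or tokens will not round-trip.
    private static readonly string[] Purposes = { "WebApiCluster", "AccessToken", "v1" };

    public static ISecureDataFormat<AuthenticationTicket> Create(IAppBuilder app)
    {
        // Under IIS (Microsoft.Owin.Host.SystemWeb) this protector wraps ASP.NET's
        // <machineKey>. Give every instance the same explicit validationKey and
        // decryptionKey in web.config instead of AutoGenerate; otherwise each
        // machine derives its own key and WebAPI_2 rejects tokens minted by WebAPI_1.
        IDataProtector protector = app.CreateDataProtector(Purposes);

        // TicketDataFormat both encrypts and authenticates the serialized ticket,
        // which covers the "decrypting is not trusting" caveat in the answer above.
        return new TicketDataFormat(protector);
    }
}
```

Two operational notes. First, the shared key is what actually makes this work across machines: set an explicit `<machineKey>` with the same `validationKey` and `decryptionKey` in every instance's web.config (IIS Manager's Machine Key feature generates suitable random values), and treat those values as secrets, since anyone holding them can mint tokens every instance will accept. Second, if the APIs are self-hosted rather than run under IIS, Katana falls back to a DPAPI-based provider, whose keys are bound to the local machine account, so tokens will not round-trip between hosts; in that deployment you must install a shared `IDataProtectionProvider` via `app.SetDataProtectionProvider(...)` before the middleware is registered.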