
I have an ASP.NET MVC4 application project. I also added Web API to my project by creating an ApiController. I have Forms Authentication for MVC and Basic Authentication (Thinktecture) for Web API.

I noticed that in ApiController `[Authorize]` works well, but `[Authorize(Roles="")]` never lets methods be invoked. I think the reason is that in MVC Controller descendants both statements `User.IsInRole("")` and `Roles.IsUserInRole(User.Identity.Name, "")` return true, but in ApiController descendants the first statement is always false, while the second returns true if the user has the role:

    bool booool1 = User.IsInRole("Radiolog");                               // false in ApiController, true in MVC Controller
    bool booool2 = Roles.IsUserInRole(User.Identity.Name, "Radiolog");      // true in both (asks the role provider directly)

Here is my web.config configuration:

    <add key="enableSimpleMembership" value="false" />
    <add key="autoFormsAuthentication" value="false" />
    ...
        <roleManager cacheRolesInCookie="false" defaultProvider="CustomRoleProvider" enabled="true">
          <providers>
            <clear />
            <add name="CustomRoleProvider" type="RisSystem.Services.CustomRoleProvider" />
          </providers>
        </roleManager>
        ...
        <authentication mode="Forms">
          <forms loginUrl="~/Account/Login" timeout="2880" />
        </authentication>

In ApiController methods I am authenticating with `client.DefaultRequestHeaders.Authorization = new BasicAuthenticationHeaderValue(login, password);` (Thinktecture) and with FormsAuthentication in the MVC Controller.

Authentication for Web API is set up in WebApiConfig.cs in the `Register(HttpConfiguration config)` function:

        var authConfig = new AuthenticationConfiguration();
        authConfig.AddBasicAuthentication((userName, password) => AuthenticationService.ValidateUser(userName, password));
        config.MessageHandlers.Add(new AuthenticationHandler(authConfig));

Q: How to get the Authorize attribute with Roles to work in ASP.NET Web API

  • The problem is that under your MVC request, the `User` is of type `RolePrincipal` and the `IsInRole` is evaluated correctly using your role manager. However, your WebAPI seems to use some other authentication module and the `User` is of some other type (`ClaimsPrincipal`? `WindowsPrincipal`?). What you show ("I am authenticating") looks like client authentication, you don't show what happens on the server. First, check what's the type of `User` under your WebAPI request and come back with more details. – Wiktor Zychla Mar 27 '15 at 08:31
  • `Microsoft.IdentityModel.Claims.ClaimsPrincipal` is the `User` type. Moreover I think the solution for my problem is here http://stackoverflow.com/a/25587270/3243859, but in my Thinktecture library there is no `AddBasicAuthorization()` overload taking a delegate for the user's roles :( – Sebastian Xawery Wiśniowiecki Mar 27 '15 at 09:14
  • Yes, this would be the solution. The `ClaimsPrincipal` supports roles, too, but assuming roles are somehow provided there. – Wiktor Zychla Mar 27 '15 at 10:45
  • The API seems to be there: https://github.com/IdentityModel/Thinktecture.IdentityModel/blob/cda89ad369d19c87f5f3414246be57c450332756/source/WebApi.AuthNHandler/AuthenticationConfigurationExtensionsCore.cs – Wiktor Zychla Mar 27 '15 at 10:51
  • I don't know why, I don't have those extension methods in the file installed with NuGet... – Sebastian Xawery Wiśniowiecki Mar 27 '15 at 12:52
  • Have you added `using ...` the namespace where the extension is defined? – Wiktor Zychla Mar 27 '15 at 17:16
  • There's no Thinktecture.IdentityModel.WebApi.Authentication.Handler namespace in the library... – Sebastian Xawery Wiśniowiecki Mar 30 '15 at 07:06
  • It is there, you just miss a proper nuget package. Try this one: http://www.nuget.org/packages/Thinktecture.IdentityModel.WebApi.AuthenticationHandler/ – Wiktor Zychla Mar 30 '15 at 07:52
  • The screenshot taken from my VS a minute ago: http://s28.postimg.org/tpr1l7app/thinktecture.png – Wiktor Zychla Mar 30 '15 at 07:55
  • The reason is .NET 4.0 in my project... – Sebastian Xawery Wiśniowiecki Mar 30 '15 at 13:07
  • That means you have your answer. – Wiktor Zychla Mar 30 '15 at 18:01
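The diagnosis in the comments is that `AuthorizeAttribute` calls `User.IsInRole`, which on a `ClaimsPrincipal` only looks at role claims, and the Thinktecture handler builds the principal without any, whereas `Roles.IsUserInRole` asks the configured `CustomRoleProvider` directly. As an added example that is not part of the question or of Thinktecture's code, the message handler below copies the role provider's roles into role claims after Basic Authentication has run. It assumes the project targets .NET 4.5 (`System.Security.Claims`; on .NET 4.0 the types live in `Microsoft.IdentityModel.Claims` and the names differ) and that the class name `RoleClaimsHandler` is hypothetical.

```csharp
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Security;

// Hypothetical handler (not from Thinktecture): registered AFTER Thinktecture's
// AuthenticationHandler, it enriches the already-authenticated ClaimsPrincipal with
// role claims taken from the ASP.NET RoleProvider configured in web.config, so that
// ClaimsPrincipal.IsInRole and therefore [Authorize(Roles = "Radiolog")] work.
public class RoleClaimsHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var principal = Thread.CurrentPrincipal as ClaimsPrincipal;
        var identity = principal == null ? null : principal.Identity as ClaimsIdentity;

        // Only enrich principals that Basic Authentication actually authenticated.
        // Anonymous requests keep an empty identity, so [Authorize] still rejects them.
        if (identity != null && identity.IsAuthenticated && !string.IsNullOrEmpty(identity.Name))
        {
            // Same lookup Roles.IsUserInRole performs: goes to CustomRoleProvider.
            foreach (var role in Roles.GetRolesForUser(identity.Name))
            {
                // Use the identity's own RoleClaimType, because that is the claim
                // type ClaimsPrincipal.IsInRole searches for.
                if (!identity.HasClaim(identity.RoleClaimType, role))
                {
                    identity.AddClaim(new Claim(identity.RoleClaimType, role));
                }
            }
            // The identity object is mutated in place, so the principal already
            // held by Thread.CurrentPrincipal / HttpContext.Current.User sees the claims.
        }

        return base.SendAsync(request, cancellationToken);
    }
}

// In WebApiConfig.Register, after the existing Thinktecture registration:
//   config.MessageHandlers.Add(new AuthenticationHandler(authConfig));
//   config.MessageHandlers.Add(new RoleClaimsHandler());   // order matters
```

Registering the handler before `AuthenticationHandler` would make it run on an anonymous principal and add nothing, which is the symptom the question describes.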
