
I'm trying to access an ASP.NET Core (1.1.2) WebAPI from Angular (version 7) which uses cookie authentication. The backend for the Angular application uses ASP.NET Core 2.1.1 and JWT token authentication. Do I need to return the cookie in the response and if so, how? And how do I access/store that cookie from Angular? Both applications are currently hosted under localhost.

If the cookie is set by logging in manually (Login page from the Angular app which uses the WebAPI I'm trying to access) everything works fine. The login from the Angular app happens via a Razor HTTP form which generates an input for `__RequestVerificationToken`. What also works is setting the `src` attribute of an `<iframe>` to the WebAPI login request. Then the login works as well.

But if I try to do the login process directly from the Angular application (GET request with login data), the login process itself runs through, but the login doesn't seem to work, because no cookie has been set.

Request from Angular:

```typescript
loginToVtsWebConfig(loginUrl: string): Observable<HttpResponse<any>>  {
    return this.http.get<any>(loginUrl, { observe: 'response' });
}
```

This is what the request url looks like:

http://localhost:65204/SilentLogin?loginData=g7NfYz4%2fI5bbfPWEdsXoGYtcU8cpGprHaVr2c5m3H81nj6j4gE0YrxwmAyn8c%2ba1YLY55CwkKWP55gKict5J4g%3d%3d

Login at WebAPI which needs to be accessed:

```csharp
[HttpGet("SilentLogin")]
public async Task<IActionResult> SilentLogin([FromQuery] string loginData)
{
    if (string.IsNullOrEmpty(loginData))
    {
        return Unauthorized();
    }

    var loginModel = ExtractModelFromQuery(loginData);

    if (loginModel == null)
    {
        return NotFound();
    }

    return await Login(loginModel, null);
}
```

Sign in:

```csharp
HttpContext.Authentication.SignInAsync(CookieIdentifier, new ClaimsPrincipal(claimsIdentity), new AuthenticationProperties() { IsPersistent = true, ExpiresUtc = DateTimeOffset.UtcNow.AddDays(1) }).Wait();
```

What I'm trying to achieve is to log in to the WebAPI from Angular (and store the cookie) and access any WebAPI methods afterwards.

tommygeek
  • APIs don't use cookies. You need to send an `Authorization` header containing something like a bearer token along with each request that requires authorization. See: https://learn.microsoft.com/en-us/dotnet/standard/microservices-architecture/secure-net-microservices-web-applications/#authenticate-with-bearer-tokens – Chris Pratt Apr 08 '19 at 13:05
  • The requests are filtered by an ActionFilter, which checks whether claims exist for the current `HttpContext.User`. These claims get set as described above by calling `HttpContext.Authentication.SignInAsync`. So I'm trying to call the login method from the WebAPI for the cookie to be set. But I don't know how to send and retrieve the cookie to set it for further requests in Angular. – tommygeek Apr 08 '19 at 13:17
  • Again. You don't use cookies for this. The claims are on the `ClaimsPrincipal` that is created via authentication, regardless of the means of authentication. You don't have to use a cookie to have claims. Look at the link I posted. That is what you need to do. – Chris Pratt Apr 08 '19 at 13:21
  • If you successfully log in, a cookie will be issued and the browser will send that on every request, you don't have to do anything. – Sasan Apr 09 '19 at 17:33
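
An added example, not code from the question or the comments: a simplified model of the Fetch-standard rules a browser applies to a cross-origin GET like the `SilentLogin` call, showing when `Set-Cookie` is honoured and when script may read the response. The Angular origin `http://localhost:4200`, the response headers, the cookie value and the function names are assumptions constructed for illustration; SameSite, Secure and preflight handling are not modelled.

```javascript
// Simplified model of credentials mode + CORS check for a simple
// cross-origin GET (no preflight). Hypothetical helper names.
function originOf(url) {
  return new URL(url).origin; // scheme + host + port
}

function evaluateRequest({ pageOrigin, requestUrl, withCredentials, responseHeaders }) {
  const crossOrigin = originOf(requestUrl) !== pageOrigin;
  // XHR with withCredentials=false uses credentials mode "same-origin".
  const includeCredentials = !crossOrigin || withCredentials;
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;

  // Cookies are sent, and Set-Cookie is processed, only with credentials.
  const cookieStored = includeCredentials && 'set-cookie' in h;

  let responseReadable = true;
  if (crossOrigin) {
    const acao = h['access-control-allow-origin'];
    const acac = h['access-control-allow-credentials'];
    responseReadable = includeCredentials
      // Credentialed: exact origin (no wildcard) and Allow-Credentials: true.
      ? acao === pageOrigin && acac === 'true'
      // Uncredentialed: wildcard or exact origin is enough.
      : acao === '*' || acao === pageOrigin;
  }
  return { crossOrigin, cookiesSent: includeCredentials, cookieStored, responseReadable };
}

// Constructed sample input (assumed origin, headers and cookie value).
const base = {
  pageOrigin: 'http://localhost:4200',
  requestUrl: 'http://localhost:65204/SilentLogin?loginData=PLACEHOLDER',
  responseHeaders: {
    'Set-Cookie': 'auth=CONSTRUCTED; HttpOnly',
    'Access-Control-Allow-Origin': 'http://localhost:4200',
    'Access-Control-Allow-Credentials': 'true',
  },
};
// Request as posted: no withCredentials, so the 200 is readable but the cookie is dropped.
const asPosted = evaluateRequest({ ...base, withCredentials: false });
// Same request with { withCredentials: true } in the HttpClient options.
const withCreds = evaluateRequest({ ...base, withCredentials: true });
// Wildcard Allow-Origin fails the credentialed CORS check.
const wildcard = evaluateRequest({ ...base, withCredentials: true,
  responseHeaders: { ...base.responseHeaders, 'Access-Control-Allow-Origin': '*' } });
console.log({ asPosted, withCreds, wildcard });
```

A top-level navigation or an `<iframe>` load always includes credentials, which is consistent with the form and iframe logins described in the question setting the cookie.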
