6

Currently, I have an MVC web application that sells widgets. A user logs into our system using forms authentication, and can then do various functions based on the group they belong to (i.e., Place an order, View an Order, Cancel an Order, etc.).

We've been tasked with writing an API that will give third parties the ability to create and view orders in our system. Each third party will have its own username and will be limited to certain API methods based upon the group they belong to.

We are looking at using Web API as a mechanism to provide the API. We would also like to be able to consume this API from our MVC web application. Unfortunately, we are running into issues with authentication for the Web API. Using a DelegatingHandler, we have implemented Basic Authentication over SSL for our Web API. This works great for our third parties. However, when trying to consume the API from our MVC application we are getting 401 access denied errors because the user was authenticated in the MVC app using Forms authentication, but we have no way of passing those credentials on to the Web API. Is there a way to pass the Forms Auth credentials from our MVC app to our Web API app?

IIS Setup: WebSite named WidgetStore with two web applications

  • WidgetStore\UI - uses forms authentication
  • WidgetStore\Api - uses basic authentication
j0k
user1686249
  • In order to solve your Forms/Basic auth problem, I'll suggest you read this great article from Dominick Baier: [Forms / Basic auth claims transformation](http://leastprivilege.com/2012/10/24/extensions-to-the-web-apimvc-formsbasic-auth-sample-claims-transformation-and-ajax/) – JuChom Nov 14 '12 at 16:48

1 Answer

9

> Is there a way to pass the Forms Auth credentials from our MVC app to our Web api app?

Sure, let's take for example the following MVC controller action calling the Web API:

```csharp
// Requires: System.Net, System.Net.Http, System.Web.Mvc, System.Web.Security
[Authorize]
public ActionResult CallWebApi()
{
    var baseAddress = new Uri("https://example.com");
    var cookieContainer = new CookieContainer();
    using (var handler = new HttpClientHandler() { CookieContainer = cookieContainer })
    using (var client = new HttpClient(handler) { BaseAddress = baseAddress })
    {
        // Forward the caller's forms authentication cookie to the Web API
        var authCookie = Request.Cookies[FormsAuthentication.FormsCookieName].Value;
        cookieContainer.Add(baseAddress, new Cookie(FormsAuthentication.FormsCookieName, authCookie));
        var result = client.GetAsync("/api/values").Result;
        result.EnsureSuccessStatusCode();

        // now you can read the result.Content ...
        return Content(result.Content.ReadAsStringAsync().Result);
    }
}
```

This assumes that you have also enabled forms authentication in the web.config of your Web API project and that the cookie name is the same as the one used in your MVC project.

Darin Dimitrov
  • Thanks for your response. But, if I enable FormsAuthentication in the web.config of my Web API project, third parties will not be able to authenticate. They use BASIC authentication to connect to the WebApi, and it will no longer work. Third parties won't have the FormsAuth cookie – user1686249 Sep 21 '12 at 14:57
  • But what does your basic forms authentication delegating handler look like? If it looks like this you won't have problems enabling forms authentication: http://stackoverflow.com/a/11536349/29407 – Darin Dimitrov Sep 21 '12 at 15:12
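
The comments above turn on whether one handler can serve both callers. As an added example (not code from the answer or from the linked post), here is a DelegatingHandler that accepts Basic credentials from third parties or the forms cookie forwarded by the MVC action. The class name and realm are hypothetical; it assumes .NET 4.5, configured membership and role providers, and the same forms cookie name and machineKey in both applications so the ticket can be decrypted.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Security;

// Added example, hypothetical handler. Assumption: providers and shared machineKey are configured.
public class BasicOrFormsAuthHandler : DelegatingHandler
{
    protected override Task<HttpResponseMessage> SendAsync(HttpRequestMessage request, CancellationToken ct)
    {
        string user = FromBasicHeader(request) ?? FromFormsCookie(request);
        if (user == null)
        {
            // Neither credential was valid: challenge for Basic and stop the pipeline.
            var denied = new HttpResponseMessage(HttpStatusCode.Unauthorized) { RequestMessage = request };
            denied.Headers.Add("WWW-Authenticate", "Basic realm=\"WidgetStore\"");
            return Task.FromResult(denied);
        }
        // Groups come from the role provider, so [Authorize(Roles = ...)] works for both callers.
        Thread.CurrentPrincipal = new GenericPrincipal(new GenericIdentity(user), Roles.GetRolesForUser(user));
        if (HttpContext.Current != null) HttpContext.Current.User = Thread.CurrentPrincipal;
        return base.SendAsync(request, ct);
    }
    private static string FromBasicHeader(HttpRequestMessage request)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || !"Basic".Equals(auth.Scheme, StringComparison.OrdinalIgnoreCase)) return null;
        try
        {
            var pair = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter ?? "")).Split(new[] { ':' }, 2);
            return pair.Length == 2 && Membership.ValidateUser(pair[0], pair[1]) ? pair[0] : null;
        }
        catch (FormatException) { return null; } // malformed base64
    }
    private static string FromFormsCookie(HttpRequestMessage request)
    {
        var cookie = request.Headers.GetCookies(FormsAuthentication.FormsCookieName).FirstOrDefault();
        if (cookie == null) return null;
        try
        {
            var ticket = FormsAuthentication.Decrypt(cookie[FormsAuthentication.FormsCookieName].Value);
            return ticket != null && !ticket.Expired ? ticket.Name : null;
        }
        catch (Exception) { return null; } // forged or undecryptable ticket: fail closed
    }
}
```

Register the handler in the Web API's `config.MessageHandlers`. It replaces a Basic-only handler rather than running alongside one.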