1

I'm building an application using backbone.js and web api. JS client will send ajax requests to access api. Building an API is pretty easy but i want to implement authentication and authorization for API.

I'm planning to return a token after a successful authentication and use this token for further requests. This token will be passed in HTTP Authorization headers. My requirements are as below 1) Verify token on each request and get user id. 2) Use fetched user id for further actions.

First bit can be handled using Custom action filter where the permanent token can be verified against the database. But i'm not able to find any sample or example for doing a second bit. I want to get a userid from a passed token and carry it further for later processing. Is there any way of doing it?

Waiting for suggestions or ideas. Any code sample will really help. Thanks in advance.

prashant
  • 2,181
  • 2
  • 22
  • 37
  • you can have a look at my answer here http://stackoverflow.com/questions/19269543/asp-net-web-api-for-user-authentication/19288696 – Rolfvm Oct 27 '13 at 20:47

2 Answers2

1

You can set Thread.CurrentPrincipal upon successful token verification like this:

IPrincipal principal = new GenericPrincipal(new GenericIdentity(username), null);

Thread.CurrentPrincipal = principal;
// if we're running in IIS...
if ( HttpContext.Current != null )
    HttpContext.Current.User = principal;

The principal might also be an instance of a custom class implementing the System.Security.Principal.IPrincipal interface (in order to be able to have its user ID associated).

I further suggest you use a DelegatingHandler instead of an action filter for the token verification in order to set the current principal as early as possible during the message lifecycle. Additionally, this way you don't have to decorate every action method/controller with the action filter attribute.

metalheart
  • 3,740
  • 1
  • 23
  • 29
  • :thanks...I will try this on http://stackoverflow.com/questions/1064271/asp-net-mvc-set-custom-iidentity-or-iprincipal.... – prashant Oct 28 '13 at 09:36
0

I highly recommend to use OAuth. Anyway, you can set the token and user info in session and use them in subsequent calls. i.e. if the session is active and user info exists then use them otherwise authorize and authenticate user (probably through OAuth) and if it is valid then store them in session to be used in subsequent calls.

Aidin
  • 2,134
  • 22
  • 26
  • 6
    Why should he use OAuth and how does that relate to this question? Just dropping a name like that without any further reason why really doesn't help anyone. – Karl-Johan Sjögren Oct 28 '13 at 06:58