
A site authorizes through a separate system. Once the user is authorized, I want to store some additional information with their Auth cookie. I am able to do this using the code below.

```csharp
// Serialize the extra data that will travel in the ticket's UserData field.
var settings = new JsonSerializerSettings { ContractResolver = new CamelCasePropertyNamesContractResolver() };
var serialized = JsonConvert.SerializeObject(accountNumber, Formatting.None, settings);

// Build a non-persistent ticket that is valid for 15 minutes, then encrypt it.
var authTicket = new FormsAuthenticationTicket(1, "MyAuthTicket", DateTime.Now, DateTime.Now.AddMinutes(15),
    false, serialized);
var encTicket = FormsAuthentication.Encrypt(authTicket);

// Send the encrypted ticket back as the Forms authentication cookie.
var faCookie = new HttpCookie(FormsAuthentication.FormsCookieName, encTicket)
{
    HttpOnly = true,
};
Response.Cookies.Add(faCookie);
```

However, when I try to hit a WebAPI method marked with [Authorize], I get a 401 Unauthorized error. What am I missing?

Ryan Langton
  • Web API is stateless. It doesn't do anything with cookies. If you want to use `[Authorize]`, you must authenticate with each request. Now, how you go about that (passing a token, passing actual credentials, OAuth, etc.) is a different matter. This question may help: http://stackoverflow.com/questions/11775594/how-to-secure-an-asp-net-web-api/ – Chris Pratt Sep 25 '14 at 20:09
  • Not true, WebAPI can use Forms authentication (which is stored in an encrypted cookie) just like any ASP.NET application can (MVC and WebForms). – Ryan Langton Sep 25 '14 at 20:15

1 Answer


The following needs to be added to web.config:

```xml
<system.web>
    <authentication mode="Forms">
    </authentication>
    <!-- other stuff -->
</system.web>
```
Ryan Langton
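An added example (not code from the question or the answer) of the receiving side: once `mode="Forms"` is set, a Web API action can read the ticket's user data back from the request principal. It assumes Web API 2 hosted in IIS on System.Web, that `accountNumber` was a string when serialized, and the controller name is hypothetical.

```csharp
using System.Web.Http;
using System.Web.Security;
using Newtonsoft.Json;

// Hypothetical controller; assumes Web API 2 hosted in IIS (System.Web).
public class AccountController : ApiController
{
    [Authorize]
    public IHttpActionResult Get()
    {
        // With <authentication mode="Forms">, FormsAuthenticationModule decrypts and
        // validates the cookie (signature and expiry) and sets the request principal
        // to a FormsIdentity. Without it the principal stays anonymous and
        // [Authorize] answers 401 before this method runs.
        var identity = User.Identity as FormsIdentity;
        if (identity == null)
        {
            // Authenticated by some other scheme: there is no Forms ticket to read.
            return Unauthorized();
        }

        // UserData is the JSON string the login code placed in the ticket.
        var userData = identity.Ticket.UserData;
        if (string.IsNullOrEmpty(userData))
        {
            return BadRequest("Ticket carries no account data.");
        }

        // Assumption: accountNumber was serialized from a string.
        var accountNumber = JsonConvert.DeserializeObject<string>(userData);
        return Ok(new { accountNumber });
    }
}
```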