I have questions about the architecture of ASP.NET Identity.

Here is my setup.

  1. Main solution - business, data, and Web API projects
  2. UI solution - MVC project to consume the Web API

I have implemented the identity on the Web API with authentication and authorization.

What I don't understand is how do I access all of the user.identity stuff from the UI, which is in the Web API service? Do I create a class to model the ApplicationUser/IdentityUser once they log in? It seems like there is duplication in the User class. To me, I know authorization is done in Web API, so I don't really need all the properties. But then, without a list of authorized actions, how does the UI display the authorized modules?

Does the UI only check if the user is authenticated to the UI and rely on the web service to authorize actions? I see this as the challenge with separating the MVC and Web API.

Jeremy Caney
kyc

1 Answer

Why are you separating Web API and MVC projects? Is there a specific reason you're doing that?

When you have two projects, one exposing Web API and one exposing a UI using MVC, you'll have two separate applications running on the web server, with separate contexts. Think about it as building an MVC UI application for a third-party web site that exposes web-based API services.

This means that the outer application (MVC) needs to authenticate to the inner application (Web API) on behalf of the user, and store the authorization token somehow, to make subsequent calls to the APIs. Not sure how you achieved this, but it can be done using a session variable (not a good idea), or an encrypted authorization cookie.

What the outer application knows about the logged-in user, is only what the user sends for authentication (like username or email) and the response returned from Web API authentication (which contains the token and expiration date). If you need to have more information in the outer (MVC) application, you'll have to either:

  • Customize the Web API authentication to include additional information - see AspNet Identity 2: Customize OAuth endpoint response

  • Add another service in your inner (Web API) application that returns any information that you might want about the logged-in user, and call it immediately after authenticating in the MVC application.

And you'll have to manage/keep the returned information in the outer application (MVC) on your own.

You might also want to set up a separate usage of ASP.NET Identity on your outer application (MVC) and use the inner application as an OAuth provider; but I don't think this is what you're after.

Anyway, I think you need to re-evaluate your architecture, and think about separating the Web API and MVC projects. If you're deploying both applications in the same place, this approach will not only add a large number of hassles (like managing the authorization that you're asking about), but it also means a whole lot more (unnecessary) work for the server, and lower performance. And I don't see any benefit you might be getting from such separation.

Community
Iravanchi
  • It's not necessarily any additional overhead. I routinely structure my solutions so that my model, Web API, and client applications are three distinct projects. The Web API and model projects are compiled into their respective DLLs, which are then referenced and configured by the client application; e.g., via `` in the `web.config` and a call to `GlobalConfiguration.Configure()` in the `global.asax.cs`. The approach doesn't necessitate the overhead of, for instance, having separate applications in IIS. Regardless, the OP's question is independent of their architecture. – Jeremy Caney May 12 '15 at 23:07
  • You're right, I also structure my code the same way, having MVC and Web API hosted in the same worker process. This won't cause the separation of identity definition. What I got from the question, is that the MVC application is consuming Web API methods remotely, and they have different request pipelines. – Iravanchi May 13 '15 at 06:30
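The flow the answer describes (the MVC application authenticates to the Web API on the user's behalf, fetches extra user information from a second service, and keeps both in an encrypted authentication cookie) could look like the following. This is an added example, not code from the question or the answer. It assumes the Web API exposes the password grant at `Token` as in the default Web API template, a hypothetical `api/account/profile` endpoint returning `{"roles": [...]}`, Json.NET, and OWIN cookie authentication already configured in the MVC project; the base address is a placeholder.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using Newtonsoft.Json.Linq;

public class ApiSignInService
{
    // Placeholder address of the inner Web API; HTTPS, since credentials and tokens cross this link.
    private static readonly HttpClient Api = new HttpClient { BaseAddress = new Uri("https://api.example.test/") };

    public async Task<bool> SignInAsync(IAuthenticationManager auth, string userName, string password)
    {
        // 1. Exchange the user's credentials for a bearer token (assumed endpoint: Token).
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password", ["username"] = userName, ["password"] = password
        });
        var tokenResponse = await Api.PostAsync("Token", form);
        if (!tokenResponse.IsSuccessStatusCode) return false;
        var token = JObject.Parse(await tokenResponse.Content.ReadAsStringAsync());
        var accessToken = (string)token["access_token"];
        var lifetime = TimeSpan.FromSeconds((int)token["expires_in"]);

        // 2. Ask the API what it knows about this user (hypothetical endpoint and response shape).
        var request = new HttpRequestMessage(HttpMethod.Get, "api/account/profile");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        var profileResponse = await Api.SendAsync(request);
        if (!profileResponse.IsSuccessStatusCode) return false;
        var profile = JObject.Parse(await profileResponse.Content.ReadAsStringAsync());

        // 3. Keep token and roles as claims; the cookie middleware encrypts and signs them.
        var identity = new ClaimsIdentity(DefaultAuthenticationTypes.ApplicationCookie);
        identity.AddClaim(new Claim(ClaimTypes.Name, userName));
        identity.AddClaim(new Claim("access_token", accessToken));
        foreach (var role in profile["roles"] ?? new JArray())
            identity.AddClaim(new Claim(ClaimTypes.Role, (string)role));

        // 4. Let the MVC cookie expire no later than the API token it carries.
        auth.SignIn(new AuthenticationProperties
        {
            IsPersistent = false,
            ExpiresUtc = DateTimeOffset.UtcNow.Add(lifetime)
        }, identity);
        return true;
    }
}
```

The role claims only decide which modules the MVC views render (for instance through `User.IsInRole`); each Web API call still carries the `access_token` claim as a bearer token and is authorized by the API itself.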