
I work on an application where I have a separate MVC layer and a Web API layer; both have the same authentication mechanism, and I chose the individual accounts authentication option while adding the projects. The Web API service layer will also be directly accessed by some other mobile clients.

But when the user logs in through MVC he should be able to access the Web API seamlessly. I don't really want to pass the username and password from MVC to the Web API layer, as I am told it is a bad practice, but I need to authenticate and authorize my user, so the only option I have thought of is to have a default account at the Web API level to issue tokens. This will be called from MVC after the authentication, and a token will be returned which is written to a cookie on the client. Now the Ajax calls from the UI can use this bearer token and get the job done.

The only glitch I have here is that, because I am using a default account, I need the user details again for authorization at the service level. Though I am doing authorization at my UI level, the user can spoof the system. I was lost here and came up with a solution like this: when the user logs in to MVC, it will send across the user details along with the call to get the Web API token, and issue another token to the user, so that the user uses both tokens to make a call to the Web API from MVC.

I am not sure if this works or if it is even the best way. I just wanted to check how I should go from here. Any help on this will be really great.



This is a really good example of integration. I know they use Angular as the client, but you can learn from this:

http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/

Check this section to see how they decouple the API from the front end (part of the same article): http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api/

MichaelLake
  • Thanks for the input @MichaelLake. I finally followed https://wesleycabus.be/2014/06/adding-an-mvc-layer-on-top-of-a-web-api-backend/ and was able to successfully authenticate with a cookie-based solution. But when I tried to scale it across multiple Web API services featuring a single sign-on, it is not working out. I have posted the same in the other question. – Aditya M S K Jan 08 '16 at 14:39
  • You need to set the MachineKey in the web.config to be the same for every server. It affects the way the cookies are serialized / deserialized. http://stackoverflow.com/questions/3855666/adding-machinekey-to-web-config-on-web-farm-sites – MichaelLake Jan 08 '16 at 15:08
  • The machine key is exactly the same. I have compared the files with Beyond Compare too, and all seem the same except the latest version of the referenced packages. I am a bit skeptical now ... – Aditya M S K Jan 08 '16 at 17:17
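The MachineKey point raised in the comments, shown as an added example that is not from this post or the linked articles: with the implicit auto-generated key, each server protects auth cookies with its own key, so a cookie issued by one Web API site fails validation on the others; an explicit, identical `<machineKey>` in every site's web.config is what lets them accept each other's cookies. The key values below are placeholders, not real keys.

```xml
<!-- Default (implicit) setting: each server / app pool generates its own key.
     An auth cookie issued by server A cannot be validated or decrypted on
     server B, which is what breaks single sign-on across several Web API sites. -->
<system.web>
  <machineKey validationKey="AutoGenerate,IsolateApps"
              decryptionKey="AutoGenerate,IsolateApps" />
</system.web>

<!-- Corrected: one explicit key pair, copied byte-for-byte into the web.config
     of every MVC and Web API site that should trust each other's cookies.
     PLACEHOLDER values: generate real random keys (64-byte validation key as
     128 hex chars, 32-byte AES key as 64 hex chars) and keep them out of
     source control; a leaked key lets anyone forge auth cookies for every site. -->
<system.web>
  <machineKey validationKey="REPLACE_WITH_128_HEX_CHARS"
              decryptionKey="REPLACE_WITH_64_HEX_CHARS"
              validation="HMACSHA256"
              decryption="AES" />
</system.web>
```

Matching keys are necessary but not sufficient: the cookie name and, for sites on different hosts, the cookie domain set in the OWIN CookieAuthenticationOptions also have to agree, or the browser never presents the cookie to the other service in the first place.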