0

In most cases, I have used AD to lock down applications through IIS. In this case, I need to create an MVC application that will have some Web API controllers and authentication and authorization (roles). I was looking to try to use a Stack Overflow suggestion that I have found in several other posts.

https://identityserver.github.io/Documentation/docs/overview/mvcGettingStarted.html

Most of the answers that I have seen on Stack Overflow reference the above link, for example "Implementing Authentication and role based authorization in ASP.NET MVC web API service and MVC client architecture".

The question that I have for the community that has experience with adding authentication/authorization to a combined Web API/MVC project is whether the Identity Server approach listed above is the best solution for this scenario, and whether there are other resources that I should also look at.

Brandi
  • Or you can just use asp.net identity http://www.asp.net/identity, everything just works out of the box. – Chirdeep Tomar Apr 20 '16 at 16:13
  • I looked at asp.net/identity and found many examples of where it was used for either web api or for mvc but I am having trouble finding an example of how to have the users authenticate once through an mvc identity page and then have that authentication also work with web api. – Brandi Apr 20 '16 at 16:56
  • I do see this post but I am not really sure if it answers the question http://stackoverflow.com/questions/23137892/angularjs-asp-net-web-api-asp-net-mvc-authentication/23539408#23539408 – Brandi Apr 20 '16 at 17:01

1 Answer

1

From your requirements (authenticate to use an MVC site and then be authorized to use a Web API) you'll need an OpenID Connect Provider such as Identity Server 3 (aka a Security Token Service (STS), an Authorization Server, etc). Basically something trusted by both the MVC site and the Web API.

The basic flow of things here is that your users will authenticate using OpenID Connect on your MVC site, after which they can get an access token to authorize access to the Web API using OAuth.

The mentioned tutorial is the best way to start. Near the end it takes you through how to access the API on behalf of the user.

ASP.NET Identity is a user/identity store. It does not add authentication or authorization to your application.

Scott Brady
  • Thank you Scott. I looked at your profile and you seem well versed in this topic based on your Q/A. I am going to choose this as the answer and proceed forward with attempting to use identity server 3. Wish me luck! – Brandi Apr 20 '16 at 18:50
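
The flow described in the answer above, sketched as OWIN startup code for the two applications. This is an added example, not code from the original posts or from the IdentityServer project; the URLs, the client id `mvc`, the scope `sampleApi` and the class names are assumed placeholders.

```csharp
// Added example. Placeholders (assumed): authority URL, redirect URI, client id "mvc",
// API scope "sampleApi", and the class names MvcStartup / ApiStartup.
using System.Security.Claims;
using System.Threading.Tasks;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

// MVC site: users sign in through the OpenID Connect provider.
public class MvcStartup
{
    public void Configuration(IAppBuilder app)
    {
        // Local session cookie that the OpenID Connect middleware signs into.
        app.UseCookieAuthentication(new CookieAuthenticationOptions { AuthenticationType = "Cookies" });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://sts.example.test/identity",
            ClientId = "mvc",
            RedirectUri = "https://mvc.example.test/",
            ResponseType = "id_token token",          // identity token plus API access token
            Scope = "openid profile roles sampleApi", // scopes must be defined on the provider
            SignInAsAuthenticationType = "Cookies",
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    // Keep the access token so controllers can call the API as the user.
                    n.AuthenticationTicket.Identity.AddClaim(
                        new Claim("access_token", n.ProtocolMessage.AccessToken));
                    return Task.FromResult(0);
                }
            }
        });
    }
}

// Web API (separate project): trusts the same provider and validates its bearer tokens.
public class ApiStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://sts.example.test/identity",
            RequiredScopes = new[] { "sampleApi" } // reject tokens not issued for this API
        });
    }
}
```

Controllers in either project can then be protected with `[Authorize]`; the MVC site sends the stored `access_token` claim in an `Authorization: Bearer` header when it calls the API.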