I have a website written in ASP.NET MVC. It's using ASP.NET Identity to authorize users to particular controller actions. It's using different claims on users (like roles). Now I need to write a mobile app which is supposed to do the same as my website does, so to avoid duplicating code I decided to move all the data access layer to a separate Web API (MVC 6) project so I can reuse the logic between applications. The question is: is there a way to somehow "reuse" the authorization I have in my MVC project, like generating and passing some token to Web API or something? Rewriting it from scratch would take too much time, which I don't have much of. Any answers/tips/articles would be appreciated.
Are you using forms authentication in your MVC? How are you building your mobile app? Are the views the same for both web and mobile, or how? – Karthik M R Apr 29 '16 at 09:10
Does it matter how I'm going to build my mobile app? It will be calling my API via HTTP to get data. Views are separated. Web API is handling only the logic layer. – MajkeloDev Apr 29 '16 at 10:07
Yes, Web API is only for getting the data, but how are you authenticating the user from your app? It has to be done in Web API. That is the reason I asked. We have used OAuth bearer tokens in our application to do authentication in Web API. Then any requests to get the data from Web API will be authenticated. – Karthik M R Apr 29 '16 at 10:32
1 Answer
Yes, but APIs do not generally use cookies, so you can configure Bearer Token authentication which your API can use. OWIN middleware will look after authenticating the token and populating the User principal in the same way that cookies are handled in MVC.
After that, you'll be able to handle authorization in the same way as your MVC controllers.

John Mc
An API can be consumed outside of a browser and therefore it is not suitable to rely on cookies to provide a means of verifying the identity. A bearer token serves the same purpose as a cookie and is sent to the API in the request header by the client. – John Mc Apr 29 '16 at 09:35
Yes, but this means that it depends on how you use it, and not that Web API is not using cookies – Vova Bilyachat Apr 29 '16 at 09:36
You would presumably want to build your API to support as many client integrations as possible, and would therefore not force the client to operate within a web browser. I have updated my answer to reflect this – John Mc Apr 29 '16 at 09:54
@JohnMc Thanks, I'll try Bearer tokens and let you know about the outcome :) – MajkeloDev Apr 29 '16 at 10:06
No problem. Just install the NuGet packages and add the configuration to Startup.Auth. If you have any problems I can share the config I use when I get home later – John Mc Apr 29 '16 at 10:09
It's not just Startup.Auth - it's not working with MVC6 anymore - I had to implement it on my own. Following http://stackoverflow.com/questions/29048122/token-based-authentication-in-asp-net-5-vnext/29698502#29698502 – MajkeloDev May 03 '16 at 09:54
I'm surprised to hear that. I have used it with MVC 4 and MVC 5 alongside Web API 2 and after installing the few NuGet packages was able to get it up and running with just some configuration. The link you added discusses vNext so is that the problem with having to "roll your own"? – John Mc May 03 '16 at 09:57
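
The configuration the answer describes, as an added example that is not from the answer's author or the asker's project: an OWIN `Startup.Auth` for Web API 2 that issues bearer tokens from the existing ASP.NET Identity store, so the token carries the same roles and claims as the MVC cookie. `ApplicationUserManager`, `IdentityTokenProvider`, `OrdersController`, the `/Token` path and the `Admin` role are assumptions; it targets the OWIN pipeline (MVC 5 / Web API 2), not ASP.NET 5 / MVC 6.

```csharp
// Added example for the OWIN pipeline (MVC 5 / Web API 2), not ASP.NET 5 / MVC 6.
// Assumption: ApplicationUserManager is the MVC site's existing Identity user manager,
// registered with app.CreatePerOwinContext. OrdersController and "Admin" are hypothetical.
using System;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new IdentityTokenProvider(),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false // a bearer token is a credential: HTTPS only
        });
        // Validates "Authorization: Bearer <token>" and populates the User principal.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}

public class IdentityTokenProvider : OAuthAuthorizationServerProvider
{
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        context.Validated(); // public client (mobile app), no client secret to check
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        var users = context.OwinContext.GetUserManager<ApplicationUserManager>();
        var user = await users.FindAsync(context.UserName, context.Password);
        if (user == null) { context.SetError("invalid_grant", "Invalid user name or password."); return; }
        // Builds the identity with the same roles and claims the MVC cookie carries.
        context.Validated(await users.CreateIdentityAsync(user, OAuthDefaults.AuthenticationType));
    }
}

public class OrdersController : ApiController
{
    [Authorize(Roles = "Admin")] // same attribute-based check as in the MVC controllers
    public IHttpActionResult Get() { return Ok(User.Identity.Name); }
}
```

The mobile client posts `grant_type=password` with the user's credentials to `/Token` over HTTPS and then sends the returned `access_token` in an `Authorization: Bearer` header on each API call.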