13

I have created an ASP.NET Web API and applied the Authorize attribute to the API controller. Now, I want to test it using Postman but I am getting an authorization error.

Controller code is:

[Authorize]
[HttpPost]
public IHttpActionResult Attend([FromBody] int gigId)
{
    var attendance = new Attdendance
    {
        GigId =  gigId,
        AttendeeId = User.Identity.GetUserId()
    };

    _context.Attdendances.Add(attendance);
    _context.SaveChanges();
    return Ok();
}

My request looks like this http://prntscr.com/c8wz0b

I am using this advanced Postman REST client http://prntscr.com/c8xafd

How do I pass authorization in Postman?

mohabbati
Asif Hameed
  • https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-call-a-web-api-with-postman?tabs=dotnet6&pivots=no-api#configure-an-authorized-request-to-the-web-api-in-postman – XoXo Aug 18 '23 at 18:00

3 Answers

16

EDIT 23/08/2016: I presume you are using cookie authentication with Identity.

// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an external login to your account.  
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.FromMinutes(30),
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
    }
});

This is the default configuration with identity in Visual Studio. I can argue why it is not a good option for security but that's not the point.

You can go with it in "Postman", but it's tricky. This is how I do it:

  1. Make a request to your login page.

  2. Get the anti-forgery token in the form.

  3. Make a POST request to the login page with these POST params as form data.

Now your Postman has the authentication cookie and you can request the Web API with the [Authorize] tag.

EDIT

For the tool, you have to add an authorization header.

  • Go in the Headers form
  • Add the HTTP header "authorization"
  • Click on the edit button et voilà ;)


Previous answer deleted

mohabbati
Mathieu
  • This is for Basic authentication; after that, it depends on your authentication mechanism – Mathieu Aug 22 '16 at 15:22
  • I am using Identity. I used above approach but still get authentication error like this http://prntscr.com/c908zb – Asif Hameed Aug 22 '16 at 17:41
  • 2
    I added a method to go with cookie authentication. You have to do that every time your authentication session goes down. I suggest you switch to token-based authentication if you have to use your Web API from a phone application, for example. Maintaining cookies in a phone app is a mess ;) – Mathieu Aug 23 '16 at 09:00
  • Thanks a lot for such detailed answer. It worked. You rock! – Asif Hameed Aug 23 '16 at 11:15
  • Thanks! Someone helped me, so now I try to pay my dues as I can :) – Mathieu Aug 23 '16 at 12:31
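Added example, not part of the original answers or comments: the three cookie-login steps from the answer above as a Python script, so the flow can be repeated without clicking through Postman. It assumes the default MVC template names (`__RequestVerificationToken`, `Email`, `Password`, `RememberMe`, the `.AspNet.ApplicationCookie` cookie); `login_and_call`, `api_path` and the sample HTML are constructed for illustration.

```python
import urllib.parse
import urllib.request
from html.parser import HTMLParser
from http.cookiejar import CookieJar

TOKEN_FIELD = "__RequestVerificationToken"  # hidden field emitted by @Html.AntiForgeryToken()
AUTH_COOKIE = ".AspNet.ApplicationCookie"   # assumed: default cookie name for ApplicationCookie

# Constructed sample of a login form, used only to exercise the parser offline.
SAMPLE_LOGIN_HTML = """<form action="/Account/Login" method="post">
<input name="__RequestVerificationToken" type="hidden" value="CONSTRUCTED-TOKEN-123" />
<input name="Email" type="text" /><input name="Password" type="password" /></form>"""

class _HiddenInputs(HTMLParser):
    """Collect name -> value for every hidden <input> in the page."""
    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

def extract_token(login_html):
    parser = _HiddenInputs()
    parser.feed(login_html)
    if TOKEN_FIELD not in parser.fields:
        raise ValueError("login page has no anti-forgery token field")
    return parser.fields[TOKEN_FIELD]

def build_login_body(token, email, password):
    # Email/Password/RememberMe are assumed field names (default MVC template).
    fields = {TOKEN_FIELD: token, "Email": email, "Password": password, "RememberMe": "false"}
    return urllib.parse.urlencode(fields).encode()

def login_and_call(base_url, email, password, api_path, json_body):
    jar = CookieJar()  # holds the anti-forgery cookie from step 1 and the auth cookie from step 3
    opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    login_url = base_url + "/Account/Login"
    token = extract_token(opener.open(login_url).read().decode("utf-8", "replace"))  # steps 1-2
    opener.open(login_url, data=build_login_body(token, email, password))            # step 3
    if not any(c.name == AUTH_COOKIE for c in jar):
        raise PermissionError("login did not set the authentication cookie")
    req = urllib.request.Request(base_url + api_path, data=json_body.encode(),
                                 headers={"Content-Type": "application/json"})
    with opener.open(req) as resp:  # the jar attaches the auth cookie to the API call
        return resp.status
```

A failed login re-renders the form with HTTP 200, so the script checks for the authentication cookie rather than the status code before calling the `[Authorize]` action.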
4

For Postman Windows App 4.6.0:

  1. Select your request from your request collection
  2. Go to the "Authorization" tab
  3. Choose an appropriate "Type", e.g. "Basic Auth"
  4. Enter "Username" and "Password"
  5. Click "Update Request"
Georg Patscheider
  • Sorry I am using other post man (https://chrome.google.com/webstore/detail/advanced-rest-client/hgmloofddffdnphfgcellkdfbfbjeloo) – Asif Hameed Aug 22 '16 at 14:06
  • not even in settings. http://prntscr.com/c8xorb I am using advance postman rest client not Postman Windows App 4.6.0 – Asif Hameed Aug 22 '16 at 14:34
  • Sorry, I am not familiar with Advanced REST client. But it looks like you can set custom headers. Maybe you can set the "Authorization" header by hand. Also have a look at [How to send a correct authorization header for basic authentication](http://stackoverflow.com/questions/18264601/how-to-send-a-correct-authorization-header-for-basic-authentication) which suggests including the username and password in the URL. – Georg Patscheider Aug 22 '16 at 15:14
0

In addition to the answer posted by Mathieu, I had to install the Interceptor extension for Postman (https://www.getpostman.com/docs/interceptor_cookies, https://www.getpostman.com/docs/capture) to capture the cookies. After that it worked.