0

I am trying to write a Web API site with a Get method that is Authorized. The site is a default template site, using Individual Accounts. So it stores the username and password in a database. I am attempting to call this Web API site and pass along a username and password in a console application via HttpClient. I have tried several ways of going about this. I think* I have CORS enabled on my API site. I keep getting Unauthorized results. Here is the HttpClient code I am running. I feel like it is completely valid, and I think something needs to be configured to handle this username and password on the API side, but I am completely unsure how to go about it if that is the case.

using (var client = new HttpClient())
{
    var byteArray = Encoding.ASCII.GetBytes("sampleUser:Test123!");
    client.DefaultRequestHeaders.Authorization = new System.Net.Http.Headers.AuthenticationHeaderValue("Basic", Convert.ToBase64String(byteArray));

    client.BaseAddress = new Uri("http://localhost:15198/");
    client.DefaultRequestHeaders.Accept.Clear();
    client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));
    try
    {
        HttpResponseMessage response = await client.GetAsync("api/Query");
        if (response.IsSuccessStatusCode)
        {
            thing = response.Content.ToString();
        }
    }
    catch (HttpRequestException e)
    {
        var test = e.Message;
    }
}
sideshowbarker
jxmiller
  • Couple of comments: CORS only comes into play if you are making this request from *javascript* - since the console app is making the request, CORS shouldn't be a concern. Secondly, I hope you will move to **https** once this is in production - as you are essentially sending the password in cleartext (base64 encoded cleartext) – kaveman Sep 14 '16 at 20:59
  • Also, can you post a bit of the ApiController (and potentially the routing configuration you are using)? – kaveman Sep 14 '16 at 21:01
  • Without seeing your API code, there's not much to go on. Perhaps this page might give you some pointers? http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api – Simon B Sep 14 '16 at 21:15
  • It's just a default Web API project, I used individual account authentication, that's really it. That's why I didn't bother posting that code. I find examples of passing username password, but can't find anything as far as how to set up the API side. – jxmiller Sep 15 '16 at 02:14
  • The challenge is that "individual account authentication" doesn't really tell us how the auth process is supposed to work. With the 401 Unauthorized response, there should be a www-authenticate header that tells you what security scheme the server is expecting you to use. Does it say "basic"? – Darrel Miller Sep 21 '16 at 18:00
  • And as a side note, response.Content.ToString(); will not do what you expect. You need to do something like await response.Content.ReadAsStringAsync() – Darrel Miller Sep 21 '16 at 18:01
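
Darrel Miller's two comments above, as an added example (not code from the question or the answer): on a 401, read the `WWW-Authenticate` challenge to see which scheme the server expects, and read the body with `ReadAsStringAsync`. `StubApi`, `ServerAccepts` and the Bearer challenge are constructed stand-ins so the example runs offline; a real server's reply may differ.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

// Constructed stand-in for the API so the example runs offline: it rejects
// every request with 401 and a Bearer challenge (an assumed server reply).
class StubApi : HttpMessageHandler
{
    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var resp = new HttpResponseMessage(HttpStatusCode.Unauthorized)
        {
            Content = new StringContent("{\"Message\":\"Authorization has been denied for this request.\"}")
        };
        resp.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Bearer"));
        return Task.FromResult(resp);
    }
}

static class Program
{
    // True when the server's WWW-Authenticate challenges include the scheme we sent.
    static bool ServerAccepts(HttpResponseMessage response, string scheme) =>
        response.Headers.WwwAuthenticate.Any(c =>
            string.Equals(c.Scheme, scheme, StringComparison.OrdinalIgnoreCase));
    static async Task Main()
    {
        using (var client = new HttpClient(new StubApi()))
        {
            client.BaseAddress = new Uri("http://localhost:15198/");
            var sent = new AuthenticationHeaderValue("Basic",
                Convert.ToBase64String(Encoding.ASCII.GetBytes("sampleUser:Test123!")));
            client.DefaultRequestHeaders.Authorization = sent;
            HttpResponseMessage response = await client.GetAsync("api/Query");
            string body = await response.Content.ReadAsStringAsync(); // not Content.ToString()
            Console.WriteLine($"Status: {(int)response.StatusCode} {response.StatusCode}");
            foreach (var challenge in response.Headers.WwwAuthenticate)
                Console.WriteLine($"Server expects: {challenge.Scheme} {challenge.Parameter}");
            if (response.StatusCode == HttpStatusCode.Unauthorized && !ServerAccepts(response, sent.Scheme))
                Console.WriteLine($"Sent '{sent.Scheme}' but the server did not offer it.");
            Console.WriteLine($"Body: {body}");
        }
    }
}
```

To run it against a real API, construct `HttpClient` without the stub handler and keep the rest unchanged.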

1 Answer

0

You would need to impersonate and pass the credentials, assuming you're running Windows authentication on your server.

    using (new Impersonator(UserName, Domain, Pwd))
    {
        // ... HTTP request
    }

See thread

Community
fuzzybear