
I am working with RESTful services and find Postman one of the best plugins to GET, POST and test APIs.

I find Basic Auth, No Auth, Digest Auth, OAuth and AWS in Postman. How do I test the Authorize controller and methods?

I am aware that the Authorize attribute checks User.Identity.IsAuthenticated.

I am not sure how to pass authorization on controllers and methods with specific roles, like below, using Postman:

[Authorize(Roles = "Admin, Super User")]

public ActionResult AdministratorsOnly()
{
    return View();
}

Here is my Startup file:

using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Startup.Auth.cs from the Web API 2 template; ApplicationDbContext,
// ApplicationUserManager and ApplicationOAuthProvider are the template's own classes.
public partial class Startup
{
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

    public static string PublicClientId { get; private set; }

    // For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
    public void ConfigureAuth(IAppBuilder app)
    {
        // Configure the db context and user manager to use a single instance per request
        app.CreatePerOwinContext(ApplicationDbContext.Create);
        app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

        // Enable the application to use a cookie to store information for the signed in user
        // and to use a cookie to temporarily store information about a user logging in with a third party login provider
        app.UseCookieAuthentication(new CookieAuthenticationOptions());
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Configure the application for OAuth based flow
        PublicClientId = "self";
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            // POST grant_type=password&username=...&password=... here to obtain a bearer token
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            // Template default; a 14-day bearer token is long-lived, so consider a shorter lifetime in production
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
            // In production mode set AllowInsecureHttp = false
            AllowInsecureHttp = true
        };

        // Enable the application to use bearer tokens to authenticate users
        // (registers both the authorization server and the bearer token middleware)
        app.UseOAuthBearerTokens(OAuthOptions);
    }
}
Chatra
  • What type of authentication provider is the web api using? – Marcus Höglund Mar 23 '17 at 13:11
  • Default authentication, which I assume is basic. I did not make any changes to Web API authentication – Chatra Mar 23 '17 at 13:14
  • Please share the Startup.Auth.cs or the startup class where the configuration of the auth provider is – Marcus Höglund Mar 23 '17 at 13:21
  • @MarcusH I posted my Startup.Auth.cs – Chatra Mar 23 '17 at 13:28
  • @chatra, it looks like you are using the Windows identity provider and using OAuth 2.0. And also you don't send roles when using Postman. Authorization is handled by the framework based on the user claim. Please let me know if I misunderstood your question – Yordan Mar 23 '17 at 13:55
  • @Yordan So, if we don't send roles when using Postman, how is authorization handled by the framework? I think I missed a Web API concept here. Can you please explain more? – Chatra Mar 23 '17 at 14:05
  • @chatra I have put up an explanation as an answer, don't hesitate if you seek further explanation – Yordan Mar 23 '17 at 14:56

2 Answers

1. Enable CORS in the web api

Attach the following to the IAppBuilder in the Startup.cs Configuration method (if you face trouble, read more here: How to make CORS Authentication in WebAPI 2?)

app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);

NuGet package here

2. Get a token via Postman


3. Use the token and get data from the web api

Note: The token response contains an access_token, which is the token, and a token_type, which is bearer. When used in a request, add them with a space between them as the value of the Authorization HTTP header. The auth server will parse the token and set User.Identity before the request hits the [Authorize] attribute in the requested controller.


Also, make sure that the ApplicationOAuthProvider adds the ClaimsIdentity that contains the current role(s) to the token. Otherwise the request will be denied. One way to test it is to just use the [Authorize] attribute without roles and see if Postman can access the controller then.

Marcus Höglund
  • Without the Authorize attribute, I am able to access the controller and methods from Postman. I am aware of CORS, I don't think my issue is with CORS – Chatra Mar 23 '17 at 14:06
  • @Chatra If you use just [Authorize] without the roles spec in it. Does it work? – Marcus Höglund Mar 23 '17 at 14:08
  • No, it doesn't work with just Authorize. I am not using an MVC controller at all, I am trying to call Web API only – Chatra Mar 23 '17 at 14:33
  • @Chatra And you have added the bearer token in the Authorization header when requesting the api from postman? – Marcus Höglund Mar 23 '17 at 18:55
  • This is quite an old post but I have a question to ask related to the post above. I know about Bearer and the token but my problem is that, if used in a browser, how do things work out, since you wouldn't be adding "Bearer" and the token in the browser. Does the browser automatically take care of all that? – Alf Moh Jun 15 '17 at 12:47
  • Hi @AlfMoh, usually you create an API request in a coding language, let's say JavaScript for example. Then you create your request and attach the bearer token as an HTTP header before sending it to the server. Browsers don't store information if you don't tell them to. – Marcus Höglund Jun 15 '17 at 12:49
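The two requests behind steps 2 and 3 of the answer above, written with HttpClient so that the wire format is explicit (the original screenshots did not survive). This is an added example, not code from the answer or from the ASP.NET template. It assumes the API listens on http://localhost:5000 (placeholder), that /Token is the endpoint configured in the question's Startup, that /api/AdministratorsOnly is a hypothetical Web API action carrying [Authorize(Roles = "Admin, Super User")], that the credentials are placeholders, and that Newtonsoft.Json (already referenced by the Web API 2 template) is available to parse the token response.

```csharp
// Added example: the Postman flow as code. Nothing here is from the question or the answers.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class PostmanFlow
{
    // Placeholder; the token endpoint only answers over plain http because the
    // question's Startup sets AllowInsecureHttp = true.
    private static readonly Uri BaseAddress = new Uri("http://localhost:5000/");

    // Step 2: the OWIN OAuthAuthorizationServer token endpoint implements the
    // resource owner password grant, so the body is form-urlencoded (not JSON)
    // and must carry grant_type=password plus username and password.
    public static async Task<string> GetTokenAsync(HttpClient client, string userName, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            { "grant_type", "password" },
            { "username", userName },
            { "password", password },
        });

        HttpResponseMessage response = await client.PostAsync("Token", form);
        string body = await response.Content.ReadAsStringAsync();
        if (!response.IsSuccessStatusCode)
        {
            // Wrong credentials come back as 400 with {"error":"invalid_grant", ...}
            throw new InvalidOperationException("Token request failed: " + body);
        }

        JObject json = JObject.Parse(body);
        string tokenType = (string)json["token_type"];     // "bearer"
        string accessToken = (string)json["access_token"];
        if (!string.Equals(tokenType, "bearer", StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException("Unexpected token_type: " + tokenType);
        }
        return accessToken;
    }

    // Step 3: send the token back as "Authorization: Bearer <access_token>".
    // The client never sends roles. The bearer middleware unprotects the token,
    // rebuilds the ClaimsIdentity (role claims included) and [Authorize(Roles = ...)]
    // checks that identity on the server.
    public static async Task<HttpStatusCode> CallProtectedAsync(HttpClient client, string accessToken)
    {
        var request = new HttpRequestMessage(HttpMethod.Get, "api/AdministratorsOnly"); // hypothetical action
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        HttpResponseMessage response = await client.SendAsync(request);
        return response.StatusCode;
    }

    public static void Main()
    {
        using (var client = new HttpClient { BaseAddress = BaseAddress })
        {
            string token = GetTokenAsync(client, "admin@example.com", "Password1!").GetAwaiter().GetResult(); // placeholders
            Console.WriteLine("access_token: " + token);

            // Expect 200 when the user carries an Admin or Super User role claim.
            // Web API 2's AuthorizeAttribute answers 401 both when the header is
            // missing and when the token is valid but lacks the required role.
            HttpStatusCode status = CallProtectedAsync(client, token).GetAwaiter().GetResult();
            Console.WriteLine("GET api/AdministratorsOnly: " + (int)status + " " + status);
        }
    }
}
```

Running the same two calls against an action decorated with a bare [Authorize] is the test the answer suggests: if that returns 200 and the role-restricted action returns 401, the token is accepted but carries no matching role claim, which points at the provider or at the user's role assignment rather than at Postman.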

It looks like you are using the Windows identity provider and using OAuth 2.0 (default for the Web API 2 template). And also you don't send roles when using Postman. Authorization is handled by the framework based on the user claim.

Explanation

When you authenticate with your username and password to the /Token endpoint, you will be issued a bearer token and a claim, which holds your identity information including your roles (more like your passport/ID). You will use your bearer token to access authorized resources and you will be granted or denied access based on the role associated with it.

How does it know?

In the database, ASP.NET Identity has automatically created the tables needed for users, roles, external logins etc. with the prefix AspNet when you first launched the application. What you need to do is create a user, create the roles and assign the user to the roles with the ASP.NET Identity provider. Then decorate your resource endpoints with the Authorize attribute and issue a request with Postman with only the bearer token (the one you get when you successfully log in to the /Token endpoint).

You can refer here for further explanation.

Yordan
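The server side of what the answer above describes, as an added example that is not code from either answer or from the ASP.NET template: seeding the roles and a user into the AspNet* tables, the part of the OAuth provider that puts the role claims into the issued identity, and a Web API action guarded by [Authorize(Roles = ...)]. It assumes the ApplicationDbContext, ApplicationUser and ApplicationUserManager classes generated by the Web API 2 template, the default WebApiConfig route (so the action answers at /api/AdministratorsOnly), and placeholder credentials; RoleAwareOAuthProvider is a hypothetical name, and the template's own ApplicationOAuthProvider already does the same claim work.

```csharp
// Added example: where the roles that Postman never sends actually come from.
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

public static class RoleSeeder
{
    // Run once, e.g. from Application_Start or a migration Seed method.
    // Writes to AspNetRoles, AspNetUsers and AspNetUserRoles through the Identity API.
    public static void Seed(ApplicationDbContext db)
    {
        var roleManager = new RoleManager<IdentityRole>(new RoleStore<IdentityRole>(db));
        var userManager = new UserManager<ApplicationUser>(new UserStore<ApplicationUser>(db));

        // The role names must match the [Authorize(Roles = "...")] strings exactly, including the space.
        foreach (string role in new[] { "Admin", "Super User" })
        {
            if (!roleManager.RoleExists(role))
            {
                roleManager.Create(new IdentityRole(role));
            }
        }

        const string userName = "admin@example.com";   // placeholder
        ApplicationUser user = userManager.FindByName(userName);
        if (user == null)
        {
            user = new ApplicationUser { UserName = userName, Email = userName };
            IdentityResult result = userManager.Create(user, "Password1!"); // placeholder password
            if (!result.Succeeded)
            {
                throw new System.InvalidOperationException(string.Join("; ", result.Errors));
            }
        }
        if (!userManager.IsInRole(user.Id, "Admin"))
        {
            userManager.AddToRole(user.Id, "Admin");
        }
    }
}

// Hypothetical provider showing only the grant that /Token uses for username/password.
public class RoleAwareOAuthProvider : OAuthAuthorizationServerProvider
{
    public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        // ApplicationUserManager is the per-request instance registered by CreatePerOwinContext in Startup.
        ApplicationUserManager userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // Surfaces to the client as HTTP 400 {"error":"invalid_grant", ...}
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // CreateIdentityAsync reads AspNetUserRoles through the UserStore and adds one
        // ClaimTypes.Role claim per role. That identity is serialized into the bearer
        // token, so the roles travel inside the token, not as a separate Postman field.
        ClaimsIdentity identity = await userManager.CreateIdentityAsync(user, context.Options.AuthenticationType);
        context.Validated(identity);
    }

    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        // The template's public client ("self") sends no client secret.
        if (context.ClientId == null)
        {
            context.Validated();
        }
        return Task.FromResult<object>(null);
    }
}

// A Web API controller (ApiController), not an MVC one: GET /api/AdministratorsOnly.
public class AdministratorsOnlyController : ApiController
{
    // The bearer middleware has already rebuilt User from the token by the time this runs;
    // the attribute only asks User.IsInRole("Admin") || User.IsInRole("Super User").
    [Authorize(Roles = "Admin, Super User")]
    public IHttpActionResult Get()
    {
        return Ok(new { message = "authorized", user = User.Identity.Name });
    }
}
```

If a user is added to a role after a token was issued, the old token still carries the old role claims until it expires (14 days with the question's settings), so request a fresh token from /Token after changing role assignments before retesting in Postman.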