
Hi, I created an MVC SPA application with Individual Accounts enabled and am able to get the access token after the registration process.

I also created a Web API project with Individual Accounts enabled, and hosted both the MVC and API projects on localhost.

I tried to access the API from the MVC application with the bearer token saved in my session storage. It works fine as long as both projects are on localhost. I hosted the API project in Azure, and the API call always returns 'Unauthorized' if I try to access it from the localhost MVC app with the bearer token created by the web application.

Sample Code:

MVC Application:

    // Call the API hosted in Azure, sending the bearer token issued by the MVC app.
    $.ajax({
        url: 'https://azureapi/api/getProducts',
        headers: {
            'Authorization': 'Bearer ' + accesstoken,
            'Content-Type': 'application/json; charset=utf-8'
        },
        type: "POST", /* or type:"GET" or type:"PUT" */
        dataType: "json",
        data: JSON.stringify(model),
        success: function (result) {
            // handle the returned products
        },
        error: function (e) {
            debugger;
            console.log(e.responseText);
        }
    });

API Project:

    [Authorize]
    [Route("getProducts")]
    [HttpPost]
    public HttpResponseMessage GetProducts(ProductCriteria model)
    {
        // action body not shown in the question
    }

Enabled CORS in the Web API:

    // Configure Web API to use only bearer token authentication.
    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

    // Allow any origin, header and method (the asker's setting, shown as posted).
    var enableCORS = new EnableCorsAttribute("*", "*", "*");
    config.EnableCors(enableCORS);
DevExpress
  • Are the requests denied because of CORS (the preflight OPTIONS request doesn't pass) or are they rejected by your application backend code (e.g. access token validation)? – Ján Halaša Apr 11 '17 at 14:02
  • I don't have a clue. If I try to run the request in Fiddler, I get 'Unauthorized' even if I pass a valid bearer token in the Auth header; the same bearer token works if I host both the MVC and API solutions on my localhost. Do I need to add any settings in the web.config of the API? – DevExpress Apr 11 '17 at 14:23
  • You may need to ensure both sites share the same machineKey. – Chris Pratt Apr 11 '17 at 14:32
  • Thanks. But I thought machine keys were required if we enable Forms authentication. Is it applicable even if I go for Individual Auth? My web.config does not have Forms auth settings. – DevExpress Apr 11 '17 at 14:39
  • Thank you Chris. That worked. I just set up the same machine key in both web.config files. That did the magic!! – DevExpress Apr 11 '17 at 15:00

1 Answer

As Chris mentioned in his comment, to allow Site A to pass a token to Site B and Site B to 'verify' or 'authorise' it, both sites must share the same MachineKey.

I believe this can be set in both sites' Web.config files, but I've not tried it (for fear of breaking my site!).

There is a discussion here: How to set machineKey on Azure Website

I asked a similar question here as part of a bigger task: ASP.NET Identity 2.0 - Is the expiry timespan stored in the token & different sub-domains

scgough
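Added illustration of the fix that worked in the comments (this is not code from the question or the answer): when an ASP.NET 4.x OWIN application runs under IIS, Microsoft.Owin.Host.SystemWeb protects the bearer tokens with the site's machineKey, and Azure App Service generates its own key for each site unless one is set explicitly, so a token issued by the MVC site cannot be unprotected by the API site. Giving both Web.config files the same element closes that gap; the key values below are placeholders, not real keys.

```xml
<!-- Place the identical <machineKey> element inside <system.web> of BOTH
     the MVC app's Web.config and the API's Web.config.
     Placeholders: generate real keys (e.g. IIS Manager > Machine Key > Generate Keys,
     or any cryptographic random generator) and never reuse the sample text. -->
<configuration>
  <system.web>
    <machineKey
      validationKey="REPLACE_WITH_128_HEX_CHARS_64_RANDOM_BYTES"
      decryptionKey="REPLACE_WITH_64_HEX_CHARS_32_RANDOM_BYTES"
      validation="HMACSHA256"
      decryption="AES" />
  </system.web>
</configuration>
```

Keep the real values out of source control (an Azure App Service application setting or a deployment-time config transform is the usual place), because anyone holding the key can mint tokens that both sites accept.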