
I have the following setup.

Two mobile apps communicating with an ASP.NET Web API 2 project, using token authentication. Each mobile client stores the token client-side, never the username and password.

I then have my web portal hosted in an ASP.NET MVC 5 project, which uses standard cookie authentication.

Now, in some cases my mobile apps need to load web pages from the MVC 5 web portal, for example our payment gateway page. But the client needs to be authenticated in order to load this page.

At the moment, when we show the user a web wrap of our web portal, it asks them to log in again. This is very bad UX.

How can I authenticate the client on the MVC site using my Web API token?

I'm imagining a function like this in the MVC site:

```csharp
public ActionResult LogInWithToken(string token)
{
    var user = GetUserFromToken(token);                     // helper still to be written
    var isAllowed = AuthenticateUserFromToken(user, token); // helper still to be written
    if (!isAllowed) return new HttpUnauthorizedResult();    // 401
    return CreateCookieForUser(user);                       // signs the user in and returns an ActionResult
}
```
Zapnologica
  • You can use a custom authorization attribute where you can check the request data and, if a token exists, validate the user. Check [here](https://msdn.microsoft.com/en-us/library/ee707357(v=vs.91).aspx) and search in this regard. – Siva Gopal Jun 19 '17 at 05:45
  • Possible duplicate: https://stackoverflow.com/questions/38661090/token-based-authentication-in-web-api-without-any-user-interface – Souvik Ghosh Jun 19 '17 at 05:50
  • @SivaGopal Yes, I can do that, but how do you decrypt the token? I still need a way to take the `string token` and get the user and timestamp from the token. – Zapnologica Jun 19 '17 at 16:04

1 Answer

Is the Web Api 2 application hosted in the same machine as the MVC 5 application?

If they are, you can manually deserialize the token to get the id of the user. See Extract User details from web api auth token in MVC.

From there, you can sign the user in via CookieAuthentication automatically.

If they are hosted in different machines, however, you would have to specify the same machine key in the projects' Web.Config files.

  • They are hosted on an Azure web service; design-wise I would like them to be able to scale horizontally, so I don't want to rely on them being on the same machine. The link you sent requires us to change the API token to use JWT. How can I do it using the standard API token? – Zapnologica Jun 19 '17 at 16:06
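As an added example (not code from the question or the answer), here is what the answer's shared-machine-key approach looks like for the standard OWIN bearer token the follow-up comment asks about. It assumes the Web API left `OAuthAuthorizationServerOptions.AccessTokenFormat` at its default (`TicketDataFormat` with the purposes shown), that both Web.config files carry the same `<machineKey>`, and it uses hypothetical names (`Startup.AccessTokenFormat`, a `Payment` controller).

```csharp
using System;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.DataHandler;
using Microsoft.Owin.Security.DataProtection;
using Owin;

public partial class Startup
{
    // Same purposes the OWIN OAuth server/bearer middleware use for their default
    // AccessTokenFormat, so tokens minted by the Web API can be unprotected here.
    // This only works across machines because both Web.config files share <machineKey>.
    public static ISecureDataFormat<AuthenticationTicket> AccessTokenFormat { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        AccessTokenFormat = new TicketDataFormat(
            app.CreateDataProtector("Microsoft.Owin.Security.OAuth", "Access_Token", "v1"));
        // app.UseCookieAuthentication(...) stays as in the existing MVC project
    }
}

public class AccountController : Controller
{
    // POST only: the bearer token belongs in the request body, not in a URL that
    // ends up in server logs, browser history and Referer headers.
    [HttpPost]
    public ActionResult LogInWithToken(string token)
    {
        AuthenticationTicket ticket = null;
        if (!string.IsNullOrEmpty(token))
            ticket = Startup.AccessTokenFormat.Unprotect(token); // null if tampered or wrong key
        if (ticket == null || ticket.Identity == null || !ticket.Identity.IsAuthenticated)
            return new HttpUnauthorizedResult();
        // The bearer middleware enforces expiry on the API side; Unprotect does not, so repeat it.
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value < DateTimeOffset.UtcNow)
            return new HttpUnauthorizedResult();
        // Re-issue the API identity's claims as this site's cookie identity.
        var cookieIdentity = new ClaimsIdentity(ticket.Identity.Claims,
            DefaultAuthenticationTypes.ApplicationCookie);
        HttpContext.GetOwinContext().Authentication.SignIn(
            new AuthenticationProperties { IsPersistent = false }, cookieIdentity);
        return RedirectToAction("Index", "Payment"); // hypothetical payment gateway page
    }
}
```

The mobile web view should POST the token to this action once and then follow the redirect; the resulting cookie session has its own lifetime, independent of the API token's.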