3

I have an ASP.NET MVC project and a Web Api project (separate projects). Access to the database is fully realized through Web Api (including authorization and authentication). ASP.NET MVC is a client, Web Api is a server.

So, how do I correctly implement authorization and authentication in the ASP.NET MVC project (on the client side)? I have read a lot about how this is implemented in Web Api (through a token), but I cannot understand how to correctly use this token in ASP.NET MVC.

Write a wrapper for each request? I also do not know how to determine the user's role in ASP.NET MVC. Maybe there is some way to rewrite the standard ASP.NET MVC authorization methods to work with the Web Api token? Will the Authorize attributes on the ASP.NET MVC client side work? Please suggest an example of such an implementation if possible, or tell me how best to implement it.

marc_s
P_Soltys

3 Answers

0

I would recommend you use the OWIN interface to implement token-based authentication for Web Api and MVC. You should issue an authentication token in your Web Api and give both MVC and Web Api the ability to deserialize the token. You can find an example open source project here, which I developed, about how you can implement token-based authentication with OWIN for Web Api.

For MVC project, you should follow the same practice by using OWIN.

shriek
lucky
0

First of all, if you are not in production yet, it might be time to jump to .Net Core 2.x. It does not separate Web API and MVC under the hood, and it's up-to-date technology.

If, for some reason, you can't upgrade the framework, then yes, employ Microsoft.Owin, Microsoft.Owin.Security.OpenIdConnect and all the dependencies.

OIdC defines two types of tokens: the Identity token, describing a user, and the Authorization token, giving access to the API. There should be some Identity Provider in the system, authenticating users and authorizing clients (such as your MVC app). Such a provider could be external (Google, Office 365, etc.) or internal -- you can use the free Identity Server 4.x implementation and adjust it to fit your needs. You could even build the IdP into your app.

The flow for both .Net Core and Owin OIdC implementations should be identical:

  • You register all your apps (API and MVC) in the Identity Provider.
  • The user requests an MVC resource; the OIdC middleware redirects them to the IdP.
  • The IdP authenticates the user, issuing identity and access tokens.
  • MVC validates the Identity token and uses it to create a local authentication cookie, so the user becomes authenticated in the app.
  • The MVC controller calls some API and puts the access token, requested from the IdP, into the request.
  • The API validates the token and responds with the requested data.
d_f
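The flow above, as an added example that is not part of the answer or of any project it mentions: OWIN cookie plus OpenID Connect middleware in the MVC client, the access token kept in the cookie identity, and a controller that forwards it as a Bearer header. The IdP authority, client id, redirect and API URLs, the "api1" scope and the "access_token" claim name are placeholders.

```csharp
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);
        // Local cookie: this is what [Authorize] on MVC controllers checks on every request.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always
        });
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            Authority = "https://idp.example.invalid",        // placeholder IdP
            ClientId = "mvc-client",                           // placeholder client registration
            RedirectUri = "https://mvc.example.invalid/",
            ResponseType = "id_token token",   // implicit; prefer "code id_token" plus a back-channel exchange in production
            Scope = "openid profile roles api1",
            SignInAsAuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            // Map the IdP's "name"/"role" claims so User.Identity.Name and Roles= work in MVC.
            TokenValidationParameters = new TokenValidationParameters { NameClaimType = "name", RoleClaimType = "role" },
            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    // Store the access token in the cookie identity so controllers can reuse it.
                    n.AuthenticationTicket.Identity.AddClaim(new Claim("access_token", n.ProtocolMessage.AccessToken));
                    return Task.FromResult(0);
                }
            }
        });
    }
}

[Authorize(Roles = "Admin")] // enforced from the role claims carried in the local cookie
public class OrdersController : Controller
{
    public async Task<ActionResult> Index()
    {
        var token = ((ClaimsPrincipal)User).FindFirst("access_token").Value;
        using (var http = new HttpClient())
        {
            http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
            return Content(await http.GetStringAsync("https://api.example.invalid/orders"), "application/json");
        }
    }
}
```

The Web Api side only needs bearer-token validation against the same IdP; the MVC app never sees the user's password, and the token lives only in the server-side cookie identity.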
-1

The best way is to use Azure Active Directory authentication if Active Directory is configured for use with your application. You can get more info here.

Vishal Khatal