
I have implemented JWT authentication/authorisation in the API part of my application. I also have an ASP.NET Core MVC website that I would like to authenticate with. Is it possible to use the JWT token from the API to authenticate with the website? I would like to prevent users from going to specific locations unless they are authorised, and redirect to the login page if not. All examples I have found show how to do this with either the API (JWT) OR the MVC website (cookies), but not both at the same time.

Dour High Arch
Peter

1 Answer


Having both handle authentication/authorization does not make sense to me.

Why authenticating with both the MVC app and the Web API does not make sense

If you want both your API and your MVC web app to handle authentication and authorization, both your MVC app and your API need the ability to verify the token they receive and check the roles the user has. This would mean you will need to duplicate all the authentication/authorization logic your authentication API has, and it would make your API redundant, because using the API only to create a token does not make much sense when your MVC app would be handling verifying the token.

Recommendation:

Whenever a protected resource is called on your MVC web app, pass the token from your MVC app to your authentication API to verify whether the user is authorized to access this resource. If the response from your authentication API is 401 or 403, handle them appropriately (redirect to login). If the response is 200 OK, then display the resource.

Essentially you need to pass the JWT through to the authentication API for every request that requires authentication, and your MVC web app reacts based on the status code returned from the authentication API.

Possible implementation

A custom authentication handler could be a good place to handle this. You can do this by overriding the HandleAuthenticateAsync method in AuthenticationHandler

and then registering your custom authentication and authorisation class in Startup. Here is a quick sample of how it would look.

using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

public class MyCustomAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    private readonly IHttpClientFactory _httpClientFactory;

    // The constructor must carry the class name (the original snippet named it PlatformAuthenticationHandler)
    public MyCustomAuthenticationHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IHttpClientFactory httpClientFactory)
        : base(options, logger, encoder, clock)
    {
        _httpClientFactory = httpClientFactory; // injected so the handler can call the authentication API
    }

    protected override async Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // Forward the JWT to your API (cookie name "jwt", client name "AuthApi" and path "verify" are placeholders)
        if (!Request.Cookies.TryGetValue("jwt", out var token))
            return AuthenticateResult.NoResult();
        var client = _httpClientFactory.CreateClient("AuthApi");
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var response = await client.GetAsync("verify");
        // 401/403 from the API => AuthenticateResult.Fail; 200 OK => AuthenticateResult.Success
        if (!response.IsSuccessStatusCode)
            return AuthenticateResult.Fail("Authentication API rejected the token");
        var principal = new ClaimsPrincipal(new ClaimsIdentity(Scheme.Name));
        return AuthenticateResult.Success(new AuthenticationTicket(principal, Scheme.Name));
    }
}

This is the doc for authorization:

https://learn.microsoft.com/en-us/aspnet/core/security/authorization/iauthorizationpolicyprovider?view=aspnetcore-3.1

Kevin
  • Thanks for your answer. I guess I come from an aspx background, where you have built-in authentication/redirects to login etc. But I do want an API setup for use with an app, and wondered if it was possible to have some kind of shared authentication. So I guess there will be some manual client-side work for me to do. Thanks again. – Peter Feb 27 '20 at 14:48
  • I updated my answer to provide more info on a possible implementation. It might be helpful for you. I just took the snippet from the question in https://stackoverflow.com/questions/58363002/custom-authenticationhandler-not-working-in-asp-net-core-3 because I don't have my own sample to send you right now – Kevin Feb 27 '20 at 16:13
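To wire the handler into the MVC app and get the redirect to the login page the question asks for, here is an added example (not from the answer or the linked question). It assumes the handler takes an IHttpClientFactory and that the login page is at /Account/Login; the scheme name "ApiJwt", client name "AuthApi" and API address are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Text.Encodings.Web;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;

// Derives from the answer's handler (assumed to take an IHttpClientFactory) so that a failed
// check sends the browser to the login page (assumed to be /Account/Login) instead of a bare 401.
public class LoginRedirectHandler : MyCustomAuthenticationHandler
{
    public LoginRedirectHandler(IOptionsMonitor<AuthenticationSchemeOptions> options,
        ILoggerFactory logger, UrlEncoder encoder, ISystemClock clock, IHttpClientFactory http)
        : base(options, logger, encoder, clock, http) { }

    // Invoked by the authorization middleware when HandleAuthenticateAsync returned Fail/NoResult,
    // i.e. the authentication API answered 401/403 or no token was sent with the request
    protected override Task HandleChallengeAsync(AuthenticationProperties properties)
    {
        var returnUrl = Uri.EscapeDataString(Request.Path + Request.QueryString);
        Response.Redirect("/Account/Login?returnUrl=" + returnUrl);
        return Task.CompletedTask;
    }
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllersWithViews();
        // Named client the handler uses to reach the authentication API (placeholder address)
        services.AddHttpClient("AuthApi", c => c.BaseAddress = new Uri("https://auth-api.example/"));
        // "ApiJwt" is the scheme name; making it the default means [Authorize] uses this handler
        services.AddAuthentication("ApiJwt")
            .AddScheme<AuthenticationSchemeOptions, LoginRedirectHandler>("ApiJwt", null);
        services.AddAuthorization();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();  // runs the handler on every request
        app.UseAuthorization();   // [Authorize] on a controller/action triggers the challenge above
        app.UseEndpoints(endpoints => endpoints.MapDefaultControllerRoute());
    }
}
```

Pages without [Authorize] stay reachable because a missing token yields NoResult rather than a challenge.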