
I am trying to consume API action methods from an MVC controller using an HttpClient object, but the problem that I face is that I am unable to access the claims of the session user because the User is always null. Here is the call to the API method from the MVC method; you can notice the session user is always null.

Please, I got stuck and I need your help to overcome this.

Wajeeh Abiad
  • You should refactor your APIs to make controller (or web front apis) consume the internal api (exposed via web api with authorization based on token - not cookie). That way you can just consume the api normally. Otherwise (your current design), you have 2 options: (1) passing the cookie along the request - this is not efficient as pointed out in my comment under the first answer below. (2) redirect the request - this still requires you to refactor your api/services a bit (but not much as what I mentioned at the beginning). – King King Jan 17 '21 at 19:45

1 Answer


Check the way identity works in one of the tutorials: https://www.tektutorialshub.com/asp-net-core/asp-net-core-identity-tutorial/

We are invoking PasswordSignInAsync to verify and issue an authentication cookie

You should provide a cookie with the authentication value so the call can identify the target user and initialize the current user object with the appropriate values.

You can find an example of cookie addition here: How do I set a cookie on HttpClient's HttpRequestMessage

Please provide some code and authentication implementation details for us to help you more.

Athanasios Kataras
  • I believe that sending the cookie along a request like this requires us to set the `CookieContainer` for each request (before sending). So that's a problem when using ***shared*** `HttpClientHandler` which is recommended when using `HttpClient`. If not sharing the client handler, we always have to create a new `HttpClientHandler` for each request (with a separate `CookieContainer`), that finally will ***possibly*** exhaust all the socket connections. So I think we can forward the header values only (meaning the endpoint must support some kind of token-based authorization). – King King Jan 17 '21 at 19:37
  • In case of propagating the headers only (e.g: `Authorization` header, ...) to help propagate identity & authorization, we can use the built-in middleware called `Header propagation middleware` https://learn.microsoft.com/en-us/aspnet/core/fundamentals/http-requests?view=aspnetcore-5.0#header-propagation-middleware – King King Jan 17 '21 at 19:48
  • I think you should update your answer by not using a `CookieContainer` but instead sending a header of `Cookie` with the cookies cloned from the current request context. The `HttpClientHandler` then ***must*** have `UseCookies` set to `false` (so it will not use `CookieContainer` and ***NOT*** actively ignore the `Cookie` header). That way is really cool and we have a perfect solution to the original issue of the OP. – King King Jan 18 '21 at 09:29
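
The approach from the last comment (a `Cookie` header copied from the current request, with `UseCookies` set to `false`), as an added example that is not code from this thread; the handler and client names and the `https://internal-api.example/` address are assumptions. It also limits forwarding to that one HTTPS origin so the session cookie is never sent anywhere else.

```csharp
using System;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Net.Http.Headers;

// Hypothetical handler: copies the caller's Cookie header onto outgoing requests,
// but only when the request targets the one internal API origin we trust.
public sealed class ForwardCookieHandler : DelegatingHandler
{
    // Assumed internal API address; replace with your own.
    public static readonly Uri ApiBase = new Uri("https://internal-api.example/");
    private readonly IHttpContextAccessor _accessor;

    public ForwardCookieHandler(IHttpContextAccessor accessor) => _accessor = accessor;

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Empty or null when there is no current request or it carries no cookies.
        var incoming = _accessor.HttpContext?.Request.Headers[HeaderNames.Cookie].ToString();
        var uri = request.RequestUri;
        // Same scheme, host and port as ApiBase: no other host, no plain HTTP.
        bool trusted = uri != null && uri.IsAbsoluteUri && ApiBase.IsBaseOf(uri);
        if (trusted && !string.IsNullOrEmpty(incoming))
        {
            request.Headers.Remove(HeaderNames.Cookie);
            request.Headers.TryAddWithoutValidation(HeaderNames.Cookie, incoming);
        }
        return base.SendAsync(request, cancellationToken);
    }
}

public static class InternalApiClientRegistration
{
    public static IServiceCollection AddInternalApiClient(this IServiceCollection services)
    {
        services.AddHttpContextAccessor();
        services.AddTransient<ForwardCookieHandler>();
        services.AddHttpClient("internal-api", c => c.BaseAddress = ForwardCookieHandler.ApiBase)
            .AddHttpMessageHandler<ForwardCookieHandler>()
            // UseCookies = false: no CookieContainer, so the explicit Cookie header is sent
            // and the pooled handler never stores one user's cookies for the next user.
            .ConfigurePrimaryHttpMessageHandler(() => new HttpClientHandler { UseCookies = false });
        return services;
    }
}
```

Call `services.AddInternalApiClient()` in `ConfigureServices`, then create the client in the MVC controller with `IHttpClientFactory.CreateClient("internal-api")`.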