ASP.NET Web API Authorization with AuthorizeAttribute

Question

Using the new ASP.NET Web API beta. I can not seem to get the suggested method of authenticating users, to work. Where the suggested approach seems to be, to add the [Authorize] filter to the API controllers. For example:

[Authorize] 
public IEnumerable<Item> Get()
{
    return itemsService.GetItems();
}

This does not work as intended though. When requesting the resource, you get redirected to a login form. Which is not very suitable for a RESTful webapi.

How should I proceed with this? Will it work differently in future versions?, or should I fall back to implementing my own action filter?

Please, take a look at http://stackoverflow.com/questions/9482982/custom-mvc-authorizeattribute-for-asp-net-web-api/9484119. — paulius_l, Mar 02 '12 at 10:34

score 96 · Accepted Answer · edited Mar 03 '12 at 02:30

96

Double check that you are using the System.Web.Http.AuthorizeAttribute and not the System.Web.Mvc.AuthorizeAttribute. This bit me before. I know the WebAPI team is trying to pull everything together so that it is familiar to MVC users, but I think somethings are needlessly confusing.

edited Mar 03 '12 at 02:30

Paul Tyng

7,924
1
33
57

answered Mar 02 '12 at 23:34

AlexGad

6,612
5
33
45

1

Yeah I think this is the preferred method, didn't realize they introduced an entirely new attribute class hierarchy, I agree, confusing... – Paul Tyng Mar 03 '12 at 02:30
1

Yea, they should preface every "Hello World" example with a disclaimer about the different namespace for MVC vs Web Api – Kevin Mar 09 '12 at 16:06
Yea, System.Web.Http != System.Web.Mvc – Kevin May 17 '12 at 20:47
Great, glad I've found this after an hour of searching everywhere around. – Wiktor Zychla Oct 21 '13 at 08:15

score 4 · Answer 2 · answered Mar 02 '12 at 13:13

Set your authentication mode to None:

<authentication mode="None" />

None Specifies no authentication. Your application expects only anonymous users or the application provides its own authentication.

http://msdn.microsoft.com/en-us/library/532aee0e.aspx

Of course then you have to provide some sort of authentication via headers or tokens or something. You could also specify Windows and use the built in auth via headers.

If this site is mixed between API and actual pages that do need the Forms setting, then you will need to write your own handling.

All the attribute does is return an HttpUnauthorizedResult instance, the redirection is done outside of the attribute, so its not the problem, its your authentication provider.

score 2 · Answer 3 · answered May 21 '12 at 09:45

You are being redirected to login page because forms authentication module does this automatically. To get rid of that behavior disable forms authentication as suggested by Paul. If you want to use more REST friendly approach you should consider implementing HTTP authorization support. Take a look at this blog post http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/

Anestis Kivranoglou · Answer 4 · 2017-10-31T13:06:59.640

1

ASP.NET 5 Introduced the new Microsoft.AspNet.Authorization System which can secure both MVC and Web API controllers.

For more see my related answer here.

Update:

At that time 2 years ago it was Microsoft.AspNetCore.Authorization.

As @Chris Haines pointed out. now it resides on Microsoft.AspNetCore.Authorization.

From .NET core 1.0 to 2.0 many namespaces have been moved i think. And spread functionality between .net classic and core was obscure. That's why Microsoft introduced the .net standard.

.net standard

edited Oct 31 '17 at 13:06

answered Feb 15 '16 at 10:54

Anestis Kivranoglou

7,728
5
44
47

I think you mean `Microsoft.AspNetCore.Authorization`? – Chris Haines Oct 31 '17 at 12:41
1

At that time 2 yers ago it was Microsoft.AspNetCore.Authorization.As you can see . https://www.nuget.org/packages/Microsoft.AspNet.Authorization/ From .NET core 1.0 to 2.0 many namespaces have been moved i think. And spread functionality between .net classic and core was obscure. I think that's why microsoft introduced the .net standard. https://learn.microsoft.com/en-us/dotnet/standard/net-standard – Anestis Kivranoglou Oct 31 '17 at 12:59

score 0 · Answer 5 · edited May 23 '17 at 11:54

0

Also, look at my answer for: How to secure an ASP.NET Web API

There is a NuGet package I have created which you can use for convenience.

edited May 23 '17 at 11:54

Community

1
1

answered May 20 '13 at 03:55

Varun Chatterji

5,059
1
23
24

score 0 · Answer 6 · answered Nov 22 '15 at 23:22

If you're using a Role, make sure you have it spelled correctly :

If your role is called 'Administrator' then this - for instance will not work :

    [System.Web.Http.Authorize(Roles = "Administator")]

Neither will this :

    [System.Web.Http.Authorize(Roles = "Administrators")]

Oops...

score 0 · Answer 7 · answered May 28 '18 at 10:45

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]
[Produces("application/json")]
[Route("api/[controller]")]
public class CitiesController : Controller
{
        [HttpGet("[action]")]
        public IActionResult Get(long cityId) => Ok(Mapper.Map<City, CityDTO>(director.UnitOfWork.Cities.Get(cityId)));
}

Use

[Authorize(AuthenticationSchemes = JwtBearerDefaults.AuthenticationScheme)]

Filter with authentication type

ASP.NET Web API Authorization with AuthorizeAttribute

7 Answers7

Linked