OWIN Application Sharing Between WebAPI and MVC Application
The application we are currently developing consists of 2 applications: a WebApi app and an external MVC app. For the WebApi, I added support for bearer token authorization via OWIN. These applications run as separate websites within the same domain, but with their own subdomains (site.xxx.xxx, api.xxx.xxx).
Authentication on the WebAPI, i.e. with Postman, works as designed; basic and identical objects, including formulas, are initialized properly.
The question comes up when I want to log into the WebApi from the MVC application.
Is there a way to get the ClaimsPrincipal and ClaimsIdentity in our MVC application after logging in via the WebAPI via a URL / token, somewhat sharing the OWIN context, or should we implement the same OWIN authorization functionality inside the MVC application to create a separate "route" authorization?
Yes, there is. A couple of things to note:
- The token you return from the web api will be encrypted by default. Your web application needs to decrypt this token in order to be able to retrieve claims from the bearer token. To do this, you must have the same machine key on both servers (your webapi web.config and mvc web.config must have the same machine key)
- Your MVC web app needs to include both bearer tokens and application cookies. Your Startup.Auth.cs might include something like this:

```csharp
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Kept static so the login code can reach the same AccessTokenFormat that the
    // bearer middleware initialises when it is registered below.
    public static OAuthBearerAuthenticationOptions OAuthBearerOptions { get; private set; }

    static Startup()
    {
        OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
    }

    public void ConfigureAuth(IAppBuilder app)
    {
        // Bearer tokens issued by the Web API (same machine key required to unprotect them).
        app.UseOAuthBearerAuthentication(OAuthBearerOptions);

        // Application cookie that the MVC app actually authenticates requests with.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login")
        });
    }
}
```
Now, in your login method:

```csharp
using System.Security.Claims;
using System.Web;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security;

// The OWIN authentication manager for the current request (Microsoft.Owin.Host.SystemWeb).
private IAuthenticationManager AuthenticationManager
{
    get { return HttpContext.GetOwinContext().Authentication; }
}

// Assume that the token that you got from the web api is in the variable called accessToken.
// Decrypt this token first. If your machine keys are the same, the following line will work.
var unencryptedToken = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(accessToken);

// Next, extract the claims identity from the token.
var identity = unencryptedToken.Identity;

// Need to create a claims identity that uses a cookie (not a bearer token). An MVC app
// knows how to deal with a claims identity using an application cookie, but doesn't know
// how to deal with a claims identity using a bearer token. So this is a translation step
// from the web api authentication mechanism to the mvc authentication mechanism.
var id = new ClaimsIdentity(identity.Claims, DefaultAuthenticationTypes.ApplicationCookie);

// At this moment, your new claims identity using an application cookie is ready, but we still
// need to sign in. Use the OWIN Auth manager from the context to sign in. This will create
// the application cookie and correctly populate User.Identity.IsAuthenticated. From now on,
// you are logged in.
AuthenticationManager.SignIn(id);
```