
ASP.NET MVC 5 and WebApi 2 Authentication

I recently built an MVC 5 Web Site as a front end prototype and used Individual Accounts for authentication. I now need to build a WebApi2 backend that will serve this website as well as an iPhone app, and multiple other clients. I am confused regarding authentication with the MVC site and WebApi.

I want all user management to take place through the WebApi (which will use tokens) so that it is client agnostic; however, I don't know how cookie authentication on the website side will work without my Identity classes. It seems like I'll be duplicating code with the MVC site and WebApi. I want to use cookies for the MVC site, and OAuth tokens for the WebApi. Do I need to create another project like an IdentityProvider to manage this? Or is there a clean way to implement this using just the MVC and WebApi projects? Thanks!

EDIT: I am mainly confused about how to manage user identity with users being able to log in through both the MVC site and through a WebApi request. I need to be able to generate the UserIdentity and claims in a unified way and I am confused when I have both the MVC Individual Accounts template and the WebApi2 Individual Account authentication template to work with. I want to store users, claims, etc. in an AWS hosted MongoDB instance.

narciero asked Aug 05 '15 03:08



2 Answers

Both templates (MVC and API) use a SignInManager and UserManager. The standard user manager implementation is based on SQL Server and Entity Framework.

If you want to maintain user data on MongoDB, the best solution IMO is to roll your own UserStore to implement at least the IUserStore and IUserRoleStore interfaces, or use this NuGet package

For the UserManager you can use the standard implementation.

The ASP.NET Identity that you are using is open source and you can have a look on CodePlex (the one on GitHub is for MVC 6).

I think that the best way to handle your scenario is:

  • For website login, for standard web user, make a login action on a standard MVC controller and let the SignInManager do the work; you can use the standard Login method that comes with the template
  • For API login, implement a simple OAuthAuthorizationServerProvider and override the GrantResourceOwnerCredentials method; this is a nice article that shows you all the steps

Hope this helps!

omar.ballerani answered Oct 17 '22 09:10
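A sketch of the API login side described in the answer above, added here as an example and not code from the answer or from the project templates. `AppUser`, `ApiOAuthProvider` and the injected `userManagerFactory` are hypothetical names; the `UserManager` is assumed to sit on whatever `IUserStore` backs the MVC site (for example a MongoDB-backed store), so the cookie and token paths build claims from the same user data.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.Owin.Security.OAuth;

// Hypothetical user type; a custom store only requires IUser<string>.
public class AppUser : IUser<string>
{
    public string Id { get; set; }
    public string UserName { get; set; }
}

public class ApiOAuthProvider : OAuthAuthorizationServerProvider
{
    // Assumption: the factory returns a per-request UserManager whose
    // lifetime is owned by the caller (it is not disposed here).
    private readonly Func<UserManager<AppUser>> _userManagerFactory;

    public ApiOAuthProvider(Func<UserManager<AppUser>> userManagerFactory)
    {
        _userManagerFactory = userManagerFactory;
    }

    // This sketch does not authenticate clients (no client_id/secret check),
    // so every client is accepted and only the user credentials are verified.
    public override Task ValidateClientAuthentication(
        OAuthValidateClientAuthenticationContext context)
    {
        context.Validated();
        return Task.FromResult(0);
    }

    public override async Task GrantResourceOwnerCredentials(
        OAuthGrantResourceOwnerCredentialsContext context)
    {
        UserManager<AppUser> userManager = _userManagerFactory();
        AppUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            // One message for "unknown user" and "wrong password" so the
            // token endpoint does not reveal which accounts exist.
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Same UserManager call the cookie sign-in relies on; only the
        // authentication type differs (bearer token instead of cookie).
        var identity = await userManager.CreateIdentityAsync(
            user, OAuthDefaults.AuthenticationType);
        context.Validated(identity);
    }
}
```

The provider is assigned to `OAuthAuthorizationServerOptions.Provider` in the OWIN startup class; because this grant sends the password to the token endpoint, keep `AllowInsecureHttp` set to `false` outside local development.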


Think of the membership provider as separate and independent of the technology used to dev the app. Authentication is authentication; it's not dependent on a particular technology.

http://www.asp.net/identity/overview/getting-started/aspnet-identity-recommended-resources

stink answered Oct 17 '22 09:10