ASP.NET Web API 2: How do I log in with external authentication services?

According to this post http://www.asp.net/web-api/overview/security/external-authentication-services... I'm able to log in with a local authentication service (with the new ASP.NET identity framework)

but I can't find a walkthrough to properly call (from a mobile app or Postman) the default web API generated in the Visual Studio 2013 SPA template.

Can anyone help me?

acor3 asked Jan 11 '14 17:01


2 Answers

I had the same problem today and found the following solution:

First, get all available providers:

GET /api/Account/ExternalLogins?returnUrl=%2F&generateState=true 

The response is a list in JSON format:

[
  {
    "name": "Facebook",
    "url": "/api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A15359%2F&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1",
    "state": "QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1"
  }
]

Now send a GET request to the URL of the provider you want to use. You will be redirected to the login page of the external provider. Fill in your credentials and then you will be redirected back to your site. Now parse the access_token from the URL:

http://localhost:15359/#access_token=[..]&token_type=bearer&expires_in=[..]&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1 

If the user already has a local account, the .AspNet.Cookies cookie is set and you are done. If not, only the .AspNet.ExternalCookie cookie is set and you have to register a local account.

There is an API to find out whether the user is registered:

GET /api/Account/UserInfo 

The response is:

{"userName":"xxx","hasRegistered":false,"loginProvider":"Facebook"} 

To create a local account for the user, call:

POST /api/Account/RegisterExternal
Authorization: Bearer VPcd1RQ4X...   (the access_token from the URL)
Content-Type: application/json

{"UserName":"myusername"}

Now send the same request to the provider URL as before:

GET /api/Account/ExternalLogin?provider=Facebook&response_type=token&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A15359%2F&state=QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1 

But this time the user already has an account and gets authenticated. You can verify this by calling /api/Account/UserInfo again.

Now extract the access_token from the URL. You have to add the Authorization: Bearer [access_token] header to every request you make.

berhir answered Sep 22 '22 18:09
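As an added example (not part of berhir's answer or of the Visual Studio SPA template), the following Python script walks a client through the same flow offline: it picks the provider entry out of a constructed copy of the ExternalLogins response, parses the access_token from the fragment of the redirect URL, refuses the token unless the state value round-trips unchanged (which is what generateState=true is for), builds the Authorization header, and reads hasRegistered from a UserInfo body to decide whether RegisterExternal is still needed. The token value, the expires_in value and the UserInfo bodies are constructed sample data; the function names are the example's own.

```python
import hmac
import json
from urllib.parse import parse_qs, urlparse

# Constructed sample data, modelled on the responses quoted in the answer above.
EXPECTED_STATE = "QotufgXRptkAfJvcthIOWBnGZydgVkZWsx8YrQepeDk1"

EXTERNAL_LOGINS_JSON = json.dumps([{
    "name": "Facebook",
    "url": "/api/Account/ExternalLogin?provider=Facebook&response_type=token"
           "&client_id=self&redirect_uri=http%3A%2F%2Flocalhost%3A15359%2F"
           "&state=" + EXPECTED_STATE,
    "state": EXPECTED_STATE,
}])

# What the browser lands on after the provider redirects back (token value is made up).
REDIRECT_URL = ("http://localhost:15359/#access_token=VPcd1RQ4X_example"
                "&token_type=bearer&expires_in=1209600&state=" + EXPECTED_STATE)

USER_INFO_UNREGISTERED = '{"userName":"xxx","hasRegistered":false,"loginProvider":"Facebook"}'
USER_INFO_REGISTERED = '{"userName":"xxx","hasRegistered":true,"loginProvider":"Facebook"}'


def pick_provider(external_logins_json, name):
    """Return (url, state) for the named provider from GET /api/Account/ExternalLogins."""
    for entry in json.loads(external_logins_json):
        if entry["name"] == name:
            return entry["url"], entry["state"]
    raise LookupError(f"provider {name!r} not offered")


def parse_fragment(redirect_url):
    """Parse the key=value pairs the server appends after '#' on redirect_uri."""
    fragment = urlparse(redirect_url).fragment
    # parse_qs returns lists; each parameter is expected exactly once here.
    return {k: v[0] for k, v in parse_qs(fragment, strict_parsing=True).items()}


def state_is_valid(redirect_url, expected_state):
    """True only if the state we issued came back unchanged (constant-time compare)."""
    got = parse_fragment(redirect_url).get("state", "")
    return hmac.compare_digest(got.encode(), expected_state.encode())


def extract_token(redirect_url, expected_state):
    """Return the bearer token, or raise if the redirect is not one we asked for."""
    if not state_is_valid(redirect_url, expected_state):
        raise ValueError("state mismatch: discard this redirect")
    params = parse_fragment(redirect_url)
    if params.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type")
    return params["access_token"]


def auth_header(token):
    """Header to attach to every subsequent API call."""
    return {"Authorization": f"Bearer {token}"}


def next_step(user_info_json):
    """Decide from GET /api/Account/UserInfo whether RegisterExternal is still needed."""
    info = json.loads(user_info_json)
    return "authenticated" if info.get("hasRegistered") else "register_external"


if __name__ == "__main__":
    url, state = pick_provider(EXTERNAL_LOGINS_JSON, "Facebook")
    print("1. open in a browser:", "http://localhost:15359" + url)
    token = extract_token(REDIRECT_URL, state)
    print("2. send with every request:", auth_header(token))
    print("3. after UserInfo:", next_step(USER_INFO_UNREGISTERED))
```

Check the state before touching the token: a redirect carrying a state you did not issue in step 1 may be an attacker's token being planted in your session (login CSRF), and a mismatched `token_type` means the response is not the implicit-grant reply this template produces.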


I found another post showing in some detail how this external authentication works. The client is WPF and the server uses ASP.NET Identity.

T N answered Sep 23 '22 18:09