Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Authorization with ASP.NET Identity & Autofac OWIN integration

Tags:

asp.net

asp.net-mvc

asp.net-web-api

owin

autofac

(an update has been added at the bottom of this question)

I have a web application that uses both MVC5 and WebAPI2 with Autofac for DI. The app uses ASP.NET Identity and oAuth bearer tokens, though the latter may be beside the point. This has all worked perfectly well, but at this point I need the same instances of my injected services to be shared throughout the OWIN pipeline as well as the rest of my application and therefore I'm trying to setup Autofac's OWIN integrations for MVC and Web API. I seem to be close- everything seems to work except for AuthorizeAttibutes on ApiControllers. The oAuth process completes successfully and I end up signed in with a bearer token, but subsequent attempts to authorize with said token on WebAPI controllers/actions fail.

Specifically, in the IsAuthorized method of System.Web.Http.AuthorizeAttribute, IPrincipal.Identity seems that it has not been instantiated correctly in that it doesn't have the appropriate claims and the IsAuthenticated property is always false. The developers of Autofac indicate that this attribute should work with the OWIN integrations, even though that code uses GlobalConfiguration which is not advisable for the OWIN integrations. I've seen multiple recommendations to remove config.SuppressDefaultHostAuthentication() (here and here), which, while not advisable, I've tried out of desperation and yet to no avail- for my particular configuration this causes IPrincipal to come back as null. I've also tried to modify a much simpler example project than my own to use AuthorizeAttribute on the WebAPI controller, also with no success. At this point I'm out of things to try, and help would be greatly appreciated.

Here is my Startup.cs:

[assembly: OwinStartup(typeof (Startup))]
namespace Project.Web
{
    public partial class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var builder = new ContainerBuilder();
            builder.RegisterControllers(Assembly.GetExecutingAssembly());
            var config = new HttpConfiguration();
            builder.RegisterHttpRequestMessage(config);
            builder.RegisterApiControllers(Assembly.GetExecutingAssembly());
            RegisterGeneralTypes(builder);
            var container = builder.Build();
            WebApiConfig.Register(config);
            config.DependencyResolver = new AutofacWebApiDependencyResolver(container);
            DependencyResolver.SetResolver(new AutofacDependencyResolver(container));
            WebApiFilterConfig.RegisterGlobalFilters(config.Filters);

            app.UseAutofacMiddleware(container);
            app.UseAutofacWebApi(config);
            app.UseAutofacMvc();
            app.UseWebApi(config);

            ConfigureAuth(app);
        }

        private static void RegisterGeneralTypes(ContainerBuilder builder)
        {
            builder.Register(c => new DomainModelContext())
                .AsSelf()
                .InstancePerRequest();

            builder.Register(c => HttpContext.Current.User.Identity)
                .As(typeof (IIdentity));

            builder.RegisterType<EmailService>()
                .AsImplementedInterfaces()
                .InstancePerRequest();

            builder.Register(c => new IdentityFactoryOptions<DomainUserManager>
            {
                DataProtectionProvider = DataProtectionProvider
            }).InstancePerRequest();

            builder.RegisterType<DomainUserManager>()
                .AsSelf()
                .UsingConstructor(typeof (IIdentityMessageService),
                    typeof (IdentityFactoryOptions<DomainUserManager>),
                    typeof (CustomUserStore))
                .InstancePerRequest();

            builder.RegisterType<CustomUserStore>()
                .AsImplementedInterfaces()
                .AsSelf()
                .InstancePerRequest();

            builder.Register(c => HttpContext.Current.GetOwinContext().Authentication)
                .As<IAuthenticationManager>();
        }
    }
}

and my Startup.Auth.cs:

public partial class Startup
{
    internal static IDataProtectionProvider DataProtectionProvider;
    public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }
    public static string PublicClientId { get; private set; }

    public void ConfigureAuth(IAppBuilder app)
    {
        var onValidateIdentity = SecurityStampValidator
            .OnValidateIdentity<DomainUserManager, DomainUser, int>(
                validateInterval: TimeSpan.FromMinutes(30),
                regenerateIdentityCallback: (manager, user) =>
                    user.GenerateUserIdentityAsync(manager, CookieAuthenticationDefaults.AuthenticationType),
                getUserIdCallback: id => id.GetUserId<int>());

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            LoginPath = new PathString("/account/login"),

            Provider = new CookieAuthenticationProvider
            {
                OnValidateIdentity = onValidateIdentity
            }
        });
        app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

        // Configure the application for OAuth based flow
        PublicClientId = "self";
        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/v1/account/externallogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        };

        // Enable the application to use bearer tokens to authenticate users
        app.UseOAuthBearerTokens(OAuthOptions);

        DataProtectionProvider = app.GetDataProtectionProvider();
    }
}

I think that covers it, but I will gladly post additional code upon request.

UPDATE

So based on jumuro's answer, I changed my order of registrations as recommended. However, this simply transferred the exact same issue from Web API authorization to MVC authorization. Since I had MVC auth working before the update, I ultimately tried registering auth in the pipeline twice as follows:

app.UseAutofacMiddleware(container);
ConfigureAuth(app);
app.UseAutofacWebApi(config);
app.UseAutofacMvc();
app.UseWebApi(config);
ConfigureAuth(app);

This works, but I really can't say that I understand why and I can't imagine that it's good to be doing this twice. So now I have new questions:

  1. It makes sense that WebAPI would need Auth registered in the pipeline first, but why in the world does MVC want me to register Auth last?
  2. How can I clean this up and avoid calling ConfigureAuth twice?
like image 476
joelmdev Avatar asked Jun 15 '16 05:06

joelmdev

People also ask

What is authorization in ASP.NET Core?

Authentication is the process of determining a user's identity. Authorization is the process of determining whether a user has access to a resource. In ASP.NET Core, authentication is handled by the authentication service, IAuthenticationService, which is used by authentication middleware.

Does ASP.NET support Windows authentication?

Windows Authentication relies on the operating system to authenticate users of ASP.NET Core apps. You can use Windows Authentication when your server runs on a corporate network using Active Directory domain identities or Windows accounts to identify users.

How do I Authorize in C#?

Action. To restrict access for specific actions, add the attribute to the action method. public class StudentsController : ApiController{ public HttpResponseMessage Get() { ... } // Require authorization for a specific action. [Authorize] public HttpResponseMessage Post() { ... } }

How authorization works in ASP NET MVC?

The Authorize Attribute In ASP.NET MVC, any incoming request is bound to a controller/method pair and served. This means that once the request matches a supported route and is resolved to controller and method, it gets executed no matter what.

1 Answers

You have to add middlewares to the application pipeline in the correct order. Bearer token has to be validated before the MVC and Web Api middlewares process the request.

Try this order in your Configuration() method:

public void Configuration(IAppBuilder app)
{
    ...
    app.UseAutofacMiddleware(container);
    ConfigureAuth(app);
    app.UseAutofacMvc();
    app.UseWebApi(config);
    app.UseAutofacWebApi(config);
    ...
}

I hope it helps.

like image 94
jumuro Avatar answered Sep 24 '22 11:09

jumuro
Sign in to Comment

Related questions

how can I join two regex into one?
How to implement synchronized Memcached with database
Use MachineKey.Protect Outside of ASP.NET
Entity Framework 6 Creating Two table from the same entity object
How to create an Email queue mechanism in ASP.NET In case of network goes down?
AngularJS Ui-Router with ASP.Net MVC RouteConfig. How does it work?
How do I export to Excel?
Can't see "Create deploy package as a zip file" option in Visual Studio 2015 Community
Publishing from Visual Studio 2015
ASP.NET 5 targeting dnx451/dnx46 Performance
Possible unintended reference comparison worked as intended
VSTS Build fails with: The type or namespace name 'Practices' does not exist in the namespace 'Microsoft'
MVC 6 HttpResponseException
Could not load file or assembly 'Microsoft.AI.Agent.Intercept' or one of its dependencies
The localhost page isn’t working. localhost redirected you too many times
Missing WebApiConfig.cs in App_Start. Can I use Startup.cs?
Error while generating a password for my number when using Password generated software for whatsapp API
USING block behaves differently in website vs windows form
how to cancel HostingEnvironment.QueueBackgroundWorkItem
Running multiple ASP.NET Core RC2 Applications on the same port

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!