Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Simplest way to add Basic authentication to web.config with user/pass

I'm setting up an Azure API Management with with an ASP.NET WebApi 2 app behind it. API Management recommends setting up Basic auth between the API Management proxy and the ASP.NET WebApi to make sure the WebApi is only accessible through the API Management proxy.

(Of course OAuth tokens will be still sent with requests for the "real" authentication, but I'll add that later.)

With this in mind, I don't really want to implement the Basic auth in the application, I would like to have it handled by IIS exclusively, via Web.config.

Question: How can I set up my Web.config to do basic auth with a username/password stored in Web.config?

What I've tried:

I tried to follow this article Apply ASP.NET Authentication and Authorization Rules to Static Content with IIS 7.0's Integrated Pipeline Feature but didn't have much luck.

This question is unanswered, but they probably ask for similar thing: web.config single user basic auth

Other answers I found here include adding the authentication inside the application which I don't want to do.

Here is my Web.config:

<?xml version="1.0"?>
<configuration>
  <configSections>
    <!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
    <section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
  </configSections>
  <appSettings configSource="bin\debug-appSettings.config"/>
  <connectionStrings configSource="bin\debug-connectionStrings.config"/>
  <system.web>
    <compilation targetFramework="4.5.2"/>
    <httpRuntime targetFramework="4.5.2"/>
    <authentication mode="Forms">
      <forms>
        <credentials passwordFormat="Clear">
          <user name="test" password="test" />
        </credentials>
      </forms>
    </authentication>
    <authorization>
      <allow users="test" />
      <deny users="*" />
    </authorization>
  </system.web>
  <system.webServer>
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0"/>
      <remove name="OPTIONSVerbHandler"/>
      <remove name="TRACEVerbHandler"/>
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0"/>
    </handlers>
    <modules>
      <remove name="FormsAuthenticationModule" />
      <add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
      <remove name="UrlAuthorization" />
      <add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
    </modules>
    <security>
      <authentication>
        <basicAuthentication enabled="true" />
      </authentication>
    </security>
  </system.webServer>
  <runtime>
    <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.Azure.AppService.ApiApps.Service" publicKeyToken="31BF3856AD364E35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-0.9.64.0" newVersion="0.9.64.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed"/>
        <bindingRedirect oldVersion="0.0.0.0-7.0.0.0" newVersion="7.0.0.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Net.Http.Formatting" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="MiniProfiler" publicKeyToken="b44f9351044011a3" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-3.2.0.157" newVersion="3.2.0.157"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="System.IdentityModel.Tokens.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-4.0.20622.1351" newVersion="4.0.20622.1351"/>
      </dependentAssembly>
      <dependentAssembly>
        <assemblyIdentity name="Microsoft.WindowsAzure.Storage" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
        <bindingRedirect oldVersion="0.0.0.0-6.1.0.0" newVersion="6.1.0.0"/>
      </dependentAssembly>
    </assemblyBinding>
  </runtime>
  <entityFramework>
    <defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
      <parameters>
        <parameter value="mssqllocaldb"/>
      </parameters>
    </defaultConnectionFactory>
    <providers>
      <provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer"/>
    </providers>
  </entityFramework>
</configuration>

I send a request with PostMan with the following headers:

Authorization: Basic dGVzdDp0ZXN0
Content-Type: application/json

But all I get is the 401.1 page by IIS.

IIS Screenshot

What am I missing?

like image 708
Adam Szabo Avatar asked Nov 28 '15 19:11

Adam Szabo


People also ask

How do I pass my basic authentication username and password?

1 Answer. It is indeed not possible to pass the username and password via query parameters in standard HTTP auth. Instead, you use a special URL format, like this: http://username:[email protected]/ -- this sends the credentials in the standard HTTP "Authorization" header.

How can I pass the basic HTTP authentication?

We can do HTTP basic authentication URL with @ in password. We have to pass the credentials appended with the URL. The username and password must be added with the format − https://username:password@URL.


1 Answers

I ended up implementing BasicAuthentication as a HttpModule. I will update this answer later with the details.

Edit:

NuGet package: https://www.nuget.org/packages/Hexasoft.BasicAuthentication

Source: https://github.com/hexasoftuk/Hexasoft.BasicAuthentication

like image 158
Adam Szabo Avatar answered Oct 27 '22 00:10

Adam Szabo