Can someone please explain what these two lines of code mean inside the Register() method of my WebApiConfig.cs file?
// Web API configuration and services
// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
I assume it's adding HostAuthentication application-wide. But even if I don't pass a bearer token with my requests I am still able to get the data. So what's the point of adding this filter?
I usually keep the following comments in my code as a reminder of what they are for.
// Configure Web API to use only bearer token authentication.
// If you don't want the OWIN authentication to flow to your Web API then call
// SuppressDefaultHostAuthentication on your HttpConfiguration.
// This blocks all host level authentication at that point in the pipeline.
config.SuppressDefaultHostAuthentication();
//config.Filters.Add(new HostAuthenticationFilter(Microsoft.Owin.Security.OAuth.OAuthDefaults.AuthenticationType));
// “Host-level authentication” is authentication performed by the host (such as IIS),
// before the request reaches the Web API framework.
// ----
// Often, you may want to enable host-level authentication for the rest of your application,
// but disable it for your Web API controllers. For example, a typical scenario is to
// enable Forms Authentication at the host level, but use token-based authentication for Web API.
// ----
// To disable host-level authentication inside the Web API pipeline, call config.SuppressHostPrincipal()
// in your configuration. This causes Web API to remove the IPrincipal from any request that enters
// the Web API pipeline. Effectively, it "un-authenticates" the request.
config.SuppressHostPrincipal();
Also, if you are still getting access to action data, chances are you did not apply the [Authorize]
attribute to the controller or action to restrict access.
Related reading: Host authentication and Web API with OWIN and active vs. passive authentication middleware
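The full wiring the answer describes, as an added example that is not part of the question, the answer, or any project's own code. It assumes Web API 2 hosted on OWIN with the Microsoft.AspNet.WebApi.Owin, Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies and Microsoft.Owin.Security.OAuth packages; the "Demo" namespace, the OrdersController, DemoOAuthProvider and the hard-coded demo credentials are made up for the illustration. It shows the reason the two lines exist: the cookie middleware authenticates browser requests at the host level, and because browsers attach cookies automatically, letting that principal flow into the API would make the API a CSRF target. SuppressDefaultHostAuthentication drops that principal, and HostAuthenticationFilter("Bearer") re-authenticates the request using only the bearer-token middleware. Neither line rejects a request on its own, which is exactly why the question's unauthenticated calls still returned data; the 401 comes from [Authorize].

```csharp
// Added example, not code from the question or answer above. Assumed NuGet packages: Microsoft.AspNet.WebApi.Owin,
// Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies, Microsoft.Owin.Security.OAuth. "Demo" and DemoOAuthProvider are made up.
using System;
using System.Security.Claims;
using System.Threading.Tasks;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(Demo.Startup))]

namespace Demo
{
    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            // 1. Discard the principal the host already established (here: the cookie middleware
            //    registered in Startup). Every request now enters Web API as anonymous.
            config.SuppressDefaultHostAuthentication();

            // 2. Re-authenticate inside Web API using only the "Bearer" middleware, so an
            //    Authorization: Bearer <token> header yields a principal and a session cookie does not.
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

            // Neither line rejects anything by itself; enforcement is [Authorize]'s job.
            config.MapHttpAttributeRoutes();
        }
    }

    [Authorize]   // without this attribute anonymous callers still receive the data
    [RoutePrefix("api/orders")]
    public class OrdersController : ApiController
    {
        [HttpGet, Route("")]
        public IHttpActionResult Get()
        {
            // User.Identity was produced by the bearer token, never by the cookie.
            return Ok(new { user = User.Identity.Name, orders = new[] { "order-1", "order-2" } });
        }

        [AllowAnonymous, HttpGet, Route("ping")]   // explicit opt-out for a public action
        public IHttpActionResult Ping() => Ok("pong");
    }

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Host-level authentication for the MVC/Razor pages. Browsers attach this cookie
            // automatically, so letting it flow into Web API would expose the API to CSRF.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = "ApplicationCookie",
                LoginPath = new PathString("/Account/Login")
            });

            // Token endpoint (POST /token, grant_type=password) plus the bearer middleware that
            // HostAuthenticationFilter invokes. OAuthDefaults.AuthenticationType is "Bearer".
            app.UseOAuthBearerTokens(new OAuthAuthorizationServerOptions
            {
                TokenEndpointPath = new PathString("/token"),
                Provider = new DemoOAuthProvider(),
                AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(20),
                AllowInsecureHttp = false   // bearer tokens are credentials; issue them over TLS only
            });

            var config = new HttpConfiguration();
            WebApiConfig.Register(config);
            app.UseWebApi(config);
        }
    }

    // Minimal resource-owner-password provider so the token endpoint actually issues tokens.
    public class DemoOAuthProvider : OAuthAuthorizationServerProvider
    {
        public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            context.Validated();   // public client, no client secret to check
            return Task.FromResult(0);
        }

        public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {
            // Constructed demo check: a real app validates against its user store and never hard-codes a password.
            if (context.UserName != "alice" || context.Password != "demo-password")
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
                return Task.FromResult(0);
            }
            var identity = new ClaimsIdentity(context.Options.AuthenticationType);
            identity.AddClaim(new Claim(ClaimTypes.Name, context.UserName));
            context.Validated(identity);
            return Task.FromResult(0);
        }
    }
}
```

With this in place, GET /api/orders with no Authorization header, or with only the ApplicationCookie, returns 401 from [Authorize]; the same request with `Authorization: Bearer <token>`, where the token came from `POST /token` with `grant_type=password&username=alice&password=demo-password`, returns 200 with User.Identity.Name set to "alice"; and GET /api/orders/ping stays open because of [AllowAnonymous]. If you would rather require a token everywhere by default, register `new AuthorizeAttribute()` in config.Filters and opt individual actions out with [AllowAnonymous], which fails closed when someone forgets the attribute on a new controller.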