Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

What does HostAuthenticationFilter do?

Tags:

c#

asp.net-web-api

owin

Can somone please explain what these two lines of code mean inside the Register() method of my WebApiConfig.cs file.

// Web API configuration and services
// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

I assume its adding HostAuthentication application wide. But even if I don't pass a bearer token with my requests I am still able to get the data. So whats the point of adding this filter?

like image 355
psj01 Avatar asked Jun 22 '18 17:06

psj01

People also ask

What is OAuthAuthorizationServerOptions?

OAuthAuthorizationServerOptions() Creates an instance of authorization server options with default values.

What is Owin authentication?

OWIN (Open Web Interface for . NET) is a standard for an interface between . NET Web applications and Web servers. It is a community-owned open-source project. The OAuth authorization framework enables a third-party application to obtain limited access to a HTTP service.

What is token in Web API?

To make a web API call from a client such as a mobile application, you must supply an access token on the call. The token acts like an electronic key that lets you access the API. Adobe Commerce and Magento Open Source issue the following types of access tokens: Token type.

1 Answers

I usually keep the following comments in my code as a reminder of what they are for.

// Configure Web API to use only bearer token authentication.
// If you don't want the OWIN authentication to flow to your Web API then call 
// SuppressDefaultHostAuthentication on your HttpConfiguration. 
// This blocks all host level authentication at that point in the pipeline.
config.SuppressDefaultHostAuthentication();
//config.Filters.Add(new HostAuthenticationFilter(Microsoft.Owin.Security.OAuth.OAuthDefaults.AuthenticationType));

// “Host-level authentication” is authentication performed by the host (such as IIS), 
// before the request reaches the Web API framework. 
// ----
// Often, you may want to to enable host-level authentication for the rest of your application, 
// but disable it for your Web API controllers. For example, a typical scenario is to 
// enable Forms Authentication at the host level, but use token-based authentication for Web API.
// ----
// To disable host-level authentication inside the Web API pipeline, call config.SuppressHostPrincipal() 
// in your configuration. This causes Web API to remove the IPrincipal from any request that enters 
// the Web API pipeline. Effectively, it "un-authenticates" the request.
config.SuppressHostPrincipal();

Also if you are still getting access to action data, chances are you did not apply [Authorize] attribute to the controller or action to restrict access.

Related reading Host authentication and Web API with OWIN and active vs. passive authentication middleware

like image 163
Nkosi Avatar answered Sep 24 '22 13:09

Nkosi
Sign in to Comment

Related questions

Access UI thread while app is being suspended?
Get type that implements generic interface by searching for a specific generic interface parameter
MVC async method in constructor controller
Is it possible to perform a LINQ aggregate over a collection of one type to a different result type?
WebClient.CancelAsync — File still downloading
Execute Raw Mongodb Query with c# driver v2
How to identify Post Data is hacked using anti-forgery token
Is there an example of Ix.NET (System.Interactive) somewhere?
Azure function: limit the number of calls per second
Can vstest.console.exe run an appx without a security certificate
C# overload resolution with IList<T> and IReadOnlyList<T>
How to store the active status of a Task, and maintain permanency of a List of these Tasks
Using a type to instantiate a derived class which uses restricted generics
Reacting to Task completion: `.ContinueWith()` vs `GetAwaiter().OnCompleted()`
IdentityServer4 ValidIssuers
Can I have an analyzer on a .net 4.5 project?
How to handle server errors with layered architecture in web API controller
How can I detect how many gameobjects have a certain material?
Alternative to taking rapid screenshots of a window
Custom JsonConfigurationProvider - ASP.NET Core uses wrong implementation

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!