What does HostAuthenticationFilter do?

Can someone please explain what these two lines of code mean inside the Register() method of my WebApiConfig.cs file.

// Web API configuration and services
// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

I assume it's adding HostAuthentication application wide. But even if I don't pass a bearer token with my requests I am still able to get the data. So what's the point of adding this filter?

psj01 asked Jun 22 '18 17:06


1 Answer

I usually keep the following comments in my code as a reminder of what they are for.

// Configure Web API to use only bearer token authentication.
// If you don't want the OWIN authentication to flow to your Web API then call
// SuppressDefaultHostAuthentication on your HttpConfiguration.
// This blocks all host level authentication at that point in the pipeline.
config.SuppressDefaultHostAuthentication();
//config.Filters.Add(new HostAuthenticationFilter(Microsoft.Owin.Security.OAuth.OAuthDefaults.AuthenticationType));

// "Host-level authentication" is authentication performed by the host (such as IIS),
// before the request reaches the Web API framework.
// ----
// Often, you may want to enable host-level authentication for the rest of your application,
// but disable it for your Web API controllers. For example, a typical scenario is to
// enable Forms Authentication at the host level, but use token-based authentication for Web API.
// ----
// To disable host-level authentication inside the Web API pipeline, call config.SuppressHostPrincipal()
// in your configuration. This causes Web API to remove the IPrincipal from any request that enters
// the Web API pipeline. Effectively, it "un-authenticates" the request.
config.SuppressHostPrincipal();

Also if you are still getting access to action data, chances are you did not apply [Authorize] attribute to the controller or action to restrict access.

Related reading: "Host authentication and Web API with OWIN and active vs. passive authentication middleware".

Nkosi answered Sep 24 '22 13:09
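The point the answer makes is that these two calls only decide *which identity* reaches Web API; they never reject a request on their own. Enforcement is the job of [Authorize]. The following is an added, self-contained OWIN startup (not code from the question or the answer) that puts both halves side by side: SuppressDefaultHostAuthentication() drops any cookie/forms identity set by the host, HostAuthenticationFilter re-admits only the identity produced by the bearer middleware, and two actions on a demo controller show the difference between an unprotected action (returns 200 with or without a token, the symptom in the question) and one marked [Authorize] (401 without a valid bearer token). The Demo namespace, the DemoController routes and the assumption that tokens are issued elsewhere (for example by an OAuthAuthorizationServer middleware) are all hypothetical; the bearer options are left at their defaults.

```csharp
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Hypothetical startup class for this example (not the project's own).
[assembly: OwinStartup(typeof(Demo.Startup))]

namespace Demo
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            var config = new HttpConfiguration();

            // 1. Strip whatever principal the host (IIS forms/cookie auth, Windows auth)
            //    attached before the request reached Web API. After this call a request
            //    enters the Web API pipeline anonymous, regardless of host-level auth.
            config.SuppressDefaultHostAuthentication();

            // 2. Let exactly one authentication type back in: the one produced by the
            //    OWIN bearer middleware. The filter runs that middleware's "authenticate"
            //    step and sets request.User; it does NOT fail requests without a token.
            config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

            config.MapHttpAttributeRoutes();

            // Bearer middleware: validates tokens that are present and builds the identity.
            // Token issuance is assumed to be configured elsewhere (assumption for this example).
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
            app.UseWebApi(config);
        }
    }

    // Hypothetical controller used to demonstrate enforcement vs. identification.
    [RoutePrefix("api/demo")]
    public class DemoController : ApiController
    {
        // No [Authorize]: anonymous callers get 200. The filter above only sets User;
        // nothing here checks it, which is exactly why data is still returned without a token.
        [HttpGet, Route("open")]
        public IHttpActionResult Open()
        {
            var identity = User?.Identity;
            return Ok(new
            {
                authenticated = identity?.IsAuthenticated ?? false,
                name = identity?.Name
            });
        }

        // [Authorize] is the enforcement point: a request without a valid bearer token
        // is answered with 401 before this method body runs.
        [Authorize]
        [HttpGet, Route("protected")]
        public IHttpActionResult Protected()
        {
            return Ok(new { name = User.Identity.Name });
        }
    }
}
```

To see the behaviour described in the question, call api/demo/open with and without an Authorization: Bearer header; both succeed, but the authenticated flag differs. Call api/demo/protected the same way and only the request with a valid token gets through. If a request authenticated by a host cookie still reaches the protected action, SuppressDefaultHostAuthentication() is not in effect for that route, which is the other failure mode the answer's comments describe.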