7

I currently have a Web API controller added to an existing MVC 5 project (not using .NET Core) and I was able to successfully create and get data from the controller that I have set up. The purpose of the API is to pass data between it and a mobile application that uses the same data source that the MVC project uses (I will also be calling existing methods in the project from the API, so I would prefer the API exist in the MVC project). I am now looking for a way to add token authentication to the API, as I only want logged-in users in the mobile application to be allowed to access the API. How can I achieve this?

1 Answer

3

The simplest solution should be to use the Token Validation Middleware from the IdentityServer 3 suite.
Just add the NuGet package and configure your application following the doc:

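```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using IdentityServer3.AccessTokenValidation;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // turn off any default mapping on the JWT handler
        JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

        // validate incoming bearer tokens against the IdentityServer authority
        app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
        {
            Authority = "https://localhost:44333/core",
            RequiredScopes = new[] { "api1" }
        });

        // WebApiConfig.Register() is expected to return the HttpConfiguration
        app.UseWebApi(WebApiConfig.Register());
    }
}
```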

It's OK to set app.UseIdentityServerBearerTokenAuthentication() only (prior to app.UseCookieAuthentication() and app.UseOpenIdConnectAuthentication()) and call GlobalConfiguration.Configure(WebApiConfig.Register) in Global.asax.
Such an approach allows combining token and cookie-based auth in one MVC application.
The only problem for today is that IdentityServer 3 family tools are frozen and support System.IdentityModel 4 and OWIN 3 only, so

update: The preferred solution for ASP.NET 4.6+ becomes IdentityServer3.Contrib.AccessTokenValidation -- a fork, refactored according to the recent framework changes.


4 Comments

Since it is an MVC 5 project, there is no Startup file. Where would I add this code?
You have to reference OWIN. But it will be added automatically as a dependency for the Identity package, and then you'll be able to mark any custom class with '[OwinStartupAttribute]'. Guess it's a totally separate question, but I've described the basics...
@d_f I'm facing the same issue. app doesn't have a UseWebApi method. I want to keep cookie auth for controllers but apply JWT auth for API controllers and be able to use the Authorize attribute on them.
@emzero it's ok to set app.UseIdentityServerBearerTokenAuthentication() only (prior to app.UseCookieAuthentication() and app.UseOpenIdConnectAuthentication()) and call GlobalConfiguration.Configure(WebApiConfig.Register) in Global.asax
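
The combined setup described in the answer and the last comment, as an added example (not the answerer's code or the IdentityServer project's own): bearer validation registered before cookie auth, with Web API told to ignore the cookie identity so API controllers accept only the token. The namespace `MyMvcApp`, the login path and the explicit `"Bearer"` authentication type name are assumptions.

```csharp
using System.Collections.Generic;
using System.IdentityModel.Tokens;
using System.Web.Http;
using IdentityServer3.AccessTokenValidation;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// An MVC 5 project without a Startup file needs this attribute to locate the class.
[assembly: OwinStartup(typeof(MyMvcApp.Startup))]

namespace MyMvcApp // hypothetical namespace
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            JwtSecurityTokenHandler.InboundClaimTypeMap = new Dictionary<string, string>();

            // Token validation first, as the answer states.
            app.UseIdentityServerBearerTokenAuthentication(new IdentityServerBearerTokenAuthenticationOptions
            {
                Authority = "https://localhost:44333/core",
                RequiredScopes = new[] { "api1" },
                AuthenticationType = "Bearer" // named explicitly so the filter below can refer to it
            });

            // Existing cookie login for the MVC controllers and views.
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                LoginPath = new PathString("/Account/Login") // assumed login route
            });
        }
    }

    public static class WebApiConfig
    {
        // Called from Global.asax: GlobalConfiguration.Configure(WebApiConfig.Register);
        public static void Register(HttpConfiguration config)
        {
            config.SuppressDefaultHostAuthentication();                 // drop the cookie identity for API calls
            config.Filters.Add(new HostAuthenticationFilter("Bearer")); // authenticate API calls by token only
            config.Filters.Add(new AuthorizeAttribute());               // reject anonymous API requests
            config.MapHttpAttributeRoutes();
        }
    }
}
```

Without `SuppressDefaultHostAuthentication()`, a browser session cookie would also authenticate API requests, which exposes the API endpoints to cross-site request forgery from a logged-in browser.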
