
We're building a Windows-authenticated ASP.NET MVC app. This will then call into an ASP.NET WebAPI layer sat on a different server.

We don't have Kerberos enabled so assume authentication with this will be via some form of Basic auth. We're also looking to use ASP.NET Membership/Identity for role management. All communication with the Membership database will be via the WebAPI.

Can anyone give guidance on how best to handle issuing authentication tokens for communication between the MVC and WebAPI apps, and how Authorize attributes may be used across both layers?

1 Answer


I've blogged a detailed series of posts about token-based authentication in Web API using ASP.NET Identity; it should answer part of your question. Check it here


1 Comment

Thanks, @Taiseer. This was helpful but the part I'm struggling with is how to take a Windows username on the MVC side and use that as something verifiable to call to the API. The MVC app recognises the Windows user but there is no password or similar to pass to the API to then link to an ASP.NET Identity. Just passing the username doesn't strike me as secure. Anyone could call the API directly with a username and impersonate calls.
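The concern raised in the comment above, that a bare username sent to the API proves nothing about who sent it, can be addressed by having the MVC app sign what it sends. The following C# sketch is an added example, not code from the question, the answer or the linked blog: the MVC app issues a short-lived HMAC-signed assertion of the Windows username and the API verifies it. It assumes the two servers share a secret key provisioned out of band; `UserAssertion`, `Issue` and `Validate` are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
// Added example. UserAssertion and its methods are hypothetical names; `key` is a
// secret the MVC app and the Web API are assumed to share out of band.
public static class UserAssertion
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
    static long ToUnix(DateTime utc) { return (long)(utc - Epoch).TotalSeconds; }
    static byte[] Sign(string payload, byte[] key)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    // MVC side: bind the Windows user name to an expiry time and sign both.
    public static string Issue(string windowsUser, byte[] key, DateTime utcNow, TimeSpan lifetime)
    {
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(windowsUser))
                         + "." + ToUnix(utcNow.Add(lifetime));
        return payload + "." + Convert.ToBase64String(Sign(payload, key));
    }

    // API side: returns the user name, or null if the token is malformed, forged or expired.
    public static string Validate(string token, byte[] key, DateTime utcNow)
    {
        string[] parts = (token ?? "").Split('.');
        long expires;
        if (parts.Length != 3 || !long.TryParse(parts[1], out expires)) return null;
        byte[] presented;
        try { presented = Convert.FromBase64String(parts[2]); }
        catch (FormatException) { return null; }
        byte[] expected = Sign(parts[0] + "." + parts[1], key);
        int diff = expected.Length ^ presented.Length;           // constant-time compare
        for (int i = 0; i < expected.Length && i < presented.Length; i++)
            diff |= expected[i] ^ presented[i];
        if (diff != 0 || ToUnix(utcNow) >= expires) return null;
        return Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
    }
    public static void Main()
    {
        byte[] key = Encoding.UTF8.GetBytes("constructed-demo-key-not-for-production");
        DateTime now = DateTime.UtcNow;
        string token = Issue(@"CORP\alice", key, now, TimeSpan.FromMinutes(5));   // constructed user
        Console.WriteLine(Validate(token, key, now) ?? "rejected");               // valid token
        Console.WriteLine(Validate("Q09SUFxib2I=.9999999999.AAAA", key, now) ?? "rejected"); // forged
        Console.WriteLine(Validate(token, key, now.AddMinutes(6)) ?? "rejected"); // expired
    }
}
```

The token only proves that the holder of the key vouched for the user, so it must travel over TLS and the key must stay server-side on both hosts; a captured token remains usable until it expires.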
