
I have an existing MVC 5 project with WebAPI2 controllers. I use Forms Authentication for my frontend and now Bearer tokens for my WebAPI.

The problem is that if I use the WebAPI authentication after logging in to the MVC application, the WebAPI thinks I'm authenticated even if I don't specify a valid bearer token.

If I call

config.SuppressDefaultHostAuthentication()

then once I log in through WebAPI with a bearer token and then log in to the MVC app, the principal is always set to ClaimsPrincipal even though it was set to my custom principal (Application_AuthenticateRequest). So when I cast HttpContext.User to my custom Principal later, it doesn't work and the MVC app thinks my user is logged out.

So, how can I separate the two authentication methods without them overriding each other?

MVC Authentication:

// Global.asax.cs: runs for every request in the System.Web pipeline, MVC and Web API alike.
protected void Application_AuthenticateRequest(object sender, EventArgs e)
{
    // Request.IsAuthenticated is true whenever the Forms Authentication cookie was accepted.
    if (Request.IsAuthenticated)
    {
        // check if we have the user in the cache
        var userPrincipal = PrincipalManager.GetPrincipal();
        if (userPrincipal == null || !userPrincipal.Identity.IsAuthenticated)
        {
            userPrincipal = new GenericPrincipal(new RoomixerIdentity(), null);
            PrincipalManager.StorePrincipal(userPrincipal);
        }

        // Replace the principal built from the Forms Auth ticket with the custom one.
        HttpContext.Current.User = userPrincipal;
    }
}


I recommend that you check the VS 2013 Web API template (Web API and MVC core dependency), but with individual accounts checked as in this image. I believe you are missing these two lines in the class WebApiConfig.cs:

config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

You need to suppress the default authentication (Forms Auth) and then add bearer authentication only for Web API.


Hi Taiseer, I did try to do this, but then the WebAPI authentication principal overrides my custom MVC principal. After I receive a token using the WebAPI /Token endpoint and then authenticate using my regular login on the MVC application, I set HttpContext.Current.User to my custom principal in Application_AuthenticateRequest. However, when my MVC controller is called, HttpContext.User is of type ClaimsPrincipal and not the one that was just set in Application_AuthenticateRequest. I have no idea why this is happening.
Just a question: are you using the default VS 2013 MVC5/WebApi template, or did you build this from scratch? Did you check this link?
No, I had a VS 2012 project which I updated to MVC5/WebAPI2. I tried setting [OverrideAuthentication] and [System.Web.Http.HostAuthentication(DefaultAuthenticationTypes.ExternalCookie)] on my base MVC controller, but no change.
The external cookie is set when you enable authentication using external providers (Facebook), so it is not valid in your case. Unfortunately I can't tell what is going wrong, because mixing Web API and MVC authentication together is not a pleasant approach, but my recommendation is to add a new POC project using the new VS 2013 template and see how this is configured; hopefully this will solve your issue.
After some comparisons I've managed to solve this by moving the WebAPI configuration to global.asax.cs from the Startup.cs file and adding the config.SuppressDefaultHostAuthentication() call before the MapHttpRoute call.
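The configuration the answer describes, with the ordering the last comment settled on (SuppressDefaultHostAuthentication before the route registration, and Web API registered from Global.asax rather than Startup.cs), as an added example. This is not code from the question, the answer, or the VS 2013 template. The route template, the `WhoAmIController`, `RouteConfig`, and the use of `GlobalConfiguration.Configure` are assumptions; the OAuth bearer middleware behind the `/Token` endpoint is assumed to be registered in Startup.Auth.cs as the template does it.

```csharp
// Added example, not the poster's or answerer's code. Assumes an MVC 5 + Web API 2
// project with Microsoft.Owin.Security.OAuth and the OAuth bearer middleware
// registered in Startup.Auth.cs (as the VS 2013 "Individual Accounts" template does).
using System.Security.Claims;
using System.Web;
using System.Web.Http;
using System.Web.Mvc;
using System.Web.Routing;
using Microsoft.Owin.Security.OAuth;

// App_Start/WebApiConfig.cs
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        // 1. Drop the host (System.Web) principal for Web API requests. Without this,
        //    a caller holding a valid Forms Auth cookie reaches [Authorize] API
        //    actions with no bearer token at all. Called before the routes are mapped,
        //    which is the ordering the original poster reported as working.
        config.SuppressDefaultHostAuthentication();

        // 2. Re-enable exactly one host authentication type for Web API: the OAuth
        //    bearer middleware (OAuthDefaults.AuthenticationType is "Bearer").
        //    Requests without "Authorization: Bearer <token>" stay anonymous.
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

        config.MapHttpAttributeRoutes();
        config.Routes.MapHttpRoute(           // route template is an assumption
            name: "DefaultApi",
            routeTemplate: "api/{controller}/{id}",
            defaults: new { id = RouteParameter.Optional });
    }
}

// Global.asax.cs: Web API is registered here, not in Startup.cs. The Forms Auth
// side (Application_AuthenticateRequest with the custom principal) is unchanged;
// Web API ignores that host principal because of step 1 above.
public class MvcApplication : HttpApplication
{
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        GlobalConfiguration.Configure(WebApiConfig.Register);
        RouteConfig.RegisterRoutes(RouteTable.Routes);   // RouteConfig assumed from the template
    }
}

// A check (assumed controller): with the filter in place, a cookie-only caller gets
// 401 here, and a bearer-token caller sees AuthenticationType "Bearer".
[System.Web.Http.Authorize]   // fully qualified: System.Web.Mvc also defines Authorize
public class WhoAmIController : ApiController
{
    public IHttpActionResult Get()
    {
        var identity = User.Identity as ClaimsIdentity;
        if (identity == null)
        {
            return Unauthorized();
        }

        return Ok(new
        {
            Name = identity.Name,
            AuthenticationType = identity.AuthenticationType
        });
    }
}
```

To verify the separation, send two requests to `api/WhoAmI`: one carrying only the Forms Authentication cookie (expect 401, because the host principal was suppressed) and one carrying `Authorization: Bearer <token>` obtained from `/Token` (expect 200 with `AuthenticationType` of `Bearer`). If the first request returns 200, `SuppressDefaultHostAuthentication()` is not being called before the Web API routes are registered.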
