Consume the Security of an API for MVC Web Application


I have an API (ASP.NET Identity) to log into the Web MVC application.

  1. Access the Web MVC application (login screen).
  2. I call the API, passing the email and password that were entered in the Web MVC application.
  3. The API returns a bearer token.

My question is: how do I authorize access to the Web application classes with the [Authorize] attribute, considering the token that the API returns?

--- Updating with the Code --

-- Method That Calls My API

    // Namespaces this method needs (at the top of the file):
    using System;
    using System.Collections.Generic;
    using System.Threading.Tasks;
    using Newtonsoft.Json.Linq;
    using RestSharp;

    private async Task<List<LoginModel>> GetUserNameByemailRestSharp(string email)
    {
        List<LoginModel> lst = new List<LoginModel>();

        object param = new { Email = email };

        try
        {
            IRestResponse restResponse = await APIIdentity.ResponseAPIPost_RestSharp("/api/Account/GetUserNameByemail", param);

            // The response body is already a JSON object; one parse is enough.
            var obj = JObject.Parse(restResponse.Content);

            // Caveat: the API returns the stored password for the e-mail here. A login API
            // should never expose a password (hashed or not) to a caller.
            lst.Add(new LoginModel { UserName = obj["UserName"].ToString(), Email = obj["Email"].ToString(), Password = obj["Password"].ToString() });
        }
        catch (Exception)
        {
            // Any failure (network, non-JSON body, missing field) is reported as "no user".
            lst.Add(new LoginModel { UserName = "", Email = "", Password = "" });
        }

        return lst;
    }

-- Controller that the login screen of the Web MVC application calls (via Ajax), passing email and password

    [HttpPost]
    public async Task<JsonResult> getLogin(string email, string password)
    {
        List<LoginModel> lstUser = null;
        object result = null;

        try
        {
            lstUser = await GetUserNameByemailRestSharp(email);

            if (!string.IsNullOrEmpty(lstUser[0].UserName))
            {
                var lstToken = await GetToken(lstUser[0].UserName, password);

                if (lstToken[0].ToString() != "200")
                {
                    result = new { StatusCode = lstToken[0].ToString(), Description = lstToken[1].ToString() };
                }
                else
                {
                    // Token returned by the API
                    result = new { StatusCode = lstToken[0].ToString(), Description = "" };
                }
            }
            else
            {
                // Caveat: a distinct "e-mail not found" message lets an attacker enumerate
                // which e-mails have accounts; a single generic failure message is safer.
                result = new { StatusCode = "400", Description = "E-mail not found in the database!" };
            }
        }
        catch (Exception)
        {
            result = new { StatusCode = "400", Description = "E-mail not found in the database!" };
        }

        // The action is POST-only, so JsonRequestBehavior.AllowGet is not needed.
        return Json(result);
    }

The result object contains the bearer token. How do I authenticate with the [Authorize] attribute in my Web MVC application, which is outside the API project, considering that token?

  • The question is not very clear. Which token are you talking about? Is it a JWT, SAML, etc.? Where is the code? Please see this link to help you improve your question: https://answall.com/help/how-to-ask

1 answer


The [Authorize] attribute marks the points where only authenticated users can have access.

When you decorate classes and/or methods with [Authorize], you are defining that only authenticated users can have access to that scope.

Depending on the complexity of your project, you should combine the authorization with other parameters, such as Roles and allowed users. You can, for example, define that a method is authorized only for users with the administrator or superuser role, as below:

 [Authorize(Roles = "Administrador, SuperUser")]

After authentication, depending on how your project is configured and on the separation of layers, the authenticated user will be authorized transparently through cookies or by sending the token. Using Identity you can also work with Roles and Claims directly in the process.

Here, Role-based authorization, you may find more information about this process.

  • Thanks for the feedback, but I need help with a step before this. I updated my post.

  • Anderson, for this you need to create a relationship of trust between your client (web project) and your identity provider. Depending on the adopted standard, you must configure your client with information from the identity provider to have this relationship; that is, your client will authorize requests with tokens from the identity provider, since it knows that provider. Take a look at Protect .NET Microservices and Web Applications
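The following is an added example, not code from the asker or from the API project, showing one concrete way to do what the answer and the last comment describe in an ASP.NET MVC 5 / OWIN client: configure the client with the identity provider's issuer, audience and signing key (the "trust relationship"), validate the bearer token the API returns, and then sign the user in with a cookie so that [Authorize] and [Authorize(Roles = ...)] work in the MVC project. It assumes the API issues a JWT signed with HS256 under a secret shared with this client, that the MVC app has Microsoft.Owin.Host.SystemWeb, Microsoft.Owin.Security.Cookies, System.IdentityModel.Tokens.Jwt and Newtonsoft.Json installed, and that the API login path (`/api/Account/Login`), its JSON shape (`access_token`), the URLs and the helper name `RequestTokenAsync` are placeholders.

```csharp
// Added example (not the asker's or the API project's code). Assumptions: the API issues an
// HS256 JWT with a fixed issuer/audience under a secret shared with this client; the MVC app
// runs on OWIN with the cookie middleware; URLs, paths and JSON field names are placeholders.
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.IdentityModel.Tokens;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Newtonsoft.Json.Linq;
using Owin;

[assembly: OwinStartup(typeof(WebMvcApp.Startup))]

namespace WebMvcApp
{
    // The trust relationship with the identity provider: a token is accepted only if its
    // signature verifies under the provider's key and issuer, audience and expiry match.
    public static class ApiTrust
    {
        public const string ApiBaseUrl = "https://api.example.local";  // placeholder
        public const string Audience   = "web-mvc-client";             // placeholder
        static readonly byte[] Secret  = Encoding.UTF8.GetBytes(
            Environment.GetEnvironmentVariable("API_JWT_SECRET")       // never hard-code in production
            ?? "dev-only-secret-at-least-32-bytes-long!!");

        static readonly TokenValidationParameters Validation = new TokenValidationParameters
        {
            ValidIssuer = ApiBaseUrl,
            ValidAudience = Audience,
            IssuerSigningKey = new SymmetricSecurityKey(Secret),
            ValidateIssuerSigningKey = true,
            ValidateLifetime = true,
            ClockSkew = TimeSpan.FromMinutes(1),
        };

        // Returns the validated principal, or null when the token is not one we trust.
        public static ClaimsPrincipal TryValidate(string jwt)
        {
            try
            {
                SecurityToken validated;
                var principal = new JwtSecurityTokenHandler().ValidateToken(jwt, Validation, out validated);
                // Pin the algorithm: "alg":"none" or any other algorithm is rejected outright.
                var jws = validated as JwtSecurityToken;
                if (jws == null || jws.Header.Alg != SecurityAlgorithms.HmacSha256) return null;
                return principal;
            }
            catch (SecurityTokenException) { return null; }
            catch (ArgumentException)      { return null; }
        }

        // Steps 2 and 3 of the question: exchange e-mail + password for a token at the API.
        static readonly HttpClient Http = new HttpClient { BaseAddress = new Uri(ApiBaseUrl) };
        public static async Task<string> RequestTokenAsync(string email, string password)
        {
            var body = new StringContent(new JObject { ["Email"] = email, ["Password"] = password }.ToString(),
                                         Encoding.UTF8, "application/json");
            using (var resp = await Http.PostAsync("/api/Account/Login", body))   // placeholder path
            {
                if (!resp.IsSuccessStatusCode) return null;
                return (string)JObject.Parse(await resp.Content.ReadAsStringAsync())["access_token"];
            }
        }
    }

    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // [Authorize] in the MVC app is satisfied by this cookie; the bearer token never
            // reaches the browser (the cookie payload is encrypted by the middleware).
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
                LoginPath = new PathString("/Account/Login"),
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,
                CookieSameSite = SameSiteMode.Lax,               // Microsoft.Owin 4.1+
                ExpireTimeSpan = TimeSpan.FromMinutes(30),
                SlidingExpiration = true,
            });
        }
    }

    public class AccountController : Controller
    {
        [HttpPost]
        public async Task<JsonResult> getLogin(string email, string password)
        {
            string jwt = await ApiTrust.RequestTokenAsync(email, password);
            ClaimsPrincipal principal = jwt == null ? null : ApiTrust.TryValidate(jwt);
            if (principal == null)
            {
                // One message for "unknown e-mail" and "wrong password" (no account enumeration).
                // 400, not 401: the cookie middleware turns a 401 into a redirect to LoginPath.
                Response.StatusCode = 400;
                return Json(new { StatusCode = "400", Description = "Invalid e-mail or password." });
            }
            // Re-issue the validated claims under the cookie's authentication type and keep the
            // raw token as a claim so server-side calls to the API can reuse it.
            var identity = new ClaimsIdentity(principal.Claims, CookieAuthenticationDefaults.AuthenticationType);
            identity.AddClaim(new Claim("api_access_token", jwt));
            HttpContext.GetOwinContext().Authentication.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
            return Json(new { StatusCode = "200", Description = "" });
        }

        // Satisfied once the cookie exists; the JWT "role" claims are mapped to ClaimTypes.Role.
        [Authorize(Roles = "Administrador, SuperUser")]
        public ActionResult Admin()
        {
            return View();
        }
    }
}
```

The design choice worth noting is that the MVC app does not hand the API's token to the browser and does not protect its own pages with bearer authentication; it validates the token once, against the provider's key, and converts the result into its own HttpOnly, Secure cookie. If the API issues opaque (non-JWT) tokens instead, replace `TryValidate` with a call to a protected API endpoint using the token and treat a 200 as the validation result; the cookie sign-in stays the same.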
