Well, someone reading this probably knows (like me) how WebAPI works, and how, if I create an application using WebAPI and the Identity framework, I can create an HTTP request, add an auth header, and the application will know who I am by reading the auth header.
This is what is called a stateless API call, where the API receiving the call gets everything it needs to determine who the user is, and thus can authenticate the user and their stateless request.
.....
I want the same behavior in MVC (and not in the Web API).
I don't want this application to serve any requests before that; my application should use the Identity framework just like my WebAPI endpoints do, to ensure that every stateless call is authenticated using an authorization header.
This is how I do it in WebAPI (which does not work in MVC):
    using Core.App.Security;
    using Microsoft.Owin.Security.OAuth;
    using Ninject;
    using Owin;

    namespace Core.App
    {
        public static class Auth
        {
            public static void Configure(IAppBuilder app, IKernel kernel)
            {
                // Per-request Identity managers, resolved through the Ninject kernel
                app.CreatePerOwinContext<ApplicationUserManager>((options, owinContext) => ApplicationUserManager.Create(options, owinContext, kernel));
                app.CreatePerOwinContext<ApplicationSignInManager>((options, owinContext) => ApplicationSignInManager.Create(options, owinContext, kernel));

                // Validate the "Authorization: Bearer <token>" header on every request;
                // no token endpoint is hosted here, tokens come from the SSO server
                app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

                // Custom extension (Core.App.Security) that copies the auth info into the context
                app.AddAuthInfoToContext();
            }
        }
    }
Essentially, this establishes bearer authentication using tokens, but not the auth server in the current application.
This code allows my centralized SSO server, which acts as my Auth token provider, to issue tokens that I can use against any of our API applications (yes, I have a lot of them).
Differences
WebAPI: (HttpContext.Current.Identity).
MVC: Forms Auth, auth, MVC "Login".
HTTP, WebAPI Identity?
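Added example, not from the question above or from the poster's project: an MVC-side OWIN startup that reuses the same bearer middleware the WebAPI project registers, plus an authorize attribute that answers 401 instead of the Forms Authentication redirect to the login page. The namespace Core.Web and the names Startup, BearerAuthorizeAttribute and ProfileController are assumptions; the middleware, attribute and host behaviour it relies on are standard Microsoft.Owin / ASP.NET MVC 5 APIs. One caveat a practitioner will hit with a separate SSO token issuer: the default OAuthBearerAuthenticationOptions unprotect tokens with the host's data protector, which on the SystemWeb host means the machineKey in web.config, so every consuming app needs the same machineKey as the issuer (or a shared custom AccessTokenFormat).

```csharp
using System.Security.Claims;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(Core.Web.Startup))]

namespace Core.Web
{
    // Hypothetical MVC project; namespace and class names are assumptions.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Same middleware as in the WebAPI project. In Active mode (the default)
            // it validates the "Authorization: Bearer <token>" header on every request
            // and sets the request principal, which Microsoft.Owin.Host.SystemWeb
            // exposes as HttpContext.User before the MVC handler runs.
            // No cookie middleware is registered, so nothing can redirect to /Login.
            // Tokens issued by another application are only readable here if both
            // hosts share the same data-protection key (for the SystemWeb host the
            // <machineKey> in web.config) or the same custom AccessTokenFormat.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
            {
                AuthenticationMode = AuthenticationMode.Active
            });
        }
    }

    // MVC's AuthorizeAttribute already reads HttpContext.User, so plain [Authorize]
    // works once the principal is set. This override keeps the failure path
    // stateless: a 401 with a WWW-Authenticate challenge instead of the 302 to
    // the login page that FormsAuthentication would otherwise produce.
    // Also set <authentication mode="None" /> in web.config and remove the
    // FormsAuthentication module, so there is no cookie state to fall back on.
    public class BearerAuthorizeAttribute : AuthorizeAttribute
    {
        protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
        {
            var response = filterContext.HttpContext.Response;
            response.SuppressFormsAuthenticationRedirect = true;
            response.AddHeader("WWW-Authenticate", "Bearer");
            filterContext.Result = new HttpUnauthorizedResult();
        }
    }

    public class ProfileController : Controller
    {
        // GET /Profile/WhoAmI with a valid "Authorization: Bearer <token>" header
        // returns 200 and the name carried in the token; without one it returns
        // 401 with no redirect and no Set-Cookie, exactly like the WebAPI endpoints.
        [BearerAuthorize]
        public ActionResult WhoAmI()
        {
            var identity = User.Identity as ClaimsIdentity;
            var name = identity?.FindFirst(ClaimTypes.Name)?.Value ?? identity?.Name;
            return Content("Authenticated as " + name, "text/plain");
        }
    }
}
```

To check it behaves statelessly, call the action twice from a client that keeps no cookie jar: once with the SSO-issued token in the Authorization header (expect 200) and once without (expect 401 and a WWW-Authenticate: Bearer header, not a 302 to /Account/Login). If the second call still redirects, Forms Authentication is still enabled in web.config.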