Geek Answers Handbook

Implement role-based authentication and authorization in the ASP.NET MVC web API and MVC client architecture

It is difficult for me to determine the approach when implementing the authentication / authorization scenario for my project for the architecture of the web interface (service) - MVC (client). Despite the fact that I implemented authentication based on tokens authentication in the web API project, it is difficult for me to find where exactly I should implement authorization (in the client or in the API itself).

Architecture Overview:

  • Project Solution

    |
    | __ ASP.NET-based web-based REST service (Independently hosted on IIS on M / C 1)
    |
    | __ ASP.NET MVC client (independently hosted in IIS when using the REST service for M / C 2)
    |
    | __ Application for connecting a smartphone (using the REST service)

Authentication already implemented:

  • Web API token-based authentication (using a message handler) - Generates a SHA1 token for an authenticated user, which should be part of each HTTP request header for authentication.
    (Token = username + user IP)

  • Secure HTTP HTTP request. (Again, using a message handler)

Current issues:

  • At what level should authorization be implemented?
  • How should the user role be stored on the client? Using Cookies? or Adding role information to the token itself (which can add service data for the API to decrypt information and additional database calls to obtain permissions associated with this role).
  • How should an authentication token be stored in a client session?
  • Since my application is a SPA MVC application, what is the best way to include an authentication token as part of every AJAX call that I make for the API?

I hope I am not mistaken, taking into account the whole concept of authentication / authorization. Thus, I would appreciate any alternative approach / suggestion.

+8
asp.net-mvc asp.net-web-api asp.net-mvc-4 asp.net-authorization
source share
2 answers

First of all, I believe that never come up with your own authentication mechanism.

To answer your current problems:

1 As a rule, you always want to protect your Api using authentication, as this is the place where you access your data. Your client (MVC App / Smartphone) must log in to access your Api.

2 and 3 Since you are using REST Api, I would suggest keeping your Apache stateless, in other words, not storing session information. Just provide the role details that you need in your token. You can use, for example, JNON Web Token .

4 I would always use the authorization header to send authorization data. In the DelegatingHandler case (note the difference in MessageHandler MVC, DelegatingHander HTTP), you can just get the header.

protected override Task<HttpResponseMessage> SendAsync( HttpRequestMessage request, CancellationToken cancellationToken) { var authorizationHeader = request.Headers.Authorization; // Your authorization logic. return base.SendAsync(request, cancellationToken); }

For details on how to enable the authorization header in an ajax call, see below: How to use Basic Auth with jQuery and AJAX?

Additional Information:

If I were you, I would also look at the Thinktecture Identity Server: https://github.com/thinktecture/Thinktecture.IdentityServer.v2

And maybe this REST service authentication answer will also help you: REST Service Authentication

+3
source share

Why create an entire token system (if you are not using any kind of federated security), you have authentication and cookies, as soon as the cookie is set and returned, the browser will send a cookie with any AJAX requests made by your SPA.

0
source share

More articles:


All Articles