How should I handle authentication with Identity 2.0 and WebAPI 2.1 and Owin 2?

I am using the following in a WebAPI application with an AngularJS interface:

  • New browser-only clients in one domain
  • Identity 2.0
  • WebAPI 2.1
  • Owin 2.1
  • AngularJS interface for registering, logging in and displaying data

I have read about token authentication, but now I am very confused, and I cannot find any good examples that use my combination. I would like to know whether I should use cookies or tokens for authentication. Should I use UserManagerFactory or CreatePerOwinContext?

Here is what I have in my Startup.Auth.cs:

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.CreatePerOwinContext(ApplicationDbContext.Create);
            app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
            app.CreatePerOwinContext<ApplicationRoleManager>(ApplicationRoleManager.Create);
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                LoginPath = new PathString("/"),
                Provider = new CookieAuthenticationProvider
                {
                    OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                        validateInterval: TimeSpan.FromMinutes(30),
                        regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
                }
            });
            app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
            app.UseTwoFactorSignInCookie(DefaultAuthenticationTypes.TwoFactorCookie, TimeSpan.FromMinutes(5));
            // Enables the application to remember the second login verification factor such as phone or email.
            // Once you check this option, your second step of verification during the login process will be remembered on the device where you logged in from.
            // This is similar to the RememberMe option when you log in.
            app.UseTwoFactorRememberBrowserCookie(DefaultAuthenticationTypes.TwoFactorRememberBrowserCookie);
        }
    }

Here is my WebAPI configuration:

    public static class WebApiConfig
    {
        public static void CustomizeConfig(HttpConfiguration config)
        {
            config.Formatters.Remove(config.Formatters.XmlFormatter);
            var json = config.Formatters.JsonFormatter;
            json.SerializerSettings.ContractResolver = new CamelCasePropertyNamesContractResolver();
            json.SerializerSettings.ReferenceLoopHandling = Newtonsoft.Json.ReferenceLoopHandling.Ignore;
            json.SerializerSettings.Converters.Add(new IsoDateTimeConverter { DateTimeFormat = "yyyy-MM-ddTHH:mmZ" });
        }
    } // closing brace was missing in the posted snippet

I saw a few examples using this code, but I'm not sure how to call it:

    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId, UserManagerFactory),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        AllowInsecureHttp = true
    };

Can I just replace cookie authentication with this?

+6
1 answer

Not an expert, but in my work I have found that tokens work fine for the API and for calls from JavaScript to the API, while traditional cookies are mainly for the UI. Either or both will work, depending on what you are trying to do.

You can follow this link, which uses a cookie for the UI and a token for the API: http://blog.iteedee.com/2014/03/asp-net-identity-2-0-cookie-token-authentication/

    app.CreatePerOwinContext(ApplicationSession.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    // Token Authentication
    app.UseOAuthBearerAuthentication(new OAuthBearerOptions());

I think you can set the bearer authentication type if you need both, but you will have to play with it. The token will be in the OwinContext under ".AspNet.ExternalBearer".

I also think that if you register the Identity 2.0 middleware, it registers the OAuth middleware pieces as well, so you do not need to register the OAuth server middleware yourself. That is the OAuthAuthorizationServerOptions code you posted; you do not need it.

If the UI and API are separate, it gets a little more complicated if you want a single identity from the UI to pass through to the API. I would recommend looking at an authentication server, or the open source authorization server from Thinktecture.

If your suite is based on OWIN and the Identity 2.0 middleware, you will need to make sure the token can be read by both the application and the API, and you will probably need to implement ISecureDataFormat. But remember that being able to decrypt a token does not mean you can trust it 100%; it must be signed and verified. It depends on your needs.

Sorry, I think this is a long one... Good luck.

+2
