
Claims Based Security between Web Client, ASP.Net MVC 4 and ASP.Net WebAPI


Given the following parties:

Browser based client
ASP.Net MVC 4 web application
ASP.Net Web API service
Security Token Service (STS) i.e. Thinktecture IdentityServer
(note: Web application and WebAPI service live on different boxes)

I would like to get a flow similar to this working:

User navigates to the WebApp, application does not see a valid token in the request and redirects user to be authenticated with the STS. User logs in to the STS and upon successful authentication is redirected back to the WebApp. The WebApp sees the valid token and grants the user access. User attempts to conduct an operation on the WebApp which requires a service call to the WebAPI. The WebApp passes the user's token along on the service request. WebAPI service sees the token, disallows access and returns an error, or authorizes the request on behalf of the user and returns a result.

Additionally, I would like the client to be able to make a service call directly to the WebAPI service via an AJAX call.

So far I can get the flow working with the Web Application redirecting to the STS and back, but how do I pass the token along from the Web App to the Web API service?

Also, how do I get the JavaScript client to pass the token along on the AJAX call?


Solution

  • Well - you can do that immediately, if you work with SAML.

    The web site login returns a SAML token, the saveBootstrapContext features saves the token for later use - and you can forward it to your web api.

    In Web API you can consume SAML using thinktecture identitymodel. For AJAX calls, provide a way to retrieve the SAML token from JS and send it on the authorization header to the Web API.

    This is not optimal. But for doing JWT all the way through (which would be the preferred way) - some bits are missing right now (e.g. IdSrv only has support for symmetric signatures right now, my JWT handler does not support bootstrap context, MS JWT handler and symmetric signatures via config are a problem as well).

    I am working on this. But for now this scenario has some rough edges.
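The flow the answer describes, as an added example that is not part of the original answer and not code from Thinktecture IdentityModel: the MVC side reads the saved bootstrap token and forwards it in an Authorization header (and exposes it to the page's script for the AJAX case), and the Web API side validates it. Where the answer uses Thinktecture IdentityModel on the Web API, this example uses the plain WIF 4.5 token handlers (System.IdentityModel / System.IdentityModel.Services) instead. It assumes `<identityConfiguration saveBootstrapContext="true">` in the MVC app's web.config; the controller, handler and `https://api.example.com/` names are placeholders, and the "Saml" authorization scheme with a base64-encoded token is a convention shared by the two sides here, not a standard.

```csharp
// Added example (not from the original answer or Thinktecture IdentityModel).
// Requires WIF 4.5 and <identityConfiguration saveBootstrapContext="true"> in the MVC app.
// OrdersController, SamlAuthHandler and https://api.example.com/ are placeholder names.
using System;
using System.Collections.ObjectModel;
using System.IdentityModel.Services;   // FederatedAuthentication
using System.IdentityModel.Tokens;     // BootstrapContext, SecurityTokenException
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using System.Xml;

// ---------- MVC 4 web application ----------
public class OrdersController : Controller
{
    private static readonly Uri ApiBase = new Uri("https://api.example.com/"); // placeholder

    // Return the raw SAML token the STS issued for the signed-in user, as XML.
    private static string GetBootstrapToken(ClaimsPrincipal principal)
    {
        var identity = principal.Identity as ClaimsIdentity;
        var ctx = identity == null ? null : identity.BootstrapContext as BootstrapContext;
        if (ctx == null)
            throw new InvalidOperationException("No bootstrap token; set saveBootstrapContext=\"true\".");
        if (ctx.Token != null)
            return ctx.Token;                          // WIF kept the token as a string
        var sb = new StringBuilder();                  // WIF kept a SecurityToken: serialize it
        using (var writer = XmlWriter.Create(sb))
            FederatedAuthentication.FederationConfiguration.IdentityConfiguration
                .SecurityTokenHandlers.WriteToken(writer, ctx.SecurityToken);
        return sb.ToString();
    }

    private static string AuthorizationValue(string tokenXml)
    {
        return "Saml " + Convert.ToBase64String(Encoding.UTF8.GetBytes(tokenXml));
    }

    // Server-to-server call: forward the user's token in the Authorization header.
    public async Task<ActionResult> Index()
    {
        var token = GetBootstrapToken((ClaimsPrincipal)User);
        using (var client = new HttpClient { BaseAddress = ApiBase })
        {
            client.DefaultRequestHeaders.Authorization = AuthenticationHeaderValue.Parse(AuthorizationValue(token));
            var json = await client.GetStringAsync("api/orders");
            return Content(json, "application/json");
        }
    }

    // Lets the page's JavaScript fetch the header value and send it on its own AJAX calls.
    [HttpGet]
    public ActionResult Token()
    {
        var token = GetBootstrapToken((ClaimsPrincipal)User);
        return Json(new { authorization = AuthorizationValue(token) }, JsonRequestBehavior.AllowGet);
    }
}

// ---------- Web API service (separate box) ----------
// Register with GlobalConfiguration.Configuration.MessageHandlers.Add(new SamlAuthHandler());
public class SamlAuthHandler : DelegatingHandler
{
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        var auth = request.Headers.Authorization;
        if (auth == null || auth.Scheme != "Saml")
            return await base.SendAsync(request, cancellationToken); // anonymous; [Authorize] rejects it

        try
        {
            var xml = Encoding.UTF8.GetString(Convert.FromBase64String(auth.Parameter));
            var handlers = FederatedAuthentication.FederationConfiguration
                .IdentityConfiguration.SecurityTokenHandlers;
            ReadOnlyCollection<ClaimsIdentity> identities;
            using (var reader = XmlReader.Create(new StringReader(xml)))
            {
                var token = handlers.ReadToken(reader);
                // Checks the STS signature, audience and lifetime against <identityConfiguration>.
                identities = handlers.ValidateToken(token);
            }
            var principal = new ClaimsPrincipal(identities);
            Thread.CurrentPrincipal = principal;       // Web API 1 takes the principal from here
            if (HttpContext.Current != null)
                HttpContext.Current.User = principal;
        }
        catch (Exception ex)
        {
            if (!(ex is SecurityTokenException || ex is FormatException || ex is XmlException))
                throw;                                 // unrelated failure: let it surface
            var denied = new HttpResponseMessage(HttpStatusCode.Unauthorized);
            denied.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Saml"));
            return denied;
        }
        return await base.SendAsync(request, cancellationToken);
    }
}
```

Two things to check before relying on this. `ValidateToken` enforces the Web API's own `<audienceUris>`, and the token the STS issued was scoped to the web application's realm, so the API's web.config must list that realm (or the STS must issue a token for the API) or every forwarded token is rejected with 401. And the `Token` action hands the bearer-style SAML token to anything that can run script in the page; the API cannot tell a token forwarded by the web app from one lifted by injected script, and it stays usable for the token's whole lifetime, which is the rough edge the answer is pointing at.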