Tags: asp.net-web-api, wif, thinktecture-ident-model

Is it possible to use Thinktecture's IdentityModel and a System.IdentityModel SessionAuthenticationModule cookie in the same application?


I have a web app which contains services used by both a browser delivered javascript application and also an Android mobile phone application.

The javascript application uses a System.IdentityModel.SessionAuthenticationModule cookie for authentication, and the mobile app uses a JWT token in the Authentication header.

I can configure the application to work with either the System.IdentityModel.SessionAuthenticationModule (and the cookie works) or the Thinktecture AuthorizationHandler (and the token works), but I can't work out how to get them both to work at the same time.

This answer, "Thinktecture IdentityModel AuthenticationConfiguration Mapping for Cookie - how?", suggests it's not possible, but it seems to be using a custom cookie and not FederatedAuthentication.SessionAuthenticationModule.WriteSessionTokenToCookie(token).


Solution

  • That should work as long as no authorization element in web.config gets in the way; in other words, use the AuthorizeAttribute instead.

    But that's a general problem with cookie-based authentication for Web APIs, because now you are opening yourself up to CSRF attacks. What you really should do is separate UI and APIs and treat both clients as "external" with token-based authentication. But that's of course a big architectural change (though in the right direction).
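The CSRF point in the answer, shown as an added example that is not part of the question, the answer, or Thinktecture IdentityModel. A small stand-in API written in Python exposes the same state-changing operation behind the two schemes under discussion: a session cookie (the SessionAuthenticationModule style) and a bearer token in the Authorization header (the JWT style). A forged cross-site POST, built the way a victim's browser would send it when an attacker's page auto-submits a form, is replayed against each. The route names, cookie name, credential values and form body are all constructed for the demonstration.

```python
"""Why a cookie-authenticated Web API is CSRF-prone while a bearer-token API is not.

Added demonstration, not code from the question, the answer, or Thinktecture
IdentityModel. Route names, cookie name, secrets and the request body are
constructed for this example.
"""
import threading
import urllib.error
import urllib.request
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials; a real deployment issues and validates these properly.
VALID_SESSION = "opaque-session-id-123"
VALID_TOKEN = "eyJ.demo.jwt"


class ApiHandler(BaseHTTPRequestHandler):
    """Stand-in for an ApiController with one state-changing action, 'transfer'."""

    def do_POST(self):
        body_len = int(self.headers.get("Content-Length", 0))
        self.rfile.read(body_len)  # the body plays no part in the auth decision
        if self.path == "/api/cookie/transfer":
            # Cookie scheme: whatever the browser attaches automatically counts.
            cookies = SimpleCookie(self.headers.get("Cookie", ""))
            authenticated = "session" in cookies and cookies["session"].value == VALID_SESSION
        elif self.path == "/api/token/transfer":
            # Token scheme: the caller must explicitly set Authorization: Bearer <token>.
            authenticated = self.headers.get("Authorization", "") == f"Bearer {VALID_TOKEN}"
        else:
            self.send_error(404)
            return
        status = 200 if authenticated else 401
        payload = b"transfer executed" if authenticated else b"unauthorized"
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the demo output quiet
        pass


# Opener that ignores any HTTP_PROXY environment so localhost is hit directly.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def post(base_url, path, headers):
    """POST a form body to the stand-in API and return the HTTP status code."""
    req = urllib.request.Request(
        base_url + path,
        data=b"to=attacker&amount=1000",  # constructed form body
        headers={"Content-Type": "application/x-www-form-urlencoded", **headers},
        method="POST",
    )
    try:
        with _opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def run_demo():
    """Start the stand-in API and replay a forged cross-site POST against both schemes."""
    server = HTTPServer(("127.0.0.1", 0), ApiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_address[1]}"

    # What a victim's browser sends when an attacker-controlled page auto-submits a
    # form to the API: the session cookie is attached automatically, but the page
    # cannot set an Authorization header (and cannot read the token to do so).
    forged = {"Cookie": f"session={VALID_SESSION}", "Origin": "http://evil.example"}
    # What the legitimate mobile or JavaScript client sends under the token scheme.
    legit_token = {"Authorization": f"Bearer {VALID_TOKEN}"}

    try:
        return {
            "cookie_forged": post(base, "/api/cookie/transfer", forged),    # 200: CSRF succeeds
            "token_forged": post(base, "/api/token/transfer", forged),      # 401: no header, rejected
            "token_legit": post(base, "/api/token/transfer", legit_token),  # 200: real client works
            "unauthenticated": post(base, "/api/token/transfer", {}),       # 401
        }
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for name, status in run_demo().items():
        print(f"{name}: {status}")
```

The forged request carries a valid session cookie because the browser adds it to every request to that origin regardless of which page triggered it, so the cookie-authenticated route executes the transfer; the token route rejects the same request because the attacker's page cannot attach the Authorization header. If the cookie scheme has to stay for the browser client, the usual compensating controls are an anti-forgery token checked on each state-changing request or a SameSite cookie attribute, but the answer's recommendation of token-based authentication for both clients removes the problem at its root.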