So, I have a custom authentication token that I use to secure my web.api project. Now this is a bearer type token which I pass along with the header and I have managed to seamlessly consume it within my WebAPI project.
The complexity is that I am not able to use it with my MVC project. The [Authorize] tag on MVC uses the System.Web.Mvc library instead of System.Web.Http. To check what is happening to my header which contains the authorization token, I used a custom Token attribute.
public override void OnAuthorization(AuthorizationContext context)
In my above function, when I peek into the header using context.HttpContext.Request.Headers, I see that there is no Authorization token in the header. This is absurd, as I use Angular injectors to add the Bearer token and it is very much present in the client request being sent out.
What am I not doing to receive this token?
[Update]
So after a bit of debugging I just noticed that the Authorize attribute is not appended to the redirect URLs. I suppose this is because the application doesn't have Angular interceptors working for these calls. Any idea how to append the Authorize Bearer token to all requests?
Turns out you cannot inject values into the header when there is a window.location.href, as the JavaScript is not executed. It's a direct post by the client browser. The solution is to create a cookie and consume it on the request.
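
The cookie fallback described above, as an added example that is not code from the original post: an MVC authorization filter that reads the Authorization header first and falls back to a cookie for plain browser navigations. The attribute name, the `access_token` cookie name, the `ValidateToken` hook and issuing the cookie server-side at login are assumptions.

```csharp
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Mvc;

// Added example. The class name, cookie name and ValidateToken hook are
// hypothetical; they do not come from the original post.
public class BearerOrCookieAuthorizeAttribute : AuthorizeAttribute
{
    private const string CookieName = "access_token"; // assumed cookie name
    private const string BearerPrefix = "Bearer ";

    // Hypothetical hook: override with the same token validation the Web API
    // side uses. Return null to reject the token.
    protected virtual IPrincipal ValidateToken(string token) { return null; }

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        string token = ExtractToken(httpContext.Request);
        if (string.IsNullOrEmpty(token)) return false;

        IPrincipal principal = ValidateToken(token);
        if (principal == null || !principal.Identity.IsAuthenticated) return false;

        // Let the base class apply its usual Users/Roles checks to this principal.
        httpContext.User = principal;
        return base.AuthorizeCore(httpContext);
    }

    private static string ExtractToken(HttpRequestBase request)
    {
        // XHR calls from the Angular client still carry the header.
        string header = request.Headers["Authorization"];
        if (!string.IsNullOrEmpty(header) &&
            header.StartsWith(BearerPrefix, StringComparison.OrdinalIgnoreCase))
            return header.Substring(BearerPrefix.Length).Trim();

        // Redirects and window.location.href navigations only send cookies.
        HttpCookie cookie = request.Cookies[CookieName];
        return cookie != null ? cookie.Value : null;
    }

    // Issue at login: HttpOnly keeps the token away from page script,
    // Secure keeps it off plain HTTP.
    public static HttpCookie CreateTokenCookie(string token, DateTime expiresUtc)
    {
        return new HttpCookie(CookieName, token)
        { HttpOnly = true, Secure = true, Path = "/", Expires = expiresUtc };
    }
}
```

Because the browser attaches the cookie to every request automatically, state-changing MVC actions protected this way also need anti-forgery validation such as `[ValidateAntiForgeryToken]`, which the header-only flow did not require.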