I configured my OWIN startup class like so:
/// <summary>
/// OWIN startup: registers the AD FS bearer-token middleware so that a request
/// carrying a valid JWT gets an authenticated principal.
/// </summary>
public class Startup
{
    /// <summary>
    /// Configures the OWIN pipeline.
    /// </summary>
    /// <param name="app">The application builder supplied by the OWIN host.</param>
    public void Configuration(IAppBuilder app)
    {
        // For more information on how to configure your application, visit https://go.microsoft.com/fwlink/?LinkID=316888
        var settings = ConfigurationManager.AppSettings;

        // Pinning both issuer and audience means a token minted for another
        // relying party (or by another STS) is rejected even if its signature checks out.
        var validation = new TokenValidationParameters()
        {
            ValidAudience = settings["ida:Audience"],
            ValidIssuer = settings["ida:Issuer"]
        };

        // The signing keys are discovered from the AD FS federation metadata document.
        var options = new ActiveDirectoryFederationServicesBearerAuthenticationOptions
        {
            MetadataEndpoint = settings["ida:AdfsMetadataEndpoint"],
            TokenValidationParameters = validation
        };

        // NOTE(review): this middleware only *authenticates* a bearer token when one is
        // present; it does not by itself reject requests that carry no token (an
        // anonymous GET still reaches the action otherwise). Enforcement comes from
        // [Authorize] on the controller/action or a global AuthorizeAttribute filter.
        app.UseActiveDirectoryFederationServicesBearerAuthentication(options);
    }
}
Global.asax.cs :
/// <summary>
/// ASP.NET application class; wires up MVC areas, Web API configuration,
/// MVC global filters and MVC routes at startup.
/// </summary>
public class WebApiApplication : HttpApplication
{
    /// <summary>
    /// Runs once when the application starts. Registration order is deliberate:
    /// Web API is configured before the MVC filters and routes are added.
    /// </summary>
    protected void Application_Start()
    {
        AreaRegistration.RegisterAllAreas();
        // Web API configuration (routes, and any Web API filters) lives in WebApiConfig.Register.
        GlobalConfiguration.Configure(WebApiConfig.Register);
        // NOTE(review): GlobalFilters.Filters is the MVC filter collection; filters registered
        // here do not apply to ApiController-derived types. A global AuthorizeAttribute for the
        // API would have to be added to the HttpConfiguration inside WebApiConfig.Register.
        FilterConfig.RegisterGlobalFilters(GlobalFilters.Filters);
        RouteConfig.RegisterRoutes(RouteTable.Routes);
    }
}
And my controller:
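/// <summary>
/// Onboarding endpoints under <c>v1/onboarding</c>.
/// </summary>
/// <remarks>
/// <see cref="AuthorizeAttribute"/> is what actually rejects anonymous callers: the OWIN
/// bearer middleware only validates a token that is present. Without this attribute the
/// action below was reachable with no Authorization header at all. A request with no
/// (or an invalid) token is answered with 401 Unauthorized by this filter; 403 Forbidden
/// is reserved for an authenticated caller who is not permitted.
/// </remarks>
[Authorize]
[RoutePrefix("v1/onboarding")]
public class OnboardingController : ApiController
{
    /// <summary>
    /// Creates a client for the given CIF identifier.
    /// </summary>
    /// <param name="CIFID">Client identifier, bound from the query string.</param>
    /// <returns>A <c>201 Created</c> response.</returns>
    /// <remarks>
    /// NOTE(review): this is a GET that reports 201 Created; a state-changing operation
    /// is normally a POST so it is not replayed by caches, prefetchers or link previews.
    /// The identifier is also not validated here — confirm downstream code checks it.
    /// </remarks>
    [Route("client")]
    [HttpGet]
    public HttpResponseMessage CreateClient([FromUri] string CIFID)
    {
        return new HttpResponseMessage(HttpStatusCode.Created);
    }
}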
But when I use postman to call the GET /client without a Bearer token, the call proceeds and I get my 201 response status.
It should trigger a 403 Not Authorized status code if I don't provide the bearer token, right?
Added [Authorize] attribute to the controller.