MVC authentication shared with Web API


I currently have an MVC application using the default "Individual User Accounts" option for authentication. This works great, I'm able to create users, log in and restrict access to controllers based on user roles.

I have a separate Web API application that currently doesn't use any authentication.

Both applications are hosted on the same IIS server as separate sites. I want to combine the authentication from the MVC application into the Web API application, so after the user has logged into the MVC application, they are also given access to the appropriate controllers in the Web API application, based on user role.

From what I have been reading, I need to set <authentication mode='Forms'> in web.config in both applications, and because they are on the same server, the authentication is automatically shared between the two. I've tried adding [Authorize] to a method in a controller in the Web API application, logged in through the MVC application and tried to access that method, but the method is never entered.

This is what I have been looking at: http://www.bipinjoshi.net/articles/436bc727-6de2-4d11-9762-9ee1a1e3cbea.aspx

What am I missing here? I'm hoping there is someone out there who can point me in the right direction.

1 answer

Martin Kostovski

You need to be impersonated from your MVC application to the Web API application with a user that has access to the Web API controllers on your Web API application, for instance with the user that is defined as an identity on the Web API application pool.

Then you can authenticate to the Web API with a NetworkCredential, like the code below:

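    using System.Net;                 // NetworkCredential
    using System.Security.Principal;  // TokenImpersonationLevel

    WebApiProjectSoapClient client = new WebApiProjectSoapClient();
    // "username" and "password" are placeholders for the Windows account that may call the service.
    client.ClientCredentials.Windows.ClientCredential = new NetworkCredential("username", "password");
    // Identification lets the service identify the caller without being able to act as it.
    client.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Identification;

    client.callSomeMethod();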

This is an example with Windows impersonation. If you want strictly Forms impersonation you can refer to this link:

Impersonate using Forms Authentication
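
A web.config fragment for the shared Forms authentication setup described in the question, as an added example that is not part of the original question or answer. It assumes both sites actually use the Forms authentication module and are served under a common parent domain; the key values, cookie name, domain and login URL are placeholders.

```xml
<!-- Added example: the same fragment goes into the web.config of BOTH sites.
     All values below are placeholders, not taken from the original page. -->
<configuration>
  <system.web>
    <!-- Both sites need identical keys and algorithms. With the default
         auto-generated, per-application keys, the Web API site cannot
         decrypt or validate a ticket issued by the MVC site, so the
         request is treated as anonymous and [Authorize] rejects it. -->
    <machineKey
        validationKey="REPLACE_WITH_GENERATED_VALIDATION_KEY"
        decryptionKey="REPLACE_WITH_GENERATED_DECRYPTION_KEY"
        validation="HMACSHA256"
        decryption="AES" />

    <authentication mode="Forms">
      <!-- name, path and domain must match on both sites so the browser
           sends the cookie set by the MVC site to the Web API site too.
           protection="All" keeps the ticket encrypted and signed;
           requireSSL="true" keeps the cookie off plain HTTP. -->
      <forms name=".SHAREDAUTH"
             loginUrl="https://mvc.example.com/Account/Login"
             path="/"
             domain=".example.com"
             protection="All"
             requireSSL="true"
             timeout="30"
             slidingExpiration="true" />
    </authentication>
  </system.web>
</configuration>
```

Anyone who holds the machineKey values can forge a valid ticket for both sites, so keep the real keys out of source control.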