RestSharp calling WebAPI with Thinktecture AuthenticationConfiguration

Question

I am using Restsharp within an MVC app, trying to call a backend MVC WebAPI protected by Thinktecture IdentityModel AuthenticationConfiguration.

MVC API Setup

My MVC API test is setup with the below:

private static void ConfigureAuth(HttpConfiguration config)
{
    var authConfig = new AuthenticationConfiguration
    {
        DefaultAuthenticationScheme = "Basic",
        EnableSessionToken = true,
        SendWwwAuthenticateResponseHeader = true,
        RequireSsl = false,
        ClaimsAuthenticationManager = new AddCustomClaims(),

        SessionToken = new SessionTokenConfiguration
        {
            EndpointAddress = "/token",
            SigningKey = Convert.ToBase64String(CryptoRandom.CreateRandomKey(32)),
            DefaultTokenLifetime = new TimeSpan(1, 0, 0)
        }
    };

    authConfig.AddBasicAuthentication((username, password) =>
    {
        return username == "admin" && password == "password";
    });

    config.MessageHandlers.Add(new AuthenticationHandler(authConfig));
}

private static void ConfigureCors(HttpConfiguration config)
{
    var corsConfig = new WebApiCorsConfiguration();
    config.MessageHandlers.Add(new CorsMessageHandler(corsConfig, config));

    corsConfig
        .ForAllOrigins()
        .AllowAllMethods()
        .AllowAllRequestHeaders(); 
}

Javascript works OK

I know 100% the token I am sending with Restsharp is correct and working with equivalent json calls (the token used in the javascript is the same used in the Web MVC controller as its stored in the Session array):

var authToken = config.authToken,
baseUri = config.baseUri,
configureRequest = function (xhr) {
    xhr.setRequestHeader("Authorization", "Session " + authToken);
},
errorHandler = function (xhr, status, error) {
    if (xhr.status === 401 && config.onAuthFail) {
        config.onAuthFail(xhr, status, error);
    }
};

Calling the API from my MVC web front end client app - Authorization has been denied for this request

Then in my MVC app controller action i use RestSharp as follows:

public ActionResult Test()
{
    var token = Session[Constants.SessionTokenKey] as string;

    var client = new RestClient(new Uri("http://localhost:65104/"));

    var request = new RestRequest("contacts", Method.GET);
    string authHeader = System.Net.HttpRequestHeader.Authorization.ToString();
    request.AddHeader(authHeader, string.Format("Authorization Session {0}", token));

    var json = client.Execute(request);
    // break point here checking the status it has been denied

    return View("Index");
}

Checking the status, it returns "{\"message\":\"Authorization has been denied for this request.\"}".

I have tried adding the token with Restsharp request methods with request.AddHeader(authHeader, string.Format("Authorization Session {0}", token)); and also with request.AddHeader(authHeader, string.Format("JWT {0}", token));, but get the same access denied for both ways.

What am I doing wrong please or any recommendations on where to look?

Answer 1

Looks like your JavaScript code and RestSharp request code doesn't match.

In JS you set a header with name Authorization and give it a value Session sometoken:

xhr.setRequestHeader("Authorization", "Session " + authToken);

In RestSharp you assign a header with name Authorization a value Authorization Session sometoken

request.AddHeader(authHeader, string.Format("Authorization Session {0}", token));

So I would suggest changing your RestSharp AddHeader code to this:

request.AddHeader(authHeader, string.Format("Session {0}", token));