I tried to test my APIs (Direct Download Pdf API) using postman (Send & Download) and all went well and the file was downloaded successfully, no need to set login information. But when i tried to use mozilla browser, it's tell me login required? why?
Here is my response header using postman:
And here when i try using browser, show idm downloader ask username password:
Here is my code
[Authorize]
[HttpGet]
public IHttpActionResult GetDownloadPdf(string date)
{
HttpResponseMessage response = new HttpResponseMessage(HttpStatusCode.OK);
ResponseData responseData = new ResponseData();
try
{
_logDataBLL.SaveRequestLogRecord(RequestType.GET, MethodBase.GetCurrentMethod().Name);
MA_MS_Agent objdata = new MA_MS_Agent();
//Update - Checking current user still active
var identity = User.Identity as ClaimsIdentity;
if (LoginBLL.isStillActive(identity) == false)
{
dynamic Reject = new ExpandoObject();
Reject.Message = "Authorization has been denied for this request.";
return Content(HttpStatusCode.Unauthorized, Reject);
}
date = "01" + date.Substring(2);
string filename = "1000007"+ "_" + date + ".pdf";
ByteArrayContent pdfByte;
MA_MS_ApplicationParameter Selected_Parameter = AddReferralBLL.getAppParameterByCode("APPP025");
string param_value = Selected_Parameter.ApplicationParameter_Value;
string pdfFilePath = param_value + filename;
byte[] bytes = null;
if (File.Exists(pdfFilePath))
{
bytes = System.IO.File.ReadAllBytes(pdfFilePath);
}
else
{
return BadRequest();
}
using (var m = new MemoryStream())
{
pdfByte = new ByteArrayContent(bytes);
}
if (pdfByte == null)
{
responseData = _responseDataBLL.GenerateResponseData(HttpStatusCode.NoContent);
responseData.status = true;
return Ok(responseData);
}
response.Content = pdfByte;
response.Content.Headers.ContentDisposition = new System.Net.Http.Headers.ContentDispositionHeaderValue("attachment");
response.Content.Headers.ContentDisposition.FileName = filename;
response.Content.Headers.ContentType = new MediaTypeHeaderValue("Application/pdf");
//response.Headers.Add("MyHeader", "MyHeaderValue");
//response.Content = new StringContent(JsonConvert.SerializeObject(result), Encoding.UTF8, "application/json");
return ResponseMessage(response);
}
catch (Exception ex)
{
string error = ex.Message;
if (ex.InnerException != null)
error += " => " + ex.InnerException.Message;
responseData = _responseDataBLL.GenerateResponseData(HttpStatusCode.InternalServerError, error);
_logDataBLL.SaveResponseLogRecord(JsonConvert.SerializeObject(responseData));
return Content(HttpStatusCode.InternalServerError, responseData);
}
}
Oauth2 Flow: When you try to access your api from a browser, like your Mozilla browser, you need to get the access token from your oauth server first. So your clientapp should authorize the user and use the users token for the authorisation.
Getting the authtoken depends from your Auth Server.
The keycloak project explains how you can authorize in a JS-ClientApplication like an angular or react app and pass the bearer token to another api.
https://www.keycloak.org/docs/latest/securing_apps/index.html#_javascript_adapter
Without Authorisation:
you are forcing authorization in your code. You should replace the [Authorize] attribute with [AllowAnonymous]
Update better link: https://learn.microsoft.com/en-us/aspnet/core/security/authorization/simple?view=aspnetcore-3.1