Hi all.
I created an ASP.NET MVC5 web site that uses ASP.NET Identity for security. It allows the use of both local accounts and social accounts. It's a pretty out-of-the-box implementation of Identity.
I want to develop a companion app for the site, so I created some Web API controllers that expose the basic services needed by the mobile app. I configured security for the Web API with OAuth and bearer tokens, but I'm facing a small issue when using both (the site and the Web API): if I try to call a method that requires authorization in the Web API as an unauthenticated user, I don't get a 401 response, but instead I get a 200 response with the login page.
Let me try to explain myself:
- If (on the web site) I try to go to a controller that has the [Authorize] attribute, the site will redirect me to the login page, which is the expected behavior.
- If I try to go to an ApiController (using Fiddler) that has the [Authorize] attribute, I don't get a 401 response, but instead I get redirected to the site's login page, so I get a 200 response with the login page's HTML code.
Am I missing something in the configuration on my site? This is the code for my ConfigureAuth method:
public void ConfigureAuth(IAppBuilder app)
{
    // Configure the db context, user manager and signin manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
    app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    #region OAuth authentication for the Web Api
    // Configure the application for OAuth based flow
    PublicClientId = "self";
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14)
        //AllowInsecureHttp = true
    };
    // Enable the application to use bearer tokens to authenticate users
    app.UseOAuthBearerTokens(OAuthOptions);
    #endregion

    #region Cookies for the Web site
    // Enable the application to use a cookie to store information for the signed in user
    // and to use a cookie to temporarily store information about a user logging in with a
    // third party login provider
    // Configure the sign in cookie
    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        Provider = new CookieAuthenticationProvider
        {
            // Enables the application to validate the security stamp when the user logs in.
            // This is a security feature which is used when you change a password
            // or add an external login to your account.
            OnValidateIdentity =
                SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
                    TimeSpan.FromMinutes(30),
                    (manager, user) => user.GenerateUserIdentityAsync(manager))
        }
    });
    #endregion

    app.UseTwitterAuthentication("00", "00");
    app.UseFacebookAuthentication("00", "00");
    app.UseGoogleAuthentication(new GoogleOAuth2AuthenticationOptions
    {
        ClientId = "00",
        ClientSecret = "00"
    });
}

Thanks a lot.
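The behaviour described in the post comes from the cookie middleware running in Active mode: it rewrites any 401 in the OWIN pipeline into a redirect to LoginPath, including a 401 raised by [Authorize] on an ApiController. The following is an added example (not the asker's code, and not from any template) of the usual mitigation; it assumes all Web API routes live under /api and that the method name UseSiteCookie and the WebApiConfig class are placeholders for where this belongs in the project.

```csharp
using System.Web.Http;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    // Assumed: every Web API route lives under /api, as in the question.
    private static bool IsApiRequest(IOwinRequest request)
    {
        return request.Path.StartsWithSegments(new PathString("/api"));
    }

    // Replaces the app.UseCookieAuthentication(...) call in ConfigureAuth;
    // keep the existing OnValidateIdentity (security stamp check) next to OnApplyRedirect.
    public static void UseSiteCookie(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),
            Provider = new CookieAuthenticationProvider
            {
                // The cookie middleware is Active by default and turns every 401 into a
                // 302 to LoginPath. Redirect only page requests; API calls keep their 401
                // so the mobile client sees an auth failure instead of 200 + login HTML.
                OnApplyRedirect = ctx =>
                {
                    if (!IsApiRequest(ctx.Request))
                    {
                        ctx.Response.Redirect(ctx.RedirectUri);
                    }
                }
            }
        });
    }
}

// Web API side: ignore the application cookie and accept only bearer tokens, so a
// browser's session cookie cannot authenticate API calls (closes a CSRF vector).
public static class WebApiConfig
{
    public static void Register(HttpConfiguration config)
    {
        config.SuppressDefaultHostAuthentication();
        config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
    }
}
```

With this in place, an unauthenticated request to /api/... returns a bare 401 that the app can handle, while browser requests to MVC controllers still get the login redirect.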