4

I’m using ASP.NET Identity with Forms auth in an MVC6 application, and trying to implement Basic auth for the API endpoints.

I would have thought there’d be a pre-built middleware that does it, but haven’t been able to find it. I’ve had a look at the Filters test website https://github.com/aspnet/Mvc/tree/dev/test/WebSites/FiltersWebSite and I can’t seem to work out what it’s doing/which parts are important.

I’ve tried using the pre-5 approach of manually doing basic auth in an authorizationfilter, but SuppressFormsAuthenticationRedirect seems to be gone, and the CookieAuthenticationHandler keeps redirecting to the login page.

4
  • To answer the 'pre-built middleware' question, “Basic auth does not meet [the katana team’s] security requirements” - katanaproject.codeplex.com/workitem/381 Commented Mar 31, 2015 at 1:03
  • I suspect I’d need to subclass both CookieAuthenticationMiddleware and CookieAuthenticationHandler, and reproduce all of the logic hidden in UseIdentity, OR rewrite the UseIdentity helper to make Cookie auth passive, and manually redirect everywhere that’s needed? Commented Mar 31, 2015 at 9:58
  • Are you targeting a specific web host (e.g. IIS)? Commented Apr 7, 2015 at 19:58
  • At the moment it’s deployed in IIS, but it kind of defeats the purpose of building an OWIN application by tying it to a specific host. Commented Apr 8, 2015 at 2:49

2 Answers

2

Basic auth is not there by design. Security team is against it. They will probably make a sample later.

You can read a discussion on the issue here: https://github.com/aspnet/Security/issues/209


2 Comments

Thanks for raising the issue @Bart. I can’t say I agree with the ‘let’s not implement this part of the HTTP spec because someone might use it wrong’ attitude, but I guess they have to do what makes them happy.
Third party option referenced at the bottom of the discussion: github.com/Kukkimonsuta/Odachi/blob/master/src/…
0

Since you are targeting IIS, I suggest leveraging IIS for basic authentication. You can drop a web.config file into your wwwroot folder with a section to configure your basic authentication options.


If you want to remain host agnostic, you will need middleware. Here is someone's implementation: https://github.com/Kukkimonsuta/Odachi/tree/master/src/Odachi.Security.BasicAuthentication

2 Comments

AFAIK IIS only supports Basic Auth against Windows accounts - I need to auth with ASP.NET Identity. At any rate, I can’t see this solving the redirects going on inside the OWIN middleware?
Yes, I’ve seen that one - see my comment on Bart’s answer. The real issue isn’t the basic auth (I have this working via a filter atm), it’s configuring/modifying the CookieAuthenticationHandler so it doesn't hijack the request/response.
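
Whichever route is taken (a filter, as in the question, or host-agnostic middleware, as in the answer above), the code has to decode the `Authorization: Basic` header itself. The following is an added example, not code from the thread or from the linked Odachi project; the class name `BasicCredentials` is hypothetical and UTF-8 decoding of the credentials is an assumption.

```csharp
using System;
using System.Text;

// Added example: host-agnostic parsing of an "Authorization: Basic ..." header value.
// The credentials are only base64-encoded, not encrypted, so serve this over HTTPS.
public static class BasicCredentials
{
    private const string Scheme = "Basic ";

    // Returns false for anything malformed, so the caller can answer 401 with a
    // "WWW-Authenticate: Basic" challenge instead of redirecting to a login page.
    public static bool TryParse(string headerValue, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(headerValue) ||
            !headerValue.StartsWith(Scheme, StringComparison.OrdinalIgnoreCase))
            return false; // header missing or a different scheme

        byte[] raw;
        try
        {
            raw = Convert.FromBase64String(headerValue.Substring(Scheme.Length).Trim());
        }
        catch (FormatException)
        {
            return false; // payload is not valid base64
        }

        string decoded = Encoding.UTF8.GetString(raw);
        int colon = decoded.IndexOf(':'); // split on the FIRST colon; passwords may contain ':'
        if (colon <= 0)
            return false; // no separator, or empty user name

        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }

    public static void Main()
    {
        // Constructed sample inputs, not taken from the thread.
        string ok = "Basic " + Convert.ToBase64String(Encoding.UTF8.GetBytes("alice:s3cr:et"));
        string u, p;
        Console.WriteLine(TryParse(ok, out u, out p) ? u + " / " + p : "rejected");
        Console.WriteLine(TryParse("Basic !!!", out u, out p) ? "accepted" : "rejected");
        Console.WriteLine(TryParse("Bearer abc", out u, out p) ? "accepted" : "rejected");
    }
}
```

The parsed user name and password would then be checked against the ASP.NET Identity store; that lookup is outside this example.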
