I'm using Umbraco 7.5 with an OWIN startup class.

Despite the shortcomings with using cookie auth, I'm trying to share the cookie auth between both MVC and Web API.

I have this in my OWIN startup class:

private static void ConfigureAuth(IAppBuilder app)
{
    app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

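    // SameAsRequest marks the cookie Secure only when the request itself arrived over HTTPS.
    CookieSecureOption secureCookieOption = CookieSecureOption.SameAsRequest;
#if DEBUG
    // Debug builds never set the Secure flag, so the cookie is also sent over plain HTTP.
    secureCookieOption = CookieSecureOption.Never;
#endif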

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
        AuthenticationMode = AuthenticationMode.Active,
        LoginPath = new PathString("/Account/Login"),
        CookieSecure = secureCookieOption,
        CookieManager = new ChunkingCookieManager(),
        Provider = new CookieAuthenticationProvider()
    }, PipelineStage.Authenticate);

    //configure B2C OAuth middleware
    foreach (string policy in AppSettings.B2CPolicies)
    {
        app.UseOpenIdConnectAuthentication(CreateBearerOptionsFromPolicy(policy));
    }

    // Use a cookie to temporarily store information about a user logging in with a third party login provider
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);
}

This works fine as far as the Umbraco & custom MVC pages are concerned - the current user identity is available and the Umbraco helper methods work as expected.

However, for Web API controllers, whether derived from UmbracoApiController or just ApiController, the current user identity on the HTTP Context is always null. I have checked the browser request being sent to the API controllers, and the ASPNET identity cookie is included, so I'm confused as to why this doesn't translate to a user identity on the thread and HttpContext. Anyone able to shed some light on that?

Edit: some more info on this: I tried creating my own custom cookie authentication middleware and replaced the standard MS CookieAuthenticationHandler with my custom implementation so that I could trace the calls through it. Interestingly, for a normal MVC page, the AuthenticateCoreAsync method is invoked as the page loads, which successfully reads the cookie and returns a valid authentication ticket. For the Web API call, the AuthenticateCoreAsync method is not invoked at all before the API method is hit.

1 Answer

I found the answer to this - it was nothing to do with OWIN, and everything to do with my Web API initialization code. I was mixing the code required for self-hosting Web API with the code required to get Web API running as part of the MVC app. Instead of IAppBuilder.UseWebApi() I should have been using GlobalConfiguration.Configure().

So the working code looks something like this:

public static void Configure(IAppBuilder app)
{
    GlobalConfiguration.Configure(Register);
}

private static void Register(HttpConfiguration config)
{
    ConfigureHttpRoutes(config);

    ConfigureFormatters(config);

    //etc...
}

A similar issue was encountered in this SO question.
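One way to confirm that the cookie identity now reaches Web API after the change described in this answer, as an added example that is not the poster's code. It assumes IIS hosting through Microsoft.Owin.Host.SystemWeb; the names AuthProbeStartup, WhoAmIController and the api/whoami route are hypothetical.

```csharp
using System.Diagnostics;
using System.Web.Http;
using Microsoft.Owin;
using Microsoft.Owin.Extensions;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Hypothetical names: AuthProbeStartup, WhoAmIController, "api/whoami".
public class AuthProbeStartup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = CookieAuthenticationDefaults.AuthenticationType,
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.SameAsRequest
        });

        // Probe: runs after the cookie middleware and logs, per request path,
        // whether it produced an authenticated identity.
        app.Use(async (context, next) =>
        {
            var user = context.Authentication.User;
            bool authenticated = user != null && user.Identity != null
                                 && user.Identity.IsAuthenticated;
            Trace.TraceInformation("{0} authenticated={1}", context.Request.Path, authenticated);
            await next();
        });
        app.UseStageMarker(PipelineStage.PostAuthenticate);

        // Web-hosted registration, as in the answer (not app.UseWebApi).
        GlobalConfiguration.Configure(config => config.MapHttpAttributeRoutes());
    }
}

public class WhoAmIController : ApiController
{
    // [Authorize] rejects unauthenticated requests rather than running
    // the action with no identity.
    [Authorize]
    [HttpGet, Route("api/whoami")]
    public IHttpActionResult Get()
    {
        return Ok(new { name = User.Identity.Name, type = User.Identity.AuthenticationType });
    }
}
```

If the trace shows `authenticated=True` for an MVC page but no line at all for `/api/whoami`, the API request is not passing through the OWIN authentication stage, which matches the symptom described in the question.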
