
We have vendors (and in-house consumers), some of whom do basic authentication with us and some of whom do JWT token auth when consuming our API. We have our controller annotated with either a basic auth filter or a token auth filter. Is there a way to combine both these authentication methods in the same controller depending on which method is being called? We can of course annotate each method with basic or token auth filters instead of annotating the class, but I was wondering whether there was a better way of doing it?

1 Answer

This can be done with Owin. In the Startup.cs file you can add something like this:

using Microsoft.Owin.Security.OAuth;
using Owin;

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        var oAuthOptions = new OAuthBearerAuthenticationOptions
        {
            // your jwt settings
        };

        // The bearer (JWT) handler runs first; a request without a bearer token passes through it.
        app.UseOAuthBearerAuthentication(oAuthOptions);

        // The basic auth middleware then sees any request the bearer handler did not authenticate.
        app.Use(typeof(BasicAuthenticationMiddleWare));
    }
}

Unluckily, Owin doesn't support basic auth by default; you have to write your own middleware for that:

using System;
using System.Threading.Tasks;
using Microsoft.Owin;

public class BasicAuthenticationMiddleWare : OwinMiddleware
{
    public BasicAuthenticationMiddleWare(OwinMiddleware next) : base(next) { }

    public override Task Invoke(IOwinContext context)
    {
        // Parse the Authorization header here, set context.Request.User on success,
        // and call Next.Invoke(context) so the request continues down the pipeline.
        throw new NotImplementedException();
    }
}

You will find information about a basic auth middleware here: https://lbadri.wordpress.com/2013/07/13/basic-authentication-with-asp-net-web-api-using-owin-middleware/

You will find more details about how to configure JWT for Owin on Google. Without details about your JWT vendor I cannot help you with the configuration.

When you have configured JWT and basic auth, you simply add the [Authorize] attribute to your controllers or methods:

using System.Web.Http;

[Authorize] // accepts whichever identity the Owin pipeline established, basic or bearer
public class AccountController : ApiController
{

}

Owin will do the rest of the work to determine which auth method was used to authorize the request.

If you are not using JWT as bearer tokens, please use UseOAuthAuthorizationServer instead of UseOAuthBearerAuthentication.

Also, using Owin you can add other vendors like Google, Microsoft, Facebook and others.
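
As an added example (not the answer's own code), here is one way to fill in that middleware so that it handles only the Basic scheme and lets every other request, a JWT bearer request included, flow through to the handler registered before it in Startup. The credential-checking delegate passed to the constructor is an assumption; it would be supplied at registration with app.Use(typeof(BasicAuthenticationMiddleWare), validator).

```csharp
using System;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;

public class BasicAuthenticationMiddleWare : OwinMiddleware
{
    // Hypothetical credential check, injected so the middleware holds no secrets itself.
    private readonly Func<string, string, Task<bool>> _validate;
    public BasicAuthenticationMiddleWare(OwinMiddleware next, Func<string, string, Task<bool>> validate)
        : base(next) { _validate = validate; }
    public override async Task Invoke(IOwinContext context)
    {
        // The bearer handler registered earlier may already have authenticated a JWT.
        bool done = context.Authentication.User?.Identity?.IsAuthenticated == true;
        string header = context.Request.Headers.Get("Authorization");

        // Act only on the Basic scheme and only over TLS: Basic credentials are
        // base64-encoded, not encrypted. Anything else flows through untouched.
        if (!done && context.Request.IsSecure && header != null
            && header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
        {
            var creds = Decode(header.Substring(6).Trim());
            if (creds != null && await _validate(creds.Item1, creds.Item2))
            {
                var identity = new ClaimsIdentity("Basic");
                identity.AddClaim(new Claim(ClaimTypes.Name, creds.Item1));
                context.Request.User = new ClaimsPrincipal(identity);
            }
            // A malformed or rejected header leaves the request unauthenticated;
            // [Authorize] downstream then answers 401.
        }
        await Next.Invoke(context);
    }

    // Decodes base64 "user:password"; null on bad base64 or an empty user. Splits on
    // the first colon only, because passwords may legitimately contain ':'.
    private static Tuple<string, string> Decode(string encoded)
    {
        byte[] raw;
        try { raw = Convert.FromBase64String(encoded); }
        catch (FormatException) { return null; }
        string pair = Encoding.UTF8.GetString(raw);
        int colon = pair.IndexOf(':');
        if (colon <= 0) return null;
        return Tuple.Create(pair.Substring(0, colon), pair.Substring(colon + 1));
    }
}
```

Because the request is left untouched unless it carries a valid Basic header, a JWT request is authenticated by the bearer handler alone, and a request that satisfies neither handler is rejected by [Authorize] with 401.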


4 Comments

How does this code differentiate between when to use basic and when to use bearer?
@NitinSingh Owin tries to auth the request using the 'registered' vendors/providers one by one. Every provider generates its own ClaimsIdentity when it was able to auth the request. When Owin finds that one provider successfully generated a ClaimsIdentity, it simply sets this request as authorized and doesn't proceed to the next providers. When all providers say that they were not able to authorize, your application will return '401 Unauthorized'. And of course multiple requests (even from the same web app session) can be authorized with different providers. This is based on my knowledge and experience, so I can be wrong.
I haven't tried with multiple providers myself either, just used an if clause to redirect to a different mechanism based on config or URL. Good new learning point to investigate.
@Wokuo That is a great idea and I will try it out and let you know. So far I haven't been able to get to coding it.
