0

I have an asp.net core project, and one of my fields is set via User?.Identity?.Name. I am wondering if there is a way to pass the identity through an http request, rather than logging into the site. I've asked around quite a bit and nobody seems to have done this, although it makes sense to me that it's possible given that the web is stateless. Any insight would be of interest. Thanks!

1
  • Have you tried adding it to the request header/body? Also, you could try using cookies. Also, could you tell me what kind of field is set via User?.Identity?.Name? Commented Apr 16, 2020 at 16:47

2 Answers

1

It depends on what auth service you are using. If you're using OAuth 2.0 on .NET Core, you need to log in by sending params like Username and Password in the HTTP request and then get the access token for the other HTTP requests, so Postman has that option.


1

There's a ton of unknowns here, because your question isn't specific about really anything. Generally speaking, auth is typically handled by one of two principal means: a cookie or an Authorization header.

Cookie-based auth is the more traditional form of web auth. You submit a form on a login page with a username and password, the server receives that request and handles it by verifying the credentials, and if correct, sets a cookie via the Set-Cookie response header with an encrypted authentication ticket. On each subsequent request, the browser sends this cookie back to the server via the Cookie request header, and the server decrypts and validates the authentication ticket, and if it's still valid, "restores" the authenticated session: i.e. recognizes the authenticated user.

APIs will typically auth via the Authorization request header, instead. The client generally first sends a request to an authentication endpoint with some set of credentials. That could be a username/password or it might be a client id/secret pair, etc. The server again validates the credentials, and if valid, returns a response containing a token. That token then is sent along with the actual request the client wants to make via the Authorization header like Authorization: Bearer {token}. There are other forms the header can take though. For example, you might instead use basic authentication, and instead of hitting an auth endpoint first, you'd simply pass the username and password as a Base64 encoded string like Authorization: Basic {base64-encoded user:pass}.

Long and short, yes, something is always sent with the request to "authorize" it, whether a cookie or an Authorization header. However, what you send and how it's handled is a function of how the app has been set up to handle authentication, and you haven't detailed any of that here. You can't just send an Authorization header with basic authentication, for example, if your app isn't explicitly set up to know that it needs to look for that and actually knows how to process it.

If you're using a cookie-based auth approach, you can mimic submitting the form by passing the same data the HTML form would to the same URL in the same way (x-www-form-urlencoded). The response would be the HTML of whatever page the user is taken to after, but the cookie will be in the Set-Cookie handler. You can capture this, and then send that along in the Cookie header of your request. You can do all this through something like Postman, but you still have to go through the authentication process, either way.

If you're dealing with an API, then you should be using some other form of auth: basic, bearer, etc. However, again, you'll need to actually set this up.

1 Comment

Thanks Chris Pratt! Lots of great information in here. I'll likely be doing some experimenting in the near future. PS. Loved you as Andy Dwyer in Parks and Rec
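What "explicitly set up" means for the basic-authentication case described in the answer above, as an added example that is not code from either answer: a minimal ASP.NET Core scheme that reads Authorization: Basic on each request and populates User.Identity.Name from it. It assumes a .NET 8 web project with implicit usings; the names BasicHandler, IsValid, /whoami and the demo credentials are hypothetical.

```csharp
// Added example; assumes a .NET 8 web project with implicit usings enabled.
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Text.Encodings.Web;
using Microsoft.AspNetCore.Authentication;
using Microsoft.Extensions.Options;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddAuthentication("Basic")
    .AddScheme<AuthenticationSchemeOptions, BasicHandler>("Basic", null);
builder.Services.AddAuthorization();
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// User.Identity.Name is rebuilt from the header on every request; no login page, no cookie.
app.MapGet("/whoami", (ClaimsPrincipal user) => user.Identity?.Name).RequireAuthorization();
app.Run();

class BasicHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
    public BasicHandler(IOptionsMonitor<AuthenticationSchemeOptions> o, ILoggerFactory l, UrlEncoder e)
        : base(o, l, e) { }

    protected override Task<AuthenticateResult> HandleAuthenticateAsync()
    {
        // No header or another scheme: not ours, let the pipeline issue a challenge.
        if (!AuthenticationHeaderValue.TryParse(Request.Headers.Authorization, out var h)
            || !"Basic".Equals(h.Scheme, StringComparison.OrdinalIgnoreCase) || h.Parameter is null)
            return Task.FromResult(AuthenticateResult.NoResult());
        string decoded;
        try { decoded = Encoding.UTF8.GetString(Convert.FromBase64String(h.Parameter)); }
        catch (FormatException) { return Task.FromResult(AuthenticateResult.Fail("Bad Basic header")); }
        int sep = decoded.IndexOf(':'); // first colon only: the password may contain ':'
        if (sep < 0) return Task.FromResult(AuthenticateResult.Fail("Bad Basic header"));
        string user = decoded[..sep], pass = decoded[(sep + 1)..];
        if (!IsValid(user, pass)) return Task.FromResult(AuthenticateResult.Fail("Invalid credentials"));
        var id = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, Scheme.Name);
        var ticket = new AuthenticationTicket(new ClaimsPrincipal(id), Scheme.Name);
        return Task.FromResult(AuthenticateResult.Success(ticket));
    }

    // Constructed demo credentials; a real app checks a user store with hashed passwords.
    static bool IsValid(string user, string pass) =>
        user == "demo-user" && CryptographicOperations.FixedTimeEquals(
            Encoding.UTF8.GetBytes(pass), Encoding.UTF8.GetBytes("demo-pass"));
}
```

Basic credentials are only Base64-encoded, not encrypted, so a scheme like this belongs behind HTTPS.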
