6
votes

I have the following scenario:

  1. MVC App - ASP.NET MVC application that has Identity installed in it.
  2. SPA App - Angular SPA app that is located in an area inside the MVC App.
  3. Web API - ASP.NET Web API service that is used by the SPA App.

Both the MVC App and the Web API should use the same user accounts. So, now, I have the Identity installed in the MVC App. There would be a View in it that will load the SPA App and the SPA App is going to make requests to the Web API. But the Web API will work only if the user is authenticated, thus it needs a Bearer Token sent by the client. So, when the user gets authenticated in the MVC App and opens the View with the SPA App, I should somehow get a Token for the same user that is authenticated in the MVC App, place it in the SPA App, and send the token from the SPA App JavaScript to the Web API.

Is this possible? Or is there a better way to do it?

2
Can MVC and Web API share a cookie? In other words, are they in the same domain? - Win
@Win - Isn't Web API allowed to use Token authentication only? - Yulian
It does, but you want to share authentication between Web API and MVC. It is easier to use cookie based ASP.Net Identity which is how I authenticate my AngularJS SPAs. - Win
You may try to look into the Owin dll; it provides a way of accessing the UserManager object using GetOwinContext().GetUserManager(). You may want to look at this solution to help you, in case: stackoverflow.com/questions/24001245/… - daisy
@Yulian Have you got any good solution? Thanks - Hashem

2 Answers

0
votes

Here is what you can do: create a new class library project. Move all identity components from your MVC project to that library. Reference that project in the Web API project and the MVC project.

I have done this in a couple of projects where I needed both API and MVC. It works for me. Try this, it will definitely work. Let me know if you didn't understand correctly.

0
votes

It is not a real answer to your question, but if you use ASP.NET MVC only for bootstrapping your single page application, then you may have the option to use only Web API authentication. After your SPA is bootstrapped, you can check if you have an authenticated user and get user-specific info to customize the page for your user.

In that scenario you do not need to use ASP.NET MVC authentication, but sometimes you may need to use ASP.NET sessions for situations like captcha validation (if your captcha library requires so). For such situations you can enable sessions for your specific Web API calls like below.

    // Web API session (Global.asax.cs): enable session state for selected calls only
    protected void Application_PostAuthorizeRequest()
    {
        if (HttpContext.Current == null)
            return;

        var request = HttpContext.Current.Request;
        // Require session state only for the requests that actually need it
        if (RequireSession(request))
            HttpContext.Current.SetSessionStateBehavior(System.Web.SessionState.SessionStateBehavior.Required);
    }

    // True only for POST ~/api/user, the one call that needs a session here
    private static bool RequireSession(HttpRequest request)
    {
        return request.AppRelativeCurrentExecutionFilePath == "~/api/user" && request.HttpMethod == "POST";
    }

Note: If you enable ASP.NET MVC sessions for all your Web API calls, then your requests will be processed sequentially. Not recommended!

Concurrent Requests and Session State