Call a Web API from MVC controller (cookie authentication)

Question

I have a Web Api and Mvc 5 on same project. That Web Api is protected with bearer token (but I commented the SuppressDefaultHostAuthentication line, so I can access the api from browser when I am authenticated with cookie mvc)

Now I´m trying to access the api from a mvc controller without sending the token, is that possible with SuppressDefaultHostAuthentication off?

Tried that without success (401 error):

HttpClientHandler handler = new HttpClientHandler()
{
     PreAuthenticate = true,
     UseDefaultCredentials = true
};

using (var client = new HttpClient(handler))
{
     client.BaseAddress = new Uri("http://localhost:11374/");
     client.DefaultRequestHeaders.Accept.Clear();
     client.DefaultRequestHeaders.Accept.Add(new MediaTypeWithQualityHeaderValue("application/json"));

     var response = client.GetAsync("api/MyApi").Result;
     if (response.IsSuccessStatusCode)
     {  }
}

If its not possible, how is the best way to handle that problem?

Chris Pratt Chris Pratt · Accepted Answer · 2016-06-06T19:16:57

WebApi adheres to REST, which among other things, dictates that requests are stateless. That means with WebApi, or any REST-compatible API, there's no concept of anything such as cookies, sessions, etc. Each request to the API must contain all information needed to service the request. Therefore, if you have an endpoint that requires authentication, you must authenticate the request to access it. Period. If you're doing auth via bearer tokens, then you must pass the bearer token.

Call a Web API from MVC controller (cookie authentication)

2 Answers