Ok, anyone reading this probably knows (as do I) how WebAPI works and how, if I build an application using WebAPI and Identity framework, I can build an http request, add an auth header, and the app will know who I am by reading the auth header.
This is what is known as a "Stateless" API call, where the API receiving the call is given everything it needs to determine who the user is and can thus authenticate the user and "Statelessly" action their request.
.....
I want this exact same behaviour within MVC (not Web API).
I want my app, without any request having previously been made to it at all, to use Identity framework in exactly the same way that my WebAPI endpoints do, to ensure that each "Stateless" call is authenticated using the Authorization header.
Here is how I do it in WebAPI (which doesn't work in MVC) ...
using Core.App.Security;
using Microsoft.Owin.Security.OAuth;
using Ninject;
using Owin;

namespace Core.App
{
    /// <summary>
    /// Setup as per ...
    /// Source code: https://github.com/tjoudeh/AngularJSAuthentication
    /// walkthrough: http://bitoftech.net/2014/09/24/decouple-owin-authorization-server-resource-server-oauth-2-0-web-api/
    /// </summary>
    public static class Auth
    {
        public static void Configure(IAppBuilder app, IKernel kernel)
        {
            // ensure that owin creates the required UserManager & sign in manager per owin instance
            app.CreatePerOwinContext<ApplicationUserManager>((options, owinContext) => ApplicationUserManager.Create(options, owinContext, kernel));
            app.CreatePerOwinContext<ApplicationSignInManager>((options, owinContext) => ApplicationSignInManager.Create(options, owinContext, kernel));

            // resource-server side only: validate incoming "Authorization: Bearer <token>"
            // headers and set the request principal from the token; no token issuing here
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            // custom extension (Core.App.Security) that copies the authenticated
            // user's details onto the context for the rest of the app
            app.AddAuthInfoToContext();
        }
    }
}
Essentially this sets up bearer auth using the tokens, but not an auth server in the current application.
This code allows my centralised SSO server, which acts as my Auth token provider, to issue tokens that I can use against any of our API applications (yes, I have many).
Differences
WebAPI would have in the current identity (HttpContext.Current.Identity) the authorized user information, and does not rely on sessions / previous login calls to create session info.
MVC relies on sessions and the user taking a sort of more traditional "Forms Auth" type approach meaning I would have to make an auth request to the local MVC app to "Login" prior to the request I care about.
So the question is
How can I "Login" with an authorization header token in a typical http get request when this is the first request made by that user in that session in the same way that WebAPI does when using the above code with Identity framework?
Authorization header from a web browser while the user navigates using <a> tags? Bearer tokens in headers can only work using AJAX or in-app clients, this is why MVC traditionally uses cookies (note that this is NOT equal to stateful, cookies auth can be as stateless as token auth). - Federico Dipuma
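As an added illustration (editor's example, not code from the question or from the linked project), the same bearer-only OWIN setup hosted in an MVC app, plus a diagnostic action that shows the point made in the comment above: the request is authenticated only when the client actually sends the Authorization header, which a plain browser navigation does not. Assumptions: the MVC app and the SSO server share the same machineKey so the default OAuthBearerAuthenticationOptions can unprotect the SSO-issued tokens (as in the linked walkthrough), and the namespace, controller and action names are invented for the example.

```csharp
using System;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(Core.Mvc.Startup))]

namespace Core.Mvc
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Resource-server side only, as in the question's Auth.Configure:
            // validate "Authorization: Bearer <token>" and set the request principal.
            // Assumes the token was protected with the same machineKey as the SSO server.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }

    public class ProfileController : Controller
    {
        // Microsoft.Owin.Host.SystemWeb copies the OWIN request user onto
        // HttpContext.User, so MVC's stock [Authorize] sees the bearer identity
        // with no cookie and no prior "login" request to this app.
        [Authorize]
        public ActionResult Me()
        {
            return Content("Authenticated as " + User.Identity.Name);
        }

        // Diagnostic (hypothetical action): reports whether a bearer header arrived
        // and whether the middleware produced an authenticated principal from it.
        // A normal <a>-link navigation carries no Authorization header, so both are false.
        [AllowAnonymous]
        public ActionResult WhoAmI()
        {
            string header = Request.Headers["Authorization"];
            bool hasBearer = !string.IsNullOrEmpty(header)
                && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase);
            return Json(new
            {
                hasBearerHeader = hasBearer,
                isAuthenticated = User.Identity.IsAuthenticated,
                name = User.Identity.Name
            }, JsonRequestBehavior.AllowGet);
        }
    }
}
```

An AJAX or in-app client that sets the header reaches Me() with the SSO identity; the same URL opened from a link gets a 401 from [Authorize], which is the gap the comment describes.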