1
votes

I have a web app front end and web api back end both written in ASP .Net Core 1.1 MVC. I am using Auth0 as the authentication server, using the "authorization code grant flow".

So the user logs in - i.e. the user gets directed to Auth0's login screen, which, if the username and password were correct, sends the web app back an authorization code, which the web app then exchanges for an access token, which is then used for all web api calls.

Then, the user clicks on a link which makes the web app call upon a web api action. My question is, how can the web api know which user is making the request? Or maybe at the point the user successfully logs in, the web app should call upon a controller in the web api and tell it which user just logged in? Not sure what the best practice is...

Thank you


1 Answer

1
votes

I will answer in terms of the OAuth 2.0 specification.

The specification defines 4 roles:

  1. Resource owner
  2. Resource server
  3. Client
  4. Authorization Server

In your context:

  1. Resource owner is the end-user.
  2. Resource server is your Web API.
  3. Client is your web application.
  4. Authorization Server is Auth0.

Follow these steps:

  1. Your Web API should be registered on the Authorization Server (https://auth0.com/docs/apis).
  2. Your Web API should be responsible for validating the access tokens that are used for requesting the API. These access tokens contain info about the end-user/client (https://auth0.com/docs/api-auth/tutorials/verify-access-token).
  3. You should include the Web API scope in the authorization request.
  4. You should get the access token in your web application and include it in the HTTP request to the Web API.
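The following is an added example, not code from the answerer or from Auth0, showing how steps 2 and 4 look in ASP.NET Core 1.1: the Web API validates the bearer token with the `Microsoft.AspNetCore.Authentication.JwtBearer` 1.1 middleware and reads the user id from the validated token's claims, and the web app attaches the access token to its outgoing request. The tenant domain, API identifier, API URL, the `ProfileController` and `ApiClient` names are placeholders and assumptions, not values from the question.

```csharp
// --- Web API (resource server): Startup.cs ---------------------------------
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.IdentityModel.Tokens;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app, IHostingEnvironment env)
    {
        // Placeholder values: replace with your Auth0 tenant domain and the
        // API identifier you registered for the Web API in Auth0 (step 1).
        app.UseJwtBearerAuthentication(new JwtBearerOptions
        {
            // Issuer; the middleware downloads the signing keys from the
            // tenant's OpenID Connect discovery document, so the API never
            // needs a shared secret with the web app.
            Authority = "https://YOUR_TENANT.auth0.com/",
            // Must equal the API identifier the token was issued for.
            Audience = "https://your-api-identifier",
            AutomaticAuthenticate = true,
            AutomaticChallenge = true,
            TokenValidationParameters = new TokenValidationParameters
            {
                ValidateIssuer = true,
                ValidateAudience = true,
                ValidateLifetime = true,        // reject expired tokens
                ValidateIssuerSigningKey = true,
                ClockSkew = TimeSpan.FromMinutes(1)
            }
        });

        app.UseMvc();
    }
}

// --- Web API (resource server): a protected controller ---------------------
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

[Route("api/[controller]")]
public class ProfileController : Controller
{
    // [Authorize] makes the middleware reject any request whose bearer token
    // is missing, expired, has the wrong audience/issuer or a bad signature.
    [Authorize]
    [HttpGet]
    public IActionResult Get()
    {
        // The identity of the caller comes from the validated token's claims,
        // not from anything the web app reports out of band. Auth0 puts the
        // user id in the "sub" claim; the JWT handler maps it to
        // ClaimTypes.NameIdentifier by default, so check both.
        var userId = User.FindFirst(ClaimTypes.NameIdentifier)?.Value
                     ?? User.FindFirst("sub")?.Value;
        return Ok(new { userId });
    }
}

// --- Web application (client): calling the API with the access token -------
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;

public static class ApiClient
{
    // accessToken is the token the web app obtained when it exchanged the
    // authorization code (step 4).
    public static async Task<string> GetProfileAsync(string accessToken)
    {
        using (var client = new HttpClient())
        {
            client.DefaultRequestHeaders.Authorization =
                new AuthenticationHeaderValue("Bearer", accessToken);
            // Placeholder URL for the Web API.
            var response = await client.GetAsync("https://your-api.example/api/profile");
            response.EnsureSuccessStatusCode();
            return await response.Content.ReadAsStringAsync();
        }
    }
}
```

The point of this layout is that the Web API never needs to be told who logged in: every request carries a token that Auth0 signed, and after the middleware validates it the `sub` claim identifies the user for that single request. Sending a separate "user X just logged in" call from the web app would be unverifiable by the API and is not needed.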