authorization - write single API accessible through asp.net identity user and bearer token both -


i have created asp.net mvc 6 application , configured asp.net identity users using entity framework 7 working fine. added aspnet.security.openidconnect.server token provider server working fine.

then created api controller follows:

 [route("api/[controller]")]     public class valuescontroller : controller     {         // get: api/values         [authorize(policy = "somepolicy")]         [httpget]         public ienumerable get()         {             return new string[] { "value1", "value2" };         }     }

question: want configure authorization in such way either bearer token or asp.net identity user valid (and belong role), want allow user access api.

here tried in startup.cs:

  services.addauthorization(options => {                 // add new policy requiring "scope" claim                 // containing "api-resource-controller" value.                 options.addpolicy("api", policy => {                     policy.addauthenticationschemes(jwtbearerdefaults.authenticationscheme);                     policy.requireclaim(openidconnectconstants.claims.scope, "offline_access");                                                         });                             });

then if add [authorize(policy="api")] api controller, respecting bearer tokens, not identity users.

any appreciated!

policy.addauthenticationschemes supports multiple schemes, - in theory - that:

services.addauthorization(options => {     options.addpolicy("api", policy => {         policy.addauthenticationschemes(             /* scheme 1: */ jwtbearerdefaults.authenticationscheme,             /* scheme 2: */ typeof(identitycookieoptions).namespace + ".application");     }); });

note: typeof(identitycookieoptions).namespace + ".application" default authentication scheme used asp.net identity 3: https://github.com/aspnet/identity/blob/3.0.0-rc1/src/microsoft.aspnet.identity/identitycookieoptions.cs#l61

alternatively, remove policy.addauthenticationschemes call , configure bearer , cookies middleware use automatic authentication (automaticauthenticate = true, default value cookies middleware, not jwt middleware).

in practice, it's absolutely not recommended defeats whole purpose of using bearer-only authentication: mitigating xsrf attacks. if want support cookies + bearer authentication, should strongly consider implementing xsrf countermeasures.


Comments

Post a Comment

Popular posts from this blog

sublimetext3 - what keyboard shortcut is to comment/uncomment for this script tag in sublime -

Image
i have script tag in code, keyboard shortcut comment/uncomment script tag in sublime. after selecting script open , close tag. <script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"> </script> i pressing ctrl + shift + / , getting this /*<script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"> </script>*/ also pressed ctrl + / , got this // <script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"> // </script> instead of <!-- <script src="http://code.jquery.com/jquery-latest.min.js" type="text/javascript"> </script> --> script open , close tag in 2 lines not in 1 line , not have spaces too. for mac,high light lines want comment. hold 'command , / ' commented. for windows: high line or select lines ,then hold ctrl + / if not work: ...
Read more

post - imageshack API cURL -

i credentials correct. when send image through form this:(action="http://api.imageshack.com/v2/images/"). working fine when tried send $ch = curl_init($url); failed. code: enter code here <form action="" method="post" enctype="multipart/form-data"> select image upload: <input type="file" name="file" id="file" multiple> <input type="text" name="auth_token" id="auth_token" value="xxxxxxxxxxxxxxxx"> <input type="text" name="api_key" id="api_key" value="xxxxxxxxxxxxxxx"> <input type="submit" value="upload image" > </form> $url = ' http://api.imageshack.com/v2/images/ '; $temp = $_files["file"]['tmp_name']; echo $temp."<br>" ; $ch = curl_init($url); curl_setopt($ch, curlopt_post, true); curl...
Read more

dataset - MPAndroidchart returning no chart Data available -

i having problems mpandroidchart. adding temperature , humidity data chart, displays "no chart data available". here can see bug is? super grateful! //create data //set size of data int size = list.size(); if (size > 24){ size = 24;} //create lists form temp , hum arraylist<entry> temps = new arraylist<entry>(); arraylist<entry> hums = new arraylist<entry>(); //fill list temp values (int = 0; < size; i++){ entry value = new entry(math.round(list.get(list.size()-size + i).temp), (size-i)); temps.add(value); } //fill list hum values (int = 0; < size; i++){ entry value = new entry(math.round(list.get(list.size()-size + i).hum), (size-i)); hums.add(value); } ...
Read more