8

I have a minimal setup of an auth-provider, which sets claims-identity

public class SimpleAuthorizationProvider : OAuthAuthorizationServerProvider { public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context) { context.Validated(); } public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context) { if (context.UserName != context.Password) { context.SetError("invalid_grant", "The user name or password is incorrect."); return; } var identity = new ClaimsIdentity(context.Options.AuthenticationType); identity.AddClaim(new Claim("sub", context.UserName)); identity.AddClaim(new Claim("role", "user")); context.Validated(identity); } }

I am trying to access hello-world-api, which is giving unauthorized access error.

public class HelloWorldApiController : ApiController { [HttpGet] [Route("api/hello")] //[AllowAnonymous] [Authorize] public HttpResponseMessage FetchAllEnum() { return Request.CreateResponse(HttpStatusCode.OK, "Hello World!!!"); } }

But I am getting 401/unauthorized access for the above API. I do get the bearer token back to the web-api and I am also passing it to the server as Bearer ABCD****. I do see that the authorization header is set while debugging in Visual Studio.

If I debug the AuthorizeAttribute, I am getting user.Identity.IsAuthenticated as false, which is actually causing the issue. But given that I do see the Authorization header set and I have set claims details in OAuthProvider, why is it that the AuthorizeAttribute is not reading that information?

Note: This is a Web API project so there are no references to the MVC AuthorizeAttribute.

Here is the OWIN setup:

public static class WebApiConfig { public static HttpConfiguration Register() { var config = new HttpConfiguration(); config.MapHttpAttributeRoutes(); //config.SuppressDefaultHostAuthentication(); //tried with/without this line config.Filters.Add(new AuthorizeAttribute()); config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*")); return config; } } public class OwinConfiguration { // ReSharper disable once UnusedMember.Local public void Configuration(IAppBuilder app) { ConfigureOAuth(app); app.UseCors(CorsOptions.AllowAll); app.UseWebApi(WebApiConfig.Register()); } private void ConfigureOAuth(IAppBuilder app) { var options = new OAuthAuthorizationServerOptions { AllowInsecureHttp = true, TokenEndpointPath = new PathString("/token"), AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(60), Provider = new SimpleAuthorizationProvider() }; app.UseOAuthAuthorizationServer(options); app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); } }
Improve this question
0

2 Answers 2

Reset to default
5

to make it work config.Filters.Add(new HostAuthenticationAttribute("bearer")); needed to add this line beofre authorize attribute...

public static HttpConfiguration Register() { var config = new HttpConfiguration(); config.MapHttpAttributeRoutes(); config.Filters.Add(new HostAuthenticationAttribute("bearer")); //added this config.Filters.Add(new AuthorizeAttribute()); config.EnableCors(new EnableCorsAttribute("*", "*", "*", "*")); return config; }
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Does EnableCorsAttribute require any assembly reference ? Do I need extension method to use config.EnableCors(...)?
You need to install nugget :. Microsoft.owin.cors
1

Another possible solution which worked for me was to not use HostAuthenticationAttribute, but instead set the OWIN filter to be an Active filter like this:

var bearerOptions = new OAuthBearerAuthenticationOptions { AccessTokenFormat = new JwtFormat(validationParameters), AuthenticationMode = AuthenticationMode.Active, };
Improve this answer

2 Comments

what does the bearerOptions variable get assigned to? Thanks
app.UseOAuthBearerAuthentication()

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.