4

I am working with RESTful services and find Postman to be one of the best plugins to GET, POST and test APIs.

I find Basic Auth, No Auth, Digest Auth, OAuth, AWS in Postman. How do I test the Authorize controller and methods?

I am aware that the Authorize attribute checks user.Identity.IsAuthenticated.

I am not sure how to pass authorization for controllers and methods with specific roles like the one below using Postman:

```csharp
[Authorize(Roles = "Admin, Super User")]
public ActionResult AdministratorsOnly()
{
    return View();
}
```

Here is my Startup file:

```csharp
public static OAuthAuthorizationServerOptions OAuthOptions { get; private set; }

public static string PublicClientId { get; private set; }

// For more information on configuring authentication, please visit http://go.microsoft.com/fwlink/?LinkId=301864
public void ConfigureAuth(IAppBuilder app)
{
    // Configure the db context and user manager to use a single instance per request
    app.CreatePerOwinContext(ApplicationDbContext.Create);
    app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);

    // Enable the application to use a cookie to store information for the signed in user
    // and to use a cookie to temporarily store information about a user logging in with a third party login provider
    app.UseCookieAuthentication(new CookieAuthenticationOptions());
    app.UseExternalSignInCookie(DefaultAuthenticationTypes.ExternalCookie);

    // Configure the application for OAuth based flow
    PublicClientId = "self";
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        // In production mode set AllowInsecureHttp = false
        AllowInsecureHttp = true
    };

    // Enable the application to use bearer tokens to authenticate users
    app.UseOAuthBearerTokens(OAuthOptions);
}
```
7
  • What type of authentication provider is the web api using? Commented Mar 23, 2017 at 13:11
  • Default authentication, which I assume is basic. I did not make any changes to Web API authentication. Commented Mar 23, 2017 at 13:14
  • Please share the Startup.Auth.cs or the startup class where the configuration of the auth provider is. Commented Mar 23, 2017 at 13:21
  • @MarcusH I posted my Startup.Auth.cs. Commented Mar 23, 2017 at 13:28
  • @chantra I have put an explanation for you as an answer; don't hesitate if you seek further explanation. Commented Mar 23, 2017 at 14:56

2 Answers

7

1. Enable CORS in the web api

Attach the following to the IAppBuilder in the Startup.cs Configuration method (if you face trouble, read more here: How to make CORS Authentication in WebAPI 2?)

```csharp
app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
```

NuGet package here

2. Get a token via Postman


3. Use the token and get data from the web api

Note: The token response contains the access_token, which is the token, and the token_type, which is bearer. When used in a request, add them with a space between them as the value of the Authorization HTTP header. The auth server will parse the token and set user.Identity before the request hits the [Authorize] attribute in the requested controller.


Also, make sure that the ApplicationOAuthProvider adds the claims identity that contains the current role(s) to the token. Else the request will be denied. One way to test it is to use just the [Authorize] attribute without roles and see if Postman can access the controller then.


6 Comments

Without the authorize attribute, I am able to access the controller and methods from Postman. I am aware of CORS; I don't think my issue is with CORS.
@Chatra If you use just [Authorize] without the roles spec in it, does it work?
No, it doesn't work with just Authorize. I am not using an MVC controller at all; I am trying to call the Web API only.
@Chatra And you have added the bearer token in the Authorization header when requesting the API from Postman?
Hi @AlfMoh, usually you create an API request in a coding language, let's say JavaScript for example. Then you create your request and attach the bearer token as an HTTP header before sending it to the server. Browsers don't store information if you don't tell them to.
2

It looks like you are using the Windows identity provider and OAuth 2.0 (default for the Web API 2 template). Also, you don't send roles in using Postman; authorization is handled by the framework based on the user's claims.

Explanation

When you authenticate with your username and password to the /Token endpoint, you will be issued a bearer token and a claim, which holds your identity information including your roles (more like your passport/ID). You will use your bearer token to access authorized resources and you will be granted or denied based on the role associated with it.

How does it know?

In the database, ASP.NET Identity automatically created the tables needed for users, roles, external logins etc. with the prefix aspnet when you first launched the application. What you need to do is create a user, create the roles and assign the user to the roles with the ASP.NET Identity provider. Then decorate your resource endpoints with the authorize attribute and issue a request with Postman with only the bearer token (the one you get when you successfully log in to the /Token endpoint).

You can refer here for further explanation.
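Both answers come down to the same check: [Authorize(Roles = "...")] only passes if the identity inside the bearer token carries a role claim for that role. As an added example that is not the question's or the template's own code, this is an ApplicationOAuthProvider in the shape the Startup above wires up, handling the POST /Token password grant and making the role claims explicit; it assumes the template's ApplicationUserManager and the ApplicationUser.GenerateUserIdentityAsync(manager, authenticationType) helper exist as in the default Web API 2 project.

```csharp
using System.Collections.Generic;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security.OAuth;

public class ApplicationOAuthProvider : OAuthAuthorizationServerProvider
{
    // PublicClientId from Startup is only needed for the redirect-URI check, omitted here.
    public ApplicationOAuthProvider(string publicClientId) { }

    // Runs for POST /Token with the form body grant_type=password&username=<u>&password=<p>
    public override async Task GrantResourceOwnerCredentials(
        OAuthGrantResourceOwnerCredentialsContext context)
    {
        var userManager = context.OwinContext.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await userManager.FindAsync(context.UserName, context.Password);
        if (user == null)
        {
            context.SetError("invalid_grant", "The user name or password is incorrect.");
            return;
        }

        // Identity serialized into the bearer token (GenerateUserIdentityAsync is the
        // template helper on ApplicationUser; assumed present as in the default project).
        ClaimsIdentity identity = await user.GenerateUserIdentityAsync(
            userManager, OAuthDefaults.AuthenticationType);

        // [Authorize(Roles = "Admin")] succeeds only if a ClaimTypes.Role claim "Admin" is in
        // this identity, so mirror every AspNetUserRoles row as a role claim. CreateIdentityAsync
        // normally adds these already; the loop makes the guarantee explicit and visible.
        IList<string> roles = await userManager.GetRolesAsync(user.Id);
        foreach (string role in roles)
        {
            if (!identity.HasClaim(ClaimTypes.Role, role))
                identity.AddClaim(new Claim(ClaimTypes.Role, role));
        }

        context.Validated(identity);
    }

    // The public client "self" sends no client secret, so token requests without a
    // client id are accepted (same behaviour as the default template).
    public override Task ValidateClientAuthentication(
        OAuthValidateClientAuthenticationContext context)
    {
        if (context.ClientId == null) context.Validated();
        return Task.FromResult<object>(null);
    }
}
```

With this in place, a user that has no row in AspNetUserRoles for "Admin" gets a 401 from an [Authorize(Roles = "Admin")] action even with a valid token, while plain [Authorize] still lets the same token through, which is the diagnostic the first answer suggests.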
