1

I have a WebApi using Basic Auth nicely. And I have an MVC site using Forms Auth nicely. But here's the catch:

Client X has a dedicated database with any number of Contacts and Products. The MVC site is a dedicated site for them (via {clientId} routing), which allows their Contacts to log in (via Forms Auth) and place orders for their products. The Contact must be Form-ly logged in to place an order.

The product orders (need to) hit the WebApi to be recorded in the Client's database.

But since the WebApi uses Basic Auth to validate the Client, not the Contacts who placed the orders, every request comes back is 401 - Unauthorized.

I've checked out ThinkTecture as suggested by a number of posts here on SO, however it doesn't get me what I need because I'm not looking to allow Forms Auth in the WebApi. I don't want to authenticate the Contact from the Client's database in the WebApi, I want to authenticate the Client in the WebApi.

Has anyone come across a similar scenario and am I missing something glaringly obvious? Perhaps I need to implement both Forms and Basic on the site?

The very standard Api call I'm making from the site (where the UserName and Password are the Client's, not the Contact's):

var clientId = new Guid(RouteData.Values["clientId"].ToString());
var baseUrl = ConfigurationManager.AppSettings["ApiBaseAddress"];
var authHeader = Convert.ToBase64String(Encoding.ASCII.GetBytes(String.Format("{0}:{1}", _shoppingCartSettings.UserName, _shoppingCartSettings.Password)));
var requestUrl = String.Format("api/{0}/inventory", clientId.ToString());

var httpWebRequest = WebRequest.Create(baseUrl + requestUrl);

httpWebRequest.Headers.Add(HttpRequestHeader.Authorization, "Basic " + authHeader);
httpWebRequest.Method = "GET";
httpWebRequest.Accept = "application/json";
httpWebRequest.ContentType = "application/json";

try
{
    using (var httpWebResponse = httpWebRequest.GetResponse())
    {
        // we never get here because of a 401
    }
}
catch (WebException ex)
{
    using (var httpWebResponse = ex.Response)
    {
        // we always get here
    }
}

If I set up a separate test client and make the same call, it works great :/

Improve this question

3 Answers 3

Reset to default
1

Is your Web API under the same virtual directory and configuration as the MVC site? It looks like the Forms Auth HTTP module kicks in for your API, which you don't want. As long as you don't plan to call the API directly from the browser, move it to a separate virtual directory that is set up exclusively for basic auth, no forms auth module in the web.config for the API.

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

Yep, they are definitely in separate virtual directories with their own configs. MVC site set to "Forms" and WebApi set to "None" in the web.configs.
Thanks for the push in the right direction. Got it figured out.
0

Why not have one login for your MVC site that has the ability to submit orders for every Client? It makes sense for your WebAPI to only allow Clients to submit orders for themselves. But I don't think it makes sense to have your MVC site authenticate as different Clients based on the Contact. Your MVC site would have to store the passwords for each Client.

Instead, create one login for the MVC site and give it the ability to submit an order for any Client.

Improve this answer

Comments

0

After much banging of head against the not-so-proverbial wall, and a much needed shove by @0leg, I've discovered the cause.

In the Properties of my WebApi project file under Web > Servers, the Visual Studio Development Server was being used with a Virtual Path of "/", whereas my MVC project file was set up to use the Local IIS Web Server. The MVC project also had the Apply server settings to all users (store in project file) option checked.

Setting both to use the local IIS server resolved it.

Upon further contemplation, this now seems logical since they were essentially running on different servers.

Posting this for posterity's sake.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.