
I have inherited an existing application. This application uses ASP.NET MVC 3. It has some APIs. Those APIs look like the following:

[AcceptVerbs(HttpVerbs.Post)]
[Endpoint]
public ActionResult AuthenticatePlayer(string username, string password)
{
  // Ensure that the user entered valid credentials
  if (Membership.ValidateUser(username, password) == false)
    return Json(new { statusCode = StatusCodes.INVALID_CREDENTIALS, message = "You entered an invalid username or password. Please try again." });

  // Get the profile of the person that just logged in.
  ProfileCommon userProfile = (ProfileCommon)(ProfileCommon.Create(username));
  if (userProfile != null)
  {
    string name = username;
    if (String.IsNullOrEmpty(userProfile.FirstName) == false)
      name = userProfile.FirstName;

    return Json(new {
      statusCode = StatusCodes.SUCCESS,
      payload = name,
      username = username.ToLower(),
    });
  }

  // No profile could be loaded for this user. The original fell off the end of the method here
  // (not all code paths return a value); answer with the same generic failure so nothing about
  // the account state leaks.
  return Json(new { statusCode = StatusCodes.INVALID_CREDENTIALS, message = "You entered an invalid username or password. Please try again." });
}

[AcceptVerbs(HttpVerbs.Get)]
[Endpoint]
public ActionResult SomeUserAction(string q)
{
  // TODO: Ensure the user is authorized to perform this action via a token

  // Do something
  return Json(new { original = q, response = DateTime.UtcNow.Millisecond }, JsonRequestBehavior.AllowGet);
}

I'm trying to figure out how to integrate a token-based authorization schema into this process. From my understanding, a token-based system would return a short-lived token and a refresh token to a user if they successfully log in. Then, each method can check whether a user is authorized to perform the action by looking at the token. I'm trying to learn if this is built into ASP.NET MVC or if there is a library I can use. I need to figure out the shortest way to get this done.

Thank you so much!

2 Answers

I built a WebAPI Token Authentication library a year ago, providing token-based authentication:

WebAPI Token Auth Bootstrap is out-of-the-box token-based user auth for WebAPI applications. It provides a ready-to-use 'TokenAuthorize' attribute and a 'TokenAuthApiController' controller.

Among its features: token-based user authentication with a User property inside the TokenAuthApiController (Id, Username, Role, LastAccess).

Token-based user authorization via TokenAuthorizeAttribute with access levels Public, User, Admin or Anonymous.

Built-in Login(), Logoff(), Error(), Unauthorized() responses with various overloads.

You can read more about it here and in its own wiki on GitHub.

Nowadays I am working on a Node.js application and I am using JSON Web Tokens (JWT) via a Node.js library, and it is very easy and straightforward... it's Node.js after all ;)

I saw there is a .NET implementation of JWT explained in this article, which I recommend you look at.


1 Comment

Apologies for asking a question on token-based auth. I have seen people choose token-based auth for Web API projects but hardly go for this approach when they develop any web site with MVC. So can you tell me why token-based auth is the right solution for Web API, because people can use forms auth in Web API too? Thanks.

You can use OWIN, i.e. Microsoft.Owin.Security.

I haven't tried this implementation, but this is just to give you an idea:

// Server side, after Membership.ValidateUser has succeeded: build an identity for the user,
// wrap it in an AuthenticationTicket and stamp the ticket with issue/expiry times.
// Startup.OAuthBearerOptions is assumed to be a static OAuthBearerAuthenticationOptions
// configured in the OWIN Startup class.
var identity = new ClaimsIdentity(Startup.OAuthBearerOptions.AuthenticationType);
identity.AddClaim(new Claim(ClaimTypes.Name, username));
var currentUtc = new SystemClock().UtcNow;
var ticket = new AuthenticationTicket(identity, new AuthenticationProperties());
ticket.Properties.IssuedUtc = currentUtc;
ticket.Properties.ExpiresUtc = currentUtc.Add(TimeSpan.FromMinutes(30));
// Protect() signs/encrypts the ticket so the client cannot alter its claims or expiry.
var accessToken = Startup.OAuthBearerOptions.AccessTokenFormat.Protect(ticket);

return Json(new {
    statusCode = StatusCodes.SUCCESS,
    payload = name,
    username = username.ToLower(),
    accessToken = accessToken
});

// Client side (HttpClient): send the token back on every subsequent request.
// client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
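The check that the TODO in the question's SomeUserAction asks for, as an added example that is not part of either answer: an MVC authorization filter that reads the Authorization: Bearer header, unprotects the ticket with the same Startup.OAuthBearerOptions static the second answer assumes (a hypothetical name), rejects tampered or expired tokens, and sets the request principal. It assumes .NET 4.5 with Microsoft.Owin.Security installed.

```csharp
using System;
using System.Security.Claims;
using System.Web;
using System.Web.Mvc;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security;

// Usage: replace the TODO in SomeUserAction with [TokenAuthorize] on the action.
public class TokenAuthorizeAttribute : AuthorizeAttribute
{
    private static readonly ISystemClock Clock = new SystemClock();

    protected override bool AuthorizeCore(HttpContextBase httpContext)
    {
        string header = httpContext.Request.Headers["Authorization"];
        if (string.IsNullOrEmpty(header) ||
            !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
            return false;

        string token = header.Substring("Bearer ".Length).Trim();
        AuthenticationTicket ticket;
        try
        {
            // Unprotect verifies the signature/encryption applied by Protect() at login;
            // a tampered or foreign token yields null or throws, both treated as a failure.
            ticket = Startup.OAuthBearerOptions.AccessTokenFormat.Unprotect(token);
        }
        catch (Exception)
        {
            return false;
        }
        if (ticket == null || ticket.Identity == null || !ticket.Identity.IsAuthenticated)
            return false;

        // Enforce the ExpiresUtc the login action stamped on the ticket (short-lived token).
        DateTimeOffset? expires = ticket.Properties.ExpiresUtc;
        if (expires.HasValue && expires.Value < Clock.UtcNow)
            return false;

        // Expose the caller to the action as User.Identity.Name.
        httpContext.User = new ClaimsPrincipal(ticket.Identity);
        return true;
    }

    protected override void HandleUnauthorizedRequest(AuthorizationContext filterContext)
    {
        // An API caller should get a plain 401, not a redirect to a login page.
        filterContext.Result = new HttpStatusCodeResult(401, "Invalid or expired token");
    }
}
```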
