Question adding Bearer Token to BasicAuthentication?

[raysefo]

Hi,

I have an ASP.Net Web API 2 with BasicAuthenticationAttribute that is working as expected. In my application, there are different controllers and I want to add bearer token-based authentication to one of my controllers. I added those NuGet packages:

Microsoft.AspNet.WebApi.Owin
Microsoft.Owin.Host.SystemWeb
Microsoft.Owin.Security.OAuth

There is no problem with the web API config.

public static class WebApiConfig
    {
       public static void Register(HttpConfiguration config)
       {
                    
           config.Formatters.JsonFormatter.SerializerSettings.ReferenceLoopHandling = ReferenceLoopHandling.Ignore;
        config.Formatters.JsonFormatter.SerializerSettings.DateTimeZoneHandling =
        DateTimeZoneHandling.Local;
                
        config.MapHttpAttributeRoutes();
      
        config.Routes.MapHttpRoute(
            "DefaultApi",
            "api/{controller}/{id}",
            new {id = RouteParameter.Optional}
        );
        
                          
       config.MessageHandlers.Add(new RequestResponseHandler());
                    
       config.Filters.Add(new CustomExceptionFilter());
        
       var resolver = config.DependencyResolver;
       var basicAuth = resolver.GetService(typeof(BasicAuthenticationAttribute)) as BasicAuthenticationAttribute;
       config.Filters.Add(basicAuth);
   }
}

Here is Owin startup

public class Startup
     {
         public void Configuration(IAppBuilder app)
         {
             var configuration = new HttpConfiguration();
             Configure(app);
    
             WebApiConfig.Register(configuration);
             app.UseWebApi(configuration);
         }
    
         private static void Configure(IAppBuilder app)
         {
             var options = new OAuthAuthorizationServerOptions()
             {
                 TokenEndpointPath = new Microsoft.Owin.PathString("/token"),
                 AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),
                 AllowInsecureHttp = true,
                 Provider = new AuthorizationServerProvider()
             };
    
             app.UseOAuthAuthorizationServer(options);
             app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
         }
     }

In the configuration of Owin startup, the program flow goes back to the web API config file.

WebApiConfig.Register(configuration);

And finally, it gets a null exception for basic authentication.

config.Filters.Add(basicAuth);

How can I solve this and use both basic authentication attribute and token-based authentication in my web API?

Best Regards.

 

[Skydiver]

Are you getting the exception on line 25 of your WebApiConfig.cs? If so that means that the resolver on line 24 could not find the
BasicAuthenticationAttribute.

I am guessing that the call to app.UseOAuthBearerAuthentication() maybe removing the registration of the basic auth from your resolver. That or you accidentally over wrote the code that sets up basic auth with your new code that sets up Oauth.

 

[raysefo]

At first, when the web API config starts, Unity Dependency Resolver is set. But after owin startup, it is an Empty Resolver.

var resolver = config.DependencyResolver;

 

[Skydiver]

If you revert back to the version without OAuth, is it also null?

 

[raysefo]

Without OAuth, it is not null. I am googling and found out this one. Trying to find a way.

Difficulty getting Unity dependency injection working with WebAPI, and OWIN

 

[Skydiver]

I was going to point you to the same thing...

 

[raysefo]

I changed Owin startup.cs like this but this time I am not getting 401 Authorization has been denied for this request.

public void Configuration(IAppBuilder app)
        {
            var configuration = GlobalConfiguration.Configuration;
            
            //WebApiConfig.Register(configuration);
            app.UseWebApi(configuration);

            Configure(app);
        }

What I am missing?

 

[raysefo]

Any ideas on how to accomplish it?

 

[Skydiver]

Did you read the first answer in that link? It looks like you are trying to implement the second answer.

 

[raysefo]

I don't understand his logic. He seems using ProviderService but there is no clue what is inside the class. So I need some guidance. Is there any tutorial about this specific issue?

 

[Skydiver]

I'm sorry, I don't know enough about the plumbing that goes into the ASP.NET authentication/authorization pipeline. I believe that it is documented, but I just never had to dig into it. Just speculating: Perhaps order matters on whether you setup webapi first or oath first?

Don't get hung up on his

ProviderService[/icode] and [icode]IProviderService[/icode]. I think it's his private code to help drive the code behind his [icode]ServiceController[/icode].

 

[raysefo]

I am searching and trying to find how to use both basic authentication and token-based authentication for different controllers. Here is my status update.

There is no code in the Global.asax

public class Startup

    {

        public void Configuration(IAppBuilder app)

        {


            var config = GlobalConfiguration.Configuration;

            WebApiConfig.Register(config);

            app.UseWebApi(config);

            Configure(app, config.DependencyResolver);           

            config.EnsureInitialized();

        }


        private static void Configure(IAppBuilder app, IDependencyResolver resolver)

        {

            var options = new OAuthAuthorizationServerOptions()

            {


                TokenEndpointPath = new Microsoft.Owin.PathString("/token"),

                AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),

                AllowInsecureHttp = true,

                Provider = new AuthorizationServerProvider((IUserValidate)resolver.GetService(typeof(IUserValidate)))

                

            };


            

            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

            app.UseOAuthAuthorizationServer(options);


        }

    }

public class AuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        private readonly IUserValidate _userValidate;
        public AuthorizationServerProvider(IUserValidate userValidate)
        {
            _userValidate = userValidate;
        }
        public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            if (!context.TryGetBasicCredentials(out var clientId, out var clientSecret))
            {
                context.SetError("Error", "Error...");
            }

            if (_userValidate.Login(clientId, clientSecret))
            {
                context.Validated();
            }
        }

        
        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {

            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Origin", new[] { "*" });
            context.OwinContext.Response.Headers.Add("Access-Control-Allow-Headers", new[] { "Content-Type" });


            if (_userValidate.Login(context.UserName, context.Password))
            {
                
                var identity = new ClaimsIdentity(context.Options.AuthenticationType);
                identity.AddClaim(new Claim("sub", context.UserName));
                identity.AddClaim(new Claim("role", "admin"));

                context.Validated(identity);
            }
            else
            {
                
                context.SetError("Error", "Error...");
            }
        }
    }

The rest is the same as the previous code samples.


When I call ...api/v2/game/abc101/purchase I am getting 401, it is progress. But when I call http://localhost:52908/token I am getting unsupported_grant_type. I am sending requests via Postman and I am sending a POST requests with content-type x-www-form-urlencoded. Grant-Type is password and username/password is also correct. When I call another controller http://localhost:52908/api/v2/game/purchase basic authentication does NOT work!

 

[raysefo]

Now I am getting the token, one step at a time How can I also use Basic authentication for another controller?

public class Startup
    {
        public void Configuration(IAppBuilder app)
        {

            var config = GlobalConfiguration.Configuration;
            Configure(app, config.DependencyResolver);
            WebApiConfig.Register(config);
            app.UseCors(Microsoft.Owin.Cors.CorsOptions.AllowAll);
            app.UseWebApi(config);
            config.EnsureInitialized();

        }

        private static void Configure(IAppBuilder app, IDependencyResolver resolver)
        {
            var options = new OAuthAuthorizationServerOptions()
            {
                AllowInsecureHttp = true,
                TokenEndpointPath = new Microsoft.Owin.PathString("/token"),
                AccessTokenExpireTimeSpan = TimeSpan.FromHours(1),
                Provider = new AuthorizationServerProvider((IUserValidate)resolver.GetService(typeof(IUserValidate)))
                
            };

            app.UseOAuthAuthorizationServer(options);
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());

        }
    }

public class AuthorizationServerProvider : OAuthAuthorizationServerProvider
    {
        private readonly IUserValidate _userValidate;
        public AuthorizationServerProvider(IUserValidate userValidate)
        {
            _userValidate = userValidate;
        }
        public override async Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
        {
            if (!context.TryGetBasicCredentials(out var clientId, out var clientSecret))
            {
                context.SetError("invalid_grant", "The user name or password is incorrect.");
            }

            if (_userValidate.Login(clientId, clientSecret))
            {
                context.Validated();
            }
        }

        
        public override async Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
        {

            
            if (_userValidate.Login(context.UserName, context.Password))
            {
                
                var identity = new ClaimsIdentity(context.Options.AuthenticationType);
                identity.AddClaim(new Claim("sub", context.UserName));
                identity.AddClaim(new Claim("role", "admin"));

                context.Validated(identity);
            }
            else
            {
                
                context.SetError("invalid_grant", "The user name or password is incorrect.");
            }
        }
    }

As I mentioned before, I have Basic Authentication Attribute and somehow I have to use it in my other controller.

 

[Skydiver]

Yay! Progress!

Sorry for all the hand waving, but as I understand ASP.NET AuthN/AuthZ, they use a chain of responsibility. If one provider says it doesn't know how to handle something, it gets passed in down the chain. I wish I could tell you more to guide you.

 

[raysefo]

It seems one is interested in asp.net web API nowadays