How to authenticate ASP.NET MVC web app to access Web API(ready to use with OAuth SSO)

SidK 21 Reputation points
2022-07-14T07:34:38.91+00:00

I read in multiple places that ASP.NET is a mixed bag for cookie & OAuth authentication. I have multiple doubts & questions around authenticating the web server application to access the web API. If they can be answered together in the same question, it will solve a holistic problem.

1) Does an ASP.NET Core MVC UI application need cookie authentication even if I want to use it as a UI which will be calling a web API (implemented with OAuth)?

2) Can I implement an OAuth mechanism for the ASP.NET Core MVC Web App UI & Web API on the same server & in the same project? If yes, how do I achieve that?

3) Can I implement an OAuth mechanism for the ASP.NET Core MVC Web App UI & Web API on different servers & in different projects? If yes, how do I achieve that?

4) Does ASP.NET MVC always need a cookie in the picture? And when a cookie comes, I guess a session will be there on the server.


3 answers

  1. AgaveJoe 26,186 Reputation points
    2022-07-14T10:25:50.19+00:00

    You'll register your MVC application with the OAuth/OIDC service you select for your project. This involves creating a secret that only the OAuth/OIDC service and your MVC project know, as well as other bits of information like your web application's redirect URL.

    1) Does an ASP.NET Core MVC UI application need cookie authentication even if I want to use it as a UI which will be calling a web API (implemented with OAuth)?

    Cookie authentication authorizes the browser when accessing MVC actions. A Web API client submits a bearer token, which authorizes access to Web API actions. Keep in mind, there can be many types of clients and several OAuth/OIDC flows. Typically you'll pick a flow that fits your security needs. Do a Google search for OAuth/OIDC.

    2) Can I implement an OAuth mechanism for the ASP.NET Core MVC Web App UI & Web API on the same server & in the same project? If yes, how do I achieve that?

    Of course. Pick an OAuth/OIDC provider. Read the OAuth/OIDC provider's documentation and implement it. Well-known OAuth/OIDC providers will have a library you can use in your project.

    3) Can I implement an OAuth mechanism for the ASP.NET Core MVC Web App UI & Web API on different servers & in different projects? If yes, how do I achieve that?

    Yes. Same as 2. Whether you use one server or multiple servers has no effect. However, it is common to use separate servers for security reasons.

    4) Does ASP.NET MVC always need a cookie in the picture? And when a cookie comes, I guess a session will be there on the server.

    Cookies and session are two different middleware services. As explained in 1 above, cookie authentication authorizes the browser to access an MVC application.

    The official documentation covers these concepts quite extensively.

    ASP.NET Core security topics
    Overview of ASP.NET Core authentication
    Introduction to authorization in ASP.NET Core


  2. AgaveJoe 26,186 Reputation points
    2022-07-14T12:29:15.553+00:00

    When you say cookie authentication authorizes the browser to access an MVC application, doesn't an SPA need it too?

    It depends on your unknown design. If the SPA makes requests to an MVC action, then cookie authentication authorizes the request. This is a web dev fundamental concept and it has to do with how browsers work. If the SPA (JavaScript) is making a request to a Web API, then the SPA will submit a bearer token to gain access to resources. This concept applies to any kind of code client making a Web API request.

    An SPA doesn't need cookie authentication (not talking about the cookie as storage here) to communicate with any API (with OAuth).

    Again, it depends on your unknown design and the OAuth/OIDC flow you've selected. Security best practices recommend that JavaScript does not access the Web API directly because it causes several security vulnerabilities. For example, JavaScript is clear text in the browser. This might be fine for your unknown requirements. I have no idea, and you have not explained your security requirements.

    Please, make an effort to learn OAuth/OIDC fundamentals rather than making assumptions. I'm positive if you look into OAuth/OIDC flows, you will get the idea. Frankly, there is far too much information to cover in a forum post. Fortunately, this information is openly published.


  3. Bruce (SqlWork.com) 55,041 Reputation points
    2022-07-15T15:55:29.983+00:00

    When implementing authentication with browsers, there are two general categories:

    1) Browser-supported authentication, using Basic, Kerberos, or certificates; that is, the browser itself handles the authentication.

    2) Cookie-based authentication. The browser's only involvement is support for cookies. The server stores a token in the cookie.

    If the request is being made by Ajax, then in addition to the above, a custom value can be passed in a header. The standard is the bearer header and JWT tokens.

    OAuth supports both cookies and bearer tokens. ASP.NET websites can support both cookie and bearer tokens (with proper configuration).

    This is a big topic. Read the docs and watch a few videos until you understand the basics.

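The "same server & same project" case from the first answer and the "both cookie and bearer tokens (with proper configuration)" point from the last one, as an added Program.cs example that is not code from any of the answers or from the ASP.NET Core docs. It assumes the Microsoft.AspNetCore.Authentication.JwtBearer package, a hypothetical issuer, audience and signing key, and API controllers routed under /api; a policy scheme picks the cookie handler for browser page requests and the JWT bearer handler for API calls, so an unauthenticated API call gets a 401 instead of a login redirect.

```csharp
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
// Hypothetical symmetric key for this example only; with a real OAuth/OIDC provider you would set
// options.Authority in AddJwtBearer instead and let the handler fetch signing keys from the provider.
var signingKey = new SymmetricSecurityKey(System.Text.Encoding.UTF8.GetBytes("example-only-secret-at-least-32-bytes!!"));
builder.Services
    .AddAuthentication(options =>
    {
        options.DefaultScheme = "CookieOrBearer";           // [Authorize] endpoints go through the selector below
        options.DefaultChallengeScheme = "CookieOrBearer";
    })
    .AddPolicyScheme("CookieOrBearer", "Cookie or JWT bearer", options =>
    {
        // /api/* (or any request carrying a Bearer header) is validated as a JWT and gets a plain 401
        // on failure; browser page requests use the auth cookie and are redirected to the login page.
        options.ForwardDefaultSelector = ctx =>
            ctx.Request.Path.StartsWithSegments("/api")
            || ctx.Request.Headers.Authorization.ToString().StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
                ? JwtBearerDefaults.AuthenticationScheme
                : CookieAuthenticationDefaults.AuthenticationScheme;
    })
    .AddCookie(options =>
    {
        options.LoginPath = "/Account/Login";                    // hypothetical MVC login action
        options.Cookie.HttpOnly = true;                           // not readable by page JavaScript
        options.Cookie.SecurePolicy = CookieSecurePolicy.Always;  // sent over HTTPS only
        options.Cookie.SameSite = SameSiteMode.Lax;               // limits cross-site request forgery
    })
    .AddJwtBearer(options =>
    {
        options.TokenValidationParameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = "https://issuer.example",  // assumed issuer
            ValidateAudience = true, ValidAudience = "example-api",        // assumed API audience
            ValidateLifetime = true, ClockSkew = TimeSpan.FromMinutes(1),
            IssuerSigningKey = signingKey,
        };
    });
builder.Services.AddAuthorization();

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();   // must come before UseAuthorization
app.UseAuthorization();
app.MapControllers();      // [ApiController] controllers routed under /api
app.MapControllerRoute("default", "{controller=Home}/{action=Index}/{id?}");
app.Run();
```

The MVC login action issues the cookie with SignInAsync after the user authenticates with the provider, while API clients obtain a JWT from the provider and send it in the Authorization header; the two schemes never share a session.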