sidk-4295 asked Bruce-SqlWork answered

How to authenticate an ASP.NET MVC web app to access a Web API (ready to use with OAuth SSO)

I have read in multiple places that ASP.NET is a mixed bag for cookie and OAuth authentication. I have multiple doubts and questions around authenticating the web server application to access a Web API. If they can be answered together in the same question, it will solve a holistic problem.

1) Does an ASP.NET Core MVC UI application need cookie authentication even if I want to use it as a UI that will be calling a Web API (implemented with OAuth)?

2) Can I implement an OAuth mechanism for an ASP.NET Core MVC Web App UI and Web API on the same server and in the same project? If yes, how do I achieve that?

3) Can I implement an OAuth mechanism for an ASP.NET Core MVC Web App UI and Web API on different servers and in different projects? If yes, how do I achieve that?

4) Does ASP.NET MVC always need a cookie in the picture? And when a cookie comes, I guess a session will be there on the server.

Tags: dotnet-aspnet-core-webapi, dotnet-aspnet-core-auth

AgaveJoe answered sidk-4295 commented

You'll register your MVC application with the OAuth/OIDC service you select for your project. This involves creating a secret that only the OAuth/OIDC service and your MVC project know, as well as other bits of information like your web application's redirect URL.

1) Does an ASP.NET Core MVC UI application need cookie authentication even if I want to use it as a UI that will be calling a Web API (implemented with OAuth)?

Cookie authentication authorizes the browser when accessing MVC actions. A Web API client submits a bearer token, which authorizes access to Web API actions. Keep in mind, there can be many types of clients and several OAuth/OIDC flows. Typically you'll pick a flow that fits your security needs. Do a Google search for OAuth/OIDC.

2) Can I implement an OAuth mechanism for an ASP.NET Core MVC Web App UI and Web API on the same server and in the same project? If yes, how do I achieve that?

Of course. Pick an OAuth/OIDC provider. Read the OAuth/OIDC provider documentation and implement. Well known OAuth/OIDC providers will have a library you can use in your project.

3) Can I implement an OAuth mechanism for an ASP.NET Core MVC Web App UI and Web API on different servers and in different projects? If yes, how do I achieve that?

Yes. Same as 2. One server or multiple servers have no effect. However, it is common to use separate servers due to security.

4) Does ASP.NET MVC always need a cookie in the picture? And when a cookie comes, I guess a session will be there on the server.

Cookies and Session are two different middleware services. As explained in 1 above, cookie authentication authorizes the browser to access an MVC application.

The official documentation covers these concepts quite extensively.

ASP.NET Core security topics
Overview of ASP.NET Core authentication
Introduction to authorization in ASP.NET Core



Thank you for the details.

When you say cookie authentication authorizes the browser to access an MVC application, doesn't an SPA need it too? An SPA doesn't need cookie authentication (not talking about the cookie as storage here) to communicate with any API (with OAuth).

AgaveJoe answered AgaveJoe edited

When you say cookie authentication authorizes the browser to access an MVC application, doesn't an SPA need it too?

It depends on your unknown design. If the SPA makes requests to an MVC action, then cookie authentication authorizes the request. This is a web dev fundamental concept and it has to do with how browsers work. If the SPA (JavaScript) is making a request to Web API then the SPA will submit a bearer token to gain access to resources. This concept applies to any kind of code client making a Web API request.

An SPA doesn't need cookie authentication (not talking about the cookie as storage here) to communicate with any API (with OAuth).

Again, it depends on your unknown design and the OAuth/OIDC flow you've selected. Security best practices recommend JavaScript does not access Web API directly because it causes several security vulnerabilities. For example, JavaScript is clear text in the browser. This might be fine for your unknown requirements. I have no idea and you have not explained your security requirements.

Please, make an effort to learn OAuth/OIDC fundamentals rather than making assumptions. I'm positive if you look into OAuth/OIDC flows, you will get the idea. Frankly, there is far too much information to cover in a forum post. Fortunately, this information is openly published.



Bruce-SqlWork answered

When implementing authentication with browsers, there are two general categories:

1) Browser-supported authentication, using Basic, Kerberos, or certificates. That is, the browser itself handles the authentication.

2) Cookie-based authentication. The browser's only involvement is support of cookies. The server stores a token in the cookie.

If the request is being made by Ajax, then in addition to the above, a custom value can be passed in a header. The standard is the Bearer header and JWT tokens.

OAuth supports both cookies and bearer tokens. ASP.NET websites can support both cookies and bearer tokens (with proper configuration).

This is a big topic. Read the docs, and watch a few videos until you understand the basics.
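As an added example (not code from any of the answers above), here is one ASP.NET Core project that does what AgaveJoe's answer to question 2 and the "proper configuration" in the answer above describe: the MVC UI uses the cookie scheme (signed in through an OIDC authorization-code login), the Web API in the same project uses the JWT bearer scheme, and an MVC action calls the API with the access token saved at login. It assumes the Microsoft.AspNetCore.Authentication.OpenIdConnect and Microsoft.AspNetCore.Authentication.JwtBearer packages; the IdP URL, client id, audience, scope, API URL and the Oidc:ClientSecret configuration key are placeholders.

```csharp
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using System.Net.Http.Headers;
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddControllersWithViews();
builder.Services.AddHttpClient();
builder.Services.AddAuthentication(o =>
{   // Browser (MVC) traffic: the cookie holds the session, OIDC performs the SSO login.
    o.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
    o.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
})
.AddCookie(o => { o.Cookie.HttpOnly = true; o.Cookie.SecurePolicy = CookieSecurePolicy.Always; })
.AddOpenIdConnect(o =>
{
    o.Authority = "https://idp.example.test";                    // placeholder IdP
    o.ClientId = "mvc-ui";                                       // placeholder client id
    o.ClientSecret = builder.Configuration["Oidc:ClientSecret"]; // placeholder config key; keep it out of source
    o.ResponseType = "code";                                     // authorization code flow (PKCE is on by default)
    o.SaveTokens = true;                                         // keep the access token in the cookie ticket
    o.Scope.Add("api.read");                                     // placeholder API scope
})
// API traffic: validate a JWT access token minted by the same IdP.
.AddJwtBearer(o => { o.Authority = "https://idp.example.test"; o.Audience = "my-api"; });
// API routes accept ONLY the bearer scheme, so the browser cookie never satisfies an API check by accident.
builder.Services.AddAuthorization(o => o.AddPolicy("ApiBearer", p => p
    .AddAuthenticationSchemes(JwtBearerDefaults.AuthenticationScheme).RequireAuthenticatedUser()));

var app = builder.Build();
app.UseHttpsRedirection();
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();
app.Run();

[Authorize] // cookie scheme; an anonymous browser is redirected to the IdP to sign in
public class HomeController : Controller
{
    public async Task<IActionResult> Index([FromServices] IHttpClientFactory factory)
    {   // Server-side call to the API: forward the token saved at login as a Bearer header.
        var token = await HttpContext.GetTokenAsync("access_token");
        var http = factory.CreateClient();
        http.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return Content(await http.GetStringAsync("https://localhost:5001/api/values"));
    }
}
[ApiController, Route("api/values"), Authorize(Policy = "ApiBearer")]
public class ValuesController : ControllerBase { [HttpGet] public IActionResult Get() => Ok(User.Identity?.Name); }
```

Splitting the UI and API into separate projects (question 3) keeps the same two halves; only the JwtBearer registration moves to the API project and the MVC project keeps the cookie and OIDC handlers.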
