I'm having problems with understanding the concept of its use with several projects. Assume I have 4 projects

  • Business.Services
  • Presentation.MVC
  • Presentation.WebApi

Business.Services is the project where all the business logic and db connections occur. The MVC and Web Api projects reference Services to call business logic. MVC and Web Api do not have any interaction with each other because they serve completely different purposes in my case. Web Api only stands for dealing with mobile client requests/responses.

In my MVC project I provide a login to my users and after making a successful login I create a FormsAuthenticationTicket and, with the help of this ticket, I execute a custom authorization check to see if the user is eligible for the specified action. In addition to this, I create an IPrincipal based on my FormsAuthenticationTicket data in Authorization. After setting this I can reach it via HttpContext.Current.User.

On the other hand, in my Web Api project, Basic authentication is needed for all requests. There is a login action where the user needs to send LoginName and Password in order to get a token that is going to be used for future requests. Once the token is retrieved by the client, the client adds a ?token parameter at the end of the query string. When the request reaches the Web Api, it enters my CustomAuthorizationAttribute and again checks if the user is eligible for that request. Moreover, I set Thread.CurrentPrincipal and HttpContext.Current.User to an IPrincipal object which is determined by the token.

So far so good. The problem starts here. I wanted to put SignalR into my Presentation.WebApi project. As far as I understand, OWIN is on top of all of MVC and WebApi, thus we don't need to have an authentication system if we already have one. So the first question is: how can I create authorization over this SignalR? Naturally, I get Context.User (IPrincipal) as null. It seems ok because in my Web Api the IPrincipal object was set per request in CustomAuthorizationAttribute. Moreover, how can I authorize a user coming from Presentation.MVC? Should I provide a new method for the MVC user that provides a token to him? May I use its FormsAuthenticationTicket data in order to authorize it?

kkocabiyik

1 Answer


As far as I understand from the question, all your applications are hosted under the same host (IIS, I assume). If so, move any authentication code from your applications and enable it at the OWIN middleware level. Cookie based authentication is already provided by the ASP.NET team as a NuGet package: Microsoft.Owin.Security.Cookies.

Once you have this authentication layer, you can have different levels of authorization at each application with the provided AuthorizeAttribute (play nice with the namespaces here as each web framework has its own AuthorizeAttribute). This should work out fine for you on ASP.NET MVC and SignalR endpoints. Also take note that, for SignalR clients, you should send the authentication ticket/token through the Cookie or query string because headers don't play well with web sockets.

You also want to have token based authentication for ASP.NET Web API applications. Not sure what kind of 'token' that is, but you mentioned Basic auth (which is not a token based auth, but I guess you already know that). In this case, you can have a specific basic authentication middleware for your ASP.NET Web API application. There is actually one BasicAuthenticationMiddleware implementation by the Katana project but it was never released. If you want to write your own authentication middleware, you can take a look at "Writing an AuthenticationHandler for Katana" by Pablo M. Cibraro (aka Cibrax).

tugberk
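Added example (not code from the question or the answer) of what "authenticate once at the OWIN level" can look like for this setup: cookie authentication for the MVC users plus an inline OWIN middleware that resolves the mobile client's ?token query-string value, so that SignalR's own [Authorize] sees a principal in both cases. TokenStore, NotificationsHub and the sample token value are assumed/constructed names, not the asker's code; the Web API's own AuthorizeAttribute is left out for brevity.

```csharp
using System.Collections.Generic;
using System.Security.Principal;
using Microsoft.AspNet.SignalR;   // SignalR's own AuthorizeAttribute, not MVC's or Web API's
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        // Browser/MVC users: cookie authentication handled once at the OWIN level.
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",
            LoginPath = new PathString("/Account/Login")
        });

        // Mobile clients: WebSockets cannot carry custom headers, so the token
        // issued by the Web API login action arrives as ?token=... instead.
        app.Use(async (context, next) =>
        {
            if (context.Request.User == null || !context.Request.User.Identity.IsAuthenticated)
            {
                string token = context.Request.Query.Get("token");
                string userName;
                if (token != null && TokenStore.TryResolve(token, out userName))
                {
                    // SignalR reads this as the hub's Context.User for the rest of the request.
                    context.Request.User = new GenericPrincipal(
                        new GenericIdentity(userName, "Token"), new string[0]);
                }
            }
            await next();
        });

        app.MapSignalR();
    }
}
// Hypothetical stand-in for the Web API's token store; the entry is a constructed sample.
public static class TokenStore
{
    private static readonly Dictionary<string, string> Tokens =
        new Dictionary<string, string> { { "sample-token-123", "alice" } };
    public static bool TryResolve(string token, out string userName) => Tokens.TryGetValue(token, out userName);
}
[Authorize] // unauthenticated connections are rejected before any hub method runs
public class NotificationsHub : Hub
{
    public string WhoAmI() => Context.User.Identity.Name;
}
```

A JavaScript client would then connect with `$.connection.hub.qs = { token: "sample-token-123" }` before `start()`, while an MVC user already carrying the cookie needs nothing extra.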
  • In this case, I must remove basic authentication in order to access SignalR, right? Because WebAPI needs basic authentication and SignalR is hosted on the IIS Web API. And the problem is I don't use cookie based authentication on WebAPI; I create a custom token generated by the Login action and use it to authorize other methods in the web api. The problem is I'm never able to get the token check in at any level :S – kkocabiyik Jan 17 '14 at 20:37