
I'm trying to set up a simple Web API with ASP.NET Core. I'm working with a custom OAuth set up by the company. The Web API will not support web pages directly. The front end will call it from a separate website using a SPA.

So, I thought I would set up a middleware component that gets the Bearer Token from the API call. I then see if I have that user stored (for 5 minutes, stored in a singleton; hopefully that is right too) and if not I send an HTTP request to the authentication server to determine if the user is valid. If they are, I get the user information including roles, etc. But then, how do I set the Principal? I've done this in WebAPI 2.*, but haven't seen any tutorials for ASP.NET Core.

This seems like a fairly normal workflow, so I don't understand why there aren't many tutorials on the subject. They all seemed to be geared toward when you have a web page - same for WebAPI 2.*.

Any help is much appreciated. If someone can just point me in the right direction that would be great!

Jon49
    I think you need to add `app.UseJwtBearerAuthentication` to your startup before your call to `app.UseMvc` to allow your api to accept bearer tokens and configure the principal – Eric B Jan 26 '17 at 20:44
  • @EricB, So, where do I put the custom code to validate the Bearer Token? I've found this: http://stackoverflow.com/a/39822153/632495 But the docs on Microsoft.IdentityModel.Tokens.ISecurityTokenValidator are nonexistent. I have written all the code in a middleware. But I wanted to do it properly. The ASP.NET Security team has made something that is relatively simple into a pile of Spaghetti code that is hard to decipher. I can understand why people are running to Node.js. I love .NET but man, I'm really frustrated at how incomprehensible this code is. – Jon49 Jan 26 '17 at 23:30
  • That depends on exactly what your custom code needs to do. What do you need to accomplish that isn't handled for you by the available middleware/options? – Eric B Jan 27 '17 at 14:08
  • @EricB, Looks like I finally found the answer. http://stackoverflow.com/a/31688792/632495 Still, way more complicated than it needs to be. Thanks for your help! – Jon49 Jan 27 '17 at 15:03
  • Possible duplicate of [Authorizing a user depending on the action name](http://stackoverflow.com/questions/31687955/authorizing-a-user-depending-on-the-action-name) – Jon49 Jan 27 '17 at 15:04
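The workflow the question describes (read the bearer token, consult a 5-minute cache held in a singleton, otherwise ask the auth server, then set the principal), written out as an added example; this is not code from the question, from the linked answers or from Microsoft. It assumes ASP.NET Core with `services.AddMemoryCache()` in `ConfigureServices`, `app.UseMiddleware<RemoteBearerTokenMiddleware>()` placed before `app.UseMvc()`, Newtonsoft.Json available, and a hypothetical validation endpoint (`ValidateUrl`) that answers 200 with `{"sub": "...", "roles": ["..."]}` for a valid token and a non-2xx status otherwise.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Caching.Memory;
using Newtonsoft.Json.Linq;

public class RemoteBearerTokenMiddleware
{
    private const string ValidateUrl = "https://auth.example.invalid/validate"; // placeholder, not a real endpoint
    private static readonly HttpClient Http = new HttpClient();
    private readonly RequestDelegate _next;
    private readonly IMemoryCache _cache; // registered as a singleton, so entries survive across requests
    public RemoteBearerTokenMiddleware(RequestDelegate next, IMemoryCache cache) { _next = next; _cache = cache; }
    public async Task Invoke(HttpContext context)
    {
        string header = context.Request.Headers["Authorization"];
        if (!string.IsNullOrEmpty(header) && header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
        {
            string token = header.Substring(7).Trim();
            // Key on a SHA-256 of the token so the raw secret is not held in memory as a cache key.
            string key = "bearer:" + Convert.ToBase64String(SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes(token)));
            if (!_cache.TryGetValue(key, out ClaimsPrincipal principal))
            {
                principal = await ValidateAsync(token);
                // Cache successes only, for 5 minutes: rejected tokens cannot fill the cache, and a revoked token works for at most 5 more minutes.
                if (principal != null) _cache.Set(key, principal, TimeSpan.FromMinutes(5));
            }
            if (principal == null) { context.Response.StatusCode = 401; return; } // bad token: stop here
            context.User = principal; // from here on [Authorize] and User.IsInRole see the caller
        }
        await _next(context); // no token: continue anonymously; [Authorize] will still reject
    }
    private static async Task<ClaimsPrincipal> ValidateAsync(string token) // assumed auth-server contract, see lead-in
    {
        var req = new HttpRequestMessage(HttpMethod.Get, ValidateUrl);
        req.Headers.TryAddWithoutValidation("Authorization", "Bearer " + token);
        var resp = await Http.SendAsync(req);
        if (!resp.IsSuccessStatusCode) return null; // any non-2xx means "not a valid user"
        var body = JObject.Parse(await resp.Content.ReadAsStringAsync()); // assumed {"sub":"..","roles":[".."]}
        string sub = (string)body["sub"]; if (string.IsNullOrEmpty(sub)) return null; // no subject, no principal
        var claims = new List<Claim> { new Claim(ClaimTypes.NameIdentifier, sub) };
        foreach (var r in body["roles"] ?? new JArray()) claims.Add(new Claim(ClaimTypes.Role, (string)r));
        return new ClaimsPrincipal(new ClaimsIdentity(claims, "Bearer")); // non-null auth type => IsAuthenticated
    }
}
```

Setting `context.User` with an identity that has a non-null authentication type is what makes `[Authorize]` and `[Authorize(Roles = "...")]` work on the controllers; rejecting an invalid token in the middleware itself avoids depending on the challenge behaviour of a missing authentication handler.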
