I have the following architecture:
- A website that needs role control and user authentication.
- An API that handles authentication via OWIN by taking an email/password and checking whether the user exists in the DB. If so, it creates the Claims and sends them back to the website.
Here's the OWIN authentication code:
    OnGrantResourceOwnerCredentials = async context =>
    {
        // First try the credentials against the trainer store.
        Trainer trainer = Datastore.SignInTrainer(context.UserName, context.Password);
        if (trainer != null)
        {
            var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
            claimsIdentity.AddClaim(new Claim("Email", context.UserName));
            claimsIdentity.AddClaim(new Claim("Id", trainer.Id.ToString()));
            claimsIdentity.AddClaim(new Claim("Firstname", trainer.Firstname));
            claimsIdentity.AddClaim(new Claim("Lastname", trainer.Lastname));
            claimsIdentity.AddClaim(new Claim("UserType", "Trainer"));
            claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, "Trainer"));
            trainer.UpdateLastApiLogon();
            context.Validated(claimsIdentity);   // a bearer token is issued for this identity
            return;
        }

        // Otherwise try the administrator store.
        Administrator administrator = Datastore.SignInAdministrator(context.UserName, context.Password);
        if (administrator != null)
        {
            var claimsIdentity = new ClaimsIdentity(context.Options.AuthenticationType);
            claimsIdentity.AddClaim(new Claim("Email", context.UserName));
            claimsIdentity.AddClaim(new Claim("Id", administrator.Id.ToString()));
            claimsIdentity.AddClaim(new Claim("Firstname", administrator.Firstname));
            claimsIdentity.AddClaim(new Claim("Lastname", administrator.Lastname));
            claimsIdentity.AddClaim(new Claim("UserType", "Administrator"));
            claimsIdentity.AddClaim(new Claim(ClaimTypes.Role, "Administrator"));
            administrator.UpdateLastApiLogon();
            context.Validated(claimsIdentity);
            return;
        }

        context.Rejected();   // neither store knows these credentials: no token is issued
    },
My problem is that both the API and the website controllers need access regulation, with role checks, because I have different types of users (Trainer/Administrator).
Right now, from the website, I authenticate properly on the API and can retrieve the token, but can I retrieve the encoded Claims in the website? Once the authentication is OK on the API and I've got the token back in the website, how am I supposed to handle access control in the website?
My current option is to store the bearer token, retrieve the Trainer/Administrator object from the API, store the desired data in cache and then check whether the data exists to control access to controllers. But I'm pretty sure that's a bad option and I could use OWIN to do that access control.
If my description is incomplete, I'd gladly answer your questions. Thanks in advance.
EDIT: Here's a link showing how to use third-party authentication and then use it in your application, so I guess I should be able to use MY third-party authentication and then use it in my website. Have you done it already?
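One way to do the website-side role control the question asks about, written here as an added example and not code from the question: the website logs in against the API, then mirrors the identity the API reports into an OWIN cookie ticket, so the roles issued by the API drive [Authorize] on the website's own controllers. The API host, the /token path and a /api/account/me endpoint that returns the signed-in user's Id, Email and UserType are assumptions.

```csharp
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Newtonsoft.Json.Linq;
using Owin;
// Website-side OWIN startup: a cookie session carries the role the API issued.
public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "ApplicationCookie",
            LoginPath = new PathString("/Account/Login"),
            CookieSecure = CookieSecureOption.Always   // ticket only travels over HTTPS
        });
    }
}
public static class ApiLogin
{
    // Placeholder host; the /token and /api/account/me paths are assumptions, not from the question.
    static readonly HttpClient Api = new HttpClient { BaseAddress = new System.Uri("https://api.example.invalid/") };
    // Gets a bearer token, asks the API who it belongs to, and mirrors that identity into the website cookie.
    public static async Task<bool> SignInAsync(IOwinContext owin, string email, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
            { ["grant_type"] = "password", ["username"] = email, ["password"] = password });
        var tokenResponse = await Api.PostAsync("token", form);
        if (!tokenResponse.IsSuccessStatusCode) return false;   // API rejected the credentials
        var accessToken = (string)JObject.Parse(await tokenResponse.Content.ReadAsStringAsync())["access_token"];
        var me = new HttpRequestMessage(HttpMethod.Get, "api/account/me");
        me.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        var meResponse = await Api.SendAsync(me);
        if (!meResponse.IsSuccessStatusCode) return false;
        var user = JObject.Parse(await meResponse.Content.ReadAsStringAsync());
        // The role comes from the API's answer, never from anything the browser posted.
        var identity = new ClaimsIdentity("ApplicationCookie", ClaimTypes.Name, ClaimTypes.Role);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, (string)user["Id"]));
        identity.AddClaim(new Claim(ClaimTypes.Name, (string)user["Email"]));
        identity.AddClaim(new Claim(ClaimTypes.Role, (string)user["UserType"]));   // "Trainer" or "Administrator"
        identity.AddClaim(new Claim("access_token", accessToken));   // stays inside the encrypted ticket for later API calls
        owin.Authentication.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        return true;
    }
}
```

An MVC login action calls ApiLogin.SignInAsync(Request.GetOwinContext(), email, password), after which [Authorize(Roles = "Administrator")] on website controllers is enforced by the cookie middleware, with no cache lookup needed.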