How do I pass through the web-request user to the sql connection on the webservice

Question

I have a simple web-service (C#,ASP.NET Core3) that exposes a few stored procs in my database.

The website is running on Windows Authentication (it's an intranet app), so I know the identity of each user that calls a method on the service and I know that the user has been authenticated.

Now, I'd like to establish the connection from the web-service to SQL using the identity of the user that made the web-request. I don't want to connect to the database as some generic user that has super-access to my db.

It's almost obvious that I would also like to use the logged in user in SQL to populate the user id field in my Audit-tables.

Is this possible at all? If anyone knows what terms I should even google for - I'd really appreciate any pointers. All my searches so far seems to return results that are way off topic. I guess, I'm missing a crucial terms for this kind of thing - or it might just not be possible...

Is there any other way to pass the userid to SQL without altering every proc in the database to accept a username? That just seems slightly ridiculous.

Answer 1

You have to use Trusted Connection in your connection string (See What is a Trusted Connection?)

Server=myServerAddress;Database=myDataBase;Trusted_Connection=True;

You must also ensure that each user has the right to execute the stored procedures (See Grant execute permission for a user on all stored procedures in database?)

Then you can use SUSER_NAME(), SUSER_ID(), SUSER_SNAME(), SUSER_SID() in your queries.