multiple authentications: ignore OWIN OAuth Bearer middleware depends on request

  • Question

  • User2082812578 posted

    I want to have a WebApi with multiple authentications. I'm planning to enable/disable it with AuthorizeAttribute on the controller's actions, e.g. MyAuthOne, MyAuthTwo

    Then I want to use User and work with claims.

    I have appBuilder.UseOAuthBearerAuthentication(xxx) in my WebApi server configurations

    Problem: When a request comes with a valid token in the request Authorization header, the middleware authenticates the token and sets the User principal.

    Questions: How can I disable the middleware so that it doesn't react to the Authentication header? Maybe I just have to overwrite Principal in my filters, or am I doing it the incorrect way?

    Monday, November 6, 2017 8:20 AM

Answers

  • User2082812578 posted

    I found answers for my questions:

    1. I need to enable the OAuth OWIN middleware with AuthenticationMode.Passive.
    2. In my custom BeareTokenAuthenticationFilter I need to call the OWIN middleware and authenticate the token:

      var request = context.Request;
      OwinContext ctx = null;
      if (request.Properties.ContainsKey("MS_OwinContext"))
          ctx = request.Properties["MS_OwinContext"] as OwinContext;
      if (ctx == null) return; // no OWIN context on this request, so nothing to authenticate

      // Ask the passive Bearer middleware to validate the token.
      var authenticationResult = await ctx.Authentication.AuthenticateAsync(new[] {"Bearer"});

      // and I have claims in AuthenticateResult
      // https://msdn.microsoft.com/en-us/library/microsoft.owin.security.authenticateresult(v=vs.113).aspx

    3. set principal context.Principal = authenticationResult...

    Thank you for your answers

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Tuesday, November 7, 2017 8:58 PM
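
The approach in the answer above, written out as a complete Web API 2 authentication filter. This is an added example, not the poster's code; the names `AuthConfig`, `UsePassiveBearer` and `PassiveBearerAuthenticationAttribute` are hypothetical. It assumes the Microsoft.Owin.Security.OAuth and Microsoft.AspNet.WebApi.Owin packages are referenced.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;
using System.Web.Http.Results;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.OAuth;
using Owin;

public static class AuthConfig // hypothetical helper, called from Startup.Configuration
{
    public static void UsePassiveBearer(IAppBuilder app)
    {
        // Passive mode: the middleware validates a token only when asked for by name,
        // so a request that carries a token no longer gets a User principal automatically.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Passive,
            AuthenticationType = "Bearer"
        });
    }
}

// Hypothetical attribute; put it on the actions that should accept bearer tokens.
public sealed class PassiveBearerAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }

    public async Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        var owin = context.Request.GetOwinContext();
        AuthenticateResult result = null;
        if (owin != null) result = await owin.Authentication.AuthenticateAsync("Bearer");
        if (result == null || result.Identity == null || !result.Identity.IsAuthenticated)
        {
            // Fail closed: a missing or invalid token must not fall through to a
            // principal that some other scheme already placed on the request.
            context.ErrorResult = new UnauthorizedResult(
                new[] { new AuthenticationHeaderValue("Bearer") }, context.Request);
            return;
        }
        context.Principal = new ClaimsPrincipal(result.Identity);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct)
    { return Task.FromResult(0); }
}
```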

All replies

  • User1168443798 posted

    Hi olegmkr,

    >> I'm planning to enable/disable it with AuthorizeAttribute on the controller's actions, e.g. MyAuthOne, MyAuthTwo

    It seems you want to control controller’s access with different authentication, am I right?

    If so, I think you could override the AuthorizeAttribute IsAuthorized method. Step through the code for the different login scenarios; you'll have different claims. Then you can decide whether your Controller.Action is authorized for a particular claim value in IsAuthorized.

    You could refer to the link below for more information.

    How do you setup mixed authorizations for different authentications in .net (web api 2 + owin)

    https://stackoverflow.com/questions/23200404/how-do-you-setup-mixed-authorizations-for-different-authentications-in-net-web/23203501#23203501

    Best Regards,

    Edward

    Tuesday, November 7, 2017 5:13 AM