How web api with form auth works with other c# client

  • Question

  • User264732274 posted

    I am new to Web API. I want to design a Web API in which most of the functions will be secured with the authorize attribute, so only authorized clients can call the Web API functions.

    The Web API has login and logout functions. The login function validates user credentials and returns an auth cookie.

    I have two questions.

    1) How do I pass user credentials from my C# WinForms client to the Web API login function, and when the login function returns the auth cookie, how do I store it for future use?

    2) After authentication passes, how can my WinForms client pass the auth cookie to the Web API when calling any secured function?

    I got some code which does something similar, but it is still not very clear.

    using System;
    using System.Net;

    HttpWebRequest request = (HttpWebRequest)WebRequest.Create("url");
    request.Method = "GET";
    request.KeepAlive = true;
    request.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;
    request.UseDefaultCredentials = true;
    request.Credentials = new NetworkCredential("username", "password", "domain");
    request.ContentType = "application/json";
    //request.ContentType = "application/x-www-form-urlencoded";
    // response.Cookies is only filled in when the request carries a CookieContainer
    request.CookieContainer = new CookieContainer();

    //get cookie from Web API
    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    foreach (Cookie cookieValue in response.Cookies)
    {
        Console.Write("Cookie: " + cookieValue.ToString());
        //store in your winform application
    }
    //get content
    string myResponse = "";
    using (System.IO.StreamReader sr = new System.IO.StreamReader(response.GetResponseStream()))
    {
        myResponse = sr.ReadToEnd();
    }

    3) Why are the two lines below required

    request.Proxy.Credentials = System.Net.CredentialCache.DefaultCredentials;
    request.UseDefaultCredentials = true;

    because credentials are passed this way

    request.Credentials = new NetworkCredential("username", "password", "domain");

    4) Why do we need to pass domain info? What is domain in credentials? Generally, what info does the user send for domain?

    5) What is Proxy.Credentials?

    What is request.UseDefaultCredentials?

    What is request.Credentials?

    The code below is used for subsequent calls.

    using System.Net;
    using System.Text;

    // create request
    HttpWebRequest request = (HttpWebRequest)WebRequest.Create("url");
    request.Method = "GET";
    IWebProxy theProxy = request.Proxy;
    if (theProxy != null)
    {
        theProxy.Credentials = CredentialCache.DefaultCredentials;
    }
    CookieContainer cookies = new CookieContainer();
    request.UseDefaultCredentials = true;
    request.CookieContainer = cookies;
    request.ContentType = "application/json";
    string authToken = "api_token";
    byte[] bytes = Encoding.ASCII.GetBytes(authToken);
    authToken = Convert.ToBase64String(bytes);
    // write the "Authorization" header
    request.Headers.Add("Authorization", "Basic " + authToken);

    HttpWebResponse response = (HttpWebResponse)request.GetResponse();
    //get content
    string myResponse = "";
    using (System.IO.StreamReader sr = new System.IO.StreamReader(response.GetResponseStream()))
    {
        myResponse = sr.ReadToEnd();
    }

    6) In the above code, the cookie is sent and the auth token is also sent. Any idea why both are required?

    7) In forms authentication, when we try to access a protected resource, the login form comes up automatically in MVC/Web Forms. When the user fills in the credentials and sends them, a server-side routine validates the credentials and allows access to the protected resource.

    If the credentials are wrong, the login form appears again. When the cookie expires, the login form comes up again.

    So tell me, in the case of Web API, what will happen when we try to access a protected resource for the first time? Does Web API automatically send an unauthorized code to the client side?

    And will the client read that HTTP status code to know whether an unauthorized code was returned, and if yes, will the client then send the credentials?

    How do I handle the cookie-expired situation in the Web API server-side routine?

    Please read my points and help me design forms auth with Web API.

    Thanks

    Tuesday, August 9, 2016 11:51 AM
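
An added example, not part of the original post or of any reply: one way a C# client can cover points 1, 2 and 7 of the question, keeping the auth cookie in an in-memory `CookieContainer` and logging in again when a protected call is rejected. The class name `ApiSession`, the route `api/account/login` and the form field names are assumptions, as is the server signalling a missing or expired cookie with 401 or with a 302 redirect to a login page.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
// Added example. Route and form field names are assumptions, not from the page.
public sealed class ApiSession : IDisposable
{
    private readonly HttpClient _client;
    private readonly string _user, _password;
    public ApiSession(Uri baseAddress, string user, string password)
    {
        if (baseAddress.Scheme != Uri.UriSchemeHttps)
            throw new ArgumentException("Credentials and auth cookies must travel over HTTPS only.");
        // In-memory cookie jar: keeps the Set-Cookie from login and replays it on later calls.
        var handler = new HttpClientHandler
        {
            CookieContainer = new CookieContainer(),
            AllowAutoRedirect = false // show a redirect to a login page instead of following it
        };
        _client = new HttpClient(handler) { BaseAddress = baseAddress };
        _user = user; _password = password;
    }
    // Send the credentials in the POST body, never in the URL.
    public async Task LoginAsync()
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
            { ["username"] = _user, ["password"] = _password }); // hypothetical field names
        using (var resp = await _client.PostAsync("api/account/login", form)) // hypothetical route
            resp.EnsureSuccessStatusCode();
    }
    // Call a protected action; on a missing or expired cookie, log in again and retry once.
    public async Task<string> GetAsync(string path)
    {
        for (int attempt = 0; ; attempt++)
        {
            using (var resp = await _client.GetAsync(path))
            {
                bool rejected = resp.StatusCode == HttpStatusCode.Unauthorized
                             || resp.StatusCode == HttpStatusCode.Redirect; // assumed: 401 or 302 to login
                if (!rejected) { resp.EnsureSuccessStatusCode(); return await resp.Content.ReadAsStringAsync(); }
                if (attempt == 1) throw new UnauthorizedAccessException("Login did not grant access.");
            }
            await LoginAsync();
        }
    }

    public void Dispose() => _client.Dispose();
}
```

The base address passed to the constructor should end with a slash so the relative routes resolve under it. The cookie is held only in process memory here, so it is gone when the application exits.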

All replies

  • User36583972 posted

    Hi sudip_inn,

    Thanks for posting here.

    For your case about Windows Forms, please go to the WinForms forum for suitable help.

    Your understanding and cooperation will be appreciated.

    Best Regards,

    Yohann Lu

    Wednesday, August 10, 2016 2:56 AM