[WEB API] AntiForgery.GetTokens failed

  • Question

  • Hello,

    I want to generate a token by calling a web API, like this:

    [AllowAnonymous]
    [Route("getAntiForgeryToken", Name = "getAntiForgeryToken")]
    [HttpGet]
    public async Task<IHttpActionResult> GetAntiForgeryToken()
    {
    	try
    	{
    		string cookieToken, formToken;
    		AntiForgery.GetTokens(null, out cookieToken, out formToken);
    		return Ok(cookieToken + ":" + formToken);
    	}
    	catch (Exception ex)
    	{
    		return Content(System.Net.HttpStatusCode.BadRequest, ex.Message);
    	}
    }

    This method is called from JavaScript (AngularJS). I get this error:

    "A claim of type 'http://schemas.xmlsoap.org/ws/200…' was not present on the provided ClaimsIdentity."

    What should I do?

    Thanks in advance.

    Thursday, September 15, 2016 6:33 PM

Answers

  • Hi SandrAzure,

    >> In fact, I want to generate a token for anonymous user also

    What is the use of a token for an anonymous user? In my opinion, we use AllowAnonymous and Authorize while developing a web API. For an AllowAnonymous method, there is no need to log in and everyone can call it, so there is no need to generate a token for an anonymous user to call an AllowAnonymous method. For an Authorize method, the user needs to log in, and it will generate Bearer tokens, so there is also no need to generate a token for an anonymous user to call an Authorize method. If you want to generate a token for an anonymous user to call an Authorize method, why not just change Authorize to AllowAnonymous? I think it is unreasonable to generate a token for an anonymous user.

    Best Regards,

    Edward




    Thursday, September 29, 2016 7:03 AM

All replies

  • OK, I just figured out my problem.

    I need a claim for my anonymous users! :)

    In my startup class (in my web API), I have this:

    public void ConfigureOAuth(IAppBuilder app)
    {
    	app.UseExternalSignInCookie(Microsoft.AspNet.Identity.DefaultAuthenticationTypes.ExternalCookie);
    	OAuthBearerOptions = new OAuthBearerAuthenticationOptions();
    
    	OAuthAuthorizationServerOptions OAuthServerOptions = new OAuthAuthorizationServerOptions()
    	{
    		AllowInsecureHttp = true,
    		TokenEndpointPath = new PathString("/users/getToken"),
    		AccessTokenExpireTimeSpan = TimeSpan.FromDays(1),
    		Provider = new EcoColisAuthProvider(),
    		RefreshTokenProvider = new EcoColisRefreshTokenProvider(),
    	};
    	app.UseOAuthAuthorizationServer(OAuthServerOptions);
    	...
    }

    /users/getToken allows users to log in from an HTML5 app (the HTML5 app is not on the same server as the web API).

    /users/getToken does this:

    var identity = new ClaimsIdentity(context.Options.AuthenticationType);
    identity.AddClaim(new Claim(ClaimTypes.Name, user.Guid.ToString()));
    identity.AddClaim(new Claim(ClaimTypes.Role, "user"));
    identity.AddClaim(new Claim("guid", user.Guid.ToString()));
    
    var props = new AuthenticationProperties(new Dictionary<string, string>
    	{
    		{
    			"as:client_id", (context.ClientId == null) ? string.Empty : context.ClientId
    		},
    		{
    			"guid", user.Guid.ToString()
    		},
    		{
    			"pseudo", user.Pseudo
    		}
    	});
    
    var ticket = new AuthenticationTicket(identity, props);
    context.Validated(ticket);

    How can I do this for the anonymous user?

    Thursday, September 15, 2016 7:39 PM
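
Added example (not part of the original thread, and not the poster's code): one way to handle the missing-claim error discussed above is to tell the anti-forgery system which claim identifies a user, then validate the `cookieToken:formToken` pair on incoming requests. It assumes System.Web hosting, that every authenticated identity carries `ClaimTypes.Name` as issued by the token endpoint shown above, and a request header named `RequestVerificationToken`; the class names are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Web.Helpers;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public static class AntiForgerySetup
{
    // Call once at startup. Assumption: authenticated identities always
    // carry ClaimTypes.Name; without it GetTokens/Validate still throw.
    public static void Configure()
    {
        AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.Name;
    }
}

// Hypothetical filter: checks the "cookieToken:formToken" pair that the
// GetAntiForgeryToken action returns, sent back in a request header.
public sealed class ValidateAntiForgeryHeaderAttribute : AuthorizationFilterAttribute
{
    private const string HeaderName = "RequestVerificationToken"; // assumed name

    public override void OnAuthorization(HttpActionContext actionContext)
    {
        string cookieToken = "", formToken = "";
        IEnumerable<string> values;
        if (actionContext.Request.Headers.TryGetValues(HeaderName, out values))
        {
            string[] parts = values.First().Split(':');
            if (parts.Length == 2)
            {
                cookieToken = parts[0].Trim();
                formToken = parts[1].Trim();
            }
        }
        try
        {
            // Throws when a token is missing, malformed, or bound to another user.
            AntiForgery.Validate(cookieToken, formToken);
        }
        catch (Exception)
        {
            actionContext.Response = actionContext.Request.CreateErrorResponse(
                HttpStatusCode.Forbidden, "Anti-forgery validation failed.");
        }
    }
}
```

Apply the attribute to state-changing actions, and fail closed as shown: a request with no header is rejected because `AntiForgery.Validate` receives empty tokens.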
  • Hi SandrAzure,

    >> How can I do this for the anonymous user?

    Has your issue been resolved? Based on your follow-up reply, you said “figured my problem” and asked this question. I am not sure whether your issue has been resolved or not.

    Based on my understanding, it seems you need to use a Bearer token, which is a particular type of access token, with the property that anyone can use the token.

    Simple code like below:

    PublicClientId = "self";
    OAuthOptions = new OAuthAuthorizationServerOptions
    {
        TokenEndpointPath = new PathString("/Token"),
        Provider = new ApplicationOAuthProvider(PublicClientId),
        AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
        AccessTokenExpireTimeSpan = TimeSpan.FromDays(14),
        // Note: Remove the following line before you deploy to production:
        AllowInsecureHttp = true
    };
    // Enable the application to use bearer tokens to authenticate users
    app.UseOAuthBearerTokens(OAuthOptions);

    You could refer to the link below for more information.

    # Configuring the Authorization Server
    http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api

    The link below might be useful.
    # Token Based Authentication using ASP.NET Web API 2, Owin, and Identity
    http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/

    Best Regards,

    Edward



    Friday, September 16, 2016 6:47 AM
  • Hello,

    I'm back.

    In fact, I want to generate a token for anonymous user also.

    On my API methods, I use these attributes:

    [AllowAnonymous] and [Authorize]

    Tuesday, September 27, 2016 9:17 AM