Api with Custom Authorization

  • Question

  • User-1952516322 posted

    Hello,

    I have a project (application) that has views and the Ajax, and a different (second) project in the same solution that has API controllers. I want to check how I can send the authorization role (example: admin - HR...) to an API method.

    I need to check from the API: if the role is Admin, then he has access to use this method (in the API). But how can I send the authorization from Ajax (first project - application) to (second project - API)?

    Q1: How can I send the role from Ajax?

    Q2: How can I check the role in the API?

    Best Regards

    Wednesday, April 10, 2019 8:31 AM


All replies

  • User-134105967 posted

    Hi Khalid,

      Is your API anonymous? If not, what kind of authentication/authorization is applied to the API? Is it token-based?

    Wednesday, April 10, 2019 11:10 AM
  • User475983607 posted

    The common approach is using a token.

    Wednesday, April 10, 2019 11:17 AM
  • User-1952516322 posted

    Hello Titto Thomas, mgebhard

    No, the API is not anonymous; there is some method in the API for admin, and there is another method for HR. How can I pass the role through Ajax from the view to the API to check on the method: if this user's role is Admin, then he has access to log in to this method, otherwise not?

    Wednesday, April 10, 2019 11:32 AM
  • User475983607 posted

    "No, the API is not anonymous; there is some method in the API for admin, and there is another method for HR. How can I pass the role through Ajax from the view to the API to check on the method: if this user's role is Admin, then he has access to log in to this method, otherwise not?"

    You have not answered how your security works.

    Again, the common approach is sending a token (JWT) to the API. The API reads the token, which provides the request's identity. A token is just an encoded string that contains data passed in the HTTP bearer header.

    https://developer.mozilla.org/en-US/docs/Web/HTTP/Authentication

     

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 10, 2019 12:06 PM
  • User-134105967 posted

    Hi Khalid,

      If you are using token-based authentication, you can opt for an extra field in the token to mention the user role, and the API can get the user role from the token.

      If you are not using the token method, you can pass the user role in some parameter, but you will need to cross-check it again with the server from the API also.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 10, 2019 1:12 PM
  • User-1952516322 posted

    Thanks again 
    mgebhard
    Titto Thomas

    I tried what both of you mentioned, and the issue is solved.

    Thursday, April 11, 2019 12:28 PM
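
The token approach described in the answers, sketched as an added example in Node.js (not code from any poster, and not ASP.NET's own implementation): the role travels as a claim inside a signed token, the Ajax call sends that token in the Authorization header, and the API takes the role only from a token whose signature it has verified. The function names, the hand-built HS256 token and the SECRET value are assumptions made for illustration.

```javascript
// Added example, not code from the thread. SECRET and all names are assumptions.
const crypto = require("crypto");

const SECRET = "constructed-demo-key"; // known only to the token issuer and the API
const b64url = (value) => Buffer.from(value).toString("base64url");
const sign = (data) => crypto.createHmac("sha256", SECRET).update(data).digest();

// Login side: the role is an extra field (claim) inside the signed token.
function issueToken(user, role, ttlSeconds = 300) {
  const exp = Math.floor(Date.now() / 1000) + ttlSeconds;
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify({ sub: user, role, exp }));
  return `${head}.${body}.${b64url(sign(`${head}.${body}`))}`;
}

// Ajax side: the view sends only the token, e.g. as the `headers` option of $.ajax.
function ajaxHeaders(token) {
  return { Authorization: `Bearer ${token}` };
}

// API side: returns the HTTP status for a method restricted to allowedRoles.
function authorize(headers, allowedRoles) {
  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(headers.Authorization || "");
  if (!match) return 401; // no token: unauthenticated
  const [, head, body, sig] = match;
  const given = Buffer.from(sig, "base64url");
  const expected = sign(`${head}.${body}`);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return 401; // token was not issued by us or was edited after issue
  }
  let claims;
  try {
    const { alg } = JSON.parse(Buffer.from(head, "base64url").toString());
    if (alg !== "HS256") return 401; // accept only the algorithm we issue
    claims = JSON.parse(Buffer.from(body, "base64url").toString());
  } catch {
    return 401;
  }
  if (typeof claims.exp !== "number" || claims.exp <= Date.now() / 1000) return 401;
  // The role comes from the verified token only, never from a request parameter.
  return allowedRoles.includes(claims.role) ? 200 : 403;
}
```

In ASP.NET the equivalent check is normally left to the framework's bearer-token authentication together with `[Authorize(Roles = "Admin")]` on the API method.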