Sign in for the current request only

Question
-
User373134933 posted
My web application uses cookie authentication. The user can sign in and remains authenticated until they sign out or cookies are deleted.
For automation purposes, I need to create a way to let the user sign in for a single request via an access token in the URL. Now I'm at the point where I need to do something when I see this token. I don't want to set any cookies, but still have all the claims around that are normally there as the rest of the application relies on them.
I normally do something like this:
    var claims = new List<Claim>
    {
        new Claim("UserId", user.Id.ToString()),
        new Claim(ClaimTypes.Name, user.LoginName)
    };
    var claimsIdentity = new ClaimsIdentity(
        claims,
        CookieAuthenticationDefaults.AuthenticationScheme);
    await HttpContext.SignInAsync(
        CookieAuthenticationDefaults.AuthenticationScheme,
        new ClaimsPrincipal(claimsIdentity),
        new AuthenticationProperties { IsPersistent = true });
Now I tried that:
    var claims = new List<Claim>
    {
        new Claim("UserId", user.Id.ToString()),
        new Claim(ClaimTypes.Name, user.LoginName)
    };
    var claimsIdentity = new ClaimsIdentity(claims);
    await context.HttpContext.SignInAsync(new ClaimsPrincipal(claimsIdentity));
But it doesn't work. HttpContext.User.Identity.IsAuthenticated returns false and HttpContext.User.Claims is empty. This would normally be different.
What can I do to achieve this per-request authentication?
Wednesday, October 17, 2018 4:02 PM
All replies
-
User475983607 posted
I don't see how this design could possibly work. The web is anonymous so unless the browser, or I guess the user, stashed the token somewhere there's no way to identify the user if the user logged out.
Maybe store the token in a cookie but I'm not sure how it gets there in the first place. Otherwise the user will need to save the token in a notepad then append the token to the URL at a later time.
Wednesday, October 17, 2018 6:24 PM
-
User373134933 posted
As I already said, I need this for automation purposes. This is clearly not a feature that an end-user would use. The use case is well-defined and does work. I just need an implementation for it. While I could just set the cookie and remain logged in, I prefer a transient login for this use case.
Wednesday, October 17, 2018 7:06 PM
-
User475983607 posted
> ygoe
> As I already said, I need this for automation purposes. This is clearly not a feature that an end-user would use. The use case is well-defined and does work. I just need an implementation for it. While I could just set the cookie and remain logged in, I prefer a transient login for this use case.
Still not clear where the token is coming from or what kind of token is in use. If it is a JWT then there are APIs for handling JWT. Also not sure what kind of application this is as that will tell us if we're updating the global.asax, OWIN configuration or DI in ASP Core.
Anyway, reading the token from within the HTTP pipeline should be straightforward once we know the technology.
Wednesday, October 17, 2018 8:01 PM
-
User373134933 posted
The specific use case is that the application starts a headless browser that requests a page from the same web application to render it as PDF. Since the URL to the web application is constructed by the web application itself, it can easily specify a random secret value that is only valid for as long as the operation runs. I have already found a good code location to handle that value (in MVC routing, as this is specific to my application), I just need to tell the request that it is now authenticated, without issuing any cookies or such.
Hm, yeah, and it is ASP.NET Core, sorry I forgot that.
Wednesday, October 17, 2018 8:29 PM
-
User475983607 posted
> The specific use case is that the application starts a headless browser that requests a page from the same web application to render it as PDF. Since the URL to the web application is constructed by the web application itself, it can easily specify a random secret value that is only valid for as long as the operation runs. I have already found a good code location to handle that value (in MVC routing, as this is specific to my application), I just need to tell the request that it is now authenticated, without issuing any cookies or such.
> Hm, yeah, and it is ASP.NET Core, sorry I forgot that.
Add a claims identity to the current context.
https://docs.microsoft.com/en-us/aspnet/core/migration/claimsprincipal-current?view=aspnetcore-2.1
Wednesday, October 17, 2018 8:36 PM
-
User373134933 posted
That wasn't overly helpful. I've decided to drop my idea and instead just do a normal cookie sign-in just with session cookies. That works now.
Monday, October 22, 2018 3:07 PM
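
The suggestion in the thread to add a claims identity to the current context, sketched as ASP.NET Core middleware. This is an added example, not code from any poster; `RenderTokenStore`, `RenderTokenMiddleware`, the `renderToken` query parameter and the `"RenderToken"` authentication type are assumed names. It also shows why the second snippet in the question reports `IsAuthenticated == false`: a `ClaimsIdentity` built without an authentication type is never considered authenticated, and `SignInAsync` does not change `HttpContext.User` for the request in progress.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Hypothetical store: random short-lived tokens mapped to the claims they stand for.
// Register with services.AddSingleton<RenderTokenStore>().
public class RenderTokenStore
{
    private readonly ConcurrentDictionary<string, (Claim[] Claims, DateTimeOffset Expires)> _tokens
        = new ConcurrentDictionary<string, (Claim[] Claims, DateTimeOffset Expires)>();

    public string Issue(Claim[] claims, TimeSpan lifetime)
    {
        var bytes = new byte[32]; // 256 bits from the OS CSPRNG
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        var token = BitConverter.ToString(bytes).Replace("-", "");
        _tokens[token] = (claims, DateTimeOffset.UtcNow.Add(lifetime));
        return token;
    }
    // Call when the PDF job finishes so the URL stops working immediately.
    public void Revoke(string token) => _tokens.TryRemove(token, out _);

    public Claim[] Find(string token)
    {
        if (!_tokens.TryGetValue(token, out var entry)) return null;
        if (entry.Expires > DateTimeOffset.UtcNow) return entry.Claims;
        Revoke(token); // expired: drop it
        return null;
    }
}

// Add with app.UseMiddleware<RenderTokenMiddleware>() after app.UseAuthentication().
public class RenderTokenMiddleware
{
    private readonly RequestDelegate _next;
    private readonly RenderTokenStore _store;
    public RenderTokenMiddleware(RequestDelegate next, RenderTokenStore store)
    { _next = next; _store = store; }

    public Task Invoke(HttpContext context)
    {
        string token = context.Request.Query["renderToken"]; // parameter name is an assumption
        var claims = string.IsNullOrEmpty(token) ? null : _store.Find(token);
        if (claims != null) // authenticationType must be non-empty or IsAuthenticated stays false
            context.User = new ClaimsPrincipal(new ClaimsIdentity(claims, "RenderToken"));
        return _next(context); // no SignInAsync call, so no cookie is issued
    }
}
```

A token carried in the URL ends up in access logs, proxy logs and possibly `Referer` headers, so the lifetime passed to `Issue` should be short and `Revoke` should run as soon as the render completes.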