I got two questions on the sample from yesterday.
AJAX Clients
”Will AJAX clients be able to use the Forms Authentication cookie against Web API?”
Yes, indeed. In that case add the following flag to the authentication configuration:
var authConfig = new AuthenticationConfiguration
{
InheritHostClientIdentity = true
};
In that case the authentication handler will use the host provided client identity if no other credential is used.
Claims Transformation
”Is it possible to apply the same claims transformation to both the Forms and Basic Authentication clients?”
Yes, indeed ;) To verify that, I added a claims authentication manager to my configuration:
<system.identityModel>
<identityConfiguration>
<claimsAuthenticationManager type=“…ClaimsTransformer, …“/>
</identityConfiguration>
</system.identityModel>
We now need to “install” that claims transformer in both the MVC and Web API pipelines.
MVC goes into the HTTP pipeline:
protected void Application_PostAuthenticateRequest()
{
if (ClaimsPrincipal.Current.Identity.IsAuthenticated)
{
var transformer = FederatedAuthentication.FederationConfiguration
.IdentityConfiguration
.ClaimsAuthenticationManager;
var newPrincipal = transformer.Authenticate(
string.Empty, ClaimsPrincipal.Current);
Thread.CurrentPrincipal = newPrincipal;
HttpContext.Current.User = newPrincipal;
}
}
And Web API to the authentication handler:
var authConfig = new AuthenticationConfiguration
{
InheritHostClientIdentity = true,
ClaimsAuthenticationManager = FederatedAuthentication
.FederationConfiguration
.IdentityConfiguration
.ClaimsAuthenticationManager
};
Job done…The full sample is here.
HTH!
leastprivilege.com 
I’m working on a similar scenario with the exception of doing passive federation with IdentityServer instead of membership. Requests for MVC resources are redirected to the STS login page and all is good there once the user has logged in. My problem is with Web API requests that will come from clients other than the browser. When I try and set things up as in this example, requests to my web apis end up redirecting to the login page. When setting up basic authentication in the WebApiConfig, can I substitute something for Membership.ValidateUser() that will call into my federation config?
// setup authentication against membership
authConfig.AddBasicAuthentication(
( userName, password ) => Membership.ValidateUser( userName, password ) );
Or have I missed the mark?
Thanks,
Tom
Hey,
well – it is not that easy. You obviously don’t want redirects for web apis. That means you first have to request a token programmatically (e.g. from IdSrv’s OAuth2 endpoint) and send that to your web API. From the tt.idm can help you with validating the token.
Many thanks for the response! Actually, I’d been working on doing it that way prior to seeing this post, only with the simple get endpoint and a saml2 token. I had trouble creating the principal from the token:
string saml = // from headers . . .
SecurityToken token = null;
IReadOnlyCollection claims = null;
WSFederationAuthenticationModule fam = application.Modules[“WSFederationAuthenticationModule”] as WSFederationAuthenticationModule;
SecurityTokenHandlerCollection handlers = fam.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;
token = handlers.ReadToken( new XmlTextReader( new StringReader( saml ) ) );
claims = handlers.ValidateToken( token );
IPrincipal principal = new ClaimsPrincipal( claims );
context.User = principal;
This failed on the call to handlers.ReadToken() with “Digest verification failed for reference . . .” Being that the simple get endpoint is deprecated anyway, I’ll look into oauth2. Browsing the IdentityModel code, it’s not obvious to me where to start. Is there another post that covers this or a class you suggest I start with?
Thanks again,
Tom
https://leastprivilege.com/2012/11/01/oauth2-in-thinktecture-identityserver-v2-resource-owner-password-flow/
Not specifically related to this post, but I am reading it because of such, I wanted to thank you for your posts, video, presentations, etc., on the the new security model. Your posts, while missing random IM’s about sleeping off tins of beer, makes my job and life easier. I can’t tell you how much I appreciate that. Thank you!
:) you’re welcome!
Thanks very helpful for my mixed MVC/WebApi project! Just one more question: Would it also be possible to enable Basic Authentication for standard MVC controller calls IF there is no auth cookie present? I’d like to have some calls from API clients to go to regular MVC controllers instead of API controllers and of course they could only use basic http auth.
Well – MVC is intended to be used by humans (forms auth) – whereas Web API is consumed by machines (basic auth). I am sure you can hack it up somehow, but i would need to investigate myself.