Extensions to the Web API/MVC + Forms/Basic Auth Sample: Claims Transformation and AJAX

I got two questions on the sample from yesterday.

AJAX Clients
”Will AJAX clients be able to use the Forms Authentication cookie against Web API?”

Yes, indeed. In that case add the following flag to the authentication configuration:

var authConfig = new AuthenticationConfiguration


    InheritHostClientIdentity = true



In that case the authentication handler will use the host provided client identity if no other credential is used.

Claims Transformation
”Is it possible to apply the same claims transformation to both the Forms and Basic Authentication clients?”

Yes, indeed ;) To verify that, I added a claims authentication manager to my configuration:



    <claimsAuthenticationManager type=…ClaimsTransformer, …/>




We now need to “install” that claims transformer in both the MVC and Web API pipelines.

MVC goes into the HTTP pipeline:

protected void Application_PostAuthenticateRequest()


    if (ClaimsPrincipal.Current.Identity.IsAuthenticated)


        var transformer = FederatedAuthentication.FederationConfiguration

var newPrincipal = transformer.Authenticate(
string.Empty, ClaimsPrincipal


        Thread.CurrentPrincipal = newPrincipal;

        HttpContext.Current.User = newPrincipal;




And Web API to the authentication handler:

var authConfig = new AuthenticationConfiguration


    InheritHostClientIdentity = true,

    ClaimsAuthenticationManager = FederatedAuthentication



Job done…The full sample is here.


This entry was posted in ASP.NET, IdentityModel, WebAPI. Bookmark the permalink.

8 Responses to Extensions to the Web API/MVC + Forms/Basic Auth Sample: Claims Transformation and AJAX

  1. Tom Weitzel says:

    I’m working on a similar scenario with the exception of doing passive federation with IdentityServer instead of membership. Requests for MVC resources are redirected to the STS login page and all is good there once the user has logged in. My problem is with Web API requests that will come from clients other than the browser. When I try and set things up as in this example, requests to my web apis end up redirecting to the login page. When setting up basic authentication in the WebApiConfig, can I substitute something for Membership.ValidateUser() that will call into my federation config?

    // setup authentication against membership
    ( userName, password ) => Membership.ValidateUser( userName, password ) );

    Or have I missed the mark?


    • Hey,

      well – it is not that easy. You obviously don’t want redirects for web apis. That means you first have to request a token programmatically (e.g. from IdSrv’s OAuth2 endpoint) and send that to your web API. From the tt.idm can help you with validating the token.

      • Tom Weitzel says:

        Many thanks for the response! Actually, I’d been working on doing it that way prior to seeing this post, only with the simple get endpoint and a saml2 token. I had trouble creating the principal from the token:

        string saml = // from headers . . .
        SecurityToken token = null;
        IReadOnlyCollection claims = null;

        WSFederationAuthenticationModule fam = application.Modules[“WSFederationAuthenticationModule”] as WSFederationAuthenticationModule;

        SecurityTokenHandlerCollection handlers = fam.FederationConfiguration.IdentityConfiguration.SecurityTokenHandlers;

        token = handlers.ReadToken( new XmlTextReader( new StringReader( saml ) ) );
        claims = handlers.ValidateToken( token );

        IPrincipal principal = new ClaimsPrincipal( claims );
        context.User = principal;

        This failed on the call to handlers.ReadToken() with “Digest verification failed for reference . . .” Being that the simple get endpoint is deprecated anyway, I’ll look into oauth2. Browsing the IdentityModel code, it’s not obvious to me where to start. Is there another post that covers this or a class you suggest I start with?

        Thanks again,

  2. Graham says:

    Not specifically related to this post, but I am reading it because of such, I wanted to thank you for your posts, video, presentations, etc., on the the new security model. Your posts, while missing random IM’s about sleeping off tins of beer, makes my job and life easier. I can’t tell you how much I appreciate that. Thank you!

  3. Thanks very helpful for my mixed MVC/WebApi project! Just one more question: Would it also be possible to enable Basic Authentication for standard MVC controller calls IF there is no auth cookie present? I’d like to have some calls from API clients to go to regular MVC controllers instead of API controllers and of course they could only use basic http auth.

    • Well – MVC is intended to be used by humans (forms auth) – whereas Web API is consumed by machines (basic auth). I am sure you can hack it up somehow, but i would need to investigate myself.

Leave a Reply to Dominick Baier Cancel reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s