ASP.NET Web API Security: The Web Host and Service

I will be using the same web hosted Web API service for the sample. The service is very simple:

[Authorize]

public class IdentityController : ApiController

{

    public ViewClaims Get()

    {

        return ViewClaims.GetAll();

    }

}

…and the ViewClaims class simply returns the claims of the current user from a service point of view:

public class ViewClaims : List<ViewClaim>
{
    public static ViewClaims GetAll()
    {
        var principal = ClaimsPrincipal.Current;
 
        var claims = new List<ViewClaim>(
            from c in principal.Claims
            select new ViewClaim
            {
                Type = c.Type,
                Value = c.Value
            });
 
        var vc = new ViewClaims();
        vc.AddRange(claims);
 
        return vc;
    }

}

 

In addition there are two built-in “clients” for the service – an MVC controller that renders the client’s identity server-side:

[Authorize]
public ActionResult IdentityMvc()
{
    return View(ViewClaims.GetAll());

}

…and the corresponding view:

@model Thinktecture.Samples.ViewClaims
 
@{
    ViewBag.Title = "Client identity";
}
 
@section featured {
    <section class="featured">
        <div class="content-wrapper">
            <hgroup class="title">
                <h1>Client identity.</h1>
            </hgroup>
        </div>
    </section>
}
 
<br />
 
<table>
    @foreach (var claim in Model)
    {
        <tr>
            <td>
                <strong>@claim.Type</strong>
            </td>
            <td>
                <span>@claim.Value</span>
            </td>
        </tr>
    }

</table>

 

As well as as an AJAX style client that uses the Web API service to fetch the data and render the claims on the client:

@{
    ViewBag.Title = "Client identity";
}
 
@section featured {
    <section class="featured">
        <div class="content-wrapper">
            <hgroup class="title">
                <h1>Client identity.</h1>
            </hgroup>
        </div>
    </section>
}
 
<br /> 
 
<table data-bind="foreach: items">
    <tr>
        <td>
            <strong data-bind="text: type"></strong>
        </td>
        <td>
            <span data-bind="text: value"></span>
        </td>
    </tr>
</table>
 
@section scripts
{
    <script src="~/Scripts/knockout-2.2.0.js"></script>
    
    <script type="text/javascript">
 
        $(function () {
            var viewModel = new IdentityViewModel();
 
            ko.applyBindings(viewModel);
 
            $.get("../api/identity", function (items) {
                $.each(items, function (idx, item) {
                    viewModel.add(item.Type, item.Value);
                });
            }, "json");
        });
        
        function IdentityViewModel() {
            var self = this;
 
            function Claim(root, type, value) {
                var self = this;
 
                self.type = ko.observable(type);
                self.value = ko.observable(value);
            };
 
            self.items = ko.observableArray();
 
            self.add = function (type, value) {
                self.items.push(new Claim(self, type, value));
            };
        };
 
    </script>

}

The output of both pages is identical (as expected):

ClaimsOutput

The name claim comes from standard Forms Authentication and the localClaim from claims transformation:

public class ClaimsTransformer : ClaimsAuthenticationManager

{

    public override ClaimsPrincipal Authenticate(
      string resourceName, ClaimsPrincipal
incomingPrincipal)

    {

        if (!incomingPrincipal.Identity.IsAuthenticated)

        {

            return base.Authenticate(resourceName, incomingPrincipal);

        }

 

        incomingPrincipal.Identities.First().AddClaim(

            new Claim(“localClaim”, “someValue”));

 

        return incomingPrincipal;

    }

}

In the following posts we will write some clients against this service and host. stay tuned.
The source code so far can be found here.

This entry was posted in ASP.NET, IdentityModel, IdentityServer, WebAPI. Bookmark the permalink.

5 Responses to ASP.NET Web API Security: The Web Host and Service

  1. markgmarkg says:

    Hi,

    Please, elaborate on scenario when WebAPI runs as additional application.

    What is a preferred way to gain security token in JS client and pass it to Web API?

    Regards

  2. bayger says:

    Hi,

    Do you plan creating another course at pluralsight regarding claims-based security and Web API? I’ve just finished your introductory one (http://pluralsight.com/training/Courses/TableOfContents/iac-intro) which is excellent! Thanks for it.

    Regards

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s