Authorization denied while creating ASP.NET web API with API key verification

I want to authorize my web api with a key, but it always says: "Authorization was rejected for this request." Below is the last code I tried.

This is the delegation handler class:

    // Message Handler class
    public class APIKeyFilter : DelegatingHandler
    {
        // Default API Key
        private const string APIKEY = "b018a9c5105d427127e";

        protected override Task<HttpResponseMessage> SendAsync(
            HttpRequestMessage request, CancellationToken cancellationToken)
        {
            var query = request.RequestUri.ParseQueryString();
            string key = query["key"];

            if (APIKEY != key)
            {
                var response = new HttpResponseMessage(HttpStatusCode.Forbidden);
                var tsc = new TaskCompletionSource<HttpResponseMessage>();
                tsc.SetResult(response);
                return tsc.Task;
            }

            return base.SendAsync(request, cancellationToken);
        }
    }

This is a global class:

    public class Global : HttpApplication
    {
        void Application_Start(object sender, EventArgs e)
        {
            AreaRegistration.RegisterAllAreas();
            GlobalConfiguration.Configure(WebApiConfig.Register);
            RouteConfig.RegisterRoutes(RouteTable.Routes);
            GlobalConfiguration.Configuration.MessageHandlers.Add(new Filter.APIKeyFilter());
        }
    }

This is my api controller:

    [Authorize]
    public class CategoriesController : ApiController
    {
        private WebAPI2Context db = new WebAPI2Context();

        // GET: api/Categories
        public IQueryable<Category> GetCategories()
        {
            return db.Categories;
        }
    }

Is there any way to fix this? I am trying to do this, all the results that I found do not work for me.

1 answer

Nothing too obvious is wrong, although don't confuse filters with handlers.

Perhaps you are trying to make calls to the web API controller from a website running in another process, on a different port. Possible reason 1, 2, or both may be the cause.

Possible reason 1

Perhaps this is a CORS problem. It is hard to say without additional information from the answer. Try adding this to your Global:

    var cors = new EnableCorsAttribute("*", "*", "*");
    GlobalConfiguration.Configuration.EnableCors(cors);

and for preflight checks, I would add the following to the if that you have in your custom handler:

    if (request.Headers.Contains("Origin") && request.Method.Method == "OPTIONS")
    {
        var response = new HttpResponseMessage();
        response.StatusCode = HttpStatusCode.OK;
        response.Headers.Add("Access-Control-Allow-Origin", "*");
        response.Headers.Add("Access-Control-Allow-Headers", "Origin, Content-Type, Accept, Authorization");
        // Worked before for deletes but CORS came back out of blue for deletes so changed * for DELETE and content doing all CRUD at the moment..
        response.Headers.Add("Access-Control-Allow-Methods", "DELETE, POST, PUT, OPTIONS, GET");
        // Return the preflight response; without this the headers above are never sent.
        return Task.FromResult(response);
    }

If you need all this, install the NuGet package Microsoft.AspNet.WebApi.Cors

Possible reason 2

You also need to make sure that machineKey is set the same in the configuration file for both.

Follow the instructions in the following URL to match the settings between the applications, and you should be fine:

https://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx

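An added example, not part of the original question or answer: Web API's [Authorize] attribute rejects any request whose principal is not authenticated, and the handler in the question only blocks bad keys without ever setting a principal for good ones. The sketch below sets one after the key check and compares the key without an early exit; the class name, the "ApiKey" appSettings entry and the "api-key-client" identity name are assumptions made for illustration.

```csharp
using System.Configuration;
using System.Net;
using System.Net.Http;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;

public class ApiKeyAuthenticationHandler : DelegatingHandler
{
    // Assumption: the key lives in appSettings under the hypothetical name
    // "ApiKey" instead of being compiled into the assembly.
    private static readonly byte[] ExpectedKey =
        Encoding.UTF8.GetBytes(ConfigurationManager.AppSettings["ApiKey"] ?? "");

    protected override Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Same "key" query parameter the question's handler reads.
        string supplied = request.RequestUri.ParseQueryString()["key"] ?? "";

        // Fail closed: a missing configured key rejects every request.
        if (ExpectedKey.Length == 0 ||
            !FixedTimeEquals(Encoding.UTF8.GetBytes(supplied), ExpectedKey))
        {
            return Task.FromResult(new HttpResponseMessage(HttpStatusCode.Forbidden));
        }

        // [Authorize] checks Principal.Identity.IsAuthenticated. A GenericIdentity
        // with a non-empty name reports IsAuthenticated == true.
        var identity = new GenericIdentity("api-key-client", "ApiKey");
        request.GetRequestContext().Principal =
            new GenericPrincipal(identity, new string[0]);

        return base.SendAsync(request, cancellationToken);
    }

    // Compares all bytes instead of returning at the first mismatch.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }
}
```

It is registered the same way as the handler in the question, through GlobalConfiguration.Configuration.MessageHandlers.Add.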

Source: https://habr.com/ru/post/1257732/

