All geek questions in one place

ASP.NET Kernel with Extra Authentication / Authorization

I want to create ASPA Core for ASP.NET to access data from a database. This WebApi can be used in two ways: either as a public WebApi that requires authentication, or as a private backend service for a web application. In the latter case, there is no need for authentication, since only authenticated users can access the web application, and both the web application and WebApi will work on the same computer, WebApi will be hidden from the outside.

Since we need authentication for the first scenario, I will have all the public APIs marked with the Authorize attribute. But for a private scenario, I would like to get around any authentication.

Is there a way to make authentication optional depending on some flag in the configuration?

Update

Speaking of two use cases, I mean two completely different settings! Each of them has its own configuration file. The decision on whether authentication is required should be performed for each installation without a request in one installation! My goal is to have only one code base and switch in the configuration.

+1
source share
2 answers

If you bypass authentication, how do you distinguish between internal or public requests for api? This causes a security error. Therefore, you should not bypass authentication.

If you use openidconnect authentication in the mvc application, you can set SaveTokens=true . It allows you to store the access token in a cookie. When you call api in mvc action, you can send this access_token in api.

Another way to use two different intermediate authentication programs is one for internal sharing (this is hard to implement).

I would go with the first approach.

Update

To achieve your goal, it comes to my mind a difficult way, but I'm not sure if this is a good way:

Create a filter provider:

 public class EncFilterProvider : IFilterProvider { public int Order { get { return -1500; } } public void OnProvidersExecuted(FilterProviderContext context) { } public void OnProvidersExecuting(FilterProviderContext context) { // remove authorize filters var authFilters = context.Results.Where(x => x.Descriptor.Filter.GetType() == typeof(AuthorizeFilter)).ToList(); foreach(var f in authFilters) context.Results.Remove(f); } }

Then register it conditionally based on the configuration value

  public void ConfigureServices(IServiceCollection services) { if(config["servermode"] = "internal") { services.AddScoped<IFilterProvider, EncFilterProvider>(); } }
+3
source

I would recommend authenticating both applications: the web application and the web API. You will have everything secured. To skip authentication is not a good idea. Just create a user for your web application (in the web API application) that will be used for authentication when retrieving data from the web API.

0
source

Source: https://habr.com/ru/post/1261167/

More articles:


All Articles