I have a .Net Core 2.0 application that uses JWT tokens to authorize a user. All this works fine, but I want to have some kind of API key mechanism that allows other applications to integrate, but I cannot get this to work with current authentication.
code:
Startup.cs
public void Configure(IApplicationBuilder app, IHostingEnvironment env, ILoggerFactory loggerFactory, IMemoryCache cache, IServiceProvider serviceProvider) { app.UseAuthentication(); ApiKeyMiddlewear(app, serviceProvider); app.UseMvc(routes => { routes.MapRoute( name: "default", template: "{controller=Home}/{action=Index}/{id?}"); routes.MapSpaFallbackRoute( name: "spa-fallback", defaults: new { controller = "Home", action = "Index" }); }); } } private static void ApiKeyMiddlewear(IApplicationBuilder app, IServiceProvider serviceProvider) { app.Use(async (context, next) => { if (context.Request.Path.StartsWithSegments(new PathString("/api"))) { // Let check if this is an API Call if (context.Request.Headers["ApiKey"].Any()) { // validate the supplied API key // Validate it var headerKey = context.Request.Headers["ApiKey"].FirstOrDefault(); var settingsProvider = serviceProvider.GetService<ISettingsService<OmbiSettings>>(); var ombiSettings = settingsProvider.GetSettings(); var valid = ombiSettings.ApiKey.Equals(headerKey, StringComparison.CurrentCultureIgnoreCase); if (!valid) { context.Response.StatusCode = (int) HttpStatusCode.Unauthorized; await context.Response.WriteAsync("Invalid API Key"); } else { var identity = new GenericIdentity("API"); identity.AddClaim(new System.Security.Claims.Claim("Origin", "Api")); identity.AddClaim(new System.Security.Claims.Claim("role", "Admin")); var principal = new GenericPrincipal(identity, new[] {"ApiUser"}); context.User = principal; await next(); } } else { await next(); } } else { await next(); } }); } }
So, in the code above, you can see that I intercept HTTP requests that contain the ApiKey header, and then check it for what I saved. This part works, but when calling the API method with the Authorize attribute, it does not work, and I get the following error logs:
2017-09-19 08:15:17.280 +01:00 [Information] Request starting HTTP/1.1 POST http://localhost:52038/api/v1/Identity/ application/json 372 2017-09-19 08:15:21.967 +01:00 [Information] Authorization failed for user: "API". 2017-09-19 08:15:21.976 +01:00 [Information] Authorization failed for the request at filter '"Microsoft.AspNetCore.Mvc.Authorization.AuthorizeFilter"'. 2017-09-19 08:15:21.981 +01:00 [Information] Executing ForbidResult with authentication schemes ([]). 2017-09-19 08:15:21.991 +01:00 [Information] AuthenticationScheme: "Bearer" was forbidden. 2017-09-19 08:15:21.996 +01:00 [Information] Executed action "Ombi.Controllers.IdentityController.CreateUser (Ombi)" in 38.8268ms 2017-09-19 08:15:22.004 +01:00 [Information] Request finished in 4723.032ms 403
Now I assume that this is because the request contains only the ApiKey header and not the Authorization header with the correct JWT token.
How can I provide only the ApiKey header and when there is no ApiKey header, and then abandon the need to use the JWT token?