I have one solution with two projects. One is an ASP.NET MVC web application, and the other is a Web API project. What I want to do is share files between the two applications. When deployed to a server, the first application is hosted on mydomain.com, and the other is hosted on api.mydomain.com (a subdomain). I also use HTTPS. I use ASP.NET Identity in the MVC project as the authentication system. After reading numerous articles on the Internet, I did the following:
1) I included the following machineKey tag in the web.config file of both projects.
<machineKey
    validationKey="3DF5D185FFB897592E14ED51A6DDC3E2729827A2F2180151A1BC39BE5C035D15F23700C928EFDBACEAEE498D05B76C65537FDEFB673039BCD961045C3BA8ACD3"
    decryptionKey="CE274BA1DB61C086A80F5D8BD1AC5AC92A8BA19F37E04FC7"
    validation="SHA1" />
2) In the MVC project, I configured the ASP.NET Identity cookie as follows:
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Home/index"),
    Provider = new CookieAuthenticationProvider
    {
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            TimeSpan.FromMinutes(30),
            (manager, user) => user.GenerateUserIdentityAsync(manager))
    },
    SlidingExpiration = true,
    ExpireTimeSpan = TimeSpan.FromMinutes(45),
    CookieName = "MyCookie",
    CookieDomain = ".mydomain.com"
});
3) In the Web API project, I enabled and configured CORS, and I added the following configuration to web.config (CORS works fine in the production environment):
<httpProtocol>
    <customHeaders>
        <add name="Access-Control-Allow-Credentials" value="true" />
        <add name="Access-Control-Allow-Origin" value="mydomain.com" />
        <add name="Access-Control-Allow-Headers" value="content-type" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
    </customHeaders>
</httpProtocol>
4) I added the httpCookies section (in both projects) as follows:
<httpCookies requireSSL="true" domain=".mydomain.com" httpOnlyCookies="true" />
In my Web API controllers, I applied the Authorize attribute as follows:
[Authorize]
public class MyController : ApiController
{
    // actions omitted
}
Finally, from the MVC project, I am trying to call my service using a jQuery Ajax request.
$.ajax({
    url: viewModelParameters.myUrl,
    type: "get",
    dataType: "json",
    data: { userId: viewModelParameters.id },
    xhrFields: { withCredentials: true },
    crossDomain: true,
    statusCode: {
        200: function (user) { }
    }
});
I get the following message:
Authorization was rejected for this request.
In the request headers, I see that the cookie is included in the request. Could you suggest a solution, or point out what I missed? Thank you in advance.
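For reference, a cookie that arrives at api.mydomain.com only becomes a principal that [Authorize] can evaluate if something on the API side decrypts and validates it; that is the job of OWIN cookie-authentication middleware registered with the same authentication type, cookie name and cookie domain as the MVC project (with the shared machineKey doing the actual protection). The following Startup class is an added example of that API-side registration, not code from the question; it assumes the API project references Microsoft.Owin.Security.Cookies, Microsoft.AspNet.WebApi.Owin, Microsoft.AspNet.WebApi.Cors and Microsoft.AspNet.Identity, that the project's namespace is ApiProject, and that the CORS origin is written as the full https:// origin, which is the form the browser compares against.

```csharp
using System;
using System.Web.Http;
using System.Web.Http.Cors;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

[assembly: OwinStartup(typeof(ApiProject.Startup))]

namespace ApiProject
{
    // Added example (not from the question): OWIN startup for the api.mydomain.com project.
    // Cookie authentication is registered with settings that mirror the MVC project, so the
    // "MyCookie" cookie issued on mydomain.com can be decrypted here and turned into a principal.
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                // These three must match the MVC project exactly; together with the shared
                // machineKey they decide whether the cookie is accepted or silently ignored.
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                CookieName = "MyCookie",
                CookieDomain = ".mydomain.com",

                // Mirror the httpCookies settings from web.config at the middleware level.
                CookieHttpOnly = true,
                CookieSecure = CookieSecureOption.Always,

                // An API should answer 401 to an unauthenticated caller rather than
                // redirect to a login page; an empty LoginPath disables the redirect.
                LoginPath = PathString.Empty
            });

            var config = new HttpConfiguration();

            // CORS for credentialed requests: the origin is scheme + host, listed exactly
            // (no wildcard is allowed when SupportsCredentials is true).
            var cors = new EnableCorsAttribute(
                origins: "https://mydomain.com",
                headers: "content-type",
                methods: "GET,POST,PUT,DELETE,OPTIONS")
            {
                SupportsCredentials = true
            };
            config.EnableCors(cors);

            config.MapHttpAttributeRoutes();
            config.Routes.MapHttpRoute(
                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional });

            // Web API runs after the cookie middleware, so request.User is already populated
            // by the time [Authorize] on MyController executes.
            app.UseWebApi(config);
        }
    }
}
```

Two things to check against an existing API project when adopting this: the stock Visual Studio Web API template calls config.SuppressDefaultHostAuthentication(), which discards any principal set by the host (including one created from this cookie), so that call has to go, or be paired with a HostAuthenticationFilter for DefaultAuthenticationTypes.ApplicationCookie; and once EnableCors emits the Access-Control-* headers in code, the equivalent customHeaders entries in web.config should be removed, since browsers reject duplicated Access-Control-Allow-Origin values.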