
I am working on a project that needs AngularJS on the client side and ASP.NET Web API on the server side. It seems I am fairly new to AngularJS, and I couldn't find a good way to handle access control in AngularJS. AngularJS routing seems to only "work" within the "App"; if a user accesses a URL directly (http://www.test.com/customer?userid=12345), it will not work. Therefore I am thinking of letting ASP.NET MVC handle the routing for each AngularJS app and letting AngularJS routing handle routing within each app.

My question is: once the client app (AngularJS) is authenticated by the server (token), how do I add that authentication in my ASP.NET MVC, so I can use something like User.Identity and get all the necessary Claims from the server? Or should I do it the other way and let ASP.NET MVC make the authentication call to the API and store the token somewhere else for AngularJS to pick up? Or is there any other way to do it?


1 Answer

up vote 1 down vote accepted

Once the client app (angularjs) is authenticated by the server (Token), how do I add that authentication in my ASP.NET MVC?

You have to add the [Authorize] attribute to the actions and/or controllers that require authentication and authorization. There are other ways to achieve that, such as implementing an authorization filter or an authentication filter, but for the moment the [Authorize] attribute is a good starting point.

Can I use something like User.Identity and get all the necessary Claims from the server?

Yes, of course. Once you retrieve the user from the DB

IdentityUser user = await repository.FindUser(context.UserName, context.Password);

you will be able to get Claims, Roles, ... But this is only an example. You will be able to get the user from the token sent by your AngularJS app. In fact, to get the user claims, there is the ClaimsPrincipal class in System.Security.Claims for this purpose.

However, it's quite difficult to answer these questions without code, so I recommend the following series of tutorials. I'm sure they will help you:

  1. Token Based Authentication
  2. AngularJS Token Authentication
  3. Enable OAuth Refresh tokens

Edited

If you have 2 projects, one for ASP.NET MVC and another for Web API, you have to be sure that both Web.config files have the same machineKey tag:

<system.web>
...
<machineKey validationKey="57B449BBA8F9E656087FF7848727E122C5F5966F65AC0FC25FB3532193B59CFCD13B370883FFC184C1F1500638F33E6F67B37CAED1D9BC65BBC6CFFB232BFD0B" decryptionKey="6D9FBE88D16B3FA5B5E6B37460BBE50DA85D5B4C482159006B5A337C58AA9E79" validation="SHA1" decryption="AES" />
...
</system.web>

Use this machine Key Generator. The token is created based on the machineKey, so you have to be sure that this field is identical. If not, the token created in one project will not be valid for the other.

    
But I am using AngularJS to make the /token call to my Web API. Are you saying ASP.NET MVC will pick up the authenticated object even if I made the call in AngularJS instead of ASP.NET MVC? I tried it, but my Principal object is always null when I do User.Identity. –  DesireToKnowMore Sep 9 at 14:11
    
I guess you have 2 different projects. One for Web API and one for ASP.NET MVC. You have to put the identical machineKey in both Web.config files. –  Freerider Sep 9 at 14:19
    
Any recommended post on identical machineKey? I assume I should make the authentication call within MVC, like with HttpClient? Because if I made the call using AngularJS directly, the server will not be aware of it, right? –  DesireToKnowMore Sep 9 at 14:23
    
@DesireToKnowMore I have edited my answer to show you how. –  Freerider Sep 9 at 14:25
    
Cool! How about where the authentication call is made from? HttpClient or $http? I assume it should be called from HttpClient, so MVC can decrypt the token with the key. AngularJS will have no access to the machineKey. Am I correct? –  DesireToKnowMore Sep 9 at 14:34
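
The arrangement the answer and comments describe, as an added example that is not code from the answer or from the tutorials it lists: an MVC project that accepts bearer tokens issued by a separate Web API project and exposes the resulting claims behind [Authorize]. It assumes OWIN hosting under IIS with the Microsoft.Owin.Host.SystemWeb and Microsoft.Owin.Security.OAuth packages installed; the `MvcSite` namespace and `CustomerController` are hypothetical names.

```csharp
using System.Linq;
using System.Security.Claims;
using System.Web.Mvc;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

[assembly: OwinStartup(typeof(MvcSite.Startup))]

namespace MvcSite // hypothetical name for the MVC project
{
    public class Startup
    {
        public void Configuration(IAppBuilder app)
        {
            // Accept "Authorization: Bearer <token>" on requests to this site.
            // With default options the token is unprotected with keys derived
            // from <machineKey>, so it only validates when this site's
            // <machineKey> matches the Web API project that issued the token.
            // Generate your own key pair and keep it out of source control;
            // a key that has been published anywhere must not be reused.
            app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
        }
    }

    public class CustomerController : Controller // hypothetical controller
    {
        [Authorize] // 401 unless a valid bearer token was presented
        public ActionResult Claims()
        {
            // After the middleware has run, User is a ClaimsPrincipal built
            // from the claims the Web API put into the token.
            var principal = (ClaimsPrincipal)User;
            var claims = principal.Claims
                .Select(c => new { c.Type, c.Value })
                .ToList();
            return Json(new { name = principal.Identity.Name, claims },
                        JsonRequestBehavior.AllowGet);
        }
    }
}
```

The `Authorization` header reaches this middleware only on requests where the client adds it, for example AngularJS `$http` calls; a URL typed into the browser's address bar carries no bearer token.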
