Retrieve user's AD credentials in for C# REST Api controller

  • 09-02-2016 9:55am
    #1
    Registered Users, Registered Users 2 Posts: 40


    Hi

    I have been tasked to develop an intranet solution using AngularJS and a REST API (Microsoft C#). The app should be single sign-on - the login process is transparent as the user is authenticated using groups retrieved from Active Directory, so if the user doesn't belong to the relevant groups, he/she is effectively directed to a "no access" page.

    I have 2 questions in relation to this, and I hope someone can give me some advice:
    1. Can a user's AD groups be retrieved (using Windows Authentication in IIS) in the Web API controller without the need to bring MVC into the equation? I understand that REST API calls are stateless, so I gather it is up to the browser to pass along the logged-in user's credentials (AD logged-in name) along with the REST call (credentials embedded in the headers)?
    2. Do I need to retrieve the groups with every single REST call, or is there some mechanism for caching this (cookies/JWT perhaps, and setting the expiry timeframe short)?

    My design approach, if possible, is to keep the REST service a pure Web API based project without mixing it with MVC. I also tend to design my solutions from empty projects as opposed to using the templates provided with Visual Studio, as these sometimes come with unnecessary clutter. Also, I want to keep the two parts (the web app and the API app) in 2 completely separate projects if possible.

    Any advice on this would be appreciated.

    Regards


Comments

  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    You should use Token authentication and use Active Directory as the source of authentication. Given that there is no web page for Web API you'll need to ask for username and password on an endpoint, and if successful issue a Token which the consumer will persist and send with subsequent requests.

    I'm not sure why you would want to keep your web and API projects separate but that's up to you. .Net Identity framework gives you a lot of the required functionality you'll need so most of the work will be around installing and configuring that.


  • Registered Users, Registered Users 2 Posts: 40 MidnightHawk


    Hi

    I suppose there is no real reason for keeping the angular app and REST API projects separate. I do that to keep it clean so that the APP is pure HTML and the REST API project can be located on separate servers if required (and also incorporating CORS). But if this is not a good practice I am happy to merge the two projects.

    The app is essentially used internally (intranet) based on AD groups, so single sign-on is the requirement (so I cannot use login boxes etc, nor should the user be requested to enter credentials on the APP - the user would only need to do this when logging into the AD domain).

    I agree with issuing tokens - one method I am considering is using JSON Web Tokens. When the first call to the API is made, the AD groups for the user are verified. If the user does not have the required groups, a response is sent back to the APP redirecting the user to a page informing them of "No Access". If the groups are valid, I create a JWT (and set the expiry to 30 min - 1 hour) and send that back to the client. The APP can then make calls to the API with the JWT as long as the JWT is valid. When it expires, I simply re-retrieve the groups and re-authenticate the JWT (say every hour or so, depending on the expiry timeframe), thus minimizing the overhead of hitting AD every time. The risk is of course if someone's credentials are revoked for the APP while the JWT is still valid, but I suppose this is a minor consideration.

    With respect to authenticating the user's credentials, and seeing that REST is stateless, the only mystery to me is whether I can depend on IIS to pass on the user's AD email/username (via Windows Authentication) so I know at least (reliably) whose AD credentials to look up. (So the user's AD username is passed to the REST service via the HTTP headers, which I can then use for authentication.)

    Perhaps I am missing something or I am not understanding the Windows Authentication mechanism properly.


  • Registered Users, Registered Users 2 Posts: 14,378 ✭✭✭✭jimmycrackcorm


    With respect to authenticating the user's credentials, and seeing that REST is stateless, the only mystery to me is whether I can depend on IIS to pass on the user's AD email/username (via Windows Authentication) so I know at least (reliably) whose AD credentials to look up. (So the user's AD username is passed to the REST service via the HTTP headers, which I can then use for authentication.)

    You can configure that in IIS for the site or virtual folder authentication. Conveniently, you could also restrict access in authorization to only allow specific user groups. That way you could authorize access without having to check the user's credentials.


  • Registered Users, Registered Users 2 Posts: 40 MidnightHawk


    Ok thanks - so I can then use
    Thread.CurrentPrincipal
    
    in the Web API to get the user's domain logon name by setting the API's web.config setting
    <authentication mode="Windows" />
    
    ?


  • Registered Users, Registered Users 2 Posts: 2,793 ✭✭✭John_Mc


    Ok thanks - so I can then use
    Thread.CurrentPrincipal
    
    in the Web API to get the user's domain logon name by setting the API's web.config setting
    <authentication mode="Windows" />
    
    ?

    You should be able to if you follow the steps on this thread on stackoverflow
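    The flow the thread converges on (IIS Windows Authentication supplies the domain identity, the API checks AD group membership on the first call, issues a short-lived JWT carrying the matched groups, and validates that JWT on later calls) is shown below as an added example; it is not code from this thread or from any of the posters. It assumes ASP.NET Web API 2 hosted in IIS with anonymous access disabled, the System.IdentityModel.Tokens.Jwt 5.x NuGet package, attribute routing enabled via config.MapHttpAttributeRoutes(), and hypothetical values for the group names (CORP\IntranetUsers, CORP\IntranetAdmins), the issuer name and the signing key.

```csharp
using System;
using System.Collections.Generic;
using System.IdentityModel.Tokens.Jwt;
using System.Linq;
using System.Net;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;
using System.Web.Http.Filters;
using System.Web.Http.Results;
using Microsoft.IdentityModel.Tokens;

// Assumed web.config for the API project. IIS does the Windows authentication;
// denying anonymous users ("?") means every request arrives with a domain identity:
//   <system.web>
//     <authentication mode="Windows" />
//     <authorization><deny users="?" /></authorization>
//   </system.web>

public static class AccessPolicy
{
    // Hypothetical group names: replace with the real AD groups that grant access.
    public static readonly string[] RequiredGroups = { @"CORP\IntranetUsers", @"CORP\IntranetAdmins" };
    public static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30);
    public const string Issuer = "intranet-api";
    // Hypothetical key for the example only: in a real deployment load a random
    // 256-bit key from protected configuration, never a string literal.
    public static readonly byte[] SigningKey = Encoding.UTF8.GetBytes("example-only-key-change-me-32-bytes!!");
}

public static class TokenService
{
    // First call: the group SIDs are already in the Windows logon token that IIS
    // negotiated, so IsInRole needs no LDAP round trip. Mint a short-lived JWT
    // whose role claims are the groups the user actually matched.
    public static string Issue(WindowsIdentity identity)
    {
        var principal = new WindowsPrincipal(identity);
        var groups = AccessPolicy.RequiredGroups.Where(principal.IsInRole).ToList();
        if (groups.Count == 0) return null; // caller turns this into "No Access"

        var claims = new List<Claim> { new Claim(ClaimTypes.Name, identity.Name) };
        claims.AddRange(groups.Select(g => new Claim(ClaimTypes.Role, g)));
        var descriptor = new SecurityTokenDescriptor
        {
            Subject = new ClaimsIdentity(claims),
            Issuer = AccessPolicy.Issuer,
            Audience = AccessPolicy.Issuer,
            Expires = DateTime.UtcNow.Add(AccessPolicy.TokenLifetime),
            SigningCredentials = new SigningCredentials(
                new SymmetricSecurityKey(AccessPolicy.SigningKey), SecurityAlgorithms.HmacSha256)
        };
        var handler = new JwtSecurityTokenHandler();
        return handler.WriteToken(handler.CreateToken(descriptor));
    }

    // Later calls: verify signature, issuer, audience and expiry only. Group
    // membership is frozen in the token until it expires (the revocation window
    // the thread mentions), which is why TokenLifetime is kept short.
    public static ClaimsPrincipal Validate(string jwt)
    {
        var parameters = new TokenValidationParameters
        {
            ValidIssuer = AccessPolicy.Issuer,
            ValidAudience = AccessPolicy.Issuer,
            IssuerSigningKey = new SymmetricSecurityKey(AccessPolicy.SigningKey),
            ClockSkew = TimeSpan.FromMinutes(1)
        };
        SecurityToken validated;
        return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out validated);
    }
}

// Turns "Authorization: Bearer <jwt>" into the request principal so that
// [Authorize] and [Authorize(Roles = ...)] work on every call after the first.
public class JwtAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken ct)
    {
        var auth = context.Request.Headers.Authorization;
        if (auth != null && auth.Scheme == "Bearer" && !string.IsNullOrEmpty(auth.Parameter))
        {
            try { context.Principal = TokenService.Validate(auth.Parameter); }
            catch (Exception ex) when (ex is SecurityTokenException || ex is ArgumentException)
            {   // tampered, expired or malformed token: reject, never fall back to Windows identity
                context.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], context.Request);
            }
        }
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken ct)
    {
        return Task.FromResult(0);
    }
}

public class SessionController : ApiController
{
    // GET api/session/token: reached with the identity IIS negotiated. Under IIS
    // RequestContext.Principal is the same WindowsPrincipal Thread.CurrentPrincipal holds.
    [HttpGet, Route("api/session/token")]
    public IHttpActionResult Token()
    {
        var identity = RequestContext.Principal.Identity as WindowsIdentity;
        if (identity == null || !identity.IsAuthenticated) return Unauthorized();
        var jwt = TokenService.Issue(identity);
        if (jwt == null) return StatusCode(HttpStatusCode.Forbidden); // client shows the "No Access" page
        return Ok(new { token = jwt, expires_in = (int)AccessPolicy.TokenLifetime.TotalSeconds });
    }
}
```

    A protected controller then carries [JwtAuthentication, Authorize(Roles = @"CORP\IntranetUsers")] and the Angular app sends the token as a Bearer header until it receives a 401, at which point it calls api/session/token again and the groups are re-read from the current Windows logon token. Two points worth checking in such a setup: the JWT endpoint must stay behind Windows Authentication (it is the only place group membership is evaluated), and the signing key must not be shared with the web app project, or anyone with that key can mint a token for any group.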

