Retrieve user's AD credentials in for C# REST Api controller

MidnightHawk

Hi

I have been tasked to develop an intranet solution using AngularJS and a REST API (Microsoft C#). The app should be single sign-on - the login process is transparent as the user is authenticated using groups retrieved from Active Directory, so if the user doesn't belong to the relevant groups, he/she is effectively directed to a "no access" page.

I have 2 questions in relation to this, and I hope someone can give me some advice:
1. Can a users’ AD Groups be retrieved (using Windows Authentication in IIS) in the Web API controller without the need to bring in MVC into the equation? I understand that REST API calls are stateless, so I gather it is up to the browser to pass along the logged in users’ credentials (AD logged-in name) along with the REST call (credentials embedded in the headers)?
2. Do I need to retrieve the groups with every single REST call, or is there some mechanism for caching this (cookies/JWT perhaps - and setting the expiry timeframe short)

My design approach, if possible, is to keep the REST service a pure Web API based project without mixing it with MVC. I also tend to design my solutions from empty projects as opposed to using the templates provided with Visual Studio - as these sometimes comes with unnecessary clutter. Also, I want to keep the two parts (the web app and the api app) in 2 completely separate projects if possible.

Any advice on this would be appreciated.

Regards

John_Mc

You should use Token authentication and use Active Directory as the source of authentication. Given that there is no web page for Web API you'll need to ask for username and password on an endpoint, and if successful issue a Token which the consumer will persist and send with subsequent requests.

I'm not sure why you would want to keep your web and API projects separate but that's up to you. .Net Identity framework gives you a lot of the required functionality you'll need so most of the work will be around installing and configuring that.

MidnightHawk

Hi

I suppose there is no real reason for keeping the angular app and REST API projects separate. I do that to keep it clean so that the APP is pure HTML and the REST API project can be located on separate servers if required (and also incorporating CORS). But if this is not a good practice I am happy to merge the two projects.

The app is essentially used internally (intranet) based on AD groups, so single sign-on is the requirement (so I cannot use login boxes etc, nor should the user be requested to enter credentials on the APP - the user would only need to do this when logging into the AD domain).

I agree with issuing tokens - one method I am considering is using Json Web Tokens. When the first call to the API is made, the AD groups for the user is verified. If the user does not have the required groups, a response is sent back to the APP redirecting the user to a page informing them of "No Access". If the groups are valid, I create a JWT (and set the expiry to 30min - 1 hour) and send that back to the client. The APP can then make calls to the API with the JWT as long as the JWT is valid. When it expires, I simply re-retrieve the groups and re-authenticate the JWT (say every hour or so, depending on the expiry timeframe), thus minimizing the overhead of hitting AD every time. The risk is of course if someone's credentials are revoked for the APP while the JWT is still valid, but I suppose this is a minor consideration.

With respect to authenticating the users credentials, and seeing that REST is stateless, the only mystery to me is whether I can depend on IIS to pass on the user's AD email/username (via Windows Authentication) so I know at least (reliably) whose AD credentials to look up. (So the user's AD username is passed to the REST service via the HTTP headers, which I can then use for authentication)

Perhaps I am missing something or I am not understanding the Windows Authentication mechanism properly.

jimmycrackcorm

MidnightHawk wrote:

With respect to authenticating the users credentials, and seeing that REST is stateless, the only mystery to me is whether I can depend on IIS to pass on the user's AD email/username (via Windows Authentication) so I know at least (reliably) whose AD credentials to look up. (So the user's AD username is passed to the REST service via the HTTP headers, which I can then use for authentication)

You can configure that in IIS for the site or virtual folder authentication. Conveniently you could also restrict access also in authorization to only allow specific user groups. That way you could authorize access without having to check the users credentials

MidnightHawk

Ok thanks - so I can then use

Thread.CurrentPrincipal

in the Web API to get the user domain logon name by setting the API's webconfig setting

<authentication mode = "windows"/>

?

John_Mc

MidnightHawk wrote: »

Ok thanks - so I can then use

Thread.CurrentPrincipal

in the Web API to get the user domain logon name by setting the API's webconfig setting

<authentication mode = "windows"/>

?

You should be able to if you follow the steps on this thread on stackoverflow