20

I am new to AngularJS and trying to evaluate it for my new web application.

Requirement:

I will have one ASP.NET Web API which will be consumed from an Android, an iPhone and from a web application (ASP.NET MVC) too. ASP.NET Identity will be implemented in Web API. All three applications will call the login method of Web API to get the auth token.

Problem:

My problem is how to get ASP.NET MVC server side authentication work (in sync with Web API so I don't have to login for ASP.NET MVC separately) while Angular makes a call to get the HTML template/view, JavaScript files or other resources. I have went through many articles and blogs on AngularJS but still unable to find a security model which fits in my requirement.

Possible Solution:

Would it be a good idea to make the login call to ASP.NET MVC application instead of Web API directly, and ASP.NET MVC application would call the Web API to login, and once authenticated, save the auth token in session plus create a FormsAuthentication cookie and in cookie data save the encrypted auth token. Moreover set the auth token in ng-init somewhere in HTML to have the token in AngularJS scope. Now when AngularJS tries to make a call to ASP.NET MVC application to get HTML, then authenticate/authorize the user by matching the cookie decryted data with auth data in session. Also, AngularJS will send the auth token in header to call the Web API methods directly for all the subsequent calls for data manipulation through Web API.

Improve this question

    3 Answers 3

    Reset to default
    9

    I solved the problem with a very strait forward solution. I just made sure I have following two lines of code in the Register method of WebApiConfig:

    config.SuppressDefaultHostAuthentication(); config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

    That's it. Now my MVC controllers look for the session cookie for authorization whereas my Web API controllers look for the auth token in the header of each request. Moreover, the Web API sends a token (JSON) and a session cookie itself in response to the login/authentication request e.g. http:\\www.mydomain.com\token.

    So now I send my login request to Web API to get the token as well as the session cookie. Session cookie will automatically be sent will each request so I don't have to worry about the authorization of my MVC controllers. For Web API calls I am sending the auth token in the header for each request as Web API controllers don't care about the session cookie being sent with the request.

    Improve this answer
    8
    • can you please explain how is your http:\\www.mydomain.com\token controller?
      – bto.rdz
      CommentedJun 20, 2014 at 18:42
    • You don't have to write a controller to get a token. It's part of asp.net identity. So I don't have any controller in my source code for this. ASP.NET identity takes care of this.
      – Haider
      CommentedJun 23, 2014 at 17:32
    • @Haider - I am facing a similar situation. How did you end up passing the token to the AngularJS app. Did you use ng-init to set it?
      – user3410575
      CommentedSep 5, 2014 at 10:30
    • ng-init is used when you put a value in it on server side e.g. using Razor whereas I make a login call to Web API which returns the token in json. Once you have token in json you can store it in a cookie or in browser memory.
      – Haider
      CommentedSep 8, 2014 at 11:07
    • @Haider, how did you find out about this? Some specific books, experience from some examples?
      – Mikhail Orlov
      CommentedSep 18, 2014 at 10:33
    5

    Also worth a look:

    https://bitbucket.org/david.antaramian/so-21662778-spa-authentication-example/overview

    (based on this SO question)

    Warning: it's not for the faint-hearted...

    • ASP.NET Web API 2
    • HTML5 + AngularJS + $ngRoute
    • NuGet scaffolding
    • Yeoman (Grunt/Bower)
    • Owin framework (OAuth 2.0)
    • CORS
    Improve this answer
    1
    • 2
      Thank you. That's the best example I have seen. Very well explained
      – Maxwell Weru
      CommentedJun 19, 2015 at 6:07
    1

    I think you are on the right path. I would store the tokens in an Angular Service to make it easier on yourself (http://blog.brunoscopelliti.com/deal-with-users-authentication-in-an-angularjs-web-app). I'm a little confused on what you mean by "AngularJS tries to make a call to ASP.NET MVC application to get HTML", you shouldn't need to secure the MVC app, it's just running your Angular right? The API is the piece you want to secure as well.

    Improve this answer

      Start asking to get answers

      Find the answer to your question by asking.

      Ask question

      Explore related questions

      See similar questions with these tags.