Umbraco Web API Authentication from non-Umbraco ASP.Net MVC website
Hi,
I have a scenario where I have two websites. One is a standard ASP.Net MVC web application with membership and the other is an Umbraco powered website.
From the MVC website I want to post data to the Umbraco website and had figured creating a Web API on the Umbraco website would be the way to do this but I am having trouble understanding how to authenticate the request.
I've seen lots of good examples on how to protect an Umbraco Web API method so am happy enough with that and also have a back office user account set up in Umbraco that has the necessary permission to access the API methods. So running the API methods when I'm logged in to the back office is okay.
In reality though no users will be logged in to the Umbraco back office so I need a way of sending an authentication request from the MVC web application to the Umbraco Web API so that I can then get access to the secured API methods from the MVC web application.
Any help would be very much appreciated.
Obviously you can't use backoffice authentication to do this (unless you are going to auto login the MVC app prior to the call).
Another option (as we used) is to secure the API with a custom API key that only the MVC application knows.
Thanks for the reply Phil.
I had originally been considering the auto login idea with the API returning a token to the MVC application which it would then use for all future requests within the session.
Your idea of securing the API with a custom key is interesting though. Presumably you send this encrypted in the message body?
Encrypted in the message header.
Thanks Phil
Have a look at Warren's repo:
https://github.com/warrenbuckley/Umbraco-JWT-AuthTokens
Don't know if it works on the latest Umbraco version, but maybe it gives you some inspiration.
Thanks Marcel.
Hi Craig, have you found a solution? I have the same problem to manage. I couldn't figure out how to secure a Web API for an external client, i.e. allow authentication and authorization before sending resources.
Thank you
Antonio
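The custom API key approach suggested in this thread, sketched as an added example (not code from any poster or from Umbraco itself): a Web API authorization filter that fails closed unless the request arrives over HTTPS with the shared key in a header. The header name `X-Api-Key`, the appSettings key `ExternalApiKey`, and the controller and action names are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using Umbraco.Web.WebApi;

public class ApiKeyAuthorizeAttribute : AuthorizationFilterAttribute
{
    private const string HeaderName = "X-Api-Key";        // assumed header name
    private const string SettingName = "ExternalApiKey";  // assumed appSettings key
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        var expected = ConfigurationManager.AppSettings[SettingName];
        IEnumerable<string> values;
        string supplied = request.Headers.TryGetValues(HeaderName, out values)
            ? values.FirstOrDefault() : null;
        // Fail closed: no configured key, no TLS, or a missing/incorrect header.
        bool ok = !string.IsNullOrEmpty(expected) && supplied != null
                  && request.RequestUri.Scheme == Uri.UriSchemeHttps
                  && FixedTimeEquals(expected, supplied);
        if (!ok)
            actionContext.Response = request.CreateResponse(HttpStatusCode.Unauthorized);
    }
    // Compare SHA-256 digests with no early exit, so timing does not reveal a prefix match.
    private static bool FixedTimeEquals(string a, string b)
    {
        using (var sha = SHA256.Create())
        {
            byte[] x = sha.ComputeHash(Encoding.UTF8.GetBytes(a));
            byte[] y = sha.ComputeHash(Encoding.UTF8.GetBytes(b));
            int diff = 0;
            for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
            return diff == 0;
        }
    }
}

[ApiKeyAuthorize] // applies to every action on this hypothetical controller
public class ImportApiController : UmbracoApiController
{
    [HttpPost] public IHttpActionResult Receive([FromBody] string payload) { return Ok(); }
}
```

The calling MVC application would send the same value with `HttpClient.DefaultRequestHeaders.Add("X-Api-Key", key)`. If TLS is terminated at a proxy in front of the Umbraco site, the scheme check needs to look at whatever the proxy forwards instead.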