Using bearer tokens and cookie authentication together

asp.net-mvc asp.net-web-api oauth-2.0 owin

36,449

Solution 1

I think I worked this out:-

Startup.Auth is wiring up the OWIN pipeline, so it is right to include Cookies and Tokens there. But one change to the cookie options specifies the authentication type it should apply to:

CookieOptions = new CookieAuthenticationOptions
{
  AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie   
};

Then I needed to configure WebAPI to only use tokens:

public static void Configure(HttpConfiguration config)
{
   // Configure Web API to use only bearer token authentication.
   config.SuppressDefaultHostAuthentication();
   config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
}

This seems to achieve what I want. WebAPI just uses bearer tokens and no cookies, and a few conventional MVC pages use cookies once logged in (using the AuthenticationManager).

Solution 2

you can add jwt token to cookie (here my jwt token cookie name is "access_token") in http-only mode,and make a middleware like this

public class JwtCookieMiddleware
{
    private readonly RequestDelegate _next;

    public JwtCookieMiddleware(RequestDelegate next)
    {
        _next = next;
    }

    public Task Invoke(HttpContext ctx)
    {
        if (ctx.Request.Cookies.TryGetValue("access_token", out var accessToken))
        {
            if (!string.IsNullOrEmpty(accessToken))
            {
                string bearerToken = String.Format("Bearer {0}", accessToken);
                ctx.Request.Headers.Add("Authorization",bearerToken);
            }
        }
        return this._next(ctx);
    }
}
public static class JwtCookieMiddlewareExtensions
{
    public static IApplicationBuilder UseJwtCookie(this IApplicationBuilder build)
    {
        return build.UseMiddleware<JwtCookieMiddleware>();
    }
}

And you need use the middleware in startup like this:

app.UseJwtCookie();
app.UseAuthentication();
app.UseMvc();

the above code will add jwt token to http request header if this request with a token cookie;

36,449

Author by

Appetere

Updated on January 27, 2021

Comments

Appetere over 3 years
I have a single page app - more or less based on the MVC5 SPA template - using bearer tokens for authentication.

The site also has a couple of conventional MVC pages which need to be secured, but using cookie authentication.

In Startup.Auth I can enable both types of authorisation:
```
app.UseCookieAuthentication(new CookieAuthenticationOptions());
app.UseOAuthBearerTokens(OAuthOptions);
```
However, this seems to have a side-effect in that whenever an AJAX request is sent from the SPA, it sends both the bearer token in the header and the cookie.

Whereas the behaviour I really want is that only the bearer token is used for WebAPI calls, and only the cookie for MVC calls.

I'd also like the MVC calls to redirect to a login page when not authorised (set as a CookieAuthenticationOption), but obviously I don't want this to happen when making an API call.

Is there some way to have this type of mixed-mode authentication within one application? Perhaps through a path/route filter?
ThisGuy over 9 years

Steve, I'm going to do the same thing. One concern I have is the cookie and the token (i.e. local storage) getting out of sync. In other words, do the cookie and token need to expire at the same time or is there a mechanism to gracefully deal when one or the other is missing?
ThisGuy over 9 years

BTW, there is also an option in CookieAuthenticationOptions called "CookieHttpOnly" which will prevent JavaScript from passing the cookie to your API.
Appetere over 9 years

@ThisGuy This is probably worth asking as a new question. But take a look at KatanaProject v3 (released 19 Aug 14). Search for Options.UseTokenLifetime in OpenIdConnectAuthenticationHandler to see how cookie & token lifetime can be aligned.
Alexander Boychenko over 9 years

@Steve, just want to clarify one thing. Do you use separate login pages in SPA and MVC parts? Or you able to achieve this through single login page? If it's a case how you do it?
Appetere over 9 years

The login pages might look the same, but the SPA has to manage the token, so the functionality is different behind. By the way, for anything other than a low-security system you should now be looking at OpenId Connect instead of OAuth2. The specification describes various "flows" which would be used with a SPA (implicit or hyrbid flow) and MVC pages (code or hybrid flow). Only problem is the Katana Project doesn't fully support all the flows, making it hard to use stuff out of the box.
Pepito Fernandez about 9 years

@Steve, I have an application where people must create an local native account (not thru third parties). Then this app will collect overtime their activities in the website. Then, I want to expose that data to other apps in the form of an API. So, I was thinking, for my local website, I will use Cookies... for the apps requesting access to the API, I will use OAuth to Authenticate and Authorize the Client access to the User data. Is your approach aiming at this?
Pepito Fernandez about 9 years

@Steve, here is a detailed explanation of my problem. stackoverflow.com/questions/28414205/….
Dan Turner over 8 years

@ThisGuy That is incorrect. "CookieHttpOnly" will simply prevent the value of the cookie from being read in JavaScript, it will not prevent the cookie being sent on an AJAX request.
ThisGuy over 8 years

@Dan Turner, I misread the description of CookieHttpOnly. You are right. That aligns with browser support for "HttpOnly" cookies as well.
SomethingOn over 8 years

I have implemented your code, but I don't get a cookie. The Set-Cookies header never seems to get set and I added the Kentor NuGet package to help with this to no avail. Is there something else that needs to be set in the Start.Auth.cs or WebApiConfig.cs?
Appetere over 8 years

@SomethingOn If you are using Katana middleware and things don't work as you expect, I recommend downloading the Katana source code then change your project references to point at the relevant debug DLLs in the source code. Then you can put a breakpoint in the CookieAuthenticationHandler Invoke method and see for yourself what is going on.
Benjamin Martin almost 8 years

To those who are wondering why SuppressDefaultHostAuthentication() and HostAuthenticationFilter can not befound: You need to install this package: via nuget: Install-Package Microsoft.AspNet.WebApi.Owin
maracuja-juice almost 7 years

It was so easy... THANKS
anatol over 4 years

I believe the question is not about asp.net core
anatol over 4 years

could you provide more details, please?