James

Reputation: 2009

Passing user identity from MVC to Web Api

I have an MVC application using Windows Auth which consumes a Web Api service. Both are hosted within the same domain but sat on different servers (MVC is publicly accessible). Now let's suppose the Web Api service has a method "CreateFooBar" which requires that the user is in a particular AD group. At the MVC layer I can easily check that the user is indeed in the group, package up a JSON message and call "CreateFooBar". But how does the service perform such a check? How can I tell it which user has made the request?

Initial thought is just to add the userID to the JSON message and let the service method retrieve the details, but this would allow someone to just pass in any userID they like, so clearly this won't work. Can someone point me in the right direction please?

Upvotes: 3

Views: 1657

Answers (2)

Peter

Reputation: 7804

You should look into what Windows Identity Foundation can do for you. By setting up ADFS in your environment and using claims you will address most of the problems you are talking about.

You'll need the Identity and Access plugin for Visual Studio, and you can test the idea out using a self-hosted STS.

Upvotes: 0

Fabien

Reputation: 1095

You should use something like Kerberos delegation. The user will be authenticated in the MVC application using Kerberos, then the Kerberos token will be passed to the Web API call.

We do that currently at work to pass credentials from an ASP.NET app to an Exchange Webserver. It works fine.

If you want more info check this KB: http://support.microsoft.com/kb/810572

Upvotes: 4
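
A sketch of the delegation approach from the answer above, added here as an example and not code from any of the posters. It assumes .NET Framework with Windows Authentication on both sites and Kerberos delegation already configured in AD for the MVC application's service account; the URL, the group name `EXAMPLE\FooBarCreators`, and the namespace and class names are hypothetical.

```csharp
// Added example. Two projects shown in one listing; names and URL are hypothetical.
namespace FrontEnd   // MVC application
{
    using System.Net;
    using System.Security.Principal;
    using System.Web.Mvc;

    public class FooBarController : Controller
    {
        [HttpPost]
        public ActionResult Create(string json)
        {
            // With Windows Auth the authenticated caller is a WindowsIdentity.
            var caller = (WindowsIdentity)User.Identity;

            // Impersonate the caller for the outbound call so the Kerberos
            // ticket requested for the API is issued in the user's name.
            using (caller.Impersonate())
            using (var client = new WebClient { UseDefaultCredentials = true })
            {
                client.Headers[HttpRequestHeader.ContentType] = "application/json";
                // Synchronous call: the request is made on the impersonating
                // thread. No user ID goes into the body; identity travels in
                // the ticket, so the caller cannot substitute another user.
                client.UploadString("https://api.example.internal/api/foobar", json);
            }
            return new HttpStatusCodeResult(HttpStatusCode.NoContent);
        }
    }
}

namespace Api        // Web API service
{
    using System.Web.Http;

    public class FooBarRequest { public string Name { get; set; } }

    public class FooBarController : ApiController
    {
        // The role check runs against the identity Windows authenticated for
        // this request, not against anything supplied in the JSON payload.
        [Authorize(Roles = @"EXAMPLE\FooBarCreators")]
        [HttpPost]
        public IHttpActionResult CreateFooBar([FromBody] FooBarRequest request)
        {
            string user = User.Identity.Name; // DOMAIN\user of the original caller
            // ... create the FooBar on behalf of 'user' ...
            return Ok(new { createdBy = user });
        }
    }
}
```

If delegation is not in place, the API sees the MVC application's own service account instead of the end user, and the group check is evaluated against that account.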
