Web API [Authorize] Attribute Without User Logging In Or Requesting Token With Password?

Question

Correct me if I'm not understanding something. I'm working with a fresh Web API application generated from a VS template.

• The user does register right on the login page of the Web API app.
• It appears that a user can register from outside the Web API app (from ANY device that knows the api/Accounts URL), but it requires passing sensitive information in plain text.
• The sample ValuesController has the [Authorize].
• Accessing /api/Values from the browser will throw a 401 if the user is not logged in.
• Accessing /api/Values from Fiddler will also throw a 401 even if the user is logged in. This is because it requires an Authorize: Bearer header, which the access token isn't available from outside the web application.
• There is a token endpoint that we can use to request a token from outside the app, but using the built-in token endpoint requires the user's username and password as plain text to be sent.

I guess all the work needs to be done from an external trusted client application (which must have access to the same database that stores user info). From the client application, how would I create an access token so that I can make a request that would have that access token in the header?

Suppose that I was able to achieve generating an acceptable access token from the client. Will the [Authorize] attribute still block access because the user would technically not be logged in? Or does [Authorize] actually log the user in if it doesn't result in a 401?

Answer 1

Your steps are all right. But i think you are mixing you understanding of the last part with cookies authentication and token authentication.

Will the [Authorize] attribute still block access because the user would technically not be logged in? Or does [Authorize] actually log the user in if it doesn't result in a 401?

With cookie authentication this would be a problem that the user would technically need to be logged in and a valid session would need to exist on the server.

However this would not be the case on with token authentication. As long as you have a valid bearer token, you may access the api from any device.

Answer 2

The AuthorizeAttribute will block access when the IsAuthenticated property of the current IIdentity is false. This is entirely separated from the access token.