Xavier Egea

Reputation: 4763

Error 401 Unauthorized. How to Use the same token for different Urls?

In ASP.Net Identity using OAuth2, a token is created once the user is authenticated by posting User and Password.

Before making a call to an action from one API, the user must ask for a token:

http://mysite/auth/token

Once the token is received, all Web Api calls can be done, sending the Authorization: Bearer <token> header:

GET http://mysite/auth/product/1
PUT http://mysite/auth/client/42

I have several Web Apis that use a centralised Security System for Authentication. The problem is that I receive Unauthorized (401) when I try to call a different Api (with a different URL). For example:

GET http://mysite/myapi/product/1

If the Security is centralised and both APIs are using the same Users Database for Authentication, how can I use the same token for different Urls?

Upvotes: 2

Views: 2308

Answers (1)

Xavier Egea

Reputation: 4763

Finally I found the solution by adding the same machineKey tag in both Web.config files:

<system.web>
...
<machineKey validationKey="57B449BBA8F9E656087FF7848727E122C5F5966F65AC0FC25FB3532193B59CFCD13B370883FFC184C1F1500638F33E6F67B37CAED1D9BC65BBC6CFFB232BFD0B" decryptionKey="6D9FBE88D16B3FA5B5E6B37460BBE50DA85D5B4C482159006B5A337C58AA9E79" validation="SHA1" decryption="AES" />
...
</system.web>

as is suggested on the accepted answer here using a machineKey generator.

From the documentation:

Sharing Authentication Tickets Across Applications
If you need a single logon to work across multiple applications located in separate virtual directories, you need to share a common authentication ticket. To configure a common authentication ticket, you must manually generate validationKey and decryptionKey values and ensure that each application shares these values. If you want to share tickets across all applications on your server you can set these manual values on the <machineKey> element in the machine level Web.config file. To share tickets across specific applications, you can use a <machineKey> element with common validationKey and decryptionKey values in the relevant application's Web.config files.

Updated - Security Warning

Security warning

There are many web sites that will generate a <machineKey> element for you with the click of a button. Never use a <machineKey> element that you obtained from one of these sites. It is impossible to know whether these keys were created securely or if they are being recorded to a secret database. You should only ever use configuration elements that you created yourself.

Read Appendix A at the link to learn how to generate your own machineKey element.

Upvotes: 1
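
One way to act on the warning in the answer above, as an added example that is not part of the original post: generate the keys locally from the operating system's CSPRNG, then confirm that two Web.config files carry the same explicit machineKey. Function names and paths are hypothetical; key sizes and algorithm attributes mirror the element shown in the answer.

```powershell
# Added example, not code from the original answer. Function names and the
# paths in the usage comment are hypothetical.

function New-HexKey {
    param([Parameter(Mandatory)][int] $ByteCount)
    $bytes = New-Object byte[] $ByteCount
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    # Hex without separators, the form the machineKey attributes use
    return ([System.BitConverter]::ToString($bytes) -replace '-', '')
}

function New-MachineKeyElement {
    # Sizes mirror the element in the answer: 64-byte validationKey,
    # 32-byte decryptionKey. The output is a secret; keep it out of logs.
    $template = '<machineKey validationKey="{0}" decryptionKey="{1}" validation="SHA1" decryption="AES" />'
    return ($template -f (New-HexKey -ByteCount 64), (New-HexKey -ByteCount 32))
}

function Get-MachineKey {
    param([Parameter(Mandatory)][string] $WebConfigPath)
    [xml] $config = Get-Content -LiteralPath $WebConfigPath -Raw
    $node = $config.SelectSingleNode('/configuration/system.web/machineKey')
    if ($null -eq $node) { throw "No <machineKey> element in $WebConfigPath" }
    return $node
}

function Test-MachineKeyMatch {
    param(
        [Parameter(Mandatory)][string] $PathA,
        [Parameter(Mandatory)][string] $PathB
    )
    $keyA = Get-MachineKey $PathA
    $keyB = Get-MachineKey $PathB
    $ok = $true
    foreach ($name in 'validationKey', 'decryptionKey', 'validation', 'decryption') {
        $valueA = $keyA.GetAttribute($name)
        $valueB = $keyB.GetAttribute($name)
        # Missing or AutoGenerate values are not an explicit shared key
        if (-not $valueA -or $valueA -like 'AutoGenerate*' -or $valueA -ne $valueB) {
            Write-Warning "machineKey attribute '$name' is not an explicit shared value"  # name only, never the key
            $ok = $false
        }
    }
    return $ok
}

# Usage (hypothetical paths):
#   New-MachineKeyElement
#   Test-MachineKeyMatch 'C:\sites\auth\Web.config' 'C:\sites\myapi\Web.config'
```

The comparison reports only attribute names, so key material never reaches the console or a transcript.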
