Dan

Reputation: 204

How do I get the AD username in order to initiate bearer token authentication with angular-js SPA / ASP.NET MVC

I am developing an Angular JS SPA for my company which uses bearer tokens to authenticate users. Using ASP.NET MVC as the back end, I have set up OWIN middleware to handle bearer tokens at the server. My intention is to generate bearer tokens for users of the web app to lock down the APIs exposed. The complication here is that I need to generate the bearer token based on the Domain\Username of the AD user, but for bearer tokens to work, I can't enable windows authentication. Logging in is not an option, the user must be validated on their AD credentials.

So far what I have managed to achieve: With windows authentication disabled and anonymous authentication enabled, I have got my APIs to validate a request based on the bearer token passed to it in the header. To do this, I have created a dummy user.

What I need to achieve: Get the AD username in the form 'DOMAIN\Username' for the user so that I can create a bearer token based on this. (so far I can only do this with windows authentication enabled)

The issue I have faced is that I can't have windows authentication enabled otherwise when I place the [Authorize] attribute on the API, it will validate based on the windows authentication, regardless of a valid bearer token or not.

You might think what I'm trying to do is pointless as I have windows authentication at my disposal, but I need bearer tokens so that APIs can only be called from my SPA for security.

So far I managed to obtain the user ID by creating an API in a different web project with windows authentication enabled, however, the page load time was impacted so I want to avoid going off to get the user ID this way.

Upvotes: 1

Views: 878

Answers (1)

Dan

Reputation: 204

Figured it out eventually and can now answer my own question.

I have set windows authentication to enabled and user impersonation and anonymous authentication to false in the web.config.

Then also in the web.config I added the following code inside of the configuration node

<location path="api">
  <system.webServer>
    <security>
      <authentication>
        <anonymousAuthentication enabled="true" />
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>

This is saying that for all api calls which include 'API' in the location path (all of my APIs that require bearer token authentication have a route prefix starting with 'api'), disable windows authentication and enable anonymous authentication. By having anonymous authentication enabled I am allowing the bearer tokens to authenticate the API calls rather than letting windows authentication have the final say.

When finding the user ID with windows authentication, this must call an API which doesn't have a route prefix starting with 'api', so in my case my 'AuthenticateUser' api has a route prefix of

[RoutePrefix("authentication")]

The web.config doesn't then disable windows authentication, enabling me to get the value of the current user using

HttpContext.Current.Request.LogonUserIdentity.Name

For all other APIs that need authorization, ensure that they have a route prefix starting with 'api' and are using the [Authorize] attribute.

EDIT: I should point out that in order to enable/disable anonymous authentication and windows authentication as I did in the web.config, you must first allow them to be overridden in the IIS HostFile, otherwise it won't work.

Upvotes: 1
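Added example (not the asker's code): a Web API controller that sits outside the 'api' prefix, so the web.config `<location path="api">` override above does not apply to it and Windows authentication still runs for its requests; the namespace, route name and the fail-closed check are assumptions, and the applicationHost.config remark in the comments restates the EDIT above.

```csharp
// Assumed layout: this controller answers /authentication/whoami, which is NOT
// under the "api" path, so IIS still applies Windows authentication to it.
// For the web.config override to take effect at all, the
// anonymousAuthentication and windowsAuthentication sections must have
// overrideModeDefault="Allow" in %windir%\System32\inetsrv\config\applicationHost.config
// (the default is Deny), which is what the answer's EDIT refers to.
using System.Web;
using System.Web.Http;

namespace Spa.Auth   // hypothetical namespace
{
    [RoutePrefix("authentication")]   // deliberately not under "api"
    public class AuthenticateUserController : ApiController
    {
        // GET /authentication/whoami
        // [Authorize] here is satisfied by the Windows-authenticated identity,
        // not by a bearer token, because this path is not covered by the
        // <location path="api"> override.
        [HttpGet]
        [Route("whoami")]
        [Authorize]
        public IHttpActionResult WhoAmI()
        {
            // LogonUserIdentity is the identity IIS established for the request,
            // in DOMAIN\Username form. It is only meaningful when Windows
            // authentication actually ran for this request.
            var identity = HttpContext.Current?.Request?.LogonUserIdentity;
            if (identity == null || !identity.IsAuthenticated || identity.IsAnonymous)
            {
                // Misconfiguration (location override accidentally covering this
                // path, or overrides still denied in applicationHost.config):
                // fail closed instead of issuing a token for an anonymous caller.
                return Unauthorized();
            }

            // This server-verified name is what the bearer-token issuance step
            // should consume; never accept a DOMAIN\Username from the client body.
            return Ok(new { user = identity.Name });
        }
    }
}
```

The SPA can call this endpoint first (the browser supplies the Windows credentials), then use the returned name to request a bearer token for the 'api'-prefixed controllers.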
