DevExpress

Reputation: 99

AccessToken generated in MVC application is not valid in Crossdomain API

Hi, I created an MVC SPA application with Individual Accounts enabled and am able to get the access token successfully after the registration process.

I also created a Web API project with Individual Accounts enabled, and hosted both the MVC and API projects on localhost.

I tried to access the API from the MVC application with the bearer token saved in my session storage. It works fine as long as both projects are on localhost. I then hosted the API project in Azure, and the API call always returns 'Unauthorized' if I try to access it from the localhost MVC app with the bearer token created by the web application.

Sample Code:

MVC Application :

$.ajax({
    url: 'https://azureapi/api/getProducts',
    headers: {
        'Authorization': 'Bearer ' + accesstoken,
        'Content-Type': 'application/json; charset=utf-8'
    },
    type: "POST", /* or type:"GET" or type:"PUT" */
    dataType: "json",
    data: JSON.stringify(model),
    success: function (result) {
        // handle the API response here
    },
    error: function (e) {
        debugger;
        console.log(e.responseText);
    }
});

API Project:

[Authorize]
[Route("getProducts")]
[HttpPost]
public HttpResponseMessage GetProducts(ProductCriteria model)
{
}

Enabled CORS in WEB API

// Configure Web API to use only bearer token authentication.
config.SuppressDefaultHostAuthentication();
config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));
var enableCORS = new EnableCorsAttribute("*", "*", "*");
config.EnableCors(enableCORS);

Upvotes: 0

Views: 369

Answers (1)

scgough

Reputation: 5252

As Chris mentioned in his comment, to allow Site A to pass a token to Site B and Site B to 'verify' or 'authorise' it, both sites must share the same MachineKey.

I believe this can be set in both sites' Web.config files, but I've not tried it (for fear of breaking my site!).

There is a discussion here: How to set machineKey on Azure Website

I asked a similar question here as part of a bigger task: ASP.NET Identity 2.0 - Is the expiry timespan stored in the token & different sub-domains

Upvotes: 1
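As an added illustration (not code from the question or the answer), this is the shape of the `<machineKey>` element the answer refers to. It goes inside `<system.web>` in the Web.config of both the MVC app and the Azure-hosted API with identical values, so that the bearer token protected by one site can be unprotected by the other. The key values below are placeholders, not real keys; generate real ones with the IIS Manager "Machine Key" feature (or any CSPRNG) and keep them out of source control.

```xml
<configuration>
  <system.web>
    <!-- Both sites must use the SAME validationKey, decryptionKey and algorithms.
         HMACSHA256 expects a 64-byte (128 hex char) validationKey;
         AES expects a 32-byte (64 hex char) decryptionKey.
         PLACEHOLDER values: replace with keys generated for your deployment. -->
    <machineKey validationKey="[128-HEX-CHAR-VALIDATION-KEY-PLACEHOLDER]"
                decryptionKey="[64-HEX-CHAR-DECRYPTION-KEY-PLACEHOLDER]"
                validation="HMACSHA256"
                decryption="AES" />
  </system.web>
</configuration>
```

Sharing the key only lets the API unprotect tokens issued by the MVC app; the wildcard `EnableCorsAttribute("*", "*", "*")` in the question separately allows any origin to call the API, so once the token round-trip works, restrict the origins argument to the MVC app's own origin.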
