Guilherme

Reputation: 413

How can I validate Web Api 2 Owin Token sent via URL?

TL;DR Version
I have a situation in my Cordova AngularJS App where I need to open a browser and make a request. But I've found out that I can't send headers on this request, simply because $window doesn't accept them. But I can send it in the URL.
How can I validate the token received via URL on Web API?

Detailed Version

I am building a Cordova App, using AngularJs and ngCordova. Over the last few days, I tried to download a PDF file and leave it available for the user, so he could read it anytime. But all I could achieve was to download it using CordovaFileTransfer in the background (without the Android download manager) and access it through a File Explorer App (because the file did not appear in the conventional Download Folder/App), which is not good for me (I would be happy to receive any thoughts about this).

So I decided to try another approach. Using CordovaInAppBrowser I managed to successfully download my file, but only without any authorization token, because the plugin does not support any headers.

If I could send the valid token in the URL, CordovaInAppBrowser would work just fine. But I have no idea how to validate it manually on Web Api. I've found these two pages that have info on that, but I failed to understand them well enough to use in my application.

Retrieving bearer tokens from alternative locations in Katana/OWIN
Passing the access token on the URL

Can someone point me in the right direction?

Upvotes: 0

Views: 704

Answers (1)

Emin Laletovic

Reputation: 4324

Whether you want to extract your token from the headers or from the URL query string, the principle is the same; you need to extract the data from your request to validate the token.

I have used two approaches, depending on where exactly you want to do this.

The first approach would be to create a custom attribute by overriding AuthorizeAttribute or even plain ActionFilterAttribute. There are a ton of resources about this topic out there, but you can find some info here and here. This approach works great if you don't want to do this on all your API methods and API controllers. You simply put your custom attribute where you want it.

The second approach would be to create a custom OWIN middleware. Here and here you can find great resources on how to do this. This approach is more centralized, as all of your API calls would go through it.

Upvotes: 1
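
An added example, not part of the original question or answer: one way to do the centralized variant with Katana's own bearer middleware, by overriding `OAuthBearerAuthenticationProvider.RequestToken` so the token is taken from the query string and then validated exactly like a header token. The route prefix `/api/files`, the parameter name `access_token` and the `Startup.ConfigureAuth` layout are assumptions, and it assumes the same application issues the tokens.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

// Accepts the bearer token from the query string, but only for GET requests
// to the download route, so the rest of the API still requires the header.
public class QueryStringBearerProvider : OAuthBearerAuthenticationProvider
{
    // Assumed values for illustration; adjust to the real API.
    private static readonly PathString DownloadPath = new PathString("/api/files");
    private const string TokenParameter = "access_token";

    public override Task RequestToken(OAuthRequestTokenContext context)
    {
        // context.Token is already set when an "Authorization: Bearer" header
        // was sent; the header always wins over the query string.
        if (string.IsNullOrEmpty(context.Token)
            && context.Request.Path.StartsWithSegments(DownloadPath)
            && string.Equals(context.Request.Method, "GET",
                             StringComparison.OrdinalIgnoreCase))
        {
            string token = context.Request.Query.Get(TokenParameter);
            if (!string.IsNullOrWhiteSpace(token))
            {
                // The middleware unprotects and validates this value (signature,
                // expiry) the same way it does for a header token.
                context.Token = token;
            }
        }
        return Task.FromResult<object>(null);
    }
}

public partial class Startup
{
    public void ConfigureAuth(IAppBuilder app)
    {
        // URLs are recorded in server logs and browser history, so tokens
        // accepted this way should be short-lived.
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions
        {
            Provider = new QueryStringBearerProvider()
        });
    }
}
```

Controllers keep the normal `[Authorize]` attribute; a request such as `/api/files/42?access_token=<token>` is authenticated only if the token passes the middleware's usual validation.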
