Reputation: 155
I have a self-hosted Owin WebAPI. I want to protect a few routes with authentication. The majority of the routes should be accessible anonymously.
I have successfully implemented Windows-Auth, but now I get 401 - Unauthorized when trying to access the routes marked with [AllowAnonymous] when accessing them anonymously. If I call the method with valid credentials all works fine.
The perfect solution would be to allow anonymous by default and only require credentials when the action has the [Authorize] attribute.

    using System.Net;
    using System.Security.Principal;
    using System.Threading.Tasks;
    using System.Web.Http;
    using Microsoft.Owin;
    using Owin;

    public void Configuration(IAppBuilder appBuilder)
    {
        // Enable Windows Authentication
        HttpListener listener = (HttpListener)appBuilder.Properties["System.Net.HttpListener"];
        listener.AuthenticationSchemes = AuthenticationSchemes.IntegratedWindowsAuthentication;

        HttpConfiguration config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        appBuilder.Use(typeof(WinAuthMiddleware));
        appBuilder.UseWebApi(config);
    }

    public class WinAuthMiddleware : OwinMiddleware
    {
        public WinAuthMiddleware(OwinMiddleware next) : base(next) {}

        public async override Task Invoke(IOwinContext context)
        {
            WindowsPrincipal user = context.Request.User as WindowsPrincipal;
            //..
        }
    }

    public class ValuesController : ApiController
    {
        [AllowAnonymous] // attribute gets ignored
        [Route("Demo")]
        [HttpGet]
        public string Get()
        {
            //..
        }
    }

Upvotes: 6
Views: 4586
Reputation: 244
Your issue is that you configured the HttpListener to support only Windows authentication. This is similar to configuring an IIS site with just Windows Authentication: every request to the site has to go through Windows Authentication.
To selectively activate authentication, you need to allow both Windows authentication and anonymous authentication by changing your configuration to this:

    public void Configuration(IAppBuilder appBuilder)
    {
        // Enable Windows authentication and anonymous authentication
        HttpListener listener =
            (HttpListener)appBuilder.Properties["System.Net.HttpListener"];
        listener.AuthenticationSchemes =
            AuthenticationSchemes.IntegratedWindowsAuthentication |
            AuthenticationSchemes.Anonymous;

        HttpConfiguration config = new HttpConfiguration();
        config.MapHttpAttributeRoutes();

        appBuilder.Use(typeof(WinAuthMiddleware));
        appBuilder.UseWebApi(config);
    }

Do that and your standard [Authorize] and [AllowAnonymous] tags start working as expected.
Upvotes: 5