Axelly

Reputation: 859

Is it possible to use ASP.NET Core Identity (cookie based) for securing WebAPI?

I think I'm having a little misconception that

Identity = only MVC - returning Views

and WebAPI => you gotta go for token-ish way of authentication like JWT

So, I'd want to ask

Is it possible to use that default AspNetCore's Identity with WebAPI?

Or maybe I should ask: is JavaScript post/get attaching cookies to it?

Upvotes: 2

Views: 2591

Answers (4)

Alexander

Reputation: 9642

You can use either cookie authentication or token-based authentication, or even both if you want. It depends on your needs.

In JavaScript you can send both cookies and authorization headers to authorize.

Upvotes: 0

Sasan

Reputation: 4230

From a technical point of view, a cookie is just an HTTP header, just like the Authorization header, so you can protect your API with a cookie.

As a matter of fact, if your API is just serving a SPA on the same domain, a cookie is a better and safer option.

Token-based authentication is for scenarios where an API is serving multiple clients on different domains with different access levels. It makes sense to separate the authentication server from the API server in those cases.

I recommend reading these articles:

Be careful of the JWT hype train

Please Stop Using Local Storage

Upvotes: 2

AlbertK

Reputation: 13227

Is it possible to use that default AspNetCore's Identity with WebAPI?

Yes. It will work very much like it does in the default Asp.Net Mvc template. Your AccountController may look like this:

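using System.Threading.Tasks;
using Microsoft.AspNetCore.Identity;
using Microsoft.AspNetCore.Mvc;

public class AccountController : Controller
{
    // ApplicationUser is the application's own IdentityUser-derived type.
    private readonly SignInManager<ApplicationUser> _signInManager;

    public AccountController(SignInManager<ApplicationUser> signInManager)
    {
        _signInManager = signInManager;
    }

    // POST only, so credentials travel in the request body and not in the URL.
    [HttpPost]
    public async Task<IActionResult> Login(string login, string password)
    {
        // isPersistent: true keeps the auth cookie across browser sessions.
        var result = await _signInManager.PasswordSignInAsync(login, password, true, lockoutOnFailure: false);

        if (result.Succeeded)
        {
            // process successful result; the auth cookie is already on the response
            return Ok();
        }
        else
        {
            // process failed result
            return Unauthorized();
        }
    }
}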

SignInManager<>.PasswordSignInAsync() will assign necessary cookies to process authentication.

Upvotes: 0

Shane Bauer

Reputation: 263

Yes, it's possible. Some JS libraries require you to enable the passing of cookies, though. Axios, for example, requires you to set withCredentials: true.

Upvotes: 1
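
An added example, not taken from any of the answers above: a Startup sketch for using the Identity cookie behind a WebAPI called from a SPA. By default the Identity cookie handler answers unauthenticated requests with a redirect to a login page, which an API client cannot use, so the events below return 401/403 instead. ApplicationUser, ApplicationDbContext, the "Spa" policy name and https://spa.example.com are assumptions made for the illustration.

```csharp
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Identity;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        // ApplicationUser / ApplicationDbContext: assumed application types.
        services.AddIdentity<ApplicationUser, IdentityRole>()
                .AddEntityFrameworkStores<ApplicationDbContext>();

        services.ConfigureApplicationCookie(options =>
        {
            options.Cookie.HttpOnly = true;                          // not readable from page script
            options.Cookie.SecurePolicy = CookieSecurePolicy.Always; // sent over HTTPS only
            options.Cookie.SameSite = SameSiteMode.Strict;           // not attached to cross-site requests

            // API clients need status codes, not a 302 to an HTML login page.
            options.Events.OnRedirectToLogin = ctx =>
            {
                ctx.Response.StatusCode = StatusCodes.Status401Unauthorized;
                return Task.CompletedTask;
            };
            options.Events.OnRedirectToAccessDenied = ctx =>
            {
                ctx.Response.StatusCode = StatusCodes.Status403Forbidden;
                return Task.CompletedTask;
            };
        });

        // Needed only when the SPA is served from another origin (assumed here).
        // The browser sends the cookie only if the client opts in (for example
        // Axios withCredentials: true) and the server names the origin explicitly.
        services.AddCors(o => o.AddPolicy("Spa", p => p
            .WithOrigins("https://spa.example.com")
            .AllowAnyHeader()
            .AllowAnyMethod()
            .AllowCredentials()));

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseCors("Spa");
        app.UseAuthentication(); // reads the Identity cookie and populates HttpContext.User
        app.UseMvc();
    }
}
```

With these settings a controller action marked [Authorize] returns 401 to a caller without a valid cookie, which the SPA can handle by showing its own login form.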