
OAuth: ASP.NET Web API User.Identity doesn't load claims set by authentication token provider


Tags: authentication, oauth, castle-windsor, claims-based-identity

I am using OAuth bearer authentication, configured like this in Startup.cs:

        OAuthBearerAuthenticationOptions oAuthBearerOptions =
            new OAuthBearerAuthenticationOptions
            {
                AccessTokenProvider = new AccessTokenProvider(),
                AuthenticationMode = AuthenticationMode.Active
            };

... where AccessTokenProvider is implemented as:

using System.Security.Claims;
using System.Threading.Tasks;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Infrastructure;

public class AccessTokenProvider : AuthenticationTokenProvider
{
    public override async Task ReceiveAsync(AuthenticationTokenReceiveContext context)
    {
        // Internal logic to get data needed for building identity...

        // Create claims identity
        // (the single-string ClaimsIdentity constructor takes the authenticationType;
        // IsAuthenticated is true only when that value is non-empty)
        ClaimsIdentity identity = new ClaimsIdentity(identityName);
        identity.AddClaim(new Claim(ClaimTypes.NameIdentifier, nameIdentifier));
        // Add other claims

        // Set claims identity
        context.SetTicket(new AuthenticationTicket(identity, new AuthenticationProperties()));
    }
}

If I set a breakpoint at the end of ReceiveAsync, I can verify that the identity is built correctly (has claims) and that SetTicket is reached.

But when I try to access the identity from a Web API controller:

public abstract class BaseStorageController : ApiController
{
    protected IStorageService StorageService;

    protected BaseStorageController(IStorageServiceFactory storageServiceFactory)
    {
        // User.Identity is read here, in the constructor
        StorageService = storageServiceFactory.CreateStorageService(User.Identity as ClaimsIdentity);
    }
}


... the list of claims on the identity is empty!

What can be causing this?

Side note: I don't know if this is related, but I am using Castle Windsor as an IOC container to inject dependencies into my controllers (in the above case, IStorageServiceFactory). The above seemed to work (claims were not empty) before I added that. However, I'm not using CW to manage anything related to authentication. Here is my CW installer for api controllers:

public class ApiControllerInstaller : IWindsorInstaller
{
    public void Install(IWindsorContainer container, IConfigurationStore store)
    {
        // (installer body not included in the post)
    }
}

I found the answer. It was not related to dependency injection/inversion of control. I'm not sure how I thought it was working prior to adding that.

The issue is similar to what is described here (but in my case the solution is different): User (IPrincipal) not avaliable on ApiController's constructor using Web Api 2.1 and Owin

Basically IPrincipal is not accessible from the constructor of the api controller, which is why there are no claims (the user is not yet authenticated). User.Identity is only accessible from the controller's actions, not the constructor. I changed my base controller implementation to the following to get around this issue:

public abstract class BaseStorageController : ApiController
{
    private readonly IStorageServiceFactory _storageServiceFactory;
    private IStorageService _storageService;

    protected BaseStorageController(IStorageServiceFactory storageServiceFactory)
    {
        _storageServiceFactory = storageServiceFactory;
    }

    // Resolved lazily: User.Identity is populated by the time an action runs
    protected IStorageService StorageService
    {
        get
        {
            if (_storageService == null)
            {
                _storageService = _storageServiceFactory.CreateStorageService(User.Identity as ClaimsIdentity);
            }
            return _storageService;
        }
    }
}

Since StorageService is only accessed from controller actions, User.Identity is authenticated and has claims populated by the time that the StorageService getter gets called.

Hope this helps someone!
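The same lazy-resolution pattern, extended so the factory is never handed an unauthenticated or claim-less identity. This is an added example, not the poster's code; `IStorageServiceFactory` and `IStorageService` are the interfaces named in the post and their definitions are assumed, and `ListFiles()` is a hypothetical method used only to show an action consuming the service.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Security.Claims;
using System.Threading;
using System.Web.Http;

// IStorageServiceFactory / IStorageService are the interfaces named in the post;
// their definitions are assumed here.
public abstract class SafeStorageControllerBase : ApiController
{
    private readonly IStorageServiceFactory _storageServiceFactory;
    private readonly Lazy<IStorageService> _storageService;

    protected SafeStorageControllerBase(IStorageServiceFactory storageServiceFactory)
    {
        if (storageServiceFactory == null) throw new ArgumentNullException("storageServiceFactory");
        _storageServiceFactory = storageServiceFactory;
        // Deferred: the factory runs on first access from an action, never in the
        // constructor, where User is still the anonymous principal. Controllers are
        // created per request, so no cross-thread synchronisation is needed.
        _storageService = new Lazy<IStorageService>(CreateStorageService, LazyThreadSafetyMode.None);
    }

    protected IStorageService StorageService
    {
        get { return _storageService.Value; }
    }

    // Returns the authenticated ClaimsIdentity or fails the request with 401.
    // Checking IsAuthenticated and the NameIdentifier claim prevents silently
    // building a storage service around an empty identity.
    protected ClaimsIdentity RequireClaimsIdentity()
    {
        var identity = User == null ? null : User.Identity as ClaimsIdentity;
        if (identity == null || !identity.IsAuthenticated)
        {
            throw new HttpResponseException(
                Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Bearer token missing or invalid."));
        }
        if (identity.FindFirst(ClaimTypes.NameIdentifier) == null)
        {
            throw new HttpResponseException(
                Request.CreateErrorResponse(HttpStatusCode.Unauthorized, "Token carries no NameIdentifier claim."));
        }
        return identity;
    }

    private IStorageService CreateStorageService()
    {
        return _storageServiceFactory.CreateStorageService(RequireClaimsIdentity());
    }
}

// Example derived controller: the identity is resolved only when the action runs.
public class FilesController : SafeStorageControllerBase
{
    public FilesController(IStorageServiceFactory factory) : base(factory) { }

    [Authorize]
    public IHttpActionResult Get()
    {
        // ListFiles() is a hypothetical method on IStorageService, assumed for illustration.
        return Ok(StorageService.ListFiles());
    }
}
```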
