9

I have an MVC 5 application that uses Individual User Accounts as authentication.

I add a Web API 2 empty controller to my Controllers folder, and a POST action.

[Authorize]
public class AttendancesController : ApiController
{
    [HttpPost]
    public IHttpActionResult Attend([FromBody]int Id)
    {
        // ... (action body not shown in the question)
    }
}

I run the application, I log in, and then I use Postman or Fiddler to send a POST request. I always get a response with the login page of my application.

The [Authorize] attribute does not work on my API controller but will work on an MVC controller. Why?

2 Answers 2

4

WebApi and MVC filters aren't interchangeable.

See this post which explains how to create WebApi filters (albeit with IoC containers which you can ignore): https://damienbod.com/2014/01/04/web-api-2-using-actionfilterattribute-overrideactionfiltersattribute-and-ioc-injection/

In particular, this opening paragraph:

Important! Filters for Web API are not the same as filters for MVC. The Web API filters are found in the System.Web.Http.Filters namespace.

1 Comment

The System.Web.Http.Filters namespace contains the AuthorizationFilterAttribute class. But I think the OP needs an AuthorizeAttribute instance, which is defined in the System.Web.Http namespace.

2

If you have encountered this issue, be sure to verify that Startup.Auth has the app.UseOAuthBearerTokens call; sometimes you create the OAuthAuthorizationServerOptions but do not apply them:

Startup.Auth.cs

// Configure the application for OAuth based flow
PublicClientId = "self";
OAuthOptions = new OAuthAuthorizationServerOptions
{
    TokenEndpointPath = new PathString("/Token"),
    Provider = new OAuthServerProvider(PublicClientId),
    AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
    AccessTokenExpireTimeSpan = TimeSpan.FromDays(365),
    // In production mode set AllowInsecureHttp = false
    AllowInsecureHttp = true
};

// Enable the application to use bearer tokens to authenticate users
app.UseOAuthBearerTokens(OAuthOptions);

Then check your Web API routes configuration class; be sure that it calls SuppressDefaultHostAuthentication:

WebApiConfig.cs

public static void Register(HttpConfiguration config)
{
    // Web API configuration and services
    // Configure Web API to use only bearer token authentication.
    config.SuppressDefaultHostAuthentication();
    config.Filters.Add(new HostAuthenticationFilter(OAuthDefaults.AuthenticationType));

    // Web API routes
    config.MapHttpAttributeRoutes();

    config.Routes.MapHttpRoute(
        name: "DefaultController",
        routeTemplate: "api/{controller}/{action}",
        defaults: new { id = RouteParameter.Optional }
    );

    // Register Additional Filters
    config.Filters.Add(new WebApiPlatformFilters());
}
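A client-side check of the configuration discussed above, as an added example that is not part of the question or either answer: it calls the API without following redirects, so a login-page redirect from the cookie middleware is distinguishable from a real 401, then repeats the call with a bearer token. Assumptions: the base URL and credentials are placeholders, the URL /api/Attendances/Attend is derived from the route template in WebApiConfig.cs, and the custom OAuthServerProvider accepts the password grant at /Token.

```csharp
// Added example, not code from the page. BaseUrl and the credentials are placeholders.
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;

static class AuthorizeCheck
{
    const string BaseUrl = "https://localhost:44300";  // assumption: local dev site
    const string ApiPath = "/api/Attendances/Attend";  // from "api/{controller}/{action}"
    static async Task Main()
    {
        // Keep redirects visible: clients that follow them end up showing the login page.
        using var handler = new HttpClientHandler { AllowAutoRedirect = false };
        using var http = new HttpClient(handler) { BaseAddress = new Uri(BaseUrl) };

        // 1. No credentials: a bearer-only Web API pipeline should answer 401, not 302.
        Console.WriteLine(Describe(await http.PostAsync(ApiPath, JsonBody("1"))));

        // 2. Request a token (assumes the provider implements the password grant).
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = "user@example.test",
            ["password"] = "<password>"
        });
        var tokenResponse = await http.PostAsync("/Token", form);
        tokenResponse.EnsureSuccessStatusCode();
        using var json = JsonDocument.Parse(await tokenResponse.Content.ReadAsStringAsync());
        var token = json.RootElement.GetProperty("access_token").GetString();

        // 3. Same request with the bearer token: [Authorize] should now let it through.
        var request = new HttpRequestMessage(HttpMethod.Post, ApiPath) { Content = JsonBody("1") };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        Console.WriteLine(Describe(await http.SendAsync(request)));
    }
    // [FromBody]int binds from a bare JSON number in the request body.
    static StringContent JsonBody(string json) => new StringContent(json, Encoding.UTF8, "application/json");

    static string Describe(HttpResponseMessage r) => r.StatusCode switch
    {
        HttpStatusCode.Redirect => $"302 to {r.Headers.Location}: cookie middleware answered for the API",
        HttpStatusCode.Unauthorized => $"401, WWW-Authenticate: {r.Headers.WwwAuthenticate}",
        _ => $"{(int)r.StatusCode} {r.ReasonPhrase}"
    };
}
```

A 302 in step 1 means the Web API request is still being challenged by cookie authentication, which is what SuppressDefaultHostAuthentication and the HostAuthenticationFilter registration are there to prevent.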
