Last post Mar 10, 2017 04:04 PM by bruce (sqlwork.com)
Mar 09, 2017 03:52 PM|WhiteKarma
We have developed an ASP.NET MVC CORE 1.1 application with the default authentication scheme. We are also using a claims-based structure for profile differentiation to allow / prevent access to some information on some views. Now some of the views will be shown on an outside website based on Joomla / PHP that has to authenticate to allow POST and GET actions on some controllers.
I have not been able to authenticate from the Joomla PHP website using basic HTTP authorization first with a header containing a valid user and pass base64 encoded. I also tried to extract the token authentication cookie and the request verification hidden field token to post on the /Account/Login form with valid information to get legitimate access to our application. I've lost too much time with this and I am looking for a solution to get legitimate access to the application from outside. We are using Kestrel as a webserver. Can you please advise and present an example on how to do this?
Thanks in advance
Mar 09, 2017 04:06 PM|Dmitry Sikorsky
saves the cookies and then sends them with every request.
So. If you want to process GET or POST requests from another website to the restricted pages of your website, another website needs to "login" first - to get the cookies and save them. But this is a bit strange behavior. I would suggest considering using some API or token. For example, you may add some action that will receive username and password, check them and send the auth token. Then you may use that token on the Joomla website and pass it with every request to the API.
Mar 09, 2017 07:56 PM|WhiteKarma
Thank you Dmitry,
Can that be done with ASP.NET MVC CORE or do I have to add another layer with WebAPI to issue the token?
Mar 10, 2017 04:04 PM|bruce (sqlwork.com)
asp.net core does not come with support for basic authentication, you need to supply your own middleware. with basic authentication, you never use a login page, as the authorization header is included with each request. just return a 401 if header missing or invalid. here is a sample implementation:
I've never used it but it looks pretty straightforward. you add the middleware and supply a username/password validation routine.
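
The middleware approach described in the last reply, as an added example that is not part of the thread and is not the sample the reply links to. `BasicAuthMiddleware` and the `validate` delegate are hypothetical names; the delegate stands in for whatever username/password check the application supplies.

```csharp
using System;
using System.Security.Claims;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Hypothetical middleware (added example). The validate delegate is an assumed
// hook: a caller-supplied routine that checks credentials against the user store.
public class BasicAuthMiddleware
{
    private readonly RequestDelegate _next;
    private readonly Func<string, string, Task<bool>> _validate;

    public BasicAuthMiddleware(RequestDelegate next, Func<string, string, Task<bool>> validate)
    {
        _next = next;
        _validate = validate;
    }

    public async Task Invoke(HttpContext context)
    {
        string user, pass;
        if (TryReadCredentials(context.Request.Headers["Authorization"], out user, out pass)
            && await _validate(user, pass))
        {
            // Expose the caller as an authenticated principal to later middleware and MVC.
            var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, user) }, "Basic");
            context.User = new ClaimsPrincipal(identity);
            await _next(context);
            return;
        }
        // Header missing or invalid: answer 401 with a challenge, no login-page redirect.
        context.Response.StatusCode = 401;
        context.Response.Headers["WWW-Authenticate"] = "Basic realm=\"api\"";
    }

    // Parses "Basic base64(user:password)"; returns false on any malformed input.
    private static bool TryReadCredentials(string header, out string user, out string pass)
    {
        user = pass = null;
        if (header == null || !header.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
            return false;
        try
        {
            var decoded = Encoding.UTF8.GetString(Convert.FromBase64String(header.Substring(6).Trim()));
            var colon = decoded.IndexOf(':');   // split on the first ':'; the password may contain more
            if (colon <= 0) return false;       // no separator or empty username
            user = decoded.Substring(0, colon);
            pass = decoded.Substring(colon + 1);
            return true;
        }
        catch (FormatException) { return false; } // not valid base64
    }
}
```

Register it ahead of MVC, for example with `app.UseMiddleware<BasicAuthMiddleware>(validate)` before `app.UseMvc()`. The header is only base64-encoded and travels with every request, so the endpoint should be served over HTTPS.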