
0 Votes
Stesvis-5434 asked Stesvis-5434 commented

Authenticate user on website using an API access token

Hello,

I have a common scenario. A user is logged in to the MVC Web API using a mobile app (so the user has a valid access token) and therefore can consume any protected API endpoint with that token.

Some functionality is only available on the website, so the mobile app just redirects the user to the proper page on the website.

The website however redirects back to the login page because it uses Cookie authentication.

app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    ExpireTimeSpan = TimeSpan.FromDays(30),
    AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
    LoginPath = new PathString("/Account/Login"),
    Provider = new CookieAuthenticationProvider
    {
        // Enables the application to validate the security stamp when the user logs in.
        // This is a security feature which is used when you change a password or add an
        // external login to your account.
        OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
            validateInterval: TimeSpan.Zero,
            regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager)),
    },
});


Is it possible to skip the login page since I have a valid token?
How can I implement it so that the token is passed in the URL or as a payload and the website can take that token and automatically log in the user and load the page directly?

dotnet-aspnet-mvc

Hi @Stesvis-5434 ,

What's the type of your project? ASP.NET Core? If your project is ASP.NET Core, what's your version? Do you want to use cookie authentication with JWT?

0 Votes 0 ·

It's Entity Framework MVC 5, the access token is not JWT.

0 Votes 0 ·

1 Answer

0 Votes
Bruce-SqlWork answered Stesvis-5434 commented

You don't explain how the mobile calls the website.

The website can support both bearer token and cookie tokens, by defining multiple authentication schemes.

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/limitingidentitybyscheme?view=aspnetcore-5.0


Hi @Bruce-SqlWork this is good old MVC, not Core.
I am not sure the way the mobile app calls the website matters too much, however, it is done in Xamarin Forms + Xamarin Essentials, so the code is like this:

await Browser.OpenAsync("https://mywebsite.com/my_private_route");


I also need to do the same from another React website. What matters is that I have an access_token and I am wondering if there is a way to make a call to https://mywebsite.com/my_private_route?token=[access_token] and then implement something in the MVC website to recognize that token and set my cookies to make it look like I am effectively logged in.

1 Vote 1 ·
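
An added example, not code from this thread or from Microsoft: one way to do the handoff in MVC 5 so that the bearer token itself never appears in a URL (where it would end up in browser history, server logs and Referer headers). The client POSTs the token once and receives a single-use code valid for 60 seconds, and only that code goes into the link the browser opens. Assumptions: the controller and action names are hypothetical, the token was issued by the OWIN OAuth server in the same application, and its options are exposed as Startup.OAuthOptions as in the project templates.

```csharp
using System;
using System.Runtime.Caching;
using System.Security.Cryptography;
using System.Threading.Tasks;
using System.Web;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.Owin;
using Microsoft.Owin.Security;

public class HandoffController : Controller   // hypothetical name
{
    // In-memory store: fine for one server, a web farm needs a shared store.
    private static readonly MemoryCache Codes = new MemoryCache("handoff");

    // Step 1: the app POSTs its access token in the request body, gets a one-time code.
    [HttpPost, AllowAnonymous]
    public ActionResult Start(string accessToken)
    {
        // Assumption: Startup.OAuthOptions belongs to the OWIN OAuth server that issued the token.
        AuthenticationTicket ticket = string.IsNullOrEmpty(accessToken) ? null
            : Startup.OAuthOptions.AccessTokenFormat.Unprotect(accessToken);
        if (ticket == null || !ticket.Identity.IsAuthenticated ||
            ticket.Properties.ExpiresUtc < DateTimeOffset.UtcNow)
            return new HttpStatusCodeResult(401);

        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string code = HttpServerUtility.UrlTokenEncode(bytes);
        Codes.Set(code, ticket.Identity.GetUserId(), DateTimeOffset.UtcNow.AddSeconds(60));
        return Json(new { code });
    }

    // Step 2: the browser opens /Handoff/Redeem?code=...&returnUrl=/my_private_route
    [HttpGet, AllowAnonymous]
    public async Task<ActionResult> Redeem(string code, string returnUrl)
    {
        // Remove() returns the entry and deletes it, so each code works only once.
        var userId = code == null ? null : Codes.Remove(code) as string;
        if (userId == null) return RedirectToAction("Login", "Account");
        var owin = HttpContext.GetOwinContext();
        var users = owin.GetUserManager<ApplicationUserManager>();
        ApplicationUser user = await users.FindByIdAsync(userId);
        if (user == null) return RedirectToAction("Login", "Account");
        // Same cookie identity the normal login creates, including the security stamp claim.
        var identity = await users.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
        owin.Authentication.SignIn(new AuthenticationProperties { IsPersistent = false }, identity);
        // Only follow local return URLs so the link cannot be used as an open redirect.
        return Redirect(Url.IsLocalUrl(returnUrl) ? returnUrl : "/");
    }
}
```

From Xamarin the app would call Start over HTTPS first and then pass the Redeem URL to Browser.OpenAsync; a React site calling Start cross-origin additionally needs CORS enabled for that action.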