Access a different webapi within the same site

Question

0.00/5 (No votes)

See more:

Hi,

In our product setup we have some separate webservices that are hosted as a single site.
The webservices come from separate .NET projects. This is so that all webservices can be maintained as separate products with separate release versions.

They are installed together within a single site as webapps underneath this site.

/site/webserviceA
/site/webserviceB

The problem we have is that sometimes webserviceA requires to call webserviceB.
But how do you do this? The /site requires the user to logon.

Next this we have hangfire that runs jobs in the background. This proces will run under the credentials of the application pool user. Which is not added to the group which is allowed to access the site.

There is an admin user. And we can select this from the membership provider, but how do we pass the credentials?

What I have tried:

Right now, we are just creating a temporary user with a generated password.
Logon with this user through a cookie aware webclient.
Do the call.
Delete the user.

This works, but it cannot be the right way to do this.

Posted 31-Jul-17 20:48pm

Sebastiaan Meijerink

Updated 1-Aug-17 22:49pm

Add a Solution

Comments

Thomas Nielsen - getCore 1-Aug-17 4:14am

Doesn't it work simply to put [authorize] on the services and use a path for routing and let .net handle the rest? It's perfectly standard to define services in libraries and just merely instantiate them, doesn't relate to anything but the identity is authorized and it will be if the user is logged in who do you need to explicitly handle the situation of the login as it relates to services, doesn't your users have access to use the service?

Sebastiaan Meijerink 1-Aug-17 4:18am

I need to call one webservice from another inside the C# code itself. Not from the client perspective.

Thomas Nielsen - getCore 1-Aug-17 5:37am

But you have a call chain with authenticated identity accessing your first service?
First service does run with [Authorize] attribute??

Sebastiaan Meijerink 1-Aug-17 5:49am

Not if it is running a background proces. Then there is no first service call

Thomas Nielsen - getCore 1-Aug-17 6:16am

ok, well if you're using webapi in the first case, you're already running asyncronously to your website so there really is no reason to use background services or tasks within the actual method call, if that means that you'll loose your identity is there? And if you do you can pass the identity information as state.
How your actual code looks or a mockup of it is essential to anybody inhere being able to help properly :) *hint*

David_Wimbley 1-Aug-17 13:04pm

If i understand your question right. You say you create a user, authenticate to web service B, make your call to web service B, then delete your user.

Why? That is the point of API's is that you have clients who authenticate to your API to utilize it.

Also, why not just combine your web services into one web service. Maybe you've tried to micro-anize your services to much now that its become an architectural issue.

In my web api setups, If i have to make a call from separate services, Service A to Service B, and both Service A & B require authentication, I implement auth bearer token authentication and then within whatever web api action in Service A that needs to call Service B, it just performs the auth request first, then the main request second. Also, prior to this I'd setup a user in Service B so that way I can use that user/pass to request a token from Service B when calling it from Service A.

Another option is you'd have an auth api that shares the machine code between services so that you can auth 1 time and that token will be acceptable for both services.

1 solution

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Thomas Nielsen - getCore · Accepted Answer · 2017-08-01T22:49:00

For what you're trying to do, connecting from one web service to another service without using passthrough authentication it seems you'll need to authenticate usage of that service in another way.

So there's always indigo or WCF as it came to be called. Windows Communication Foundation is the enterprise 'serious' way of binding together enterprise services. it supports a range of protocols and authentication methods, one is authenticatino by certificate and basically that gives you the option of creating your own X509 certificate and registering on both endpoints (service access points) and then essentially you bypass the user credentials aspect by using that machine authentication method.

Web api is essentially designed to service clients requesting http or https. WCF can use a range of protocols for instance net.tcp which is way faster in terms of not having the http bloating ... don't get me started on thisone :))

Anyway, to continue in your case that your web api host authenticates to your other service with a certificate is hightly secure, found this article i think will help you out and if not the web is overflowing with examples.

Nine simple steps to enable X.509 certificates on WCF[^]

There's also somebody doing this for web api requests and eventually succeeds, but i doubt that won't take a lot of extra work on your behalf to make happen, especially if you're using ajax c# - How to use a client certificate to authenticate and authorize in a Web API - Stack Overflow[^]