Setup of Mixed-Authentication WebApi
Hi all!
I was asked at work to start a new WebApi project, where authentication should work in "two layers":
- 1° Software authentication [done by cookie]: where the client tells us which software is trying to contact us
- 2° User authentication [WindowsAuth / Negotiate]: where the client tells us who the user trying to contact us is
Authentication Flow:
- Client authenticates itself (so our WebApi checks if the credentials given match the ones in a specific table)
- User authenticates itself through an authenticated client (so with the claim generated by Negotiate we get the domain user and we check if the user is present/enabled in another table)
I started the project by creating several authorization policies, each one applying a specific authentication scheme, but I had problems when setting the defaultScheme.
Second question, what's the difference between Policies and Filters?
Third question, am I following the optimal path?
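One way to wire the two layers described in the post, added here as an example and not the poster's code: the cookie scheme is the default, and each policy names the scheme(s) it evaluates, so the Negotiate handshake only runs for endpoints that need the user layer. It assumes ASP.NET Core on Kestrel with the Microsoft.AspNetCore.Authentication.Negotiate package (under IIS with Windows auth enabled the scheme would be IISDefaults instead), and the two "tables" are constructed stand-ins.

```csharp
using System.Security.Claims;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.Negotiate;
const string Cookie = CookieAuthenticationDefaults.AuthenticationScheme;
// Constructed stand-ins for the two tables in the post (hypothetical values). A real table
// stores a hash of the secret, and the lookups belong in an IAuthorizationHandler with DI.
var clients = new Dictionary<string, string> { ["inventory-app"] = "example-secret" };
var enabledUsers = new HashSet<string>(StringComparer.OrdinalIgnoreCase) { @"CORP\alice" };
var builder = WebApplication.CreateBuilder(args);
// Cookie is the default scheme, so a request with no cookie is a plain 401 from the
// cookie handler; Negotiate only runs for policies that name it explicitly.
builder.Services.AddAuthentication(Cookie)
    .AddCookie(o =>
    {
        o.Cookie.SecurePolicy = CookieSecurePolicy.Always;
        // An API should answer 401, not redirect to a login page.
        o.Events.OnRedirectToLogin = c => { c.Response.StatusCode = 401; return Task.CompletedTask; };
    })
    .AddNegotiate();
builder.Services.AddAuthorization(o =>
{
    // Layer 1: only the software cookie is evaluated.
    o.AddPolicy("ClientOnly", p => p.AddAuthenticationSchemes(Cookie).RequireClaim("client_id"));
    // Layer 2: both schemes run and their identities are merged into one principal,
    // so require the cookie claim AND an enabled Windows user from the other identity.
    o.AddPolicy("ClientAndUser", p => p
        .AddAuthenticationSchemes(Cookie, NegotiateDefaults.AuthenticationScheme)
        .RequireClaim("client_id")
        .RequireAssertion(ctx =>
        {
            var win = ctx.User.Identities.FirstOrDefault(i => i.IsAuthenticated && i.AuthenticationType != Cookie);
            return win?.Name is string name && enabledUsers.Contains(name);
        }));
});
var app = builder.Build();
app.UseAuthentication();
app.UseAuthorization();
// Layer 1 sign-in: validate the software credentials (sent in the body) and issue the cookie.
app.MapPost("/client/login", async (HttpContext http, ClientLogin login) =>
{
    if (!clients.TryGetValue(login.ClientId, out var expected) || expected != login.Secret) return Results.Unauthorized();
    var id = new ClaimsIdentity(new[] { new Claim("client_id", login.ClientId) }, Cookie);
    await http.SignInAsync(Cookie, new ClaimsPrincipal(id));
    return Results.Ok();
});
app.MapGet("/software-only", () => "client ok").RequireAuthorization("ClientOnly");
app.MapGet("/user-data", () => "client and user ok").RequireAuthorization("ClientAndUser");
app.Run();
record ClientLogin(string ClientId, string Secret);
```

A request to /user-data without the software cookie fails the client_id requirement before the Windows identity is even considered, which is the ordering the post's flow asks for.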