Web Connection
Multiple authentication methods in the same app
  Carl Chambers
  All
  Apr 2, 2018 @ 11:46am

What I have read so far indicates that you cannot have both Windows Authentication and Basic Authentication enabled at the same time.

In my case, I employ WWWC Custom Authentication for browser users but I also have a web service to provide JSON data where I would like to use Basic Authentication (currently, I'm using a custom authorization header). Further, my Admin tasks are secured by Windows Authentication and my site is on a shared host.

For example, Twilio provides a user/password login as well as Basic Authentication using different credentials for API calls.

What would I need to do with my app to have something similar?

re: Multiple authentication methods in the same app
  Rick Strahl
  Carl Chambers
  Apr 2, 2018 @ 12:52pm

You can have both. In fact Web Connection enables both and the admin interface security works with either...

In general I would advise against using Windows (Basic also is 'Windows' security because it also authenticates against Windows accounts) security inside of an application. The main reason we use Windows/Basic is that there's no setup required.

FWIW, even with the auth interface you could use ASP.NET Forms authentication as well, but that's a bit more work to set up and requires configuration whereas Windows/Basic just works which is why I use it in the Module admin bits.

+++ Rick ---

re: Multiple authentication methods in the same app
  Carl Chambers
  Rick Strahl
  Apr 2, 2018 @ 02:02pm

Thanks Rick,

As I suspected, I misunderstood Basic Authentication.
Since I don't have control of the server, it looks like Basic Authentication is not an option since a Windows account would need to be created for each client.
That being the case, I might as well stick with a custom Authorization header for my JSON web service.

Do I have that right?

re: Multiple authentication methods in the same app
  Rick Strahl
  Carl Chambers
  Apr 2, 2018 @ 02:21pm

Basic Authentication is not an option since a Windows account would need to be created for each client

That's not really accurate. If you enable Basic Auth in IIS you are enabling Basic Authentication tied to specific Windows User Accounts. If you turn off Basic Auth, your application is still free to implement Basic Auth any way you want. It's really easy to implement Basic Auth yourself - it's just a challenge (401 - Not Authorized) to request authentication and check uid/pwd to ensure you're logged in.

Since Basic Auth passes uid/pwd it's easy to build custom Basic Auth functionality, but I would recommend not doing so because it's very insecure: uid/pwd are sent on each request even after auth. Basic Auth uses the uid/pwd as a sort of auth token that's unencrypted (well, base64 encoded).

For WWWC - the right choice is wwUserSecurity based authentication, which lets you implement your own custom logic on top of the base Session tracked authentication.

+++ Rick ---
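The do-it-yourself Basic Auth flow described in the reply above (IIS Basic Auth turned off, the app inspects the Authorization header itself and answers 401 with a challenge when it is missing or wrong), as an added example. This is not code from the thread or from Web Connection; it is plain Python so the HTTP mechanics stand on their own, and the credential store `USERS` and the realm string are made up for the example.

```python
from __future__ import annotations

import base64
import binascii
import hmac
from typing import Optional

# Constructed credential store for the example only. A real service would hold
# salted password hashes rather than plaintext; this is enough to show the flow.
USERS = {"apiclient": "s3cret-pass"}

REALM = "JSON data service"  # assumed realm name, shown in the browser prompt


def check_credentials(user: str, password: str) -> bool:
    """Constant-time comparison so a bad username and a bad password
    are rejected in the same amount of time."""
    expected = USERS.get(user)
    if expected is None:
        # Compare against a dummy so timing does not reveal which usernames exist.
        hmac.compare_digest(password.encode(), b"x" * 16)
        return False
    return hmac.compare_digest(password.encode(), expected.encode())


def parse_basic_auth(header: Optional[str]) -> Optional[tuple[str, str]]:
    """Return (user, password) from an 'Authorization: Basic <b64>' header,
    or None when the header is absent, uses another scheme, or is malformed."""
    if not header:
        return None
    scheme, _, payload = header.strip().partition(" ")
    if scheme.lower() != "basic" or not payload:
        return None
    try:
        raw = base64.b64decode(payload.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        decoded = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    # RFC 7617: the user-id may not contain ':' but the password may,
    # so split only on the first colon.
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    return user, password


def handle_request(headers: dict) -> tuple[int, dict, str]:
    """Application-level Basic Auth for one request.
    Returns (status, response headers, body)."""
    creds = parse_basic_auth(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        # The 401 plus WWW-Authenticate is the challenge that makes a browser
        # prompt for credentials and makes an API client retry with them.
        challenge = f'Basic realm="{REALM}", charset="UTF-8"'
        return 401, {"WWW-Authenticate": challenge}, "Unauthorized"
    user, _ = creds
    return 200, {"Content-Type": "application/json"}, f'{{"user": "{user}"}}'


def basic_header(user: str, password: str) -> str:
    """What a client sends. Base64 is encoding, not encryption: anyone who can
    read the request can read the password, so this only makes sense over HTTPS."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(handle_request({}))
    print(handle_request({"Authorization": basic_header("apiclient", "s3cret-pass")}))
```

Because the credentials ride on every request, the server-side check runs on every request too; there is no session to establish, which is both the appeal (nothing to set up) and the weakness the reply points out.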

re: Multiple authentication methods in the same app
  Carl Chambers
  Rick Strahl
  Apr 2, 2018 @ 04:19pm

For WWWC - the right choice is wwUserSecurity based authentication, which lets you implement your own custom logic on top of the base Session tracked authentication.

Right. That's what I'm doing for browser users.
But my app also provides a data service (not truly a REST service but I'll call it that for the sake of discussion) and I am currently using a custom Authorization header with a single unencrypted token over HTTPS. This service could be called by either another web site or a desktop app.

I was wondering if it's possible to replace the custom authorization header with a Basic Authorization header just for the purpose of having it look a bit more standardized in the eyes of developers who would be making requests to the service. But if the User ID / Password are tied to a Windows account or if a login prompt will be displayed, it's not an option.

re: Multiple authentication methods in the same app
  Rick Strahl
  Carl Chambers
  Apr 2, 2018 @ 06:30pm

Like I said you can implement Basic Authentication on your own. It's pretty simple if you really want to do that. Turn off Basic Auth in IIS and then handle auth requests in your app by looking for the Basic Auth header. If it's not there send a 401 Unauthorized to force the browser to authenticate.

But really at that point you're no better off than using a custom implementation. For APIs the typical approach is to connect to an open endpoint to login and get back a token, then use the token for subsequent requests. This solves both the need for a single point of authentication and the problem of passing credentials over the wire because only a limited lifetime token goes over the wire.

+++ Rick ---
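The token approach from the reply above (one open login endpoint that checks credentials and hands back a limited-lifetime token; every later request carries only the token), as an added example. Again this is not Web Connection code or anything posted in the thread; it is Python, and the `USERS` store, the 15-minute lifetime and the `Bearer` header name are assumptions chosen for the example.

```python
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL_SECONDS = 15 * 60  # assumed lifetime; bounds how long a leaked token is useful

# Constructed credential store for the example only (store salted hashes in practice).
USERS = {"apiclient": "s3cret-pass"}


@dataclass
class Session:
    user: str
    expires_at: float


class TokenService:
    """Login once with uid/pwd, receive a random token, present the token on
    every later request. The password crosses the wire exactly once."""

    def __init__(self, clock=time.time):
        self._clock = clock  # injectable so expiry can be exercised in a test
        self._sessions: dict[str, Session] = {}

    def login(self, user: str, password: str) -> Optional[str]:
        """The open endpoint: valid credentials yield a token, anything else None."""
        expected = USERS.get(user, "")
        # Constant-time compare; an unknown user compares against the empty string.
        if not expected or not hmac.compare_digest(password.encode(), expected.encode()):
            return None
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, not guessable
        self._sessions[token] = Session(user, self._clock() + TOKEN_TTL_SECONDS)
        return token

    def authenticate(self, authorization: Optional[str]) -> Optional[str]:
        """Map 'Authorization: Bearer <token>' to a user, or None if the token is
        missing, unknown, or past its lifetime."""
        if not authorization:
            return None
        scheme, _, token = authorization.strip().partition(" ")
        token = token.strip()
        if scheme.lower() != "bearer" or not token:
            return None
        session = self._sessions.get(token)
        if session is None:
            return None
        if self._clock() >= session.expires_at:
            self._sessions.pop(token, None)  # expired tokens are purged, never honoured
            return None
        return session.user

    def logout(self, token: str) -> None:
        self._sessions.pop(token, None)


def handle_data_request(svc: TokenService, headers: dict) -> tuple[int, dict, str]:
    """The data endpoint: only the token is checked here, never a password."""
    user = svc.authenticate(headers.get("Authorization"))
    if user is None:
        return 401, {"WWW-Authenticate": 'Bearer realm="JSON data service"'}, "Unauthorized"
    return 200, {"Content-Type": "application/json"}, f'{{"user": "{user}"}}'


if __name__ == "__main__":
    svc = TokenService()
    token = svc.login("apiclient", "s3cret-pass")
    print(handle_data_request(svc, {"Authorization": f"Bearer {token}"}))
    svc.logout(token)
    print(handle_data_request(svc, {"Authorization": f"Bearer {token}"}))
```

The token is an opaque random string looked up server-side, so it carries no credentials and can be revoked by deleting it; a desktop client or another web site calls the login endpoint once and then sends only the token, which is the single point of authentication the reply describes. As with Basic Auth, the token is still a bearer secret, so the transport has to be HTTPS.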

© 1996-2024