I have a local api that is making a secondary request to an external api for authentication purposes. Before the local api does its work, it is forwarding the request headers (which should include XHR authentication headers) to the authentication api via WebRequest. If the request doesn't fail (401 unauthorized), then the local api carries out its work. If the secondary request does throw, then I return unauthorized. This is all working --- Except when I make an uncredentialed request via my local api, the browser prompts me with the native Windows username/password login popup. If I make the same uncredentialed request directly against the secondary api rather than going through my local api, the request simply fails and I never get prompted. I want my local api to exhibit this same behavior:
I've tried playing with request.PreAuthenticate and request.Credentials, but no values that I've tried seem to keep the popup from showing up.
// Create the authorization request object
string authUrl = @"https://auth-service-url.com/api/";
HttpWebRequest request = (HttpWebRequest)WebRequest.Create(authUrl);
// Relay any params from this request onto the outgoing authorization request
CopyHttpParameters(request);
// Retrieve the response
try
{
    // Dispose the response so the underlying connection is released
    using (WebResponse response = request.GetResponse())
    {
        // If GetResponse doesn't throw, then the user is authorized
        return Request.CreateResponse(HttpStatusCode.OK);
    }
}
catch (Exception)
{
    // If GetResponse throws, then the user is unauthorized
    return Request.CreateResponse(HttpStatusCode.Unauthorized);
}
The CopyHttpParameters method above (based on this answer) is not included, but it works. An incoming request with embedded XHR credentials succeeds as expected. It's the uncredentialed requests that are the problem, so for our purposes the CopyHttpParameters function call could be removed altogether. What I want is for the following try block to simply fail, without prompting the user to log in. This is how the authUrl service above behaves when I hit it directly from the browser. How can I get this behavior when I make an uncredentialed WebRequest call?
The problem seems to be here:
return Request.CreateResponse(HttpStatusCode.Unauthorized);
This combined with windowsAuthentication in my applicationhost.config appears to be triggering the popup.
Adding the following to my Web.config seems to suppress the popup:
<location path="api">
  <system.webServer>
    <security>
      <authentication>
        <windowsAuthentication enabled="false" />
      </authentication>
    </security>
  </system.webServer>
</location>
The location block may not be necessary, but I didn't want to override the site-wide defaults just in case. This ensures that Windows authentication gets turned off just for my api route.
Now when I return Unauthorized, the request simply fails as expected.
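A browser shows its native login dialog when a 401 response carries a WWW-Authenticate challenge, and IIS Windows authentication adds Negotiate and NTLM challenges to 401 responses by default. The following check is an added example, not code from the original question or answer: it reports which prompting challenges a 401 offers, using constructed sample headers plus an optional live probe of a URL you pass in (the class and method names are hypothetical).

```csharp
using System;
using System.Linq;
using System.Net;

static class ChallengeProbe
{
    // Schemes that make a browser open its native credential dialog when a 401 offers them.
    static readonly string[] Prompting = { "Negotiate", "NTLM", "Basic", "Digest" };

    // Returns the prompting schemes among a response's WWW-Authenticate values.
    public static string[] PromptingSchemes(HttpStatusCode status, string[] wwwAuthenticate)
    {
        if (status != HttpStatusCode.Unauthorized || wwwAuthenticate == null)
            return new string[0];
        return wwwAuthenticate
            .Select(v => v.Trim().Split(' ')[0])   // the scheme is the first token
            .Where(s => Prompting.Contains(s, StringComparer.OrdinalIgnoreCase))
            .ToArray();
    }

    // Sends one request with no credentials and inspects the challenge headers.
    public static string[] Probe(string url)
    {
        var request = (HttpWebRequest)WebRequest.Create(url);
        request.UseDefaultCredentials = false;     // never answer a challenge ourselves
        try
        {
            using (var ok = (HttpWebResponse)request.GetResponse())
                return PromptingSchemes(ok.StatusCode, null);
        }
        catch (WebException ex) when (ex.Response is HttpWebResponse)
        {
            using (var denied = (HttpWebResponse)ex.Response)
                return PromptingSchemes(denied.StatusCode,
                                        denied.Headers.GetValues("WWW-Authenticate"));
        }
    }

    static void Main(string[] args)
    {
        // Constructed samples: a 401 with IIS Windows authentication on, then off.
        var before = PromptingSchemes(HttpStatusCode.Unauthorized, new[] { "Negotiate", "NTLM" });
        var after = PromptingSchemes(HttpStatusCode.Unauthorized, null);
        Console.WriteLine("before: " + string.Join(",", before));
        Console.WriteLine("after:  " + string.Join(",", after));
        if (args.Length == 1)                      // optional live check of your own api route
            Console.WriteLine("live:   " + string.Join(",", Probe(args[0])));
    }
}
```

With Windows authentication disabled for the api path, IIS no longer authenticates requests to that route, so the forwarded check against the authentication service is the only gate in front of it.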