ASP.NET Core with optional authentication/authorization

滥情空心 2020-12-21 04:39

I want to build an ASP.NET Core based WebApi for accessing data from a database. This WebApi could be used in two ways, either as a public WebApi which would need authentica

2 answers
  • 2020-12-21 05:11

    If you bypass authentication, how do you distinguish internal from public requests to the API? This causes a security bug. So you shouldn't bypass authentication.

    If you use OpenID Connect authentication in the MVC application then you can set SaveTokens=true. It enables you to store the access token in the cookie. When you call the API in an MVC action you can send this access_token to the API.

    Another way is using two different authentication middlewares, one for internal and another for public access (this is hard to implement).

    I would go with first approach.

    Update

    To achieve your goal, a tricky way comes to my mind but I am not sure it is a good way:

    Create a filter provider:

    using System.Linq;
    using Microsoft.AspNetCore.Mvc.Authorization;
    using Microsoft.AspNetCore.Mvc.Filters;

    public class EncFilterProvider : IFilterProvider
    {
        // Runs after the default provider (Order 0 has already been applied) so the
        // authorize filters are present in context.Results when this provider executes
        public int Order
        {
            get
            {
                return -1500;
            }
        }

        public void OnProvidersExecuted(FilterProviderContext context)
        {
        }

        public void OnProvidersExecuting(FilterProviderContext context)
        {
            // remove authorize filters (only affects authorization applied as MVC filters)
            var authFilters = context.Results.Where(x =>
               x.Descriptor.Filter.GetType() == typeof(AuthorizeFilter)).ToList();
            foreach (var f in authFilters)
                context.Results.Remove(f);
        }
    }
    

    Then register it conditionally based on a config value:

    using Microsoft.AspNetCore.Mvc.Filters;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;

    public IConfiguration Configuration { get; }   // injected into Startup by the host

    public void ConfigureServices(IServiceCollection services)
    {
        // `==` rather than `=`: compare the configured mode, do not assign to it
        if (Configuration["servermode"] == "internal")
        {
            services.AddScoped<IFilterProvider, EncFilterProvider>();
        }
    }
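
    The first approach from this answer (SaveTokens=true, then forwarding the stored access token to the API from an MVC action) written out as an added example; it is not code from the answer above. The identity provider URL, client id, secret, scope "api1", the named HttpClient "DataApi", its base address and the route /api/items are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Authentication.OpenIdConnect;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.DependencyInjection;
public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddAuthentication(options =>
        {
            options.DefaultScheme = CookieAuthenticationDefaults.AuthenticationScheme;
            options.DefaultChallengeScheme = OpenIdConnectDefaults.AuthenticationScheme;
        })
        .AddCookie()
        .AddOpenIdConnect(options =>
        {
            options.Authority = "https://idp.example.test"; // placeholder identity provider
            options.ClientId = "mvc-client";                // placeholder client id
            options.ClientSecret = "<client-secret>";       // placeholder; load from configuration
            options.ResponseType = "code";
            options.Scope.Add("api1");                      // placeholder scope the Web API checks
            options.SaveTokens = true;                      // keep access/refresh tokens in the auth cookie
        });
        services.AddHttpClient("DataApi", c => c.BaseAddress = new Uri("https://api.example.test")); // placeholder API
        services.AddControllersWithViews();
    }
}
[Authorize]
public class ReportsController : Controller
{
    private readonly IHttpClientFactory _clients;
    public ReportsController(IHttpClientFactory clients) => _clients = clients;
    public async Task<IActionResult> Index()
    {
        // Token saved by SaveTokens = true; if absent, re-run the OpenID Connect challenge
        var accessToken = await HttpContext.GetTokenAsync("access_token");
        if (string.IsNullOrEmpty(accessToken)) return Challenge();
        var client = _clients.CreateClient("DataApi");
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var response = await client.GetAsync("/api/items"); // placeholder API route
        if (!response.IsSuccessStatusCode) return StatusCode((int)response.StatusCode);
        return Content(await response.Content.ReadAsStringAsync(), "application/json");
    }
}
```

    The Web API then validates the bearer token itself, so both the public route and the MVC front end go through the same authentication check.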
    
  • 2020-12-21 05:14

    I would recommend authenticating both applications: the web application and the Web API one. You will have everything secured. Skipping authentication is not a good idea. Simply create a user for your web application (in the Web API application) which will be used to authenticate when getting data from the Web API.
