WebApi + MembershipProvider + Postman


CMS 11

Is there a way of using Postman with any authentication, to call an webapi directly and authenticate to SqlServerMembershipProvider (a user in db)

    [System.Web.Http.Authorize(Roles = "CmsAdmins")]
    public class MyApiController : ApiController

I do get unauthorized when using basic authentication in postman

Is it possible?

Sep 07, 2022 12:56

Mr Gosso, are you trying to authenticate first and then call your webapi controller? Or are you trying to do it all in one request?

Sep 08, 2022 20:26

yes, same in one request.... or what possibilities do I have?

Sep 10, 2022 14:40

You could do the following in conjunction with Postman and cookie authentication:

  • As part of your webapi collection create a SignIn method. Use the ApplicationSignInManager to log in your user.
  • This will create an authentication cookie add it to the response
  • In postman take the cookie from the response and store it in a global (or collection) variable.
  • In your next request to web api that requires you to be authenticated and authorized as a 'cmsadmin', add the stored cookie to your request and execute.
  • You should find your webapi method now executes under your logged in user.

This is two calls...but if you wanted one call....maybe you could create a custom authorization attribute?

Sep 11, 2022 11:32

A custom authorize attibute will be your best bet, this will enable authentication either via Postman or programmatically in one request.

Example code I've used in the past to implement WebAPI basic authentication, the Role is hardcoded as I used it purely for authentication purposes but you can pass the role as a parameter to the attribute

public class ApiBasicAuthenticationAttribute : AuthorizationFilterAttribute
		private UserService _userService;

		public override void OnAuthorization(System.Web.Http.Controllers.HttpActionContext actionContext)
			if (actionContext.Request.Headers.Authorization == null)
				actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);
				//Retrieve username and password from header
				var authenticationHeader = actionContext.Request.Headers.Authorization.Parameter;
				var decodedHeader = Encoding.UTF8.GetString(Convert.FromBase64String(authenticationHeader));
				var credentials = decodedHeader.Split(':');
				_userService = ServiceLocator.Current.GetInstance<UserService>();

				var isAuthorised = Task.Run(() => _userService.ValidateUserAndRole(credentials[0], credentials[1], "ApiClients")).Result;

				if (!isAuthorised)
					actionContext.Response = actionContext.Request.CreateResponse(HttpStatusCode.Unauthorized);


The UserService method is just a wrapper for the ApplicationUserManager

public async Task<bool> ValidateUserAndRole(string username, string password, string role)
			var user = await _userManager.FindAsync(username, password);

			var isAuthorised = user != null && await _userManager.IsInRoleAsync(user.Id, role);

			return isAuthorised;
Sep 21, 2022 7:16
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.