Web API and Identity authentication and authorization RRS feed

  • Question

  • Hi, I am trying to create a simple Web API with a controller based on a single model class and authorize the controller's actions through Identity's "roles" stored in a database.

    I've added AddIdentity in the Startup.cs, created two user roles and tried to authorize an action so that it can be specifically accessed by users with one of the two roles. However, no matter what I try to use to test it, my request doesn't even enter the the specified action (presumably because I am trying to enter the action "anonymously"). So far I tried using Postman and Swagger UI, neither of which provided me with a proper response.

    The action that I am trying to access would be this one:

            // GET api/media
            [Authorize(Roles = "Member")]
            public IEnumerable<Media> Get()
                return _mediaData.Get();

    Here's how I added Identity support in the Startup.cs class:

    services.AddIdentity<User, Role>(config => { config.SignIn.RequireConfirmedEmail = false; })

    What I expected was a JSON object, but as a result Swagger provides me with an error which states that it was expected for me to login, but I am not sure how I can do that. I suppose I need to learn more stuff regarding the SignIn and UserManager, but I have no idea how I would "login and open a session" (that's what I assume would solve the problem) and I've been unable to find any resource explaining how to do it, much less how get the result via Postman or Swagger UI.

    I presume that I need to create a controller that will work with accounts (login, register, logout) and that I need to login to the API first and then access the action, but I can't think of a way to do it. The above code was enough when I put it directly in a .NET Core MVC app, but not when I make a Web API which I try to access via Postman, Swagger or a WinForms application (using Flurl or anything else).

    Tuesday, May 14, 2019 5:11 PM

All replies

  • WebAPI is a MVC based solution so that you can have Views and controllers that can be controllers and views in the solution using Identity authorization. 


    But for a standalone WebAPI, it may not be applicable  and token base security may need to be applied.

    Anyway, WebAPI can be discussed at the ASP.NET forums.


    • Edited by DA924x Tuesday, May 14, 2019 7:36 PM
    Tuesday, May 14, 2019 5:45 PM
  • Hi MarkCallaway,

    Thank you for posting here.

    Since this thread is related to Web API, you could post in the following forum.


    The Visual C# forum discusses and asks questions about the C# programming language, IDE, libraries, samples, and tools.

    Best Regards,


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Wednesday, May 15, 2019 1:18 AM