Best approach for API Auth without losing the default calls


I’m having some issues on getting the best way to do two authentications on the same API and I’ll prefer to ask here what are you guys doing for

  • using the [Authenticate] flag, authenticate the API Calls (table ServiceUsers)
  • as this is a service that has users and they can login and register under a Company Guid (multi-tenant app) I want to have the default auth/register/oauth/oauth2 behavior

In simple words, the table ServiceUsers has a simple username/password for API calls authentication, and, as this is a multi-tenant based web application, each tenant is actually a Company, and all API calls need to have, without exception, a CompanyId

My thoughts so far:

create a custom ApplicationAuthSession that contains only one property public Guid CompanyId {get;set;} and a ApplicationAuthProvider that overrides Authenticate and TryAuthenticate

In the Authenticate override, verify if there’s a X-MyAppToken header, if exists, authenticate using the ServiceUsers table…

The CompanyId then, for each API Call, should be automatically pupulate from a X-MyAppCompany header …

but I can’t get this to work right :frowning:

code example:

Can anyone share some light on this issue? What would be the best approach on this?

I’m not clear on what the actual issue you’re running into is, but 1 thing that stands out is if you’re inheriting from AuthUserSession (whch as it’s a [DataContract]) you should also annotate each property with a [DataMember] attribute so they’re serializable, e.g:

public class MyApplicationAuthSession : AuthUserSession
    public Guid CompanyId { get; set; }

For the rest, if you can break down your problem into specific tasks you’re trying to do and focus on what’s not working correctly, it will be easier for others to identify what the issue might be.