We are ripping and replacing our authN and authZ implementation of our current SPA angular ASP.NET MVC 5 web site.
We have a vanilla MVC5 web app, with a hosted ServiceStack API at /api. We only really use MVC to provide ASP.NET cookie authN, and do authZ for some HTML pages, that's it. Most of the actual app is in angular on the browser.
Our initial design relied on ASP.NET cookies with OWIN, only because that was what MVC5 used by default.
To leverage the ASP.NET identity and authN framework, we had to wrap a bunch of the Microsoft.Owin.Security.IAuthenticationManager stuff that ultimately created ASP.NET cookies that we pass on to the browser.
To do AuthZ we had our own custom AuthZRequestAttribute that checked the HttpContext.Current.User for the userName and userId, Roles etc, which are fetched from the IPrincipal of the running thread.
We also added AntiForgeryToken creation/validation between Angular App and our services using custom
Now we want to rip all that out and replace with ServiceStack AuthFeature.
Just wanted some affirmation on a direction to go.
This is what I think I need to do:
- AuthN - we rip out entirely the ASP.NET cookies, OWIN AuthN, and replace with ServiceStack AuthFeature + AuthProvider + sessions, and rely on session cookies. The MVC controllers can access the session if
- AuthZ - we replace our custom
[RequiresAnyRole] attribute on our services DTOs.
- CSRF - we keep our AntiForgeryToken implementation with its RequestAttribute and ResponseAttribute
Is that how this should go down with ServiceStack?
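As an added sketch of the direction described in the post (my own example, not code from the poster or from ServiceStack), showing AuthFeature with session cookies, role checks declared on the DTO, and an MVC controller reading the same session. It assumes a CredentialsAuthProvider, a hypothetical GetReport DTO with "Admin"/"Auditor" roles, and an in-memory auth repository that a real deployment would replace; the existing CSRF attributes are left as they are and are not shown.

```csharp
using System.Web.Mvc;
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Mvc;

// AuthFeature replaces the OWIN cookie middleware: the session lives server-side
// (in the registered ICacheClient) and the browser only holds the ss-id/ss-pid cookies.
public class AppHost : AppHostBase
{
    public AppHost() : base("Example API", typeof(ReportService).Assembly) { }

    public override void Configure(Container container)
    {
        // InMemoryAuthRepository is a stand-in; use a persistent IUserAuthRepository in production.
        container.Register<IUserAuthRepository>(new InMemoryAuthRepository());
        Plugins.Add(new AuthFeature(
            () => new AuthUserSession(),
            new IAuthProvider[] { new CredentialsAuthProvider() }));
    }
}

// AuthZ is declared on the request DTO; the role check runs before the service method.
[Route("/reports/{Id}")]              // served under the /api host path
[RequiresAnyRole("Admin", "Auditor")] // hypothetical roles for this example
public class GetReport : IReturn<string>
{
    public int Id { get; set; }
}

public class ReportService : Service
{
    public object Get(GetReport request)
    {
        var session = SessionAs<AuthUserSession>(); // resolved from the session cookie
        return session.UserName;                     // hypothetical report lookup omitted
    }
}

// MVC side: ServiceStackController exposes the same session to the HTML pages.
public class HomeController : ServiceStackController
{
    public ActionResult Index()
    {
        var session = SessionAs<AuthUserSession>();
        if (!session.IsAuthenticated) return Redirect("/login"); // hypothetical login page
        return View(session);
    }
}
```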