SPA authN + authZ

We are ripping out and replacing the authN and authZ implementation of our current SPA Angular ASP.NET MVC 5 web site.
We have a vanilla MVC5 web app, with a hosted ServiceStack API at /api. We only really use MVC to provide ASP.NET cookie authN and to do authZ for some HTML pages, that's it. Most of the actual app is in Angular in the browser.

Our initial design relied on ASP.NET cookies with OWIN, only because that was what MVC5 used by default.

To leverage the ASP.NET Identity and authN framework, we had to wrap a bunch of the Microsoft.AspNet.Identity.EntityFramework.IdentityUser and Microsoft.Owin.Security.IAuthenticationManager stuff that ultimately created ASP.NET cookies that we pass on to the browser.

To do authZ we had our own custom AuthZRequestAttribute that checked HttpContext.Current.User for the userName, userId, roles, etc., which are fetched from the IPrincipal of the running thread.

We also added AntiForgeryToken creation/validation between the Angular app and our services using custom RequestAttributes and ResponseAttributes.

Now we want to rip all that out and replace with ServiceStack AuthFeature.

Just wanted some affirmation on a direction to go.

This is what I think I need to do:

  • AuthN - we rip out entirely the ASP.NET cookies, OWIN AuthN, and replace with ServiceStack AuthFeature + AuthProvider + sessions, and rely on session cookies. The MVC controllers can access the session if
    needed.
  • AuthZ - we replace our custom AuthZRequestAttribute with
    ServiceStack's [Authenticate] and [RequiresAnyRole] attributes on our service DTOs.
  • CSRF - we keep our AntiForgeryToken implementation with its
    RequestAttribute and ResponseAttribute

Is that how this should go down with ServiceStack?

OK, from the examples in ServiceStack.Mvc, I can still use the [Authenticate] and [RequiresAnyRole] attributes on a Controller derived from ServiceStackController, which is good.
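Added example, not code from the post above or from the ServiceStack project, sketching the three bullets as one AppHost: AuthFeature with CredentialsAuthProvider and a cache-backed session replaces the OWIN cookie, [Authenticate]/[RequiresAnyRole] go on the request DTOs, and the same attributes work on an MVC controller derived from ServiceStackController. The framework types (AuthFeature, CredentialsAuthProvider, InMemoryAuthRepository, MemoryCacheClient, ServiceStackController) are ServiceStack's; the names AppUserSession, OrderService, GetOrders, ApproveOrder, AdminController, the /login redirect and the seeded user are assumptions made for the example.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using Funq;
using ServiceStack;
using ServiceStack.Auth;
using ServiceStack.Caching;
using ServiceStack.Mvc;

// Server-side session; the browser only ever receives the ss-id / ss-pid
// session cookies, never the identity itself (assumed name).
public class AppUserSession : AuthUserSession { }

public class AppHost : AppHostBase
{
    public AppHost() : base("SPA API", typeof(OrderService).Assembly) { }

    public override void Configure(Container container)
    {
        // Sessions are stored here; swap MemoryCacheClient for Redis/OrmLite
        // in production so sessions survive an app-pool recycle.
        container.Register<ICacheClient>(new MemoryCacheClient());

        // User store. InMemoryAuthRepository is an assumption for the demo;
        // OrmLiteAuthRepository would replace the old EF IdentityUser tables.
        var userRepo = new InMemoryAuthRepository();
        container.Register<IUserAuthRepository>(userRepo);
        container.Register<IAuthRepository>(userRepo);

        Plugins.Add(new AuthFeature(() => new AppUserSession(),
            new IAuthProvider[] { new CredentialsAuthProvider() })
        {
            // HTML requests that fail auth get redirected instead of a 401;
            // API (JSON) requests still get 401/403.
            HtmlRedirect = "/login"
        });

        // Constructed demo user with a role; password is hashed by the repo.
        userRepo.CreateUserAuth(new UserAuth
        {
            UserName = "alice",
            Email = "alice@example.com",
            Roles = new List<string> { "Manager" },
        }, "correct horse battery staple");
    }
}

// --- AuthZ on the DTOs: the attribute is evaluated before the service runs ---

[Route("/orders")]
[Authenticate]                          // any authenticated session
public class GetOrders : IReturn<List<string>> { }

[Route("/orders/{Id}/approve", "POST")]
[RequiresAnyRole("Manager", "Admin")]   // role check lives with the request, not the handler
public class ApproveOrder : IReturnVoid
{
    public int Id { get; set; }
}

public class OrderService : Service
{
    public object Get(GetOrders request)
    {
        // Same typed session the controller sees below.
        var session = SessionAs<AppUserSession>();
        return new List<string> { "order-for-" + session.UserAuthId };
    }

    public void Post(ApproveOrder request)
    {
        // Reached only for sessions holding Manager or Admin.
    }
}

// --- Same attributes on an MVC controller (ServiceStack.Mvc) ---

public class AdminController : ServiceStackController<AppUserSession>
{
    [Authenticate]
    [RequiresAnyRole("Manager", "Admin")]
    public ActionResult Index()
    {
        // UserSession is the typed ServiceStack session, no IPrincipal needed.
        ViewBag.UserName = UserSession.UserName;
        return View();
    }
}

// Global.asax.cs: new AppHost().Init(); plus the usual /api handler mapping.
```

Two things worth keeping in view with this layout: the session cookie is attached by the browser automatically, so the existing AntiForgeryToken filter is still needed on state-changing API calls exactly as before (ServiceStack's auth does not replace it), and the MVC controller check only runs for controllers that derive from ServiceStackController, so any leftover plain Controller with the old attribute would silently lose its protection.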