Show local login with ASP.NET Web API
MikeWasson Merge pull request #7 from AronVanAmmers/master
Logout from cookie-based authentication through .AspNet.Cookies too
Latest commit f480239 Oct 14, 2016

Secure a Web API with Individual Accounts and Local Login

This sample shows how to perform local login in ASP.NET Web API.

If you want to recreate this app from scratch, here are the steps that I followed.

  1. Create a new ASP.NET Web Application project. In the New Project dialog, select the Web API template.

  2. If the dialog does not list Individual User Accounts under Authentication, click Change Authentication. Then select Individual User Accounts.

  3. Add Knockout.js to the project, using NuGet. From the Tools menu, select NuGet Package Manager > Package Manager Console. In the console window, type the following command.

    Install-Package knockoutjs

    This adds the Knockout.js files to your Scripts folder.

  4. In App_Start/BundleConfig.cs, add a new script bundle.

     bundles.Add(new ScriptBundle("~/bundles/app").Include(

  5. Add the app.js file to the Scripts folder. The code in app.js defines a view model for Knockout.js. The view model data-binds to the HTML form controls in the app.

  6. Update Views/Home/Index.cshtml with the app UI. This file defines the MVC view for the home page.

  7. Enforce SSL.

    • Enable SSL for the project.

    • Add the RequireHttpsAttribute filter to the MVC pipeline.

        public static void RegisterGlobalFilters(GlobalFilterCollection filters)
        {
            filters.Add(new HandleErrorAttribute());
            // New code:
            filters.Add(new RequireHttpsAttribute());
        }

    • Add a custom RequireHttpsAttribute filter to the Web API pipeline. (See Working with SSL in Web API.)

        config.Filters.Add(new LocalAccountsApp.Filters.RequireHttpsAttribute());

    • Remove AllowInsecureHttp from OAuthOptions.

        OAuthOptions = new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/Token"),
            Provider = new ApplicationOAuthProvider(PublicClientId),
            AuthorizeEndpointPath = new PathString("/api/Account/ExternalLogin"),
            AccessTokenExpireTimeSpan = TimeSpan.FromDays(14)
            //AllowInsecureHttp = true
        };

  8. I replaced the ValuesController class with the following code, just to make the Web API responses more interesting.

     public class ValuesController : ApiController
     {
         // GET api/values
         public string Get()
         {
             var userName = this.RequestContext.Principal.Identity.Name;
             return String.Format("Hello, {0}.", userName);
         }
     }

    This code adds the user name to the response, which shows the request has a valid principal.
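
Step 7 registers a custom `LocalAccountsApp.Filters.RequireHttpsAttribute` with the Web API pipeline but does not show the filter itself. The following is an added example of one way to write it, not the sample project's own code; the class name and namespace come from the registration line above, and the body assumes the app terminates TLS itself (no TLS-offloading proxy in front of it).

```csharp
// Added example: one possible Web API HTTPS-only filter (not the sample's own source).
using System;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

namespace LocalAccountsApp.Filters
{
    // Authorization filter that refuses any Web API request not made over HTTPS.
    // It runs before the action, so a bearer token sent to api/values over
    // plain HTTP is never accepted as proof of identity.
    public class RequireHttpsAttribute : AuthorizationFilterAttribute
    {
        public override void OnAuthorization(HttpActionContext actionContext)
        {
            HttpRequestMessage request = actionContext.Request;

            // Assumption: TLS ends at this server, so the request URI scheme
            // reflects the transport the client actually used.
            if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            {
                // Reject instead of redirecting: API clients often replay the
                // Authorization header on redirect, and by this point the token
                // has already crossed the network in clear text.
                actionContext.Response = request.CreateErrorResponse(
                    HttpStatusCode.Forbidden, "HTTPS is required.");
                return;
            }

            base.OnAuthorization(actionContext);
        }
    }
}
```

This filter only covers Web API controllers. The `/Token` endpoint is served by the OAuth middleware, which is why step 7 also removes `AllowInsecureHttp` from `OAuthOptions`.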