Correct me if I'm not understanding something. I'm working with a fresh Web API application generated from a VS template.
- The user does register right on the login page of the Web API app.
- It appears that a user can register from outside the Web API app (from ANY device that knows the api/Accounts URL), but it requires passing sensitive information in plain text.
- The sample ValuesController has the [Authorize] attribute.
- Accessing /api/Values from the browser will throw a 401 if the user is not logged in.
- Accessing /api/Values from Fiddler will also throw a 401 even if the user is logged in. This is because it requires an Authorize: Bearer header, and the access token isn't available from outside the web application.
- There is a token endpoint that we can use to request a token from outside the app, but using the built-in token endpoint requires the user's username and password to be sent as plain text.
I guess all the work needs to be done from an external trusted client application (which must have access to the same database that stores user info). From the client application, how would I create an access token so that I can make a request that would have that access token in the header?
Suppose that I was able to achieve generating an acceptable access token from the client. Will the [Authorize] attribute still block access because the user would technically not be logged in? Or does [Authorize] actually log the user in if it doesn't result in a 401?
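The exchange the question is circling around, written out as an added example (not code from the original post or from the VS template): a client obtains a bearer token from the template's /Token endpoint with the OAuth2 password grant, then sends it in an Authorization: Bearer header to the [Authorize]-protected controller. The last function models, on the server side, what the OWIN bearer middleware does before [Authorize] runs: it checks the token on every request and remembers nothing between requests, so there is no "logged in" state to worry about. The base URL, token value and token response body are constructed for illustration; the field names in the response are the ones the template emits.

```python
"""Client side of the Web API 2 "Individual Accounts" bearer-token flow,
plus a per-request model of the server-side bearer check.

Added example, not part of the original post.  BASE_URL, SAMPLE_TOKEN and
SAMPLE_TOKEN_RESPONSE are constructed for illustration.
"""
import json
import urllib.request
from urllib.parse import urlencode

# Hypothetical address of the Web API app (adjust to the real one).
BASE_URL = "https://localhost:44300"


def build_token_request(username: str, password: str) -> dict:
    """Shape of the request the template's /Token endpoint expects.

    The password travels in a form-encoded body.  Nothing in the protocol
    hides it; only TLS does, so refuse to build the request for plain http.
    """
    if not BASE_URL.lower().startswith("https://"):
        raise ValueError("password grant must only be sent over HTTPS")
    body = urlencode({"grant_type": "password",
                      "username": username,
                      "password": password})
    return {
        "method": "POST",
        "url": BASE_URL + "/Token",
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": body,
    }


def parse_token_response(body: str) -> str:
    """Pull the access token out of the JSON that /Token returns."""
    data = json.loads(body)
    if data.get("token_type", "").lower() != "bearer":
        raise ValueError("unexpected token_type: %r" % data.get("token_type"))
    return data["access_token"]


def build_api_request(path: str, access_token: str) -> dict:
    """The request that satisfies [Authorize] on the Web API side."""
    return {
        "method": "GET",
        "url": BASE_URL + path,
        "headers": {"Authorization": "Bearer " + access_token},
    }


def send(req: dict) -> str:
    """Actually transmit one of the requests above (needs a running API)."""
    data = req.get("body", "").encode() if "body" in req else None
    http_req = urllib.request.Request(req["url"], data=data,
                                      headers=req["headers"],
                                      method=req["method"])
    with urllib.request.urlopen(http_req, timeout=10) as resp:
        return resp.read().decode()


def bearer_authorize(headers: dict, valid_tokens: dict, now: float) -> tuple:
    """Model of bearer middleware + [Authorize], decided per request.

    Returns (status, user).  No state survives between calls: a request
    without a valid, unexpired bearer token gets 401 regardless of what
    any earlier request did.
    """
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not token:
        return 401, None
    entry = valid_tokens.get(token)
    if entry is None or entry["expires"] <= now:
        return 401, None
    return 200, entry["user"]


# Constructed sample of a successful /Token reply.  The token value is a
# placeholder, not a real data-protection ticket.
SAMPLE_TOKEN = "constructed-opaque-token-value"
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": SAMPLE_TOKEN,
    "token_type": "bearer",
    "expires_in": 1209599,
    "userName": "alice@example.com",
    ".issued": "Mon, 01 Jan 2024 00:00:00 GMT",
    ".expires": "Mon, 15 Jan 2024 00:00:00 GMT",
})


if __name__ == "__main__":
    token = parse_token_response(SAMPLE_TOKEN_RESPONSE)
    api = build_api_request("/api/Values", token)
    print(api["headers"]["Authorization"])
    # With a live server: print(send(build_token_request("alice@example.com", "pw")))
```

The client never needs the user database: it only needs the credentials once, to call /Token over TLS, and from then on it presents the opaque token the server handed back. The server-side model shows why a valid token is enough for [Authorize] even though nobody "logged in": the bearer middleware reconstructs the principal from the token on each request, and [Authorize] only asks whether that principal is authenticated.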