I'm setting up an Azure API Management with with an ASP.NET WebApi 2 app behind it. API Management recommends setting up Basic auth between the API Management proxy and the ASP.NET WebApi to make sure the WebApi is only accessible through the API Management proxy.
(Of course OAuth tokens will be still sent with requests for the "real" authentication, but I'll add that later.)
With this in mind, I don't really want to implement the Basic auth in the application, I would like to have it handled by IIS exclusively, via Web.config.
Question: How can I set up my Web.config to do basic auth with a username/password stored in Web.config?
What I've tried:
I tried to follow this article Apply ASP.NET Authentication and Authorization Rules to Static Content with IIS 7.0's Integrated Pipeline Feature but didn't have much luck.
This question is unanswered, but they probably ask for similar thing: web.config single user basic auth
Other answers I found here include adding the authentication inside the application which I don't want to do.
Here is my Web.config:
<?xml version="1.0"?>
<configuration>
<configSections>
<!-- For more information on Entity Framework configuration, visit http://go.microsoft.com/fwlink/?LinkID=237468 -->
<section name="entityFramework" type="System.Data.Entity.Internal.ConfigFile.EntityFrameworkSection, EntityFramework, Version=6.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" requirePermission="false"/>
</configSections>
<appSettings configSource="bin\debug-appSettings.config"/>
<connectionStrings configSource="bin\debug-connectionStrings.config"/>
<system.web>
<compilation targetFramework="4.5.2"/>
<httpRuntime targetFramework="4.5.2"/>
<authentication mode="Forms">
<forms>
<credentials passwordFormat="Clear">
<user name="test" password="test" />
</credentials>
</forms>
</authentication>
<authorization>
<allow users="test" />
<deny users="*" />
</authorization>
</system.web>
<system.webServer>
<handlers>
<remove name="ExtensionlessUrlHandler-Integrated-4.0"/>
<remove name="OPTIONSVerbHandler"/>
<remove name="TRACEVerbHandler"/>
<add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0"/>
</handlers>
<modules>
<remove name="FormsAuthenticationModule" />
<add name="FormsAuthenticationModule" type="System.Web.Security.FormsAuthenticationModule" />
<remove name="UrlAuthorization" />
<add name="UrlAuthorization" type="System.Web.Security.UrlAuthorizationModule" />
</modules>
<security>
<authentication>
<basicAuthentication enabled="true" />
</authentication>
</security>
</system.webServer>
<runtime>
<assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
<dependentAssembly>
<assemblyIdentity name="Microsoft.Azure.AppService.ApiApps.Service" publicKeyToken="31BF3856AD364E35" culture="neutral"/>
<bindingRedirect oldVersion="0.0.0.0-0.9.64.0" newVersion="0.9.64.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Newtonsoft.Json" culture="neutral" publicKeyToken="30ad4fe6b2a6aeed"/>
<bindingRedirect oldVersion="0.0.0.0-7.0.0.0" newVersion="7.0.0.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Net.Http.Formatting" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
<bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.Web.Http" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
<bindingRedirect oldVersion="0.0.0.0-5.2.3.0" newVersion="5.2.3.0"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="MiniProfiler" publicKeyToken="b44f9351044011a3" culture="neutral"/>
<bindingRedirect oldVersion="0.0.0.0-3.2.0.157" newVersion="3.2.0.157"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="System.IdentityModel.Tokens.Jwt" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
<bindingRedirect oldVersion="0.0.0.0-4.0.20622.1351" newVersion="4.0.20622.1351"/>
</dependentAssembly>
<dependentAssembly>
<assemblyIdentity name="Microsoft.WindowsAzure.Storage" publicKeyToken="31bf3856ad364e35" culture="neutral"/>
<bindingRedirect oldVersion="0.0.0.0-6.1.0.0" newVersion="6.1.0.0"/>
</dependentAssembly>
</assemblyBinding>
</runtime>
<entityFramework>
<defaultConnectionFactory type="System.Data.Entity.Infrastructure.LocalDbConnectionFactory, EntityFramework">
<parameters>
<parameter value="mssqllocaldb"/>
</parameters>
</defaultConnectionFactory>
<providers>
<provider invariantName="System.Data.SqlClient" type="System.Data.Entity.SqlServer.SqlProviderServices, EntityFramework.SqlServer"/>
</providers>
</entityFramework>
</configuration>
I send a request with PostMan with the following headers:
Authorization: Basic dGVzdDp0ZXN0
Content-Type: application/json
But all I get is the 401.1 page by IIS.
What am I missing?
I ended up implementing BasicAuthentication as a HttpModule. I will update this answer later with the details.
Edit:
NuGet package: https://www.nuget.org/packages/Hexasoft.BasicAuthentication
Source: https://github.com/hexasoftuk/Hexasoft.BasicAuthentication