I have two projects - first a Web API on .NET 8 and second a Blazor Web App, also on .NET 8. I need to deploy both of these projects to IIS on a Windows Server. Thing is I'm required to use SSO as auth.
My initial idea was to use Windows auth on the webpage and then pass on the credentials to the Web API so it could create a JWT Token and use the claims to know the role type and further auth on the other endpoints.
[HttpGet]public async Task<ActionResult<AuthenticateResponse>> Login(){ string Name = HttpContext.User.Identity; Console.WriteLine(Name); if (Name != null) { // This creates a JWT token var auth = await _loginService.Authenticate(Name); if (auth != null) return Ok(auth); } return Unauthorized();}Problem is, the Web API ends up using the user on the web app application pool when I consume this endpoint, instead of the clients Windows username.
I've also set the UseDefaultCredentials to True on the requests through the webpage.
UseDefaultCredentials = true // Ensure Windows Authentication credentials are usedThe authentication itself is done by checking a domain and looking if that user exists in it.
I've tried using
System.Security.Principal.WindowsIdentity.GetCurrent().Name; but that didn't work.
I've tried setting the credentials off and couldn't even get the app pool user.
I've tried changing app pool.
I've thought about sending the username trough the request but then anyone could access to anyone's token. Maybe I could use some Cors policy and only accept the web app requests and put an endpoint in which you enter the username and it gives you back the token?