If you bypass authentication, how do you distinguish internal or public requests for api? This causes security bug. So you shouldn't bypass authentication.
If you use openidconnect authentication in mvc application then you can set SaveTokens=true
. It enables you to store access token in cookie. When you call api in mvc action you can send this access_token
to api.
Another way using two different authentication middleware, one for internal another for public access(This is hard to implement).
I would go with first approach.
Update
To achieve your goal, a tricky way is coming to my mind but i am not sure it is good way:
Create a filter provider:
public class EncFilterProvider : IFilterProvider
{
public int Order
{
get
{
return -1500;
}
}
public void OnProvidersExecuted(FilterProviderContext context)
{
}
public void OnProvidersExecuting(FilterProviderContext context)
{
// remove authorize filters
var authFilters = context.Results.Where(x =>
x.Descriptor.Filter.GetType() == typeof(AuthorizeFilter)).ToList();
foreach(var f in authFilters)
context.Results.Remove(f);
}
}
Then register it conditionally based on config value
public void ConfigureServices(IServiceCollection services)
{
if(config["servermode"] = "internal")
{
services.AddScoped<IFilterProvider, EncFilterProvider>();
}
}
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…