问题
Long story short. I have a login form in the header on every single page, when I log in successfully it works fine but when the user is incorrect for example it redirects to the default login page (a view that was originally created with MVC project) with the model errors. I don't want to do that, I want to show errors next to the login form without redirecting. So I decided to implement a login via WEB API - i.e. it does $.ajax jQuery request to the Login API Controller, tries to log user in and returns errors if needed so I can output them where I want.
All examples I've seen say to use Bearer Access Token. I don't understand why would I need to go this path - save the token somewhere and pass it along with every single request in the headers? That's what I did in my Login API Controller:
var user = await UserManager.FindAsync(model.UserName, model.Password);
if (user != null)
{
Authentication.SignOut(DefaultAuthenticationTypes.ExternalCookie);
var identity = await UserManager.CreateIdentityAsync(user, DefaultAuthenticationTypes.ApplicationCookie);
Authentication.SignIn(new AuthenticationProperties() { IsPersistent = false }, identity);
}
else
{
error = "Invalid username or password.";
}
This is the same functionality that is available out of the box when you create MVC5 project. I just moved it from regular controller to API controller. And it works without needing to take care of some bearer access tokens. What's the point of it if you could just do it like I did? I think it just makes requests more complicated when you use bearer token. Am I missing anything?
回答1:
As I understand this, the bearer token would make more sense when you need to have a separately available backend authenticated with the same login as the front end we site in a pass through so the back end can "see" the request as coming from the same user.
You can verify that after logging in this way both the front end web site and backend api are sending the same session cookie, and if so you are golden. If on different domains, you may have problems with that, but otherwise not. If so, then a bearer token to pass that user to the backend may come back into play.
来源:https://stackoverflow.com/questions/25275583/mvc-5-web-api-login-without-bearer-token