
I am trying to learn Web API and MVC. I initially created a basic MVC project. Now, in the controllers folder, I added a WebAPI controller.

In the WebAPI controller, I added the below code

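```csharp
using System.Web.Http;
using Microsoft.AspNet.Identity; // provides the GetUserId() extension method

public class SampleController : ApiController
{
    [HttpPost]
    public IHttpActionResult SampleData()
    {
        // Returns null when the request carries no authenticated identity
        var userID = User.Identity.GetUserId();
        return Ok();
    }
}
```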

The method User.Identity.GetUserId() works fine in MVC.

I searched on SO and found the following thread

User.Identity.GetUserId() method not working in a Web Api 2 Controller

This was not that helpful for me, as in my case I have added the API controller as part of the MVC project itself in the controllers folder. I have not created a separate project for WebAPI.

The above mentioned thread talks about the accesstoken already being present in code, whereas in my case, I don't see that code anywhere, as I just added only a single web api controller.

I am using POSTMAN for calling the API.

I have also looked at the following link https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/individual-accounts-in-web-api

In this case too, a separate WebAPI project is being talked about and not a single controller.

If I am mistaken somewhere, kindly guide me on the same.

Shankar
  • Are you sending an authorization header in Postman? Nothing in the question indicates you're sending the request as an authenticated user. –  Mar 20 '19 at 12:10
  • Perhaps your connection is new and you haven't logged in yet – kowsikbabu Mar 20 '19 at 12:12
  • Hi Amy, no, I am not sending an authorization header. But I am testing POSTMAN only after logging in to the application. – Shankar Mar 20 '19 at 12:14
  • @Amy Also, to send the header, I have to know the token, I believe, which I don't, at present. If I could get some guidance regarding the same, it would be much appreciated. The links I have added in my post weren't particularly directed towards my scenario of having a single Web API controller in the controllers folder. I am not quite sure how I am supposed to get the accesstoken in my scenario, which is where I am stumped. – Shankar Mar 20 '19 at 12:15
  • @kowsikbabu I have logged into the application several times and I run POSTMAN only after I log into the application. Yet, UserID is NULL in the API. – Shankar Mar 20 '19 at 12:19
  • Insert a breakpoint in that particular line inside ApiController and run the application in debugging to see further information as to why this behaviour occurs. Are you using IISExpress to host your application? – kowsikbabu Mar 20 '19 at 12:22
  • The application doesn't know you're "logged in" unless you send the proper headers with the request... –  Mar 20 '19 at 12:25
  • @kowsikbabu I had inserted a breakpoint in the application earlier. On evaluation of the expression User.Identity.GetUserId(), it shows up as Null. Actually, I have not done any setup in IIS, to be honest. I run the application in debug mode. – Shankar Mar 20 '19 at 12:27
  • @Amy Thanks for your reply. If it's not too much hassle, could you tell me how to get the access token for my particular scenario, where there is only one API controller and no other autogenerated code? I have gone through all the documents and I am not able to grasp how I get the access token to send in the Request headers. The documents speak about adding a WebAPI project itself, while I have only added a single API controller. Kindly guide a newb. – Shankar Mar 20 '19 at 12:32
  • As @Amy mentions, you might have logged into the application in one place, but Postman is a different client so there's nothing to tie the two sessions together. You either need to provide the access token in the API request header, or include any session cookies that can tie the API request to your authenticated session. – Tom Troughton Mar 20 '19 at 12:32
  • @getsetcode I think I got what Amy was trying to explain to me. I am, at present, stuck on how to get the access token only for a single controller API (not sure if that's the correct term). I have not added a new Web API project to have autogenerated code. The autogenerated code might have code for accesstoken. But I am stuck at generating the accesstoken for a single API controller. Could I get some guidance, please? The documents do not refer to my situation of having a single controller and no autogenerated code. No new API project either. – Shankar Mar 20 '19 at 12:40
  • Your request from Postman will be coming in as anonymous. You don't have any authorization attribute on the `SampleData()`, so no login is required to access it, so no user or user ID exists. Have a read through https://learn.microsoft.com/en-us/aspnet/web-api/overview/security/authentication-and-authorization-in-aspnet-web-api – MikeS Mar 20 '19 at 12:41
  • @MikeS Thanks for your reply. I have been through that document and gone through the project given there. I have also linked it in my post. It's just that my particular scenario is not discussed there. It might be trivial, but I have added a new controller, while the docs discuss adding a new project. When a new Web API project is added, we get some autogenerated code for the accesstoken. I don't get that code as I have only added a new Web API controller. This is where I am facing difficulty. How can I get that accesstoken to send in the Request Header? – Shankar Mar 20 '19 at 12:49
  • Also, yes, there is no Authorize attribute on my action, but UserID is NULL. I want the userID, which is why I am logging in before running POSTMAN. Kindly guide me on how to get the accesstoken only for a single API controller added and not an all new API entire project. That scenario is not discussed in that doc, I believe. Please correct me if I am mistaken. – Shankar Mar 20 '19 at 12:49
  • You have an API controller. Therefore, you have an API project. You are placing *far* too much emphasis on "I only have a single API controller". Follow the tutorials on setting up Web API authentication. No tutorial is going to exist for "a single API controller without an API project" because that detail is not relevant. –  Mar 20 '19 at 12:51
  • I also think you're putting too much emphasis on access tokens. It sounds like you already have authentication implemented and expect your API controller to use the same auth mechanism. When you say you're logging in, are you talking about a web browser session? If so it's likely you'll have a cookie in your browser which represents your authenticated session. Add this cookie to your Postman request and your API call will resolve the identity the same way your main app does. You can use something like Fiddler to analyse specific HTTP requests. – Tom Troughton Mar 20 '19 at 12:55
  • @Amy Ok, thanks. I have been through that tutorial and found I was not seeing the autogenerated code for the access token that they speak of. I will go through it again and see if I missed something. – Shankar Mar 20 '19 at 12:57
  • @getsetcode Yes, I am able to log into the MVC application and while trying to understand authentication, I saw the code and yes, it uses CookieAuthentication, which is the default, I believe. I will try what you just said and see if that works. Thanks. – Shankar Mar 20 '19 at 12:59
  • @getsetcode I think you're putting the cart in front of the horse. OP doesn't sound like he's set up any authentication in Web API. Auth would work for MVC out of the box, because he set up a MVC project and it's part of the default template. But by default, I don't think Web API will have any authentication unless it's set up manually, or unless the default template is used to set up the project. He needs to follow the tutorials first. –  Mar 20 '19 at 12:59
  • @Amy That would be true if they were separate projects, but OP says they've simply added a WebAPI controller to an existing MVC project, so they will share authentication. – Tom Troughton Mar 20 '19 at 13:01
  • @getsetcode That's exactly what I have done. Just added a new controller and not followed the default template for setting up a new Web API project, which all the docs I have read follow. I will try what you mentioned and if it doesn't work, it's back to the tutorials. – Shankar Mar 20 '19 at 13:08
  • OK good luck. Just remember that when you authenticate with a web app you're establishing a session between the client and the server. A web browser and Postman are different clients. Like @Amy mentioned, your Postman session is anonymous unless you tie it to an authenticated session either via session cookie, access token or similar. – Tom Troughton Mar 20 '19 at 13:12
  • I understand. Thanks for the help @getsetcode – Shankar Mar 20 '19 at 13:18
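
An added example, not code from the question or from any commenter: the same controller with `[Authorize]`, so a request that arrives without credentials is rejected instead of running with an empty identity, plus a diagnostic action that reports how the request was authenticated. It assumes the MVC 5 template's OWIN cookie authentication is active and Web API is registered in the same application; the `WhoAmI` action is hypothetical.

```csharp
using System.Web.Http;
using Microsoft.AspNet.Identity; // GetUserId() extension method

public class SampleController : ApiController
{
    // [Authorize] makes Web API refuse a request that carries neither the
    // application's authentication cookie nor another accepted credential.
    // Without it the action runs for anonymous callers and GetUserId()
    // returns null, which is the behaviour described in the question.
    [Authorize]
    [HttpPost]
    public IHttpActionResult SampleData()
    {
        var userId = User.Identity.GetUserId();

        // Defensive check: never continue with a missing identity.
        if (string.IsNullOrEmpty(userId))
        {
            return Unauthorized();
        }

        return Ok(new { userId });
    }

    // Hypothetical diagnostic action (GET api/sample): shows whether the
    // incoming request was authenticated and by which mechanism, so a
    // Postman call can be compared with a browser call.
    [AllowAnonymous]
    [HttpGet]
    public IHttpActionResult WhoAmI()
    {
        var identity = User?.Identity;
        return Ok(new
        {
            isAuthenticated = identity != null && identity.IsAuthenticated,
            authenticationType = identity?.AuthenticationType,
            userId = identity?.GetUserId()
        });
    }
}
```

With the MVC template's cookie middleware, an unauthenticated call may reach Postman as a redirect to the login page rather than a bare 401. An API action that trusts the browser cookie for state-changing requests also needs anti-forgery protection.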
