In designing and learning about an ASP.NET Web API I've come across a few challenges I'd like some help and discussion on.
Inspired by this excellent post on designing a Secure REST API without OAuth I'm wondering how best to approach validating the various tokens and information I intend to ask for.
Brief summary: I'll be asking for (in the query string) the following info...
My question / wondering is this :
If this is a sound approach, what would be the best way to implement this using ASP.NET Web API?
I'm currently thinking about either using a custom attribute that I can mark my methods with, kind of an Authorize attribute that grabs the required from the query string or some POCO type object that contains all the values and I can use to keep all the authorisation type code in one place.
Has anyone got any experience or thoughts on this?
Thanks :)
Currently, as you might have seen, the AuthorizeAttribute approach is used in Web API. I think that this is a fairly good approach in that we can put this attribute on individual items that need authorization.
I have done authorization by extending the System.Web.Http.Filters.AuthorizationFilterAttribute. After you extend it, all authorization details are up to you and you have plenty of approaches to choose from.