Menu
I'm trying to build a secure asp.net web api. You can find a lot of ways of how to secure your API, but I want to know what is the best way or the 'industry standard' to implement this for my case.
These are my requirements - The API will be used by a small number of third-party developers for websites/mobile apps etc. - Developers who want to use this API have to be given a key to access the API (Authorization) - Users (Visitors/consumers) have to login into the third-party apps to see their personalized information. - The API will use an ASP membership database for managing/authenticating the users.
I know it's possible to use http basic authentication for authenticating users, but how do I implement the authorization part of the API?
Is OAuth 2.0 a solution?
816
Web API provides a built-in authorization filter, AuthorizeAttribute. This filter checks whether the user is authenticated. If not, it returns HTTP status code 401 (Unauthorized), without invoking the action. You can apply the filter globally, at the controller level, or at the level of individual actions.
In IIS Manager, go to Features View, select Authentication, and enable Basic authentication. In your Web API project, add the [Authorize] attribute for any controller actions that need authentication. A client authenticates itself by setting the Authorization header in the request.
There are three ways to authenticate users when calling a web API: API key authentication. Basic authentication. Session-based authentication.
There is a very good article describing the authentication/authorization with token/key:
It also describes some other good practices regarding ASP.NET Web API security.
187
I would also suggest the use of the Thinktecture.IndentityModel.40 library that can support the following:
Base
Claims
Constant
Extension Methods
20
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
