Menu
I've been asked to create an API for clients. Before I begin I have some questions. I've decided to use the ASP.NET Web API technology. I've created my first method and it works fine, I'm able to return a set of results of products in XML/Json format. The problem is, anyone who accesses my API held at my website will be able to see all my products. I already have a database of customers, how can I use this so that prior to accessing my API, they have to set some credentials.
The API should be accessible to both Web and Desktop clients
One way I thought of doing it, is they pass their username/password along as parameters but this didnt seem very secure/right?. For example: api/products/GetById/750?username=bob&pass=123
530
Web API assumes that authentication happens in the host. For web-hosting, the host is IIS, which uses HTTP modules for authentication. You can configure your project to use any of the authentication modules built in to IIS or ASP.NET, or write your own HTTP module to perform custom authentication.
The authentication and authorization mechanism in such a site is simple. After the user logs into the website, a single database holding user information verifies their identity. A session is created on the server, and all subsequent requests use the session to identify the user without another login required.
If you want to allow anonymous access you can use the [AllowAnonymous] attribute. This will block access to all methods when a user is not authorized, except the GetData() method which can be called anonymously.
You could use AuthorizeAttribute to decorate your controllers/actions.
[Authorize]
public IEnumerable<Product> Get() {...}
This can restrict your resources to be available only to authenticated users.
The actual authentication method is another story. By default Web API uses cookie-based ASP.NET forms authentication, which is good if api is directly consumed from a html+js web client.
On the other hand if your API is to be consumed by desktop/mobile apps or plugin base web client, using HTTP Basic authentication may be better as you wouldn't have to manage cookies (remember to use SSL in this scenario).
You may want to look at my blog post at http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/ which shows how to provide http basic authentication that uses ASP.NET membership and role providers.
159
You want to host your API inside a SSL folder. That will encrypt all communications (same as sending your credit card # over the web)
You can also encrypt the URL so it will read like this:
api/products/GetById/750?u=828s388332e328e38&p=328e23e2i38324r423ur29834
But this represents a challenge since now you have to sync the encryption method used by your client
You can also use tokens, and have your client retrieve a token with an expiration date. Tokens expire (1 hour, or 1 day, etc). Then the URL can look like this:
api/products/GetById/750?token=1241824123yxxcn2r348
You can also use private/public keys: MSDN
27
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
