ASP.NET Web API Questions - Authorization / Authentication

I've been asked to create an API for clients. Before I begin I have some questions. I've decided to use the ASP.NET Web API technology. I've created my first method and it works fine, I'm able to return a set of results of products in XML/Json format. The problem is, anyone who accesses my API held at my website will be able to see all my products. I already have a database of customers, how can I use this so that prior to accessing my API, they have to set some credentials.

The API should be accessible to both Web and Desktop clients

One way I thought of doing it is that they pass their username/password along as parameters, but this didn't seem very secure/right? For example: api/products/GetById/750?username=bob&pass=123

asked May 21 '12 11:05 by CallumVass



2 Answers

You could use AuthorizeAttribute to decorate your controllers/actions.

[Authorize]
public IEnumerable<Product> Get() {...}

This can restrict your resources to be available only to authenticated users.

The actual authentication method is another story. By default Web API uses cookie-based ASP.NET forms authentication, which is good if the API is directly consumed from an HTML+JS web client.

On the other hand, if your API is to be consumed by desktop/mobile apps or a plugin-based web client, using HTTP Basic authentication may be better as you wouldn't have to manage cookies (remember to use SSL in this scenario).

You may want to look at my blog post at http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-membership-provider/ which shows how to provide http basic authentication that uses ASP.NET membership and role providers.

answered Nov 08 '22 18:11 by Piotr Walat
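As an added illustration of the answer above (example code written for this page, not the answerer's blog code), here is what the [Authorize] attribute plus an HTTP Basic authentication handler looks like in ASP.NET Web API 2. The handler decodes the Authorization header, checks the credentials against the existing customer database, and sets the request principal so that [Authorize] lets the call through; everything else stays anonymous and gets a 401 with a Basic challenge. `ICustomerStore`, the second parameter of `WebApiConfig.Register`, and the `Product` class are assumptions introduced for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http;

// Hypothetical abstraction over the existing customer table (assumption).
// Implementations must compare against a salted password hash, never a plaintext column.
public interface ICustomerStore { bool ValidateCredentials(string username, string password); }

// Message handler: runs before routing, so it sees every request to the API.
public class BasicAuthenticationHandler : DelegatingHandler
{
    private readonly ICustomerStore _customers;
    public BasicAuthenticationHandler(ICustomerStore customers) { _customers = customers; }

    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        if (auth != null && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase))
        {
            string username, password;
            if (TryParseBasicParameter(auth.Parameter, out username, out password)
                && _customers.ValidateCredentials(username, password))
            {
                var principal = new GenericPrincipal(new GenericIdentity(username, "Basic"), new string[0]);
                // Web API 2: [Authorize] reads the request context. On Web API 1 set
                // Thread.CurrentPrincipal (and HttpContext.Current.User when hosted in IIS) instead.
                request.GetRequestContext().Principal = principal;
            }
            // A bad or unknown credential is simply treated as anonymous; [Authorize] then rejects it.
        }

        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);

        // [Authorize] answers 401 for anonymous callers; attach the challenge so clients know the scheme.
        if (response.StatusCode == HttpStatusCode.Unauthorized)
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic", "realm=\"products\""));
        return response;
    }

    // Decodes the "base64(username:password)" parameter; returns false on malformed input
    // (not valid base64, no ':' separator, empty user-id).
    internal static bool TryParseBasicParameter(string parameter, out string username, out string password)
    {
        username = password = null;
        if (string.IsNullOrEmpty(parameter)) return false;
        byte[] raw;
        try { raw = Convert.FromBase64String(parameter); }
        catch (FormatException) { return false; }
        string decoded = Encoding.UTF8.GetString(raw);
        int colon = decoded.IndexOf(':');          // RFC 7617: the user-id itself cannot contain ':'
        if (colon <= 0) return false;
        username = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
}

public static class WebApiConfig
{
    // Called from Global.asax; the store is whatever wraps the existing customer database (assumption).
    public static void Register(HttpConfiguration config, ICustomerStore customers)
    {
        config.MessageHandlers.Add(new BasicAuthenticationHandler(customers));
        config.Routes.MapHttpRoute("DefaultApi", "api/{controller}/{id}", new { id = RouteParameter.Optional });
    }
}

public class Product { public int Id { get; set; } public string Name { get; set; } }

// Credentials travel in the Authorization header over HTTPS, never in the query string,
// and [Authorize] keeps the product list away from anonymous callers.
[Authorize]
public class ProductsController : ApiController
{
    public IEnumerable<Product> Get()
    {
        return new[] { new Product { Id = 750, Name = "Widget" } };   // constructed sample data
    }
}
```

A desktop client then calls `GET https://host/api/products` with `Authorization: Basic <base64(user:pass)>` (for example `curl -u bob:secret https://host/api/products`); the same request without the header receives `401 Unauthorized` and `WWW-Authenticate: Basic realm="products"`. Because Basic sends the password on every request, this only makes sense over TLS, as the answer notes.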


  • You want to host your API inside an SSL folder. That will encrypt all communications (same as sending your credit card # over the web).

  • You can also encrypt the URL so it will read like this:

    api/products/GetById/750?u=828s388332e328e38&p=328e23e2i38324r423ur29834

    But this represents a challenge, since now you have to sync the encryption method used by your client.

  • You can also use tokens, and have your client retrieve a token with an expiration date. Tokens expire (1 hour, or 1 day, etc). Then the URL can look like this:

    api/products/GetById/750?token=1241824123yxxcn2r348

  • You can also use private/public keys: MSDN

answered Nov 08 '22 18:11 by Internet Engineer
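As an added example of the token bullet in the answer above (written for this page, not the answerer's code): a client logs in once, receives an opaque token with a fixed lifetime, and presents that token instead of its password until it expires. The token is the username plus an expiry timestamp, authenticated with an HMAC-SHA256 under a server-side key, so it cannot be forged or have its expiry edited without that key. `ICustomerStore`, the `TokenKey` app setting, and the dependency-resolver wiring of the controller constructor are assumptions.

```csharp
using System;
using System.Configuration;
using System.Security.Cryptography;
using System.Text;
using System.Web.Http;

// Hypothetical abstraction over the existing customer table (assumption).
public interface ICustomerStore { bool ValidateCredentials(string username, string password); }

public static class ExpiringTokens
{
    static readonly DateTime Epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Token = base64url(username|expiryUnixSeconds) "." base64url(HMAC-SHA256 over that payload).
    // The key never leaves the server; clients only hold the opaque token.
    public static string Issue(byte[] key, string username, DateTime expiresUtc)
    {
        if (username.Contains("|")) throw new ArgumentException("username may not contain '|'");
        long exp = (long)(expiresUtc.ToUniversalTime() - Epoch).TotalSeconds;
        byte[] payload = Encoding.UTF8.GetBytes(username + "|" + exp);
        return Base64Url(payload) + "." + Base64Url(Mac(key, payload));
    }

    // Returns true (and the username) only if the MAC verifies and the token has not expired.
    public static bool TryValidate(byte[] key, string token, DateTime nowUtc, out string username)
    {
        username = null;
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payload, mac;
        try { payload = FromBase64Url(parts[0]); mac = FromBase64Url(parts[1]); }
        catch (FormatException) { return false; }

        // Verify the MAC before trusting anything inside the payload; compare in constant time.
        if (!FixedTimeEquals(Mac(key, payload), mac)) return false;

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        long exp;
        if (fields.Length != 2 || !long.TryParse(fields[1], out exp)) return false;
        if ((long)(nowUtc.ToUniversalTime() - Epoch).TotalSeconds >= exp) return false;   // expired

        username = fields[0];
        return true;
    }

    static byte[] Mac(byte[] key, byte[] data)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(data);
    }

    static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    static string Base64Url(byte[] data)
    {
        return Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    static byte[] FromBase64Url(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4) { case 2: b64 += "=="; break; case 3: b64 += "="; break; }
        return Convert.FromBase64String(b64);   // throws FormatException on garbage input
    }
}

public class LoginModel { public string Username { get; set; } public string Password { get; set; } }

// POST api/tokens with a JSON body {"Username":"bob","Password":"..."} over HTTPS.
[AllowAnonymous]   // reachable even when [Authorize] is registered globally
public class TokensController : ApiController
{
    // Assumptions: the key is a random 32-byte value kept in protected configuration,
    // and the store is injected through the Web API dependency resolver.
    static readonly byte[] Key = Convert.FromBase64String(ConfigurationManager.AppSettings["TokenKey"]);
    private readonly ICustomerStore _customers;
    public TokensController(ICustomerStore customers) { _customers = customers; }

    public IHttpActionResult Post(LoginModel login)
    {
        if (login == null || !_customers.ValidateCredentials(login.Username, login.Password))
            return Unauthorized();
        string token = ExpiringTokens.Issue(Key, login.Username, DateTime.UtcNow.AddHours(1));
        return Ok(new { token = token, expires_in = 3600 });
    }
}
```

On later calls the client sends the token in the `Authorization: Bearer <token>` header rather than as `?token=...`, because query strings end up in server, proxy and browser-history logs; a message handler like the Basic one above calls `ExpiringTokens.TryValidate(Key, token, DateTime.UtcNow, out username)` and sets the principal on success. Expiry is what limits the damage from a leaked token; rotating `TokenKey` invalidates every outstanding token at once.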