Authentication between mvc and webapi (Separate domains/Applications)

Question

im looking for good ideas/resources/implementations for the following scenario

A MVC website at http://mywebsite.com

A Webapi REST service at http://myapi.com

IMPORTANT -- Please notice the separate domains/Applications..

A user logs in at the website and data is fetched from the API via JSONP/CORS

Obviously i dont want the user to authenticate on the webapi using basic authentication. But the API is also exposed to Android/IOS apps, so i need the basic auth

I've thought about returning a token from the MVC site and then writing a DelegatingHandler at the webapi site to authenticate using that token, but i would like some inputs, or perhaps even better solutions

I made a pretty diagram just for the occation:

Answer 1

Although JSONP works also consider using CORS some examples of WebApi implementation here.

Consider following a standard (at least a draft) for your token rather than creating your own. Json Web Token (JWT) seem to be a good approach the specification here includes the format and determines the encryption or signing approach. There are libraries to support this kind of token such as the Thinkteckture Identity Model this article covers some of the usage of that library and the JWT. Google have a good dev guide here.

Disclaimer, only consider the above having read about some of the OAuth and JWT standardization criticisms.

If you did use a HTTP header, I am not sure you need a custom header (@Vipul) the "Authorization :" header is there for this kind of information.

If you are using a custom token, ensure it has an expiration date, consider using a nonce if you want to protect against replay attacks and sign or encrypt using a well known algorithm.

Agree with you that delegating handler is a good place to put token validation. An ActionFilter is called much later than necessary in the stack and the middle ground would be to implement System.Web.Http.AuthorizeAttribute.