Authentication using OAuth in Web API

I'm working on a project using ASP.Net MVC5 which also includes a Web API. The API will be for internal use only. I'm using the OWIN library to provide authentication.

I'm having a difficult time figuring out how to correctly implement authentication through the API. I was planning on using OAuth 2.0, but the problem with OAuth is that the user needs to log in through a browser page instead of a native login screen. So I was wondering if it is possible to somehow skip the browser.

I've found this example which creates its own OAuth Authorization Server. But it doesn't show how to make the login native.

sgtfrankieboy asked Nov 15 '13 20:11


2 Answers

If it's a highly trusted client, then you can use the OAuth2 resource owner password flow. You can look at the VS2013 SPA template and/or read this post:

http://leastprivilege.com/2013/11/13/embedding-a-simple-usernamepassword-authorization-server-in-web-api-v2/

Brock Allen answered Nov 07 '22 02:11
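A sketch of the resource owner password flow from the answer above, embedded in the API with the OWIN OAuth middleware. This is an added example, not code from the answer or the linked post; the `/token` path, the client id `internal-native-app`, the 30-minute lifetime and the demo user `alice` are assumptions made for illustration.

```csharp
using System;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),         // assumed; native login POSTs grant_type=password here
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30), // assumed lifetime
            AllowInsecureHttp = false,                            // the password is in the request body: TLS only
            Provider = new PasswordGrantProvider()
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions()); // checks Bearer tokens on API calls
    }
}

public class PasswordGrantProvider : OAuthAuthorizationServerProvider
{
    static readonly byte[] Salt = { 1, 2, 3, 4, 5, 6, 7, 8 };     // constructed demo user "alice";
    static readonly byte[] Hash = Derive("constructed-password"); // replace Check() with the real user store
    static byte[] Derive(string pw) { using (var k = new Rfc2898DeriveBytes(pw, Salt, 100000)) return k.GetBytes(32); }
    static bool Check(string user, string pw)
    {
        byte[] h = Derive(pw ?? ""); int diff = user == "alice" ? 0 : 1;
        for (int i = 0; i < h.Length; i++) diff |= h[i] ^ Hash[i]; // no early exit on mismatch
        return diff == 0;
    }
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string id, secret; // only the one trusted first-party client may use this grant
        if (context.TryGetFormCredentials(out id, out secret) && id == "internal-native-app") context.Validated(id);
        else context.SetError("invalid_client");
        return Task.FromResult(0);
    }
    public override Task GrantResourceOwnerCredentials(OAuthGrantResourceOwnerCredentialsContext context)
    {
        if (!Check(context.UserName, context.Password))
            { context.SetError("invalid_grant", "The user name or password is incorrect."); return Task.FromResult(0); }
        var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, context.UserName) }, context.Options.AuthenticationType);
        context.Validated(identity); // the middleware issues the bearer token for this identity
        return Task.FromResult(0);
    }
}
```

The native login screen sends `grant_type=password`, `username`, `password` and `client_id` as a form-encoded POST to the token endpoint, then presents the returned `access_token` in an `Authorization: Bearer` header on each API call.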

You could use Thinktecture.IdentityServer v2 as a light-weight security token service.

https://github.com/thinktecture/Thinktecture.IdentityServer.v2

hutchonoid answered Nov 07 '22 02:11