
Best way to secure ASP.NET Web API 2 where multiple clients use it [closed]

What is the best way to secure a Web API when you have multiple different clients to use? Each client should have its own API key to connect with. Now I have read different things but I still have some questions.

I have found this one: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/#comments but is it sufficient?

So basically:

  1. client connects with given username/password
  2. client gets a bearer token back
  3. client uses this token in each post to the api until the timestamp is over

I have also read about giving an API secret key to each client which he can use: http://bitoftech.net/2014/12/15/secure-asp-net-web-api-using-api-key-authentication-hmac-authentication/

What is the best approach?

Kaizer asked Jan 13 '17 07:01


2 Answers

You are on the right track by using token-based authentication. Here is a link which shows the implementation details:

Token based authentication in Web API without any user interface

Additionally, I think you can secure the channel using SSL:

http://www.c-sharpcorner.com/UploadFile/55d2ea/creating-and-using-C-Sharp-web-application-over-https-ssl/

Display name answered Nov 16 '22 07:11
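
Added example, not part of the answer or of the linked articles: the token flow from the question with each client authenticating under its own id and secret, built on the Katana OAuth middleware (`Microsoft.Owin.Security.OAuth`). The client id `reporting-app`, its secret, the in-memory store, the `/token` path and the 30-minute lifetime are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.Owin;
using Microsoft.Owin.Security.OAuth;
using Owin;

public class PerClientProvider : OAuthAuthorizationServerProvider
{
    // Constructed sample store: client id -> SHA-256 of that client's random secret.
    static readonly Dictionary<string, byte[]> Clients = new Dictionary<string, byte[]>
        { { "reporting-app", Hash("constructed-sample-secret") } };
    static byte[] Hash(string s) { using (var sha = SHA256.Create()) return sha.ComputeHash(Encoding.UTF8.GetBytes(s)); }
    public override Task ValidateClientAuthentication(OAuthValidateClientAuthenticationContext context)
    {
        string id, secret; byte[] expected;
        if (!context.TryGetBasicCredentials(out id, out secret))
            context.TryGetFormCredentials(out id, out secret);
        int diff = 1; // stays non-zero unless every digest byte matches
        if (id != null && secret != null && Clients.TryGetValue(id, out expected))
            diff = Hash(secret).Zip(expected, (a, b) => a ^ b).Aggregate(0, (x, y) => x | y); // no early exit
        if (diff == 0) context.Validated(id); else context.SetError("invalid_client");
        return Task.FromResult(0);
    }
    public override Task GrantClientCredentials(OAuthGrantClientCredentialsContext context)
    {
        context.Validated(new ClaimsIdentity( // the token records which client it was issued to
            new[] { new Claim("client_id", context.ClientId) }, context.Options.AuthenticationType));
        return Task.FromResult(0);
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseOAuthAuthorizationServer(new OAuthAuthorizationServerOptions
        {
            TokenEndpointPath = new PathString("/token"),
            AccessTokenExpireTimeSpan = TimeSpan.FromMinutes(30),
            AllowInsecureHttp = false, // token requests over plain HTTP are not served
            Provider = new PerClientProvider()
        });
        app.UseOAuthBearerAuthentication(new OAuthBearerAuthenticationOptions());
    }
}
```

A client posts `grant_type=client_credentials` to `/token` with its id and secret in a Basic header, then sends the returned token as `Authorization: Bearer <token>` on each API call until it expires. Controllers marked `[Authorize]` can read the `client_id` claim to tell clients apart.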


The token-based approach used in OAuth2 and OpenIdentity is very widespread and enables a wide range of scenarios (Web Apps, Mobile, Desktop Apps, microservices).

There are some good libraries out there for providing and consuming tokens. They should be preferred over implementing your own protocols. The latter approach is more error-prone and is more difficult for other clients to consume (if there is the need in the future). I recommend having a look at IdentityServer (it is open source). An introduction can be found here.

Generally I recommend to dig deeper into the blogs about token based authentication - it is a huge topic, but it is worth it.

Ralf Bönning answered Nov 16 '22 06:11