How to secure .net core API project

Question

I have a web ui application written in Angular 4 running behind IIS with SSL required and one-to-one client certificate mapping.

This SSL web ui application calls a .net core API project that also uses SignalR to push it's data to the ui app.

These run off two different URL's under the same domain.

https://ui.mysite.com
https://api.mysite.com

Both applications are NOT available to the public and require good security.

I'm comfortable with locking the ui site via individual certificates. The SSL certificate is via a trusted certificate authority and then create self-signed certificates for client authentication.

What would you suggest to lock down the api site to the outside world so that only the ui site (and internal developers inside our network for debugging purposes i.e. looking at json responses) can access?

I've seen people mention oauth2 / jwt? Any examples?

The only people that require access are people within our company but on devices that may not be connected to our internal network i.e. mobile phones or laptops when travelling.

Answer 1

You can definitely use JWT to protect the Web API.

Here is a good starting point: https://dev.to/samueleresca/developing-token-authentication-using-aspnet-core

Basically how this implementation works is every controller or action that has the [Authorize] attribute requires an access token to be sent through the Authorization header of the request. This access token is obtained by sending a POST request to /api/token with the username and password. Each key has a set expiration time that you can alter in code.

This is a simple JWT, but you could also expand it with claims such as roles.