 

How to send secure token from RESTful service?

I am building a RESTful service using ASP.NET Web API with custom token-based authentication. The client will send credentials on the first call. The service will create an encrypted token using the user details, and this token will be used for authentication from this point onwards. Now the service needs to send this token back to the client. Initially I kept the token in an HTTP custom response header so that the client can read the value independently of the data returned by the service. This worked well when client and service are in the same domain, but failed in the cross-domain scenario. I have enabled CORS on my service and added all kinds of headers like "Access-Control-Expose-Headers", "Access-Control-Allow-Origin: *" etc. But the cross-domain client is not able to read the custom response header I created, which is "SecureToken:". I saw in a couple of posts that web browsers have some issues with reading custom response headers in cross-domain scenarios. So now I am thinking of sending the secure token through a common base class of all the ViewModel/data objects sent from the service.

From this context I have a couple of questions:

  1. What is the best place to send custom secure tokens? Is it in the response header or as a common property in the base class of the ViewModel/data classes?

  2. Is there a standard HTTP response header that I can use to send the token and custom information so that even cross-domain clients can read it?

Any help will be greatly appreciated! Thanks!

asked Sep 26 '12 by Nishanth Nair




1 Answer

The Authorization header is intended for this. Check section 14.8 in this link for details on how to use it.

answered Oct 15 '22 by basiljames