HTTPS and HTTP only on .NET Web API v2 actions

I have been working on a project with Web API 2 using OAuth 2 (OpenID Connect, to be precise) bearer tokens to grant access. Now the whole idea is that bearer tokens are only secure if used over a secure connection.

Until now I have simply not allowed HTTP calls to the web server, which kinda worked since no one could make an HTTP call with a bearer token.

We now have some endpoints that need to be available over HTTP (no bearer token/authentication required), and we are going to enable HTTP of course. Now my question is, what is normal in these situations?

Would I have an attribute that I can put on all actions that only accept HTTPS? Can I make that the default behaviour and only put an attribute on those that are okay over HTTP?

What is the advice on this: is it our responsibility that no one uses an OAuth token over a non-secure line, or is it the responsibility of the user of the API?

Poul K. Sørensen asked May 15 '26 02:05


1 Answer

I believe the right way to do this is to add a global action filter which forces you to use HTTPS on all controllers/actions in your Web API. The implementation of this HTTPS action filter can be as below:

using System;
using System.Net;
using System.Net.Http;
using System.Text;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

public class ForceHttpsAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var request = actionContext.Request;

        // Only act on requests that did not arrive over HTTPS.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
        {
            var html = "<p>Https is required</p>";

            if (request.Method.Method == "GET")
            {
                // GET: redirect the client to the same URL over HTTPS on port 443.
                actionContext.Response = request.CreateResponse(HttpStatusCode.Found);
                actionContext.Response.Content = new StringContent(html, Encoding.UTF8, "text/html");

                UriBuilder httpsNewUri = new UriBuilder(request.RequestUri);
                httpsNewUri.Scheme = Uri.UriSchemeHttps;
                httpsNewUri.Port = 443;

                actionContext.Response.Headers.Location = httpsNewUri.Uri;
            }
            else
            {
                // Non-GET: do not redirect (the body would be lost); answer 404 instead.
                actionContext.Response = request.CreateResponse(HttpStatusCode.NotFound);
                actionContext.Response.Content = new StringContent(html, Encoding.UTF8, "text/html");
            }
        }
    }
}

Now you want to register this globally in the WebApiConfig class as below:

config.Filters.Add(new ForceHttpsAttribute());

As I understand from your question, the number of controllers you want to call over https is greater than the number of controllers over http, so you want to add the override attribute [OverrideActionFiltersAttribute] to those http controllers. Do not forget to attribute your anonymous controllers with the [AllowAnonymous] attribute. But my recommendation is to keep all the communication over https and just allow anonymous calls. You can read more about enforcing https on my blog here: http://bitoftech.net/2013/12/03/enforce-https-asp-net-web-api-basic-authentication/ Hope this helps.

Taiseer Joudeh answered May 17 '26 06:05
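The question also asks for the inverse arrangement: HTTPS as the default, with an attribute marking the few actions that may be served over HTTP, and a clear answer to "whose job is it to keep the token off plain HTTP". The filter below is an added example, not the answer's or the project's code; the names AllowHttpAttribute and RequireHttpsByDefaultAttribute are my own. Unlike the answer's filter it never redirects: a bearer token that has already travelled over HTTP is rejected outright, and other HTTP requests get 426 Upgrade Required unless the action or controller carries [AllowHttp].

```csharp
using System;
using System.Linq;
using System.Net;
using System.Net.Http;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;

// Marker attribute (hypothetical name): opts one action or a whole controller out of
// the HTTPS requirement. Anonymous endpoints get this; everything else stays HTTPS-only.
[AttributeUsage(AttributeTargets.Class | AttributeTargets.Method, AllowMultiple = false)]
public sealed class AllowHttpAttribute : Attribute { }

// Global authorization filter (hypothetical name): HTTPS by default, HTTP only where
// [AllowHttp] is present, and never a bearer token over plain HTTP, even on an
// [AllowHttp] action, because a token sent in the clear is already exposed.
public sealed class RequireHttpsByDefaultAttribute : AuthorizationFilterAttribute
{
    public override void OnAuthorization(HttpActionContext actionContext)
    {
        var request = actionContext.Request;
        if (request.RequestUri.Scheme == Uri.UriSchemeHttps)
            return; // secure transport: nothing to enforce

        var auth = request.Headers.Authorization;
        bool carriesBearer = auth != null
            && string.Equals(auth.Scheme, "Bearer", StringComparison.OrdinalIgnoreCase);

        // Refuse rather than redirect, so the client does not silently resend the token.
        if (carriesBearer)
        {
            actionContext.Response = request.CreateResponse(
                HttpStatusCode.Forbidden, "Bearer tokens are accepted over HTTPS only.");
            return;
        }

        // Opt-out is honoured on the action or on its controller.
        bool allowHttp =
            actionContext.ActionDescriptor.GetCustomAttributes<AllowHttpAttribute>().Any()
            || actionContext.ControllerContext.ControllerDescriptor
                   .GetCustomAttributes<AllowHttpAttribute>().Any();
        if (allowHttp)
            return;

        // Default for everything else: tell the client to switch to HTTPS.
        actionContext.Response = request.CreateResponse(
            HttpStatusCode.UpgradeRequired, "HTTPS is required.");
    }
}

// Register once in WebApiConfig.Register: config.Filters.Add(new RequireHttpsByDefaultAttribute());
```

Behind a TLS-terminating load balancer RequestUri.Scheme is http for every request, so this check then has to be fed the scheme from a forwarded-protocol header that only the proxy is trusted to set.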
