
Web API token authentication with a custom user database

I am developing a Web API 2.1 service that needs to authenticate the connecting clients (HTML5/JS clients that I will create and control). Unfortunately, the user information (username, password hashes, roles and much, much more info) is stored in an existing (SQL Server) database to which I only have read access. The Users database table was created 5-6 years ago without any reference to security frameworks, so it's a completely custom format. I'm not allowed to make any changes to either the data or the database structure.

Inspired by this article, I rolled my own token-based method of authenticating users, but I'm lacking the completeness and (re)assurance of using an established security framework.

Is there a way to integrate an existing framework, e.g. OAuth2, within my current project given the constraints I mentioned above? I don't know if it makes any difference, but I'm self-hosting using OWIN.

djikay asked Jun 18 '14 23:06


2 Answers

This is a good answer to a similar question. It basically says:

  • Make a custom user class which implements IUser
  • Define a custom user store which implements public class UserStoreService : IUserStore<CustomUser>, IUserPasswordStore<CustomUser>
  • Wire everything up

Since the answer is pretty extensive I just provided the basic steps... details are here: How to customize authentication to my own set of tables in asp.net web api 2?

This is also very valuable content, which also applies to Web API:

Customizing ASP.NET Authentication with Identity by JumpStart

https://channel9.msdn.com/Series/Customizing-ASPNET-Authentication-with-Identity

HTH

silverfighter answered Nov 06 '22 06:11
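The three steps listed in the answer above, sketched in C# against ASP.NET Identity 2.x as an added example (not code from the original answer or the one it links to). `LegacyPasswordHash`, `ILegacyUserReader`, `LegacyPasswordHasher`, `CreateManager` and the `verify` delegate are hypothetical names; the page does not give the legacy hash format, so verification is delegated to a caller-supplied function, and every write throws because the question's database is read-only.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;

// Hypothetical shape of one row of the legacy Users table.
public class CustomUser : IUser
{
    public string Id { get; set; }
    public string UserName { get; set; }
    public string LegacyPasswordHash { get; set; }
}

// Hypothetical read-only data access over the existing SQL Server table.
public interface ILegacyUserReader
{
    Task<CustomUser> ByIdAsync(string id);
    Task<CustomUser> ByNameAsync(string userName);
}

public class UserStoreService : IUserStore<CustomUser>, IUserPasswordStore<CustomUser>
{
    private readonly ILegacyUserReader _reader;
    public UserStoreService(ILegacyUserReader reader) { _reader = reader; }
    public Task<CustomUser> FindByIdAsync(string userId) { return _reader.ByIdAsync(userId); }
    public Task<CustomUser> FindByNameAsync(string userName) { return _reader.ByNameAsync(userName); }
    public Task<string> GetPasswordHashAsync(CustomUser user) { return Task.FromResult(user.LegacyPasswordHash); }
    public Task<bool> HasPasswordAsync(CustomUser user) { return Task.FromResult(!string.IsNullOrEmpty(user.LegacyPasswordHash)); }
    // The database is read-only, so every mutating operation is refused.
    public Task CreateAsync(CustomUser user) { throw new NotSupportedException(); }
    public Task UpdateAsync(CustomUser user) { throw new NotSupportedException(); }
    public Task DeleteAsync(CustomUser user) { throw new NotSupportedException(); }
    public Task SetPasswordHashAsync(CustomUser user, string passwordHash) { throw new NotSupportedException(); }
    public void Dispose() { }
}

// Checks a password against the legacy format; never produces new hashes.
public class LegacyPasswordHasher : IPasswordHasher
{
    private readonly Func<string, string, bool> _verify; // (storedHash, password) => match
    public LegacyPasswordHasher(Func<string, string, bool> verify) { _verify = verify; }
    public string HashPassword(string password) { throw new NotSupportedException(); }
    public PasswordVerificationResult VerifyHashedPassword(string hashedPassword, string providedPassword)
    { return _verify(hashedPassword, providedPassword) ? PasswordVerificationResult.Success : PasswordVerificationResult.Failed; }
    // Wire-up: the read-only store plus the legacy verifier give a usable UserManager.
    public static UserManager<CustomUser> CreateManager(ILegacyUserReader reader, Func<string, string, bool> verify)
    {
        return new UserManager<CustomUser>(new UserStoreService(reader)) { PasswordHasher = new LegacyPasswordHasher(verify) };
    }
}
```

The returned manager's `FindAsync(userName, password)` looks the user up through the store and checks the password through the hasher, so the token-issuing code does not touch the legacy table directly.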


Someone else, having the competence, can explain the options. But if authentication as a service is an option, then check out Auth0 @ https://auth0.com

I have tested the service (as Azure plugin) using both HTML/JS- and native Windows Phone applications, against simple SQL Server table and AD. Works like a charm, near zero headache.

Mikko Viitala answered Nov 06 '22 05:11