What's the best practice for APIs authentication?

I want to build token-based authentication for my web APIs to let 3rd-party applications access those APIs.

No user interaction, no delegation; the roles and the connected applications are managed manually from a management portal.

With those requirements, what's the best practice for acquiring the JWT token?

Do I need a protocol like OpenID or OAuth2, or can I simply expose an endpoint that takes an API key and returns a security token if the API key is valid?

Homam Avatar asked Feb 08 '17 13:02

1 Answer

First, I want to explain the difference between OAuth and OpenID. User adrianbanks contrasts the two well in this answer. To summarize, OpenID is about authentication - proving who you are - while OAuth is about authorization - whether you have access to the functionality, the data, or your application. Now, back to your question.

Whether you need OAuth or not, you should look into the OWIN (Open Web Interface for .NET) Middleware. We are currently using OWIN to implement our own open API with its OAuth 2.0 Authorization Server functionality. However, OWIN is not limited to implementing an OAuth authentication server. Definitely give it a look to see if it can fit your needs.

For your case, implementing OAuth 2.0 might not be necessary; however, it is what I am recommending. For this problem it is a good, secure solution. Not only will it solve this problem, but in the future, if you want to allow users to authorize third-party integrations, OAuth - the more secure option - will already be implemented.

If you will not have users using third-party integrations, you can use API keys. As long as you implement it in a secure way, this is a good option. If this is more of what you are looking for, read this post about using API keys to securely authenticate (and authorize) third-party applications for an ASP.NET Web API project.

M. Carlson Avatar answered Nov 14 '22 23:11

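The API-key-for-JWT exchange the question proposes, as an added example that is not part of the question or the answer and not tied to OWIN: the registry entry, key id, app name, roles and signing secret are constructed assumptions, keys are stored only as hashes (as a management portal would persist them), comparison is constant-time, and the issued HS256 JWT is short-lived. Written in language-agnostic Python rather than C# so the flow is easy to run.

```python
import base64, hashlib, hmac, json, time

# Constructed registry as a management portal might persist it: only a hash
# of each key is stored, so a leaked database does not leak usable keys.
def _sha256(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()

SAMPLE_KEY = "k1.3f0a9b7c1d2e4f5a6b7c8d9e0f1a2b3c"  # constructed, prefix = key id
REGISTRY = {"k1": {"app": "reporting-svc", "roles": ["read:orders"],
                   "key_hash": _sha256(SAMPLE_KEY), "enabled": True}}
JWT_SECRET = b"assumed-server-signing-secret"  # assumption: from server config

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _sign(header_payload: str) -> str:
    return _b64url(hmac.new(JWT_SECRET, header_payload.encode(), hashlib.sha256).digest())

def issue_token(api_key: str, now=None, ttl=900):
    """Return a JWT for a valid, enabled API key; None otherwise."""
    key_id = api_key.split(".", 1)[0]
    rec = REGISTRY.get(key_id)
    # compare hashes in constant time so timing cannot reveal a near-miss key
    if not rec or not rec["enabled"] or not hmac.compare_digest(rec["key_hash"], _sha256(api_key)):
        return None
    now = int(time.time()) if now is None else now
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": rec["app"], "roles": rec["roles"],
                                  "iat": now, "exp": now + ttl}).encode())
    return f"{header}.{payload}.{_sign(header + '.' + payload)}"

def verify_token(token: str, now=None):
    """Return the claims if the signature is valid and the token is unexpired."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    # signature is recomputed with the server's fixed algorithm, never the header's
    if not hmac.compare_digest(sig, _sign(header + "." + payload)):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = int(time.time()) if now is None else now
    if claims["exp"] <= now:
        return None
    return claims
```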