5

I've watched and viewed lots of pages on securing ASP.NET Web APIs - including: http://weblogs.asp.net/jgalloway/archive/2012/03/23/asp-net-web-api-screencast-series-part-6-authorization.aspx and http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx - however, I've not yet seen a KISS-type example.

If I have a Web API which returns a list of cars, for example - and I am working with a 3rd party (i.e. not my own website or server/domain) who wants to query (GET) and insert (POST) lists of cars by a type into my database, how do I authenticate them (via HTTPS)?

Do they simply add (into their JSON GET/Post) something like:

[
  {
    "username": "someusername",
    "password": "somepassword",
    "cars": [
      {"carTypeID": 12345},
      {"carTypeID": 9876},
      {"carTypeID": 2468}
    ]
  }
]

I can then grab the username and password, and check against my membership database in .net, and "IfUserAuthenticated" go on to process the rest of the JSON?

Or is there a better way of doing this? I've heard of adding details to headers etc. - but I'm not sure if that's for a reason, or over-complicating it. I've also heard of setting tokens which are sent back to the 3rd party - if that's the best method, what instructions do I give them for building their side of the app that will use my API?

Thanks for any advice/pointers,

Mark

  • In addition to the basic auth approach in the accepted answer, see this question and Darin Dimitrov's answer about how to use Forms authentication: http://stackoverflow.com/questions/11014953/asp-net-mvc-4-webapi-authentication – Jim Harte Jun 13 '12 at 15:14

3 Answers

4

If you want to keep it simple you can use Basic authentication. Over SSL it's quite secure. It simply involves adding a header to the request:

Authorization: Basic <username:password encoded as base64>

You can find a way to implement it here.

Antony Scott
Carles Company
  • Hi @carles-company - thank you for replying. I'd viewed that post too - but can't see (or, more likely, don't have the knowledge yet to see) what to tell the 3rd party in order for them to authenticate. The article advises to "leave it up to them to figure out", but helping them has benefits to both parties - so I'd like to be able to say "do this, do that, you will get the list of cars" - Thank you again, Mark – Mark Jun 11 '12 at 21:16
  • The third party just has to add the Authorization header. See http://en.wikipedia.org/wiki/Basic authentication for more details. – Carles Company Jun 12 '12 at 04:54
  • Thanks @Carles-company - I'll look more closely at that - it's obviously an area I just need to learn! Cheers, Mark – Mark Jun 12 '12 at 08:25
3

You can use HTTP Basic authentication along with SSL. It's very simple to implement using message handlers and is supported out of the box on many platforms. See my blog for an example (it is very easy to integrate with the membership provider of your choice):

http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/

Piotr Walat
0

I've written something similar for the Web API:
http://remy.supertext.ch/2012/04/basic-http-authorization-for-web-api-in-mvc-4-beta/

It's in use at a few places now and we've been using it for about 2 months in production. Seems to work fine.

Remy
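All three answers point at the same design: the third party sends `Authorization: Basic base64(username:password)` and the API validates it in a message handler, over TLS only. The following is an added example of both halves of that exchange, written for this page and not taken from the question, the answers or the blog posts they link to; it is Python rather than the C# `DelegatingHandler` those posts implement, so the shape carries over but the code does not. Every name in it (`build_basic_header`, `parse_basic_header`, `check_credentials`, `authenticate_request`) and the stand-in user store with its salts and test password are this example's own constructions, not anything from a real membership database.

```python
"""Both sides of the Basic-over-TLS exchange the answers describe.

Added example: not code from the question, the answers or the linked blog
posts, and Python rather than the C# message handler those posts implement.
All function names and the user store below are this example's own.
"""
import base64
import binascii
import hashlib
import hmac
from typing import Mapping, Optional, Tuple


# ---- what the third party sends ------------------------------------------

def build_basic_header(username: str, password: str) -> str:
    """Value for the Authorization header: 'Basic ' + base64("user:pass")."""
    if ":" in username:
        # RFC 7617: the user-id cannot contain ':' because it is the separator.
        raise ValueError("username must not contain ':'")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


# ---- what the API does with it ---------------------------------------------

def parse_basic_header(value: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password), or None if the header is missing/malformed."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:  # scheme name is case-insensitive
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    # Split on the FIRST colon only: the password may itself contain ':'.
    username, sep, password = raw.partition(":")
    if not sep or not username:
        return None
    return username, password


# Constructed stand-in for the membership database: a per-user salt and a
# PBKDF2 hash, never the clear-text password. A real store supplies its own
# salt and iteration count; these values are made up for the example.
def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 50_000)

_DUMMY_SALT = b"constructed-dummy-salt-16"
_USERS = {
    "acme-importer": (b"salt-for-acme-01",
                      _hash_password("pa:ss:word", b"salt-for-acme-01")),
}


def check_credentials(username: str, password: str) -> bool:
    """Look the user up and compare hashes in constant time."""
    record = _USERS.get(username)
    if record is None:
        # Burn a hash anyway so "unknown user" is not faster than "wrong password".
        _hash_password(password, _DUMMY_SALT)
        return False
    salt, expected = record
    # hmac.compare_digest avoids the timing leak of a plain == on the digests.
    return hmac.compare_digest(_hash_password(password, salt), expected)


def authenticate_request(headers: Mapping[str, str],
                         is_https: bool) -> Tuple[int, Optional[str]]:
    """Decide a request: (HTTP status, authenticated username or None).

    403 for anything not carried over TLS, because Basic sends the password
    in the clear; 401 (with a 'WWW-Authenticate: Basic realm=...' challenge
    in a real handler) for a missing, malformed or wrong credential.
    """
    if not is_https:
        return 403, None
    creds = parse_basic_header(headers.get("Authorization"))
    if creds is None or not check_credentials(*creds):
        return 401, None
    return 200, creds[0]


if __name__ == "__main__":
    hdr = {"Authorization": build_basic_header("acme-importer", "pa:ss:word")}
    print(hdr["Authorization"])                       # what the third party sends
    print(authenticate_request(hdr, is_https=True))   # (200, 'acme-importer')
    print(authenticate_request(hdr, is_https=False))  # (403, None)
```

The instruction to give the third party is then the one-liner in `build_basic_header`: base64-encode `username:password` and send it as `Authorization: Basic <token>` on every request, over HTTPS. On the API side the two checks worth keeping from this example are the TLS check (a credential that arrives over plain HTTP should be rejected, not just ignored) and the first-colon split, since a password containing a colon is otherwise silently truncated.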