I am implementing Authentication/Authorization in our Web API. Currently it's working with basic HTTP authentication, which is of course just authentication.
We have to implement role-based authorization. What is the best practice to go this way?
I am thinking of generating a token based on authentication and was wondering if there is any way to contain information in the token that can tell me about the user, its role, expiration date, etc. This token will be passed back and forth with every request.
How do I check for expiration of this token and extract information? I am thinking not to store it in the DB, to avoid querying the database again for every request to see if it expired or not. What's the right way to do this?
I am open to suggestions and want to see what's being done related to this.
I am thinking of designing our controller in a way that the REST URLs are transparent to the consumers of our services. In the Controller/HttpHandler we are able to figure out which role this ID belongs to and bring the data accordingly.
Please suggest.
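The design sketched in the question (a token that carries the user, roles and an expiry, and that the API can validate on every request without a database lookup) works when the server signs the token with a secret it alone holds: the client cannot alter the claims without invalidating the signature, and the expiry is read from the token itself. The following is an added example, not code from the question or its project, written in Python rather than ASP.NET to keep the idea language-neutral. It assumes HMAC-SHA256 over a base64url JSON payload; the key value, the claim names (`sub`, `roles`, `iat`, `exp`) and the `now` parameter used to make time testable are all choices made here.

```python
import base64
import hashlib
import hmac
import json
import time

# Server-side signing secret. Constructed placeholder for this example only;
# a real deployment loads a random key from configuration or a secret store.
SECRET_KEY = b"replace-with-a-random-32-byte-key-from-config"


def _b64(data: bytes) -> str:
    """base64url without padding, as commonly used for tokens."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    """Inverse of _b64; restores the stripped padding before decoding."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, roles, ttl_seconds, key=SECRET_KEY, now=None):
    """Create a signed, self-contained token after the user has authenticated."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "roles": list(roles), "iat": now, "exp": now + ttl_seconds}
    payload = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


def verify_token(token, key=SECRET_KEY, now=None):
    """Return the claims dict if the token is authentic and unexpired, else None.

    No database access: authenticity comes from the HMAC, expiry from 'exp'.
    """
    now = int(time.time()) if now is None else now
    try:
        payload, sig = token.split(".")  # ValueError unless exactly two parts
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Constant-time comparison; check the signature before trusting the payload.
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
    except (ValueError, TypeError):  # covers binascii, JSON and unicode errors
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("exp"), int):
        return None
    if now >= claims["exp"]:
        return None  # expired
    return claims


def authorize(token, required_role, key=SECRET_KEY, now=None):
    """Role check a controller or message handler would run per request."""
    claims = verify_token(token, key, now)
    if claims is None:
        return False
    return required_role in claims.get("roles", [])


if __name__ == "__main__":
    tok = issue_token("alice", ["admin"], ttl_seconds=3600)
    print(tok)
    print(verify_token(tok))
    print(authorize(tok, "admin"), authorize(tok, "auditor"))
```

Two points follow from this shape. First, because validation is stateless, a token stays valid until `exp` even if the account is disabled in the meantime, so keep the lifetime short and reissue, or add a server-side revocation list if early invalidation matters. Second, the hand-rolled format above exists only to show the mechanism; in an ASP.NET Web API the same claims-plus-signature idea is what a standard JWT library implements, with vetted parsing and key handling, and that is the sensible production choice.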