4

We're developing an API and a single page application (that is one of more possible future consumers of it).

We already started on the web API, and basically implemented a system very similar to the one John Papa made in his course on pluralsight, named "Building Single Page Apps (SPA) with HTML5, ASP.NET Web API, Knockout and jQuery".

We now need to implement authentication and user managing in this application and need to find the easy way out to implement this in as little time as possible as we are in a hurry.

We realized the SPA template included in the ASP.NET update had very similar features to our needs, but we wonder what the best approach to implement a similar feature in our existing code.

We are novice developers, as you might figure.

Is it possible nstall some packages using the package manager, and voila, a simple membership and OAuth auth option be readily available?

Our use case is that we need to protect some resources on our API based on roles, and that one should be able to log in using a username and password, but also log in using ones facebook, google, or twitter account.

Kenneth Lynne
  • 15,461
  • 12
  • 63
  • 79

3 Answers3

3

Found an interesting talk regarding the subject here: https://vimeo.com/43603474 named Dominick Baier - Securing ASP.NET Web APIs.

Synopsis: Microsoft’s new framework for writing RESTful web services and web APIs is appropriately enough called ASP.NET Web API. As the name applies, this technology is part of ASP.NET and also inherits its well-known security architecture. But in addition it also supports a number of new extensibility points and a flexible hosting infrastructure outside of IIS. There are a number of ways how to do authentication and authorization in Web API - from Windows to usernames and passwords up to token based authentication and everything in between. This talk explores the various options, and puts special focus on technologies like claims, SAML, OAuth2, Simple Web Tokens and delegation.

Kenneth Lynne
  • 15,461
  • 12
  • 63
  • 79
3

We eventually went with the SPA template, doing authentication on the API (separate MVC part). Then the API would generate a unique token and redirect the user to the front-end with the token in url parameters.

The front-end then needs to send this token on every subsequent request.

Kenneth Lynne
  • 15,461
  • 12
  • 63
  • 79
  • We are doing the same thing. Quick question though. Was your login part of the SPA or did it have its own separate ASP.Net MVC view? – uriDium Sep 24 '13 at 06:30
  • We solved it like this: Redirect from MVC to Angular login-returnUrl with token in url parameters, persist this, and use Angulars response interceptors to append it to all subsequent requests to the API. – Kenneth Lynne Nov 21 '13 at 09:55
0

Have a look here - Identity Server done by the security experts. This is all you need in one package.

In terms of OAuth, you would need to use Client-Side Web Application flow which the access token is issue immediately to the client and can be used.

Aliostad
  • 80,612
  • 21
  • 160
  • 208