5

I am developing an ASP.NET MVC 4 site on .NET 4.0. I am trying to authenticate the site to a WEB API. Now the site will pass a username and password and the WEB API will authenticate it. If authenticated, the WEB API will return a Token with roles, Time To Live etc. I am looking for a few pointers on this.

1.)How to generate this token?I dont want to use STS or anything else. Even a non fool proof approach would do. 2.)In the MVC side, i have to receive this token and set the current session as authenticated and make sure once TTL is expired i redirect the user to login page? Also in all the WEB API requests i need to send this token.

Hari Subramaniam
  • 1,814
  • 5
  • 26
  • 46

3 Answers3

4

Generally you can either generate token and implement its verification logic manually or use some 3rd party tools.

For manual implementation look here or here at blog post, it could be a good starting point for you. It's based on http://oauth.googlecode.com/svn/code/csharp/OAuthBase.cs class.

For client side and OAuth concepts you can read here a good answer.

From 3rd parties a goo choice could be DotNetOpenAuth. It's a good library but is complicated when working with OAuth. Try to look at its Web API OAuth2 sample

Second questions - answer is yes. You validate token and set request as authenticated. Anyway you can look at Wep API OAuth sample, where it's implemented.

Community
  • 1
  • 1
Regfor
  • 8,515
  • 1
  • 38
  • 51
3

You might consider using the WebAPI Token Auth Bootstrap Package I am currently working on - available at GitHub or NuGet.

Documentation and code samples available at GitHub Wiki.

Simple Token and Users Authentication and Authorization Bootstrap for WebAPI applications. Provided with 'TokenAuthApiController' which has built-in support for Login and Logout (cookies-based) and automatic token parsing and authenticating (inside query strings, form data or cookies).

This bootstrap allow you to simply have [TokenAuthentication] attribute on actions with the appropriate AccessLevel: Admin, User, Public or Annonymous.

This bootstrap also provides TokenAuthApiController that inherits from the traditional ApiController and adds extra functionality detailed here.

Feel free to Pull requests, Report issues or Contribute

Aviran Cohen
  • 5,581
  • 4
  • 48
  • 75
1

This would be one of the good places to start, This ties in nicely with the asp.net membership

https://stackoverflow.com/a/7217957/989679

You basically store information in userData of authCookie and works well with WebAPI

Community
  • 1
  • 1
Naresh Jois
  • 834
  • 11
  • 18