
I currently have an ASP.NET MVC 4 website where members have an account and can log in using both Facebook and my own login form. I am then using FormsAuthentication.

I would next like to build an API, using WebAPI and expose some of my functionality to a mobile client I am planning on building.

I do not have any plans on having others consume my API, so this would just be for the client I build.

How would I go about implementing security on the WebAPI? Should I be using a token system where I can have a login form on the client, receive the credentials, log them in, and return a token which would be sent back to the server on each call?

Should I implement OAuth on the server?

Andy T

2 Answers


Try to be completely RESTful: use HTTP's built-in authentication system where authentication information is provided by the client in each request. You can also use HTTP Basic Authentication without any security concerns provided that you use SSL, otherwise HTTP Digest is also secure enough for this purpose.

You will need to implement your own HTTP Basic Authentication provider for ASP.NET, fortunately it's easy (and fun!).

It also beats other systems which require a signed URI using a querystring parameter, which is ugly and messes up lovely RESTfulness, or carrying a token around (usually passed as a cookie).

Dai

Holy wars about how to do authentication in REST aside, you can just use forms authentication. If you are also using a web interface from the same site/domain and you have your authentication stuff well factored this is really convenient and easy.

You need a base class for your API controllers

using System.Web.Http;

public class MyApiControllerBase : ApiController
{
    // Populated by the filter below; null for anonymous requests
    public MySecurityContextType SecurityContext { get; set; }
}

an ActionFilterAttribute

using System.Web;
using System.Web.Http.Controllers;
using System.Web.Http.Filters;
using System.Web.Security;

public class AuthenticationContextAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(HttpActionContext actionContext)
    {
        MyApiControllerBase controller = actionContext.ControllerContext.Controller as MyApiControllerBase;
        if (controller != null)
        {
            // When web-hosted, Web API stores the ASP.NET HttpContext in the request properties
            var context = (HttpContextBase)controller.Request.Properties["MS_HttpContext"];

            HttpCookie cookie = context.Request.Cookies[FormsAuthentication.FormsCookieName];
            if (cookie == null || string.IsNullOrEmpty(cookie.Value))
                return; // anonymous request: leave SecurityContext null

            // Decrypt verifies the ticket's MAC; an expired ticket still decrypts, so check Expired explicitly
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return;

            controller.SecurityContext = ParseFormsAuthenticationTicket(ticket); // your own ticket-to-context mapping
        }
    }
}

and code to create the ticket in the first place.

// Called from the MVC login action; issues the forms ticket that the filter above reads back
public void LogIn(string userName, string password, bool usePersistentCookies)
{
    var context = DoLoginLogic(userName, password); // your own credential check; null on failure
    if (context == null)
        throw new UnauthorizedAccessException("Invalid user name or password");
    // Cookie name, MAC and expiry come from the <forms> element in web.config
    FormsAuthentication.SetAuthCookie(userName, usePersistentCookies);
}

Authorization will obviously need to be done in the controller methods.

Yaur
  • You could simplify authorization implementation by adding an attribute to controller action methods. – Dai Apr 24 '13 at 00:37
  • That really depends on your authorization scheme. If you need authorization levels (e.g. admin vs non-admin) sure. If you need object level authorization it's much harder to make it simple using action filters. – Yaur Apr 26 '13 at 17:07