
I've been wrestling with how to simplify our WebAPI/Identity authentication for our current/future WebAPIs. I'm new at this, but I'll explain it the best I can. We started with a single WebAPI and set up ASP.Net Identity to handle the authentication and such. Then we set up another, and soon it will be 30.

What we currently have

The problem here is obvious - for every new WebAPI we have to plug in yet another MS Identity Authorization layer. In some cases just having a single, massive WebAPI would work, but in this case these are totally separate products (plus it's bad design).

So we wanted to shoot for something like this:

What we've been asked to do

But I'm having a hard time figuring out how each WebAPI would get User information so I could check roles and such.

I've read many posts on WebAPI authentication such as: this, this and this, but it seems everything I find has to do with securing that SINGLE WebAPI and we know how to do that already. It feels like what we need is an SSO approach for our WebAPIs. It almost seems that we need something like the External Authentication approach (like Facebook, Twitter, etc.) but using our own backend DB - I just don't know the proper terminology.

So I'm turning to the experts for help in getting me headed the right direction:

  • Is it common practice to have each WebAPI have its own authentication/authorization layer that each point to the same DB?
  • Is the single auth layer concept built in to the WebAPI/Identity already or do I have to do it from scratch?
  • Is an Authentication Filter what we should be using?

I could hack it all together behind the scenes, but it feels like there is an obvious answer out there that I am missing.

Is there a built-in way to set up a "Trust" between each WebAPI and an Authentication API to do something like this:

Trust flow

This is the direction we are currently heading:

Current Direction

If I could just get a general push in the right direction, I'd be pleased as punch. I just don't want to reinvent the wheel.

Oh, and before I forget, we are using ASP.NET 4.5, WebAPI 2, Identity 2, on IIS.

Thank you for any pointers.


2 Answers

What you are looking for is Federated Identity for your own web APIs and is something that Thinktecture's Identity Server aims to solve. The documentation is probably the best place to start.

  • Yes, I was reading about that today as well but left it out of my request above. I backed off because I read some comments from other people saying you didn't want to do it like that. HOWEVER - based on your SO score and recommendation, it sounds like I need to research and study it myself. That's my homework for tonight! Thanks Russ – PRB Jan 28 '15 at 22:52
  • @PRB - no worries. Federated Identity, Claims Based Identity, WS-Federation, SAML, STS etc. can be a minefield to navigate. I have seen IdentityServer used successfully to provide claims based identity to a number of web APIs. I would not call myself a security expert so can only recommend you research and draw your own conclusions. I would also recommend downloading the PDF of Claims based Identity and Access Control too - https://msdn.microsoft.com/en-us/library/ff423674.aspx – Russ Cam Jan 28 '15 at 22:58
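As an added illustration of the "Trust" flow sketched in the question and the claims-based identity this answer points to (example code written for this page, not code from the page, from IdentityServer or from ASP.NET Identity), a language-agnostic Python model of the pattern: one Authentication API checks credentials against the single user store and issues a signed claims token, and each WebAPI's filter only verifies signature, audience and expiry and reads roles out of the claims, never touching the user DB. The user record, the shared trust key and the API names are constructed; the password hash stands in for Identity's password hasher.

```python
import base64, hashlib, hmac, json, time

# Constructed: the ONE user store, owned by the Authentication API only.
# Identity stores password hashes; a plain SHA-256 here stands in for its hasher.
USER_DB = {"alice": {"pwd_hash": hashlib.sha256(b"s3cret").hexdigest(),
                     "roles": ["Admin", "Reports"]}}
# Constructed: the secret that establishes trust between the Authentication API
# and every WebAPI that accepts its tokens (a real deployment would use a
# long random key, or an RSA key pair so WebAPIs hold only the public half).
TRUST_KEY = b"constructed-shared-trust-key-replace-me"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _sign(body: str) -> str:
    return _b64(hmac.new(TRUST_KEY, body.encode(), hashlib.sha256).digest())

def issue_token(username, password, audience, ttl=900, now=None):
    """Authentication API: verify credentials once, return a signed claims token."""
    user = USER_DB.get(username)
    given = hashlib.sha256(password.encode()).hexdigest()
    if user is None or not hmac.compare_digest(user["pwd_hash"], given):
        return None
    now = time.time() if now is None else now
    claims = {"sub": username, "roles": user["roles"], "aud": audience,
              "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    return body + "." + _sign(body)

def validate_token(token, expected_audience, now=None):
    """WebAPI-side check: trust the issuer's signature, no user DB lookup.
    Returns the claims dict, or None if the token must be rejected."""
    parts = token.split(".")
    if len(parts) != 2 or not hmac.compare_digest(_sign(parts[0]), parts[1]):
        return None  # malformed, tampered, or not signed with the trusted key
    claims = json.loads(_unb64(parts[0]))
    now = time.time() if now is None else now
    if claims.get("aud") != expected_audience or claims["exp"] <= now:
        return None  # minted for a different WebAPI, or expired
    return claims

def authorize(token, audience, required_role, now=None):
    """What a per-request authentication/authorization filter would decide."""
    claims = validate_token(token, audience, now)
    return claims is not None and required_role in claims["roles"]
```

Every new WebAPI only needs the trust key and an `authorize`-style filter; the credential check and the user store stay in one place.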

Not to give too simplistic an answer, but couldn't you just build an API as a facade around the others? The top level API handles all of the authorization and then forwards calls to your other APIs. I'm not an architect but that's what I would do.

  • Yes, you are correct. That approach is what we were thinking of in the "all in one WebAPI" mentioned above, but that Facade would have to have knowledge of every method in every WebAPI. And if we wanted to stand up a minimalist server with only a few of the WebAPIs setup, it would require code changes. I hope that makes sense, but I do want to thank you for bringing that up, since I wasn't very clear in my original statement. ;) – PRB Jan 28 '15 at 22:45
  • Another thing I may not have been clear about is that each WebAPI currently houses hundreds of endpoints, so setting up a facade for all of them would be quite an undertaking (unless I'm missing the boat on this) and would worsen as we added new APIs. Unless there is a way to pass them blindly? [sigh] Not sure there. But that is really leaning towards an Authentication Filter at that point - it doesn't care what you are asking for, it just does its job and passes the request down the line. **Thanks Will!** – PRB Jan 28 '15 at 22:49