
I am new to developing APIs and have built ASP.NET Web API capability into an existing MVC project of mine. I am going to want clients to be able to send JSON of multiple object instances that I can persist to my DB, but currently the API consists only of the Values template that the framework provides, and I'd like to sort out securing it now before moving forward with developing the API fully:

using System.Collections.Generic;
using System.Web.Http;

// [Authorize] rejects any request that does not carry an authenticated principal,
// which at the moment means a user logged in through the site's forms login.
[Authorize]
public class ValuesController : ApiController
{
    // GET api/<controller>
    public IEnumerable<string> Get()
    {
        return new string[] { "value1", "value2" };
    }

    // GET api/<controller>/5
    public string Get(int id)
    {
        return "value";
    }

    // POST api/<controller>
    public void Post([FromBody]string value)
    {
    }

    // PUT api/<controller>/5
    public void Put(int id, [FromBody]string value)
    {
    }

    // DELETE api/<controller>/5
    public void Delete(int id)
    {
    }
}

The Authorize attribute requires a user to log in on my site at the moment, and I am confused as to how my API could be called programmatically in this instance.

I want to secure the API so that a client wanting to use it will have to provide their unique API key in order to access functionality. Furthermore, I would like to use this API key to establish which user has called the API so that I can respond to them using only their data.

What are the steps involved in putting this in place from the early starting point I'm at (just having integrated the Web API functionality)?

I've been looking at, and getting confused by, HMAC authentication. Although this does seem similar to what I'm after, it seems quite complicated to implement (maybe just because I'm in a new area here), and I thought there must be a simpler way to achieve what I want?

JonnyKnottsvill
  • Do you want to use HMAC to verify integrity of your data in addition to authenticating the user? Or do you just want to authenticate the user? – Nikolai Samteladze Jul 11 '15 at 00:36
  • I'm not sure if it's necessary for my scenario. I have a portal where users can create contacts and messages and the API is primarily to allow other systems to create contacts in my system when they are created in their own. I feel authentication is sufficient using some key I have provided to the third party developer. What would you advise? – JonnyKnottsvill Jul 13 '15 at 10:25
  • I feel something like this may be sufficient http://stackoverflow.com/questions/11014953/asp-net-web-api-authentication?rq=1 – JonnyKnottsvill Jul 13 '15 at 10:44
  • HMAC provides more value (payload integrity verification), but it's up to you to decide how much security you need. If high security is not an essential requirement, then start simple. Basic auth with API key/secret should work. The quick and dirty solution is to extend `AuthorizeAttribute` (http://stackoverflow.com/questions/13264496/asp-net-mvc-4-custom-authorize-attribute-with-permission-codes-without-roles). A better approach is to set an authentication filter (http://www.asp.net/web-api/overview/security/authentication-filters). – Nikolai Samteladze Jul 14 '15 at 01:05
  • If I were you, I would probably start with extending `AuthorizeAttribute`. – Nikolai Samteladze Jul 14 '15 at 01:10

1 Answer


A quick solution is to extend AuthorizeAttribute and define your authentication logic there. See this SO question for an example.

A slightly more modular approach is to create an authentication filter. See the ASP.NET docs here. This way you can separate authentication and authorization.

As for HMAC vs Basic authentication, I would go with the simpler Basic authentication if security is not a key component of your system. This way you can ship v1.0 faster.

Nikolai Samteladze
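One way to build the authentication filter the answer points to, written here as an added example (not code from the question, the answer, or the ASP.NET docs): the `X-Api-Key` header name, the in-memory key table and the placeholder key are assumptions; the point is that the filter only sets a principal when the key is known, so `[Authorize]` keeps rejecting everything else and the action can read `User.Identity.Name` to scope its response.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Security.Cryptography;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web.Http.Filters;
using System.Web.Http.Results;

// Web API 2 authentication filter that identifies the caller from an "X-Api-Key" header.
// Keys are stored only as SHA-256 hashes, so a leaked table does not leak usable keys.
public class ApiKeyAuthenticationAttribute : Attribute, IAuthenticationFilter
{
    // Constructed in-memory store (hash of key -> user name); replace with a DB lookup.
    private static readonly Dictionary<string, string> KeyHashToUser =
        new Dictionary<string, string> { { Sha256Hex("example-key-for-partner-a"), "partner-a" } };

    public bool AllowMultiple { get { return false; } }

    public Task AuthenticateAsync(HttpAuthenticationContext context, CancellationToken cancellationToken)
    {
        IEnumerable<string> values;
        // No header: set nothing, so [Authorize] on the controller still answers 401.
        if (!context.Request.Headers.TryGetValues("X-Api-Key", out values))
            return Task.FromResult(0);
        string presented = values.FirstOrDefault();
        string user;
        if (string.IsNullOrEmpty(presented) || !KeyHashToUser.TryGetValue(Sha256Hex(presented), out user))
        {
            // Unknown key: fail the request explicitly rather than falling through.
            context.ErrorResult = new UnauthorizedResult(new AuthenticationHeaderValue[0], context.Request);
            return Task.FromResult(0);
        }
        // Known key: attach a principal so the action can read User.Identity.Name
        // and return only that caller's data.
        var identity = new ClaimsIdentity("ApiKey");
        identity.AddClaim(new Claim(ClaimTypes.Name, user));
        context.Principal = new ClaimsPrincipal(identity);
        return Task.FromResult(0);
    }

    public Task ChallengeAsync(HttpAuthenticationChallengeContext context, CancellationToken cancellationToken)
    {
        return Task.FromResult(0);   // no WWW-Authenticate challenge needed for a header-based key
    }

    private static string Sha256Hex(string s)
    {
        using (var sha = SHA256.Create())
            return BitConverter.ToString(sha.ComputeHash(Encoding.UTF8.GetBytes(s))).Replace("-", "");
    }
}
```

Register it globally with `config.Filters.Add(new ApiKeyAuthenticationAttribute())` in `WebApiConfig`, or place it on the controller next to `[Authorize]`; keys should only travel over HTTPS, since the header is sent in the clear otherwise.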