
I currently have a WCF REST based API that uses token-based authentication to authenticate users. However, I now need to implement an additional security layer that restricts users based on a token generated prior to making any API calls in the core layer.

The workflow would be as follows: 1) User makes a call to API-1, API-1 returns a token. 2) User uses that token and makes a call to the Core API. The Core API should recognize the token and only give specific access to the user based on the token.

For example, I have a FormService class that has 3 methods: SaveForm, GetForm, AddUserToForm. I would need to generate a token that FormService would recognize to only allow access to SaveForm or GetForm or all the methods. If the user doesn't have access, return an unauthorized error message. I'm not really sure how to approach this problem. I don't want to have static mapping tables that I query every time someone makes a call to check for access. I'm also not sure how to generate these tokens which can then be used later for specific access. Any ideas would be helpful.

brasewel

1 Answer

I personally store the token in a WCF cache. When the user calls your API for the first time (supposing he's not logged in and the call is the authentication), the API verifies the identity (login/password), generates the token, sends it back to the user and stores it in the cache (I personally invalidate the cache once every two hours).

To generate the token, I use this:

using System;
using System.Linq;

var time = BitConverter.GetBytes(DateTime.UtcNow.ToBinary()); // 8-byte issue timestamp
var key = Guid.NewGuid().ToByteArray();                        // 16-byte GUID; not documented as a cryptographic RNG, use RNGCryptoServiceProvider if tokens must be unguessable
var token = Convert.ToBase64String(time.Concat(key).ToArray()); // 24 raw bytes, Base64-encoded for transport

This answer about the subject is really good. You can find more information on token-based authentication here.

Hope it helps.

Hamid Cherif
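The question asks for a token that encodes which FormService methods a caller may use, checked without a per-call lookup, and the answer shows issuing an opaque random token. Below is an added example in C# (not code from either poster) that combines the two: API-1 signs a token carrying the user, an expiry and a list of scopes with an HMAC, and the core API verifies the signature, expiry and required scope on each call. The class names, the scope strings `form:read`, `form:write` and `form:admin`, and the 32-byte key generated at startup are all assumptions for the demo.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question or the answer). Token format:
// base64(user|expiryUnixSeconds|scope1,scope2).base64(HMAC-SHA256 of that payload)
public static class ScopedTokenService
{
    // Assumption: one secret shared by the issuer (API-1) and the verifier (core API).
    // Generated here for the demo; in production load a persistent key from protected config.
    private static readonly byte[] SigningKey = NewKey(32);

    private static byte[] NewKey(int length)
    {
        var key = new byte[length];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        return key;
    }

    private static byte[] Sign(byte[] data)
    {
        using (var hmac = new HMACSHA256(SigningKey)) return hmac.ComputeHash(data);
    }

    // Issuer side (API-1): call this after login/password has been verified.
    public static string Issue(string userId, IEnumerable<string> scopes, TimeSpan lifetime)
    {
        if (userId.IndexOfAny(new[] { '|', ',' }) >= 0)
            throw new ArgumentException("userId must not contain field delimiters");
        long expires = DateTimeOffset.UtcNow.Add(lifetime).ToUnixTimeSeconds();
        byte[] payload = Encoding.UTF8.GetBytes(userId + "|" + expires + "|" + string.Join(",", scopes));
        return Convert.ToBase64String(payload) + "." + Convert.ToBase64String(Sign(payload));
    }

    // Verifier side (core API): true only if the MAC is valid, the token is
    // unexpired and it carries the scope the calling method requires.
    public static bool TryValidate(string token, string requiredScope, out string userId)
    {
        userId = null;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;
        byte[] payload, mac;
        try { payload = Convert.FromBase64String(parts[0]); mac = Convert.FromBase64String(parts[1]); }
        catch (FormatException) { return false; }
        if (!FixedTimeEquals(Sign(payload), mac)) return false;   // verify before trusting the payload
        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 3) return false;
        long expires;
        if (!long.TryParse(fields[1], out expires)) return false;
        if (DateTimeOffset.UtcNow.ToUnixTimeSeconds() >= expires) return false;
        if (!fields[2].Split(',').Contains(requiredScope)) return false;
        userId = fields[0];
        return true;
    }

    // Constant-time comparison so MAC checking does not leak via timing.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

// The FormService from the question: each method names the scope it needs.
public class FormService
{
    public string GetForm(string token, int formId)
    {
        string user = Authorize(token, "form:read");
        return "form " + formId + " read by " + user;
    }

    public void SaveForm(string token, int formId, string body) { Authorize(token, "form:write"); }

    public void AddUserToForm(string token, int formId, string newUser) { Authorize(token, "form:admin"); }

    private static string Authorize(string token, string scope)
    {
        string user;
        if (!ScopedTokenService.TryValidate(token, scope, out user))
            throw new UnauthorizedAccessException("token lacks scope " + scope); // map to an HTTP 401/403 fault in WCF
        return user;
    }
}

public static class Demo
{
    public static void Main()
    {
        var svc = new FormService();
        string readOnly = ScopedTokenService.Issue("alice", new[] { "form:read" }, TimeSpan.FromHours(2));
        Console.WriteLine(svc.GetForm(readOnly, 7));                       // allowed
        try { svc.SaveForm(readOnly, 7, "{}"); }                           // denied: no form:write
        catch (UnauthorizedAccessException e) { Console.WriteLine("denied: " + e.Message); }

        // Re-using the old MAC over an edited payload (extra scope, far-future expiry) fails the check.
        string forgedPayload = Convert.ToBase64String(Encoding.UTF8.GetBytes("alice|9999999999|form:read,form:admin"));
        string forged = forgedPayload + "." + readOnly.Split('.')[1];
        string who;
        Console.WriteLine(ScopedTokenService.TryValidate(forged, "form:admin", out who)); // False
    }
}
```

The trade-off against the cached random token in the answer: a signed token needs no server-side lookup, but it also cannot be revoked before its expiry unless you add state back (a denylist or a short lifetime with re-issuance), and the signing key must be persistent and shared by every instance of API-1 and the core API, or tokens issued by one node will be rejected by another.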