22

Assuming that I currently have a newly created project based on the Visual Studio 2015 "WebApp" template with Individual Accounts authentication, I use the Microsoft.AspNet.Authentication package and I can't always rely on cookies, because my web API should also target mobile apps:

How can I add authentication to my web API? I'm especially interested in token based authentication.

vauhochzett
Piotrek
    You don't keep `Authenticated Data` in the browser; you keep a Session variable, which would be `Session["IsAuthenticated"]`, and it would be true or false depending on whether the user/password passes the login logic or not. This is extremely easy actually; there are tons of examples. Look up `PrincipalContext Class`. Also there are ways to do this validating against SQL Server etc. – MethodMan Dec 14 '15 at 21:07
    ASP.NET Web API and MVC have merged in MVC 6. I think you'll find you can use whatever MVC is using, but obviously with Web API you're dealing with calls to endpoints rather than a prebuilt UI. – mason Dec 14 '15 at 21:52
    If you can't find any valuable information, then you're certainly looking in the wrong place. E.g.: Google leads me to this page within 5 seconds: http://www.asp.net/web-api/overview/security/individual-accounts-in-web-api – huysentruitw Dec 29 '15 at 09:46

3 Answers

4

You can use basic HTTP authentication or implement a similar scheme with a token or ticket passed through HTTP headers.

mehmet mecek
  • But does this library that I use provide some way to generate those tokens? Do I have to develop and store those tokens by myself, or is it already done? – Piotrek Jan 08 '16 at 13:47
3

Implement a custom AuthorizeAttribute in your web API project. In the IsAuthorized(HttpActionContext actionContext) overload you can check the authorization scheme and the authorization header, and then you can connect to your sessions provider and check whether the user has an active session. You must pass the login token in the authorization header, so if the token is missing that means there is no active user. So when you log in, you must create and encrypt the token on successful login. Then pass this token with each request to the server.
This blog contains more information about using AuthorizeAttribute: http://weblogs.asp.net/jongalloway/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way

Radin Gospodinov
3

You can make a separate table in the db for storing authentication details (AuthKey, UserID, CreatedDate, ExpiredDate, IsExpired) and make functions like CheckAuthorizationKey(string authKey), ExtendAuthorization(string authKey), ExpireAuthorization(string authKey){}

and call those functions to check the authorization, as in the sample code below.

public ServiceResult<LoginModel> Login(string auth_key)
{
    var service = new ServiceResult<LoginModel>();
    LoginModel user = new LoginModel();

    // Reject the call when the key is unknown, expired, or revoked.
    if (AuthKey.CheckAuthorizationKey(auth_key) == false)
    {
        service.message = TemplateCodes.GetMessage(TemplateCodes.UnAuthorize, null, db);
        service.status = ServiceStatus.authorization_failed;
        return service;
    }

    // Key accepted: the original snippet ends here; populate `user` from the
    // key's UserID and return it in `service`.
    return service;
}
Crestamr
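The two answers above describe the same shape: a server-side key table with CheckAuthorizationKey / ExtendAuthorization / ExpireAuthorization, consulted from a custom AuthorizeAttribute that reads the Authorization header. The following is an added C# example (not code from either answer) that puts both together; AuthKeyStore, AuthRow, Issue and IsAuthorized are names chosen here, an in-memory dictionary stands in for the database table, and it assumes C# 7 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
// One row of the auth table proposed above (AuthKey, UserID, CreatedDate, ExpiredDate, IsExpired).
public class AuthRow { public string UserId; public DateTime CreatedDate, ExpiredDate; public bool IsExpired; }
public static class AuthKeyStore
{
    // In-memory stand-in for the database table. Rows are keyed by the SHA-256 hash of the key,
    // so a dumped table does not hand an attacker usable bearer tokens.
    private static readonly Dictionary<string, AuthRow> Table = new Dictionary<string, AuthRow>();
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(30);
    private static string Hash(string authKey)
    {
        using (var sha = SHA256.Create()) return Convert.ToBase64String(sha.ComputeHash(System.Text.Encoding.UTF8.GetBytes(authKey)));
    }
    // Called once login succeeds: mint a random key, store only its hash, return the raw key to the client.
    public static string Issue(string userId)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string key = Convert.ToBase64String(bytes);
        DateTime now = DateTime.UtcNow;
        Table[Hash(key)] = new AuthRow { UserId = userId, CreatedDate = now, ExpiredDate = now + Lifetime };
        return key;
    }
    // Unknown, revoked, or timed-out keys all fail; a timed-out key is marked expired on first sight.
    public static bool CheckAuthorizationKey(string authKey)
    {
        if (authKey == null || !Table.TryGetValue(Hash(authKey), out var row)) return false;
        if (row.IsExpired || DateTime.UtcNow >= row.ExpiredDate) { row.IsExpired = true; return false; }
        return true;
    }
    // Sliding expiry: only a currently valid key gets its lifetime renewed.
    public static void ExtendAuthorization(string authKey)
    {
        if (CheckAuthorizationKey(authKey)) Table[Hash(authKey)].ExpiredDate = DateTime.UtcNow + Lifetime;
    }
    // Logout or revocation: the row stays for auditing but can never authorize again.
    public static void ExpireAuthorization(string authKey)
    {
        if (authKey != null && Table.TryGetValue(Hash(authKey), out var row)) row.IsExpired = true;
    }
    // The check a custom AuthorizeAttribute runs per request: expects "Authorization: Bearer <key>".
    public static bool IsAuthorized(string authorizationHeader)
    {
        const string scheme = "Bearer ";
        if (authorizationHeader == null || !authorizationHeader.StartsWith(scheme, StringComparison.Ordinal)) return false;
        return CheckAuthorizationKey(authorizationHeader.Substring(scheme.Length).Trim());
    }
}
```

Wire IsAuthorized into whichever authorization filter the MVC version in use exposes, and serve the API over HTTPS only, since a bearer key is as good as the password that produced it.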