
My MVC application accesses my Web API.

To access the Web API it is absolutely necessary to provide a "token".

There is a button in the Web API that generates the token.

How can I make the Web API application accept only the token generated by the MVC application, without using a database?

I made the MVC application generate the token (a GUID + date) and pass this token to the Web API, which validates whether the date is within a period of 30 s. If it is within the period, I consider the token valid.

byte[] data = Convert.FromBase64String(token);
// Read the 8-byte timestamp (written with DateTime.ToBinary on the MVC side) from the decoded bytes
DateTime when = DateTime.FromBinary(BitConverter.ToInt64(data, 0));

// Reject tokens older than 30 seconds
if (when < DateTime.UtcNow.AddSeconds(-30))
{
    return false;
}

This works; however, any GUID concatenated with a date will be accepted as valid. I need my Web API to know exactly which token was generated by the MVC application.

Guilherme Ferreira

    I would recommend you have a look at JWT if you have not done so already: https://jwt.io/. MSDN already has some offering for this: https://msdn.microsoft.com/en-us/library/dn205065(v=vs.110).aspx. The advantage is that it does not persist anything and is secured. – Gomes Mar 22 '16 at 15:04

1 Answer

You could use a two-way hash to encrypt the token, then decrypt it server side. Or, to put it another way, manipulate the string in a manner that is non-obvious, then perform the opposite operation server side. This will prevent someone from spoofing your token. This question has a lot of details.

Bruce Van Horn
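The question asks how the Web API can tell, without a database, that a GUID + timestamp token really came from the MVC application, and the answer suggests a transformation only the two sides can perform. The usual stateless way to do that is a keyed MAC: both applications hold the same secret, the MVC side appends an HMAC over the GUID and timestamp, and the Web API recomputes it before trusting the timestamp. The following is an added example written for this page; it is not code from the question or the answer. `SignedToken`, `Create`, `Validate` and the 30-second `Lifetime` are assumed names, and the shared key is assumed to be loaded from configuration on both sides rather than hard-coded.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not from the question or answer).
// Token = base64( guid (16 bytes) | UTC ticks (8 bytes) | HMAC-SHA256(guid|ticks, sharedKey) (32 bytes) ).
// Assumption: both applications load the same sharedKey from configuration.
public static class SignedToken
{
    private const int GuidLength = 16;
    private const int TicksLength = 8;
    private const int MacLength = 32; // HMAC-SHA256 output size
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(30);
    private static readonly TimeSpan ClockSkew = TimeSpan.FromSeconds(5);

    // MVC side: build a token for the current moment.
    public static string Create(byte[] sharedKey) => Create(sharedKey, DateTime.UtcNow);

    public static string Create(byte[] sharedKey, DateTime utcNow)
    {
        var payload = new byte[GuidLength + TicksLength];
        Guid.NewGuid().ToByteArray().CopyTo(payload, 0);
        // BitConverter uses the machine's byte order; both sides are assumed to run on the same architecture.
        BitConverter.GetBytes(utcNow.Ticks).CopyTo(payload, GuidLength);

        using (var hmac = new HMACSHA256(sharedKey))
        {
            var mac = hmac.ComputeHash(payload);
            var token = new byte[payload.Length + mac.Length];
            payload.CopyTo(token, 0);
            mac.CopyTo(token, payload.Length);
            return Convert.ToBase64String(token);
        }
    }

    // Web API side: accept only tokens whose MAC verifies and whose timestamp is inside the window.
    public static bool Validate(string token, byte[] sharedKey) => Validate(token, sharedKey, DateTime.UtcNow);

    public static bool Validate(string token, byte[] sharedKey, DateTime utcNow)
    {
        byte[] data;
        try { data = Convert.FromBase64String(token); }
        catch (FormatException) { return false; } // malformed input is simply rejected

        if (data.Length != GuidLength + TicksLength + MacLength) return false;

        var payload = new byte[GuidLength + TicksLength];
        Array.Copy(data, 0, payload, 0, payload.Length);
        var presentedMac = new byte[MacLength];
        Array.Copy(data, payload.Length, presentedMac, 0, MacLength);

        // 1. Origin and integrity: recompute the MAC with the shared key and compare in constant time,
        //    so a forged GUID + date (the problem in the question) fails here before the date is even read.
        using (var hmac = new HMACSHA256(sharedKey))
        {
            var expectedMac = hmac.ComputeHash(payload);
            if (!CryptographicOperations.FixedTimeEquals(expectedMac, presentedMac)) return false;
        }

        // 2. Freshness: the same 30-second window as the question, plus a small allowance for clock skew.
        var issued = new DateTime(BitConverter.ToInt64(payload, GuidLength), DateTimeKind.Utc);
        if (issued > utcNow + ClockSkew) return false;   // stamped in the future
        if (issued < utcNow - Lifetime) return false;    // too old
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed demo key; in a real deployment read it from configuration on both applications.
        byte[] sharedKey = Encoding.UTF8.GetBytes("replace-with-a-random-32-byte-secret-from-config");
        byte[] wrongKey = Encoding.UTF8.GetBytes("a-different-secret");

        string token = SignedToken.Create(sharedKey);
        Console.WriteLine(SignedToken.Validate(token, sharedKey));                                   // True
        Console.WriteLine(SignedToken.Validate(token, wrongKey));                                    // False: not issued by the holder of the key
        Console.WriteLine(SignedToken.Validate(token, sharedKey, DateTime.UtcNow.AddSeconds(60)));   // False: outside the 30 s window
        Console.WriteLine(SignedToken.Validate("not a token", sharedKey));                           // False: malformed
    }
}
```

`CryptographicOperations.FixedTimeEquals` exists from .NET Core 2.1 onwards; on older frameworks a hand-written constant-time loop over the two arrays does the same job. One caveat that follows from the question's "no database" requirement: the MAC proves who issued the token and the window bounds its age, but nothing here detects a token being replayed inside those 30 seconds. Preventing that needs the server to remember GUIDs it has already seen, which is exactly the state the question wants to avoid, so the window should be kept as short as the application tolerates.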