
What is the best way to secure a Web API when you have multiple different clients to use? Each client should have its own API key to connect with. Now I have read different things but I still have some questions.

I have found this one: http://bitoftech.net/2014/06/01/token-based-authentication-asp-net-web-api-2-owin-asp-net-identity/#comments but is it sufficient?

So basically:

  1. client connects with given username/password
  2. client gets a bearer token back
  3. client uses this token in each post to the api until the timestamp is over

I also have read about giving an API secret key to each client which he can use: http://bitoftech.net/2014/12/15/secure-asp-net-web-api-using-api-key-authentication-hmac-authentication/

What is the best approach?

Luke Girvin
Kaizer
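The second scheme the question mentions, an API key plus an HMAC-signed request, as an added example that is not from the question or the linked articles. It is written in Python rather than ASP.NET so the protocol logic is visible without the framework; the client names, secrets and the `HMAC-SHA256 key:signature:nonce:timestamp` header layout are all constructed for this example. The server side shows the two checks a practitioner most often forgets: a timestamp window and a nonce cache against replay, with the nonce recorded only after the signature verifies.

```python
import hashlib
import hmac
import secrets
import time

# Constructed client registry: API key -> shared secret. In a real service the
# secret is issued once per client and kept in a secret store, never in source.
CLIENT_SECRETS = {
    "client-alpha": b"constructed-secret-alpha",
    "client-bravo": b"constructed-secret-bravo",
}

MAX_CLOCK_SKEW = 300  # seconds; a request dated outside this window is refused
_seen_nonces = {}     # nonce -> last second it could still be accepted (use a shared TTL cache behind several servers)


def canonical_string(api_key, method, path, timestamp, nonce, body):
    """The exact text both sides sign: binds key, verb, path, time, nonce and body hash."""
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([api_key, method.upper(), path, str(timestamp), nonce, body_hash])


def sign_request(api_key, secret, method, path, body, timestamp=None, nonce=None):
    """Client side: build the Authorization header (header layout is this example's own)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(api_key, method, path, timestamp, nonce, body).encode()
    signature = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return {"Authorization": f"HMAC-SHA256 {api_key}:{signature}:{nonce}:{timestamp}"}


def verify_request(headers, method, path, body, now=None):
    """Server side: returns (True, api_key) on success or (False, reason) on failure."""
    now = int(time.time()) if now is None else now
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme != "HMAC-SHA256":
        return False, "unsupported scheme"
    parts = value.split(":")
    if len(parts) != 4:
        return False, "malformed header"
    api_key, signature, nonce, ts = parts
    secret = CLIENT_SECRETS.get(api_key)
    if secret is None:
        return False, "unknown api key"
    try:
        ts = int(ts)
    except ValueError:
        return False, "bad timestamp"
    if abs(now - ts) > MAX_CLOCK_SKEW:
        return False, "timestamp outside window"
    msg = canonical_string(api_key, method, path, ts, nonce, body).encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # Only a correctly signed request touches the nonce cache, so unauthenticated
    # traffic cannot fill it. Evict nonces whose timestamp window has closed, then reject repeats.
    for stale in [n for n, exp in _seen_nonces.items() if exp < now]:
        del _seen_nonces[stale]
    if nonce in _seen_nonces:
        return False, "replayed nonce"
    _seen_nonces[nonce] = ts + MAX_CLOCK_SKEW
    return True, api_key
```

Hashing the body into the signed string is what makes a captured signature useless for a modified request; the timestamp bounds how long a captured request is valid at all, and the nonce closes the remaining window.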

3 Answers

You are on the right track by using token based authentication. Here is a link which shows the implementation details:

Token based authentication in Web API without any user interface

Additionally, I think you can secure the channel using SSL:

http://www.c-sharpcorner.com/UploadFile/55d2ea/creating-and-using-C-Sharp-web-application-over-https-ssl/

Souvik Ghosh

The token based approach used in OAuth2 and OpenIdentity is very widespread and enables a wide range of scenarios (Web Apps, Mobile, Desktop Apps, microservices).

There are some good libraries out there for providing and consuming tokens. They should be preferred over implementing your own protocols. The latter approach is more error prone and is more difficult to be consumed by other clients (if there is the need in the future). I recommend having a look at IdentityServer (it is open source). An introduction can be found here.

Generally I recommend digging deeper into the blogs about token based authentication - it is a huge topic, but it is worth it.

Ralf Bönning

Yes, OAuth2 is a pretty standard protocol for securing resources and I would recommend it instead of rolling custom implementations. The idea is that each client will receive a client_id/client_secret pair (not username, password) and use those to get Bearer tokens from an OAuth Issuer. Then those tokens can be used to access the protected resources of the Web API.

Darin Dimitrov
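The shape of the client_id/client_secret exchange described in this answer, as an added example that is not the answer's own code and not an OAuth2 library: a service issues a short-lived bearer token after checking the client's secret, and the API validates that token and its scope on every call. The token format here is a signed payload built by hand to keep the example self-contained; a real deployment would use an OAuth2 issuer such as the ones the answers above mention. Client ids, secrets, scopes and the signing key are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

SIGNING_KEY = b"constructed-server-signing-key"  # held only by the issuer and the API
TOKEN_TTL = 3600                                  # seconds a token stays valid


def _hash_secret(secret):
    # Client secrets are high-entropy random strings, so a plain SHA-256 is adequate
    # here; passwords chosen by people would need a slow, salted hash instead.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed client registry: only the hash of each client_secret is stored.
CLIENTS = {
    "mobile-app": {"secret_hash": _hash_secret("constructed-mobile-secret"), "scopes": ["orders:read"]},
    "batch-job": {"secret_hash": _hash_secret("constructed-batch-secret"), "scopes": ["orders:read", "orders:write"]},
}


def _b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64u_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload):
    return _b64u(hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest())


def issue_token(client_id, client_secret, now=None):
    """Token endpoint: client presents client_id/client_secret, gets a bearer token or None."""
    now = int(time.time()) if now is None else now
    client = CLIENTS.get(client_id)
    # Compare against a dummy hash for unknown clients so timing does not reveal valid ids.
    stored = client["secret_hash"] if client else _hash_secret("")
    if not hmac.compare_digest(stored, _hash_secret(client_secret)) or client is None:
        return None
    claims = {"sub": client_id, "scope": client["scopes"], "iat": now,
              "exp": now + TOKEN_TTL, "jti": secrets.token_hex(8)}
    payload = _b64u(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    return {"access_token": f"{payload}.{_sign(payload)}",
            "token_type": "Bearer", "expires_in": TOKEN_TTL}


def validate_bearer(authorization_header, required_scope, now=None):
    """Resource side: returns the claims if the token is genuine, unexpired and scoped, else None."""
    now = int(time.time()) if now is None else now
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    payload, _, signature = token.rpartition(".")
    if not payload:
        return None
    # Verify the signature before parsing anything from the payload.
    if not hmac.compare_digest(_sign(payload), signature):
        return None
    claims = json.loads(_b64u_decode(payload))
    if claims["exp"] <= now:
        return None
    if required_scope not in claims["scope"]:
        return None
    return claims
```

The point of the separation is that the client_secret is sent once, to the token endpoint, while the API only ever sees short-lived tokens; compromise of a token is bounded by `exp` and by the scopes it carries, and the issuer can stop minting tokens for a client without touching the API.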