8

I'm creating a web service to expose some data via publicly accessible APIs. At a high level, what mechanisms are people using to secure their APIs to ensure that a valid, authenticated user is making the call?

The service will be C#, the consumer could be anything (Facebook or iPhone app as well as a website) so Microsoft only solutions are out.

It's not a new problem so I assume there are some standard practices in place to deal with it but my google-fu is failing me on this one. Can the collective point me to any resources? Thanks.

bluish
MarcE
  • I asked for options and got them, but Inquisitor gets the answer for pointing me at OAuth. – MarcE Jan 24 '11 at 20:02

4 Answers

5

You can still use Membership authentication: have a web service method Login(username, password), inside that method validate user:

[WebMethod]
public bool Login(string username, string password)
{
    // Check the credentials against the configured Membership provider
    bool isValid = Membership.ValidateUser(username, password);
    if (isValid)
    {
        // Issue the forms-authentication cookie (second argument: persistent cookie)
        FormsAuthentication.SetAuthCookie(username, true);
        return true;
    }
    return false;
}

And that should do it - it will create a cookie that travels with requests and in each method you can check HttpContext.Current.User.Identity.IsAuthenticated.

[WebMethod]
public void SomeWebMethodThatRequiresAuthentication(string someParameter)
{
    if (HttpContext.Current.User.Identity.IsAuthenticated)
    {
        // ... do whatever you need - user is logged in ...
    }
    else
    {
        // ... optionally let the user know they are not logged in ...
    }
}

I believe it can work with different consumers that support cookies because all it needs to work is for consumer to send the auth cookie along with the request to your web server.

bluish
Andrey
  • That's interesting - so in that scenario there's no difference between an authenticated user of a website and a consumer of a web service. I guess it fails if the client doesn't support cookies though? (a desktop app for example) – MarcE Jan 23 '11 at 11:44
  • ASP.NET membership also supports url rewriting and keeping authentication token in the url itself, so that will work for pretty much any consumer, even those which don't support cookies. For example: http://www.informit.com/articles/article.aspx?p=351414&seqNum=4 – Andrey Jan 24 '11 at 00:26
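One way to serve the cookie-less clients raised in the comments above, as an added example and not code from this answer: Login returns the encrypted forms-authentication ticket as a string, the client sends it back in a request header on later calls (a header rather than the URL, so the ticket does not land in proxy and server access logs), and each web method validates it with FormsAuthentication.Decrypt before doing any work. The class and method names, the header name X-Auth-Ticket and the 30-minute lifetime are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Security;
using System.Web.Services;

public class ApiService : WebService
{
    // Assumed header name; the client echoes the ticket it received from Login here.
    private const string TicketHeader = "X-Auth-Ticket";

    // Validate credentials with the Membership provider and hand back an
    // encrypted, expiring ticket instead of relying on a Set-Cookie header.
    [WebMethod]
    public string Login(string username, string password)
    {
        if (!Membership.ValidateUser(username, password))
        {
            return null;
        }

        var ticket = new FormsAuthenticationTicket(
            version: 1,
            name: username,
            issueDate: DateTime.Now,
            expiration: DateTime.Now.AddMinutes(30), // assumed lifetime
            isPersistent: false,
            userData: string.Empty);

        // Encrypted and MAC-protected with the application's machineKey,
        // so a client cannot alter the name or push the expiry out.
        return FormsAuthentication.Encrypt(ticket);
    }

    // Returns the authenticated user name, or null when the header is
    // missing, tampered with, or expired.
    private static string AuthenticatedUser(HttpRequest request)
    {
        string raw = request.Headers[TicketHeader];
        if (string.IsNullOrEmpty(raw))
        {
            return null;
        }

        FormsAuthenticationTicket ticket;
        try
        {
            ticket = FormsAuthentication.Decrypt(raw);
        }
        catch (Exception)
        {
            // Decrypt throws on a forged or corrupted ticket; treat as unauthenticated.
            return null;
        }

        if (ticket == null || ticket.Expired)
        {
            return null;
        }
        return ticket.Name;
    }

    [WebMethod]
    public string GetAccountSummary(string accountId)
    {
        string user = AuthenticatedUser(Context.Request);
        if (user == null)
        {
            // Signal the failure with an HTTP status, not a 200 carrying an error string.
            Context.Response.StatusCode = 401;
            return null;
        }

        // Authentication only says who is calling; the method still has to
        // check that this user may see this account before returning data.
        return "summary for " + accountId + " requested by " + user;
    }
}
```

Decrypt verifies the ticket's MAC and expiry but not revocation: if you need to invalidate tickets before they expire, keep the lifetime short or track issued tickets server-side.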
3

Try the answers in this similar question:

What is the best way to handle authentication in ASP.NET MVC with a Universe database?

Community
RichardTheKiwi
3

I see that frequently in SaaS web services authentication by token key over SSL is used; we chose this simple method in our last project over the OAuth and SAML protocols. Maybe this can be useful; sometimes simple solutions make things more scalable and easier to keep under control.

bluish
  • That's interesting because "OAuth" was missing from my vocabulary and that opened up a world of google possibilities! – MarcE Jan 23 '11 at 11:59
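The "token key over SSL" approach from this answer written out as an added example (not code from the answer's project): each key has the shape clientId.secret, the service stores only the SHA-256 hash of the secret, looks the client up by id, compares the hash in constant time so response timing does not reveal how many bytes matched, and refuses to accept a key at all on a plain-HTTP request. The ApiKeyStore class, the key format, the sample client and the header name X-Api-Key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
using System.Web;

public static class ApiKeyStore
{
    private const string KeyHeader = "X-Api-Key"; // assumed header name

    // Constructed sample data: clientId -> hex(SHA-256(secret)).
    // In a real service this lives in a database; the raw secret is shown to
    // the client once at creation time and never stored.
    private static readonly Dictionary<string, string> SecretHashByClient =
        new Dictionary<string, string>(StringComparer.Ordinal)
        {
            { "demo-client", Hash("not-a-real-secret") }
        };

    // Hex-encoded SHA-256 of the secret, used both at creation and at lookup.
    public static string Hash(string secret)
    {
        using (var sha = SHA256.Create())
        {
            byte[] digest = sha.ComputeHash(Encoding.UTF8.GetBytes(secret));
            var sb = new StringBuilder(digest.Length * 2);
            foreach (byte b in digest)
            {
                sb.Append(b.ToString("x2"));
            }
            return sb.ToString();
        }
    }

    // Compare every character regardless of where the first mismatch is, so
    // the time taken does not depend on how much of the value was right.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length)
        {
            return false;
        }
        int diff = 0;
        for (int i = 0; i < a.Length; i++)
        {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Returns the client id on success, or null for any failure. Callers
    // should treat null as an HTTP 401 and not distinguish the reasons.
    public static string Authenticate(HttpRequest request)
    {
        // The key is a bearer secret: over plain HTTP it can be read on the wire.
        if (!request.IsSecureConnection)
        {
            return null;
        }

        string key = request.Headers[KeyHeader];
        if (string.IsNullOrEmpty(key))
        {
            return null;
        }

        // Assumed key layout: "<clientId>.<secret>"; split on the first dot only.
        int dot = key.IndexOf('.');
        if (dot <= 0 || dot == key.Length - 1)
        {
            return null;
        }
        string clientId = key.Substring(0, dot);
        string secret = key.Substring(dot + 1);

        string storedHash;
        if (!SecretHashByClient.TryGetValue(clientId, out storedHash))
        {
            return null;
        }

        return FixedTimeEquals(Hash(secret), storedHash) ? clientId : null;
    }
}
```

Putting the client id in the key keeps the lookup a dictionary hit while the only secret-dependent comparison is the fixed-time one; pair it with per-client rate limiting and logging of failed attempts by client id so a brute-force run against one key is visible.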
1

We use WS-Security. It's a published standard so any client (in theory) can use it to send authentication credentials.

Here's another SO question that covers using WS-Security with C#.
How to use WS-Security in C#?

Community
karoberts