Reputation: 7818
Authenticating via http using the web api in asp.net
I've watched and viewed lots of pages on securing asp.net web api's - including: http://weblogs.asp.net/jgalloway/archive/2012/03/23/asp-net-web-api-screencast-series-part-6-authorization.aspx and http://weblogs.asp.net/jgalloway/archive/2012/05/04/asp-net-mvc-authentication-customizing-authentication-and-authorization-the-right-way.aspx - however, I've not yet seen a KISS type example.
If I have a web api, which returns a list of cars for example - and I am working with a 3rd party (ie. not my own website or server/domain) who wants to query (get) and insert (post) lists of cars by a type, into my database, how so I authenticate them (via https)?
Do they simply add (into their JSON GET/Post) something like:
[
{"username":"someusername","password":"somepassword",
{
"carTypeID":12345,
"carTypeID":9876}
"carTypeID":2468}
}
}
]
I can then grab the username and password, and check against my membership database in .net, and "IfUserAuthenticated" go on to process the rest of the JSON?
Or is there a better way of doing this? I've heard of adding details to headers etc - but I'm not sure if that's for a reason, or over complicating it. I've also heard of setting tokens which are sent back to the 3rd party - if that's the best method, what instructions do I give them got building their side of the app that will use my API?
Thanks for any advice/pointers,
Mark
Upvotes: 5
Views: 5716
Answers (3)
Reputation: 7216
If you want to keep it simple you can use Basic authentication. Over SSL it's quite secure. It simply involves adding a header to the request:
Authorization: Basic <username:password encoded as base64>
You can find a way to implement it here.
Upvotes: 4
Reputation: 971
You can use HTTP Basic authenticaiton along with SSL. Its very simple to implement using message handlers and is supported out of the box on many platforms. See my blog for an example (it is very easy to integrate with membership provider of your choice)
http://www.piotrwalat.net/basic-http-authentication-in-asp-net-web-api-using-message-handlers/
Upvotes: 3
Reputation: 12713
I've written something similar for the Web API:
http://remy.supertext.ch/2012/04/basic-http-authorization-for-web-api-in-mvc-4-beta/
It's in use at a few places now and we've been using it since about 2 month in production. Seems to work fine.
Upvotes: 0
Related Questions
- how to add Authentication to web api
- MVC user Authentication using Web API
- asp.net web api - How to authenticate user
- web api authentication in MVC application?
- How to Setup Authentication for Web API?
- Web api authentication and MVC 4
- Authenticating ASP.NET Web API
- Authentication in webAPI
- How to use authentication with MVC Web API?
- Web API Request - Send back authentication request