Alexander Liberson

Reputation: 632

How to secure WebAPI inside MVC 4 .NET SPA template with token-based HTTP basic authentication?

I've been reading different articles on the subject of securing WebAPI, including:

leastprivilege article

kevin junghans article

piotr walat's article

and many others.

I would like to use the MVC 4 .NET SPA template (with either Backbone.js or another JS lib) and I'd like to secure the WebAPI used by the SPA with basic HTTP authentication, using tokens in the headers, because some of the WebAPI clients will not support the cookies required by forms authentication.

The SPA template uses SimpleMembership and OAuth, which I would like to use and combine with basic HTTP authentication.

What's unclear to me is whether the SPA template out-of-the-box authenticates and authorizes WebAPI with basic HTTP authentication and tokens, or do I have to follow and piece this together from the links above?

Upvotes: 2

Views: 908

Answers (1)

Peter Munnings

Reputation: 3329

This is quite a large topic and it's best to completely understand it before simply plugging in templates.

Here is a great video to help put everything in place: https://vimeo.com/43603474

You must be using SSL for any token-based authentication (like OAuth).

Once the user is authenticated - via OAuth or your own membership provider - you can simply attribute any Web API methods with [Authorize] to ensure that a non-authenticated user can't call those methods (will return a 401 - not authorized if not authenticated).

Upvotes: 0
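
An added example, not code from the question or the answer above: one way to wire HTTP Basic credentials into the principal that `[Authorize]` checks, using a Web API message handler that refuses non-HTTPS requests. The class name `BasicAuthHandler` and the `validate` delegate are assumptions for illustration; the delegate stands in for whatever membership store checks the user name and password.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Principal;
using System.Text;
using System.Threading;
using System.Threading.Tasks;
using System.Web;
// Added example (hypothetical class). Register: config.MessageHandlers.Add(new BasicAuthHandler(check));
public class BasicAuthHandler : DelegatingHandler
{
    private readonly Func<string, string, bool> _validate; // assumed credential check
    public BasicAuthHandler(Func<string, string, bool> validate) { _validate = validate; }
    protected override async Task<HttpResponseMessage> SendAsync(
        HttpRequestMessage request, CancellationToken cancellationToken)
    {
        // Basic credentials are only base64-encoded, so never accept them over plain HTTP.
        if (request.RequestUri.Scheme != Uri.UriSchemeHttps)
            return new HttpResponseMessage(HttpStatusCode.Forbidden) { RequestMessage = request };
        AuthenticationHeaderValue auth = request.Headers.Authorization;
        string user, password;
        if (auth != null && string.Equals(auth.Scheme, "Basic", StringComparison.OrdinalIgnoreCase)
            && TryParse(auth.Parameter, out user, out password) && _validate(user, password))
        {
            // [Authorize] inspects this principal; no roles are assigned here.
            var principal = new GenericPrincipal(new GenericIdentity(user, "Basic"), new string[0]);
            Thread.CurrentPrincipal = principal;
            if (HttpContext.Current != null) HttpContext.Current.User = principal;
        }
        HttpResponseMessage response = await base.SendAsync(request, cancellationToken);
        if (response.StatusCode == HttpStatusCode.Unauthorized) // advertise the expected scheme
            response.Headers.WwwAuthenticate.Add(new AuthenticationHeaderValue("Basic"));
        return response;
    }
    private static bool TryParse(string parameter, out string user, out string password)
    {
        user = password = null;
        byte[] raw;
        try { raw = Convert.FromBase64String(parameter ?? ""); }
        catch (FormatException) { return false; }
        string decoded = Encoding.UTF8.GetString(raw); // assumes UTF-8 credentials
        int colon = decoded.IndexOf(':');              // password may itself contain ':'
        if (colon <= 0) return false;
        user = decoded.Substring(0, colon);
        password = decoded.Substring(colon + 1);
        return true;
    }
}
```

Requests with missing or invalid credentials pass through unauthenticated, so any action marked `[Authorize]` answers 401 while unmarked actions stay reachable. If TLS is terminated at a load balancer, the scheme check has to be adapted to however that proxy signals the original protocol.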
