Reputation: 1041
I've been wrestling with how to simplify our WebAPI/Identity authentication for our current/future WebAPIs. I'm new at this, but I'll explain it the best I can. We started with a single WebAPI and set up ASP.Net Identity to handle the authentication and such. Then we set up another, and soon it will be 30.
The problem here is obvious - for every new WebAPI we have to plug in yet another MS Identity Authorization layer. In some cases just having a single, massive WebAPI would work, but in this case these are totally separate products (plus it's bad design).
So we wanted to shoot for something like this:
But I'm having a hard time figuring out how each WebAPI would get User information so I could check roles and such.
I've read many posts on WebAPI authentication such as: this, this and this, but it seems everything I find has to do with securing that SINGLE WebAPI and we know how to do that already. It feels like what we need is an SSO approach for our WebAPIs. It almost seems that we need something like the External Authentication approach (like Facebook, Twitter, etc.) but using our own backend DB - I just don't know the proper terminology.
So I'm turning to the experts for help in getting me headed the right direction:
I could hack it all together behind the scenes, but it feels like there is an obvious answer out there that I am missing.
Is there a built-in way to set up a "Trust" between each WebAPI and an Authentication API to do something like this:
This is the direction we are currently heading:
If I could just get a general push in the right direction, I'd be pleased as punch. I just don't want to reinvent the wheel.
Oh, and before I forget, we are using asp.net 4.5, WebAPI 2, Identity 2, on IIS.
Thank you for any pointers.
Upvotes: 5
Views: 1337
Reputation: 125488
What you are looking for is Federated Identity for your own web APIs and is something that Thinktecture's Identity Server aims to solve. The documentation is probably the best place to start.
Upvotes: 2
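The "trust" the question asks about, reduced to its core mechanism as an added example (this is illustrative code, not IdentityServer's or the asker's): the authentication API mints a signed token carrying the user's roles for a specific WebAPI, and each WebAPI validates signature, issuer, audience and expiry with a key it shares with the auth service, then reads roles from the claims instead of consulting the Identity database itself. Standard-library Python only; the shared key, issuer URL and API names are constructed demo values.

```python
import base64, hashlib, hmac, json, time

# Constructed demo values: in a real deployment the key is provisioned out of band
# and rotated; the issuer is the authentication API's identifier.
SHARED_KEY = b"demo-shared-secret-rotate-me"
ISSUER = "https://auth.example.local"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(user, roles, audience, ttl=3600, now=None):
    """Auth API side: mint an HS256 JWT carrying the user's roles for one WebAPI."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": ISSUER, "aud": audience, "sub": user,
              "roles": roles, "iat": now, "exp": now + ttl}
    signing_input = (_b64(json.dumps(header, separators=(",", ":")).encode()) + "." +
                     _b64(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(SHARED_KEY, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64(sig)

def validate_token(token, expected_audience, now=None):
    """WebAPI side: verify signature, issuer, audience and expiry; return claims or None."""
    now = int(time.time()) if now is None else now
    try:
        head_b64, claims_b64, sig_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(_unb64(head_b64))
    if header.get("alg") != "HS256":   # pin the algorithm; never trust the token's own choice
        return None
    expected = hmac.new(SHARED_KEY, f"{head_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig_b64)):
        return None
    claims = json.loads(_unb64(claims_b64))
    if claims.get("iss") != ISSUER or claims.get("aud") != expected_audience:
        return None   # token was minted for a different API or by an unknown issuer
    if now >= claims.get("exp", 0):
        return None
    return claims

def authorize(token, api_name, required_role, now=None):
    """What each WebAPI's authorization filter does: accept the claims, then check the role."""
    claims = validate_token(token, api_name, now)
    return claims is not None and required_role in claims.get("roles", [])
```

Because every check runs against the shared key and the token's own claims, adding a thirty-first WebAPI means provisioning it the key and an audience name, not a new Identity database hookup.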
Reputation: 105
Not to give too simplistic an answer, but couldn't you just build an API as a facade around the others? The top-level API handles all of the authorization and then forwards calls to your other APIs. I'm not an architect, but that's what I would do.
Upvotes: 1