Reputation: 856
So I have an ASP.NET MVC application with its own users, using cookies and claims authentication. And I'm adding a Web Api application that will be hosted elsewhere. The MVC app is the only thing that should be calling the api. I'm wondering what the proper way is to authenticate the calls to the api. All the authorization checks are done in the MVC app, and for now the API doesn't care about authorization, just authentication.
My first thought was to just have one "application user" that will request a bearer token and then pass that along with each request. The web api will authenticate this user and give the token. Does that sound correct? Is there a better way?
And if, in the future, the web api does care about authorization, what would be the proper way to make the api calls as the logged in user?
Thanks!
Upvotes: 3
Views: 2718
Reputation: 609
If the applications don't share the cookie, a proper way of doing this would be using the OAuth 2.0 protocol you will need
Your users will put their username and password in your MVC app (OAuth client), and through that you will get a bearer token from the Web Api (OAuth server). You can use that token for every other request in the session by putting it in the Authentication header.
This particular OAuth flow is called the Password Credentials Flow and can be used when you need to authenticate a user from within a trusted application (such as your MVC app).
Upvotes: 5
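The exchange described in the answer above, written out as an added C# example (not code from the asker or the answerer): the MVC app posts the user's credentials to the Web API's token endpoint with the password grant, then sends the returned bearer token on each API call. The `/token` endpoint, the `/api/orders` resource and the `ApiClient` class are assumed names for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

// Added example, not the original poster's code. Assumes the Web API exposes a
// /token endpoint implementing the OAuth 2.0 password grant (RFC 6749 section 4.3)
// and that /api/orders is a bearer-protected resource; both paths are hypothetical.
public sealed class ApiClient
{
    private readonly HttpClient _http;

    public ApiClient(Uri apiBaseAddress)
    {
        // Credentials travel in the request body, so the base address must be https.
        _http = new HttpClient { BaseAddress = apiBaseAddress };
    }

    // Step 1: exchange the user's username/password for a bearer token.
    public async Task<string> RequestTokenAsync(string username, string password)
    {
        var form = new FormUrlEncodedContent(new Dictionary<string, string>
        {
            ["grant_type"] = "password",
            ["username"] = username,
            ["password"] = password,
        });

        using var response = await _http.PostAsync("/token", form);
        response.EnsureSuccessStatusCode();

        using var json = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
        // The response also carries token_type ("bearer") and expires_in; cache the
        // token per session and re-request it before expiry rather than resending credentials.
        return json.RootElement.GetProperty("access_token").GetString()!;
    }

    // Step 2: present the token on every API request in the Authorization header.
    public async Task<string> GetOrdersAsync(string accessToken)
    {
        using var request = new HttpRequestMessage(HttpMethod.Get, "/api/orders");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);

        using var response = await _http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

Because the token is issued for the signed-in user rather than a shared "application user", the Web API can later enforce per-user authorization from the claims in that token. Note that the OAuth 2.0 Security Best Current Practice (RFC 9700) advises against the password grant for new deployments, with the authorization code flow as the usual replacement.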