John John

Reputation: 1

How can I send a POST request that includes a token inside the Authorization header using WebClient?

I am working on building a secure integration between two ASP.NET MVC web applications: an ERP system that calls a network scanning application. So currently on the receiver application (the network scanning application) I have the following action method, which should only be executed by the ERP system:

    public async Task<ActionResult> ScanServer(string tokenfrom, string FQDN) // only the ERP system should be able to call this
    {
        string Token = System.Web.Configuration.WebConfigurationManager.AppSettings["Token"]; // get the token from the web.config, this should be encrypted

        if (tokenfrom != Token) // check if the request is authorized by comparing the 2 tokens.
        {
            return new HttpStatusCodeResult(403, "request failed");
        }

        // code goes here..
        return new HttpStatusCodeResult(200); // placeholder result so the method compiles
    }

And on the caller system (the ERP system), I have the following action method, which calls the above action method.

    [HttpPost]
    [CheckUserPermissions(Action = "", Model = "Admin")] // check if the user is defined as an admin inside my custom authorization system
    public async Task<ActionResult> Scan()
    {
        try
        {
            string currentURL = System.Web.Configuration.WebConfigurationManager.AppSettings["scanningURL"];
            string token = System.Web.Configuration.WebConfigurationManager.AppSettings["Token"];
            using (WebClient wc = new WebClient())
            {
                // the query key must match the receiver's parameter name ("tokenfrom") for model binding to work
                string url = currentURL + "home/scanserver?tokenfrom=" + token + "&FQDN=allscan";
                var json = await wc.DownloadStringTaskAsync(url);
                TempData["messagePartial"] = "Scan has been completed. Scan report generated";
            }
        }
        catch (WebException ex) // placeholder handler so the try block compiles
        {
            TempData["messagePartial"] = "Scan failed: " + ex.Message;
        }
        return RedirectToAction("Index"); // placeholder result
    }

As shown in the above code, I am sending a security token, which is stored inside the two applications' web.config files. In this way I can make sure (or this is my intention) that any request received by the network scanning application is coming from the ERP system (since only they know the token).

But based on my searching and reading, I realized that the above approach might not be 100% secure, for this reason:

  1. Any user who has access to the ERP or to the network scanning servers can see all the URLs, which contain the token as plain text, because servers store all the GET requests inside their logs as plain text, even if the URLs are sent/received over HTTPS, as in my case.

So it will be better if I send the token as part of the Authorization header.

So my questions are how I can do this inside WebClient:

  1. Currently I am sending the token in a GET request, as follows:

         // query key matches the receiver's "tokenfrom" parameter
         string url = currentURL + "home/scanserver?tokenfrom=" + token + "&FQDN=allscan";
         var json = await wc.DownloadStringTaskAsync(url);

So how can I modify this to send the token as part of the Authorization header?

  2. Second question: how will I be receiving this Authorization header inside the network scanning application?

Thanks

Upvotes: 1

Views: 610
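The following is an added example, not code from the question or the answer, showing both halves of what is asked: the ERP side sends the shared token in the Authorization header of a POST with WebClient (so it never lands in the URL or in access logs), and the scanning side reads the header and compares it in constant time. The "Token" and "scanningURL" app settings are the ones from the question; the action route, the `Bearer` scheme and the JSON response shape are assumptions.

```csharp
using System;
using System.Net;
using System.Text;
using System.Threading.Tasks;
using System.Web.Configuration;
using System.Web.Mvc;

// Caller side (ERP system). Assumed helper, not part of the original code.
public static class ScanClient
{
    public static async Task<string> PostScanAsync(string baseUrl, string token, string fqdn)
    {
        using (var wc = new WebClient())
        {
            // The secret goes in a request header, which web servers do not write to access logs.
            wc.Headers[HttpRequestHeader.Authorization] = "Bearer " + token;
            wc.Headers[HttpRequestHeader.ContentType] = "application/x-www-form-urlencoded";
            // Only non-secret parameters travel in the body.
            string body = "FQDN=" + Uri.EscapeDataString(fqdn);
            return await wc.UploadStringTaskAsync(baseUrl + "home/scanserver", "POST", body);
        }
    }
}

// Receiver side (network scanning application).
public class HomeController : Controller
{
    [HttpPost]
    public ActionResult ScanServer(string FQDN)
    {
        string expected = WebConfigurationManager.AppSettings["Token"];
        string presented = ExtractBearerToken(Request.Headers["Authorization"]);

        if (presented == null || expected == null || !FixedTimeEquals(presented, expected))
        {
            // 401 plus WWW-Authenticate tells a legitimate client which scheme is expected.
            Response.AppendHeader("WWW-Authenticate", "Bearer");
            return new HttpStatusCodeResult(401, "request failed");
        }

        // scan code goes here ...
        return Json(new { status = "ok", fqdn = FQDN });
    }

    // Accepts only "Bearer <token>"; any other shape is treated as absent.
    private static string ExtractBearerToken(string header)
    {
        const string prefix = "Bearer ";
        if (string.IsNullOrEmpty(header) || !header.StartsWith(prefix, StringComparison.Ordinal))
            return null;
        return header.Substring(prefix.Length).Trim();
    }

    // Compare every byte regardless of where the first mismatch is, so response
    // timing does not reveal how many leading characters of a guess were correct.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < Math.Min(x.Length, y.Length); i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

The header approach only removes the token from URLs and logs; TLS is still what keeps it out of the network path, and the token should be treated as a credential (long, random, rotated, and stored encrypted in web.config as the question already notes).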

Answers (1)

Andy Wiesendanger

Reputation: 643

This is an example for Basic auth.

using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;

// build "Basic base64(user:password)" and attach it to every request from this client
var creds = string.Format("{0}:{1}", userName, Password);
var bytes = Encoding.ASCII.GetBytes(creds);
var header = new AuthenticationHeaderValue("Basic", Convert.ToBase64String(bytes));
var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = header;

And for checking on the receiver.

const string AuthScheme = "Basic";

var headers = request.Headers;
if (headers.Authorization != null && headers.Authorization.Scheme.Equals(AuthScheme))
{
    var encoding = Encoding.GetEncoding("iso-8859-1");
    var creds = encoding.GetString(Convert.FromBase64String(headers.Authorization.Parameter));

    // split on the first colon only, so a password containing ':' is kept intact
    var parts = creds.Split(new[] { ':' }, 2);
    var userName = parts[0].Trim();
    var pwd = parts.Length > 1 ? parts[1].Trim() : string.Empty;

}

Upvotes: 1
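As an added example (not the answer's code), the receiver-side check above can be packaged as an ASP.NET MVC authorization filter so that every protected action gets the same parsing and the same failure handling. The filter tolerates a missing header, a non-Basic scheme, invalid base64 or a credential with no colon instead of throwing, and compares both fields in constant time. The "ScanUser" and "ScanPassword" app setting names are assumptions.

```csharp
using System;
using System.Net;
using System.Text;
using System.Web.Configuration;
using System.Web.Mvc;

// Assumed filter name; apply as [BasicTokenAuth] on the receiving action.
public sealed class BasicTokenAuthAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        var request = filterContext.HttpContext.Request;
        string expectedUser = WebConfigurationManager.AppSettings["ScanUser"];         // assumed setting name
        string expectedPassword = WebConfigurationManager.AppSettings["ScanPassword"]; // assumed setting name

        string user, password;
        bool ok = TryParseBasic(request.Headers["Authorization"], out user, out password)
                  && FixedTimeEquals(user, expectedUser)
                  && FixedTimeEquals(password, expectedPassword);

        if (!ok)
        {
            // 401 means "not authenticated"; 403 would mean "authenticated but not allowed".
            filterContext.HttpContext.Response.AppendHeader("WWW-Authenticate", "Basic realm=\"scan\"");
            filterContext.Result = new HttpStatusCodeResult(HttpStatusCode.Unauthorized);
        }
    }

    // Parses "Basic <base64(user:password)>". Returns false rather than throwing on any malformed input.
    public static bool TryParseBasic(string header, out string user, out string password)
    {
        user = password = null;
        if (string.IsNullOrEmpty(header)) return false;

        string[] schemeAndParam = header.Split(new[] { ' ' }, 2);
        if (schemeAndParam.Length != 2 ||
            !schemeAndParam[0].Equals("Basic", StringComparison.OrdinalIgnoreCase))
            return false;

        string creds;
        try
        {
            creds = Encoding.GetEncoding("iso-8859-1").GetString(Convert.FromBase64String(schemeAndParam[1].Trim()));
        }
        catch (FormatException)
        {
            return false; // not valid base64
        }

        // Only the first colon separates user from password; later colons belong to the password.
        int colon = creds.IndexOf(':');
        if (colon < 0) return false;
        user = creds.Substring(0, colon);
        password = creds.Substring(colon + 1);
        return true;
    }

    // Byte-wise comparison that does not short-circuit on the first mismatch.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null) return false;
        byte[] x = Encoding.UTF8.GetBytes(a);
        byte[] y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < Math.Min(x.Length, y.Length); i++)
            diff |= x[i] ^ y[i];
        return diff == 0;
    }
}

// Usage on the scanning application's action (assumed):
// [HttpPost, BasicTokenAuth]
// public ActionResult ScanServer(string FQDN) { ... }
```

Because Basic credentials are only base64-encoded, not encrypted, the filter is only safe behind HTTPS; it also rejects requests before the action body runs, which keeps the token check out of every individual controller method.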
