Reputation: 865
Ok, so just a bit of a background on the setup.
I currently have a Web API 2 project which is the server side of this RESTful API. Clients currently use a username/password combination to obtain a bearer token which is then used in subsequent API calls. The project is stored in a private project on GitHub.
I am looking to build and deploy a C# Windows service that will utilize this API. What would be the best practice in regards to deploying/storing the credentials along with this Windows service?
I control both ends of the API and I will be controlling the deployment of the Windows service as well. This will be packaged as an MSI and deployed through some 3rd-party software (automated).
Here are the requirements
So my question is, how would I get the API credentials onto the client, not in plain text but in a usable format?
Or should I be looking into a different type of authentication for the API? I had a brief look at OAuth2, but as far as I can tell you would need someone at the client side to accept?
If anyone has any advice or resources on how to accomplish this, that would be awesome.
Upvotes: 1
Views: 495
Reputation: 849
I'm not that much of an expert, but I had a similar case, so I'll take my chances at getting some downvotes :0)
One approach in desktop/service applications is to ask the user to enter the credentials. If it's possible, then this is the best way for you. If the user can enter the credentials even once, you can save the data encrypted using ProtectedData (using this class you don't have to save the encryption key in your code, which is very easy to extract (using reflector...)).
But if you want to do this automatically and store the credentials, there isn't a good way to do so. You can obfuscate the credentials and prevent script kiddies from seeing them, but for more serious hackers it will be rather easy to hack.
There are several other options, but they are all hackable. A different approach would be to register each machine on your server with a MAC address and a random string (a GUID will do the job) which is saved using the ProtectedData class, and then only this specific key-value pair will be able to get data from your API. You have 2 problems here:
Upvotes: 1
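As an added illustration of the ProtectedData approach mentioned in the answer (example code, not from the question, the answer or any project), this stores the API username/password with DPAPI under the LocalMachine scope, which is what a Windows service without an interactive user profile needs. The file path and the entropy value are assumptions; on .NET Framework the project needs a reference to System.Security.dll.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Text;

// LocalMachine scope: any process on this machine that also knows the entropy
// can decrypt the blob, so it raises the bar against casual reading of the
// file and against copying it to another machine, not against a local admin.
static class CredentialStore
{
    // Constructed example values; path and entropy are assumptions.
    static readonly string StorePath =
        Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "api-credentials.bin");
    static readonly byte[] Entropy = Encoding.UTF8.GetBytes("example-entropy-change-me");

    // Run once at install time (e.g. from an MSI custom action) with the real credentials.
    public static void Save(string username, string password)
    {
        byte[] plain = Encoding.UTF8.GetBytes(username + "\n" + password);
        byte[] cipher = ProtectedData.Protect(plain, Entropy, DataProtectionScope.LocalMachine);
        Array.Clear(plain, 0, plain.Length); // do not leave the clear text in memory
        File.WriteAllBytes(StorePath, cipher);
    }

    // Run at service start to recover the credentials before requesting the bearer token.
    public static bool TryLoad(out string username, out string password)
    {
        username = password = null;
        if (!File.Exists(StorePath)) return false;
        try
        {
            byte[] plain = ProtectedData.Unprotect(
                File.ReadAllBytes(StorePath), Entropy, DataProtectionScope.LocalMachine);
            string[] parts = Encoding.UTF8.GetString(plain).Split(new[] { '\n' }, 2);
            Array.Clear(plain, 0, plain.Length);
            if (parts.Length != 2) return false;
            username = parts[0];
            password = parts[1];
            return true;
        }
        catch (CryptographicException)
        {
            // Blob was written on another machine, with other entropy, or was
            // tampered with: treat it as missing and let the service fail closed.
            return false;
        }
    }
}
```

Restrict the file's ACL to the service account so other local users cannot even read the blob, and rotate the password on the server side if the file is ever found outside the machine it was written on.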