Reputation: 34008
Windows and Token Auth for same WEB API
Ok, I have this scenario.
I have one WEB API which will provide functionality to an intranet application, the idea is this application WILL not be visible to the outside world, so it wont have a login page.
However, the web api will also be consumed by mobile apps outside the organization, so the webapi WILL be exposed via a public url.
How can I make the authentication/authorization here to support both scenarios? 1. Internal users will be able to consume the web api via the angular backend app without an explicit login page. 2. External users via the mobile app will consume the web api with their active directory account.
I found this: https://stormpath.com/blog/token-authentication-asp-net-core
where I could easily replace the GetIdentity Method to go to Active Directory and check if user exists with that user and password, but on the intranet, I wont have that info.
ideas please?
Upvotes: 0
Views: 679
Answers (1)
Reputation: 2222
The best way to handle such a scenario is to use HMAC Authentication as discussed here. This will allow easier access to the piblic endpoint without requirering some kind of a login from the mobile clients, while at the same time enabling you to know which mobile is acceessing your endpoint. This is the same workflow as implemented in External Auth services like login with google and facebook where you are given an apikey and a apisecret
YOU CAN FIND THE SOURCE CODE OF THE EXAMPLE USING ASP.NET HERE
Upvotes: 1
Related Questions
- Use both windows authentication and bearer tokens in one web api
- C# Owin Auth - Common Token for the Webite and API
- Token Based Authentication in ASP.NET Core
- .Net - Share token between two webapi on same IIS
- Secure Web API with token c#
- How to enable windows authentication in conjunction with Owin token authentication in web api?
- Asp.net Web Api Token Authentication
- Web API - Token
- Token based authentication in web api
- Token Based Authorization Web API